Bug 24756

Summary: tar new security issue CVE-2019-9923
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, brtians1, mageia, marja11, smelror, sysadmin-bugs, tmb
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: tar-1.31-1.mga6.src.rpm
CVE: CVE-2019-9923
Status comment:

Description David Walser 2019-05-03 20:46:25 CEST
openSUSE has issued an advisory on April 18:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00148.html

The issue is fixed upstream in 1.32.
Comment 1 Marja Van Waes 2019-05-03 21:26:01 CEST
Assigning to our registered tar maintainer.
CC'ing kekepower, because he pushed the most recent security update for tar in Mga6

CC: (none) => marja11, smelror
Assignee: bugsquad => shlomif

Comment 2 Stig-Ørjan Smelror 2019-05-03 22:15:06 CEST
Advisory
========

Tar has been updated to fix CVE-2019-9923.

CVE-2019-9923: pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

References
==========
https://lists.opensuse.org/opensuse-updates/2019-04/msg00148.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9923

Files
=====

Uploaded to core/updates_testing

tar-1.31-1.1.mga6

from tar-1.31-1.1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CVE: (none) => CVE-2019-9923
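
The "malformed extended headers" named in the advisory are pax extended-header records, the payload of a typeflag 'x' tar entry. As an added example that is not part of this bug report or of GNU tar, here is a strict validator for that record format; it rejects records whose length prefix disagrees with the bytes actually present, records without a key=value body, and GNU sparse keys (names from the GNU tar manual) whose values are not decimal. The sample payloads are constructed and make no claim about what triggers CVE-2019-9923.

```python
"""Added example (not GNU tar's code): strict parser for pax extended-header
records, the payload of a typeflag 'x' tar entry.  Each record is
"LENGTH KEY=VALUE\n", LENGTH counting every byte, digits and newline included."""
from dataclasses import dataclass

@dataclass
class PaxRecord:
    key: str
    value: str

class MalformedPaxHeader(ValueError):
    """Raised for a record a strict reader must refuse to use."""

# GNU sparse keys that must carry a decimal value (key names from the GNU tar manual)
NUMERIC_SPARSE_KEYS = frozenset({
    "GNU.sparse.major", "GNU.sparse.minor", "GNU.sparse.size", "GNU.sparse.realsize",
    "GNU.sparse.numblocks", "GNU.sparse.offset", "GNU.sparse.numbytes"})

def parse_pax_records(payload: bytes) -> list[PaxRecord]:
    records, pos, n = [], 0, len(payload)
    while pos < n:
        space = payload.find(b" ", pos)
        if space <= pos or not payload[pos:space].isdigit():
            raise MalformedPaxHeader(f"offset {pos}: bad length field")
        end = pos + int(payload[pos:space])
        # the record must fit the payload, hold a body, and end in a newline
        if end > n or end <= space + 1 or payload[end - 1] != 0x0A:
            raise MalformedPaxHeader(f"offset {pos}: length disagrees with record")
        key, sep, value = payload[space + 1:end - 1].partition(b"=")
        if not sep or not key:
            raise MalformedPaxHeader(f"offset {pos}: record lacks key=value")
        rec = PaxRecord(key.decode(errors="replace"), value.decode(errors="replace"))
        if rec.key in NUMERIC_SPARSE_KEYS and not rec.value.isdigit():
            raise MalformedPaxHeader(f"offset {pos}: {rec.key} is not numeric")
        records.append(rec)
        pos = end
    return records

def validate_pax_payload(payload: bytes) -> tuple[bool, str]:
    """Scanner-friendly wrapper: (ok, message) instead of an exception."""
    try:
        return True, f"{len(parse_pax_records(payload))} record(s) ok"
    except MalformedPaxHeader as exc:
        return False, str(exc)

# constructed sample payloads (not taken from any real archive)
GOOD = b"22 path=some/file.txt\n24 GNU.sparse.size=4096\n"
BAD_LENGTH = b"30 path=x\n"           # claims 30 bytes, only 10 present
BAD_BODY = b"8 pathx\n"               # no '=' separator
BAD_SPARSE = b"23 GNU.sparse.size=abc\n"  # sparse size must be decimal
```

Feed `validate_pax_payload()` the data block of each 'x' entry read from an archive; `GOOD` validates while the three `BAD_*` payloads are each rejected with the offset of the offending record.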

Comment 3 Brian Rockwell 2019-05-06 19:30:29 CEST
$ uname -a
Linux localhost.localdomain 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 11:27:34 UTC 2019 i686 i686 i686 GNU/Linux

$ tar --version
tar (GNU tar) 1.31
Copyright (C) 2019 Free Software Foundation, Inc.

- created a tarball
- extracted it to a separate folder
- extracted individual file to separate folder


I didn't hit the security issue, but the utility is working.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => brtians1

Comment 4 PC LX 2019-05-07 17:24:52 CEST
Installed and tested without issues.

Tested by creating new tarballs with various compressors. Also tested, extracted and listed existing tarballs.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tar
tar-1.31-1.1.mga6

CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 5 Thomas Andrews 2019-05-07 20:06:32 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 10:01:27 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-05-12 11:37:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0164.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED