Bug 24756 - tar new security issue CVE-2019-9923
Summary: tar new security issue CVE-2019-9923
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-03 20:46 CEST by David Walser
Modified: 2019-05-12 11:37 CEST (History)
7 users

See Also:
Source RPM: tar-1.31-1.mga6.src.rpm
CVE: CVE-2019-9923
Status comment:


Attachments

Description David Walser 2019-05-03 20:46:25 CEST
openSUSE has issued an advisory on April 18:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00148.html

The issue is fixed upstream in 1.32.
Comment 1 Marja Van Waes 2019-05-03 21:26:01 CEST
Assigning to our registered tar maintainer.
CC'ing kekepower, because he pushed the most recent security update for tar in Mga6

CC: (none) => marja11, smelror
Assignee: bugsquad => shlomif

Comment 2 Stig-Ørjan Smelror 2019-05-03 22:15:06 CEST
Advisory
========

Tar has been updated to fix CVE-2019-9923.

CVE-2019-9923: pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

References
==========
https://lists.opensuse.org/opensuse-updates/2019-04/msg00148.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9923

Files
=====

Uploaded to core/updates_testing

tar-1.31-1.1.mga6

from tar-1.31-1.1.mga6.src.rpm

Assignee: shlomif => qa-bugs
CVE: (none) => CVE-2019-9923
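The advisory above describes the class of bug: an extended header that is malformed in a way the parser does not reject, followed by a dereference of a field that was never filled in. The Python below is an added example written for this page, not GNU tar's sparse.c/pax_decode_header and not a reproduction of the CVE-2019-9923 trigger. It is a defensive parser for PAX extended-header records that rejects every malformed shape (bad length field, overrun, missing newline, missing key) before any field is used, and cross-checks the sparse map against its advertised block count. The record layout is the POSIX pax one; the GNU.sparse.* key names follow GNU tar's sparse PAX layouts; the consistency rules, the helper names and the sample headers are this example's own constructions.

```python
"""Defensive parsing of PAX extended-header records (added example).

Not GNU tar's code and not the CVE-2019-9923 trigger. A PAX extended
header body is a sequence of records "<len> <key>=<value>\n", where <len>
is the decimal length of the whole record (digits, space, key=value and
newline). Each field is validated before use, so malformed input raises
PaxError instead of reaching code that assumes the field was set.
"""
import re
from typing import List, Tuple


class PaxError(ValueError):
    """Raised for any malformed or inconsistent extended header."""


def parse_pax_records(body: bytes) -> List[Tuple[str, str]]:
    """Parse an extended-header body into an ordered list of (key, value).

    Order and duplicates are kept: the GNU sparse 0.0 layout repeats
    GNU.sparse.offset / GNU.sparse.numbytes once per data block.
    """
    records: List[Tuple[str, str]] = []
    pos, n = 0, len(body)
    while pos < n:
        sp = body.find(b" ", pos)
        if sp <= pos:  # -1 (no space) or an empty length field
            raise PaxError(f"no length field at offset {pos}")
        len_field = body[pos:sp]
        if not len_field.isdigit():
            raise PaxError(f"non-numeric length {len_field!r} at offset {pos}")
        rec_len = int(len_field)
        # The length counts digits, space, key=value and newline, so a
        # value that does not reach past the space cannot be valid.
        if rec_len <= sp - pos + 1:
            raise PaxError(f"record length {rec_len} too small at offset {pos}")
        end = pos + rec_len
        if end > n:
            raise PaxError(f"record length {rec_len} overruns header at offset {pos}")
        if body[end - 1] != 0x0A:
            raise PaxError(f"record at offset {pos} is not newline-terminated")
        kv = body[sp + 1:end - 1]
        eq = kv.find(b"=")
        if eq <= 0:
            raise PaxError(f"record at offset {pos} has no key=value")
        try:
            records.append((kv[:eq].decode("utf-8"), kv[eq + 1:].decode("utf-8")))
        except UnicodeDecodeError as exc:
            raise PaxError(f"record at offset {pos} is not valid UTF-8") from exc
        pos = end
    return records


# Key names follow GNU tar's sparse PAX layouts; the checks below are this
# example's own policy, not a transcription of tar's code.
_NUMERIC_KEYS = {"size", "GNU.sparse.size", "GNU.sparse.realsize",
                 "GNU.sparse.numblocks", "GNU.sparse.offset",
                 "GNU.sparse.numbytes"}


def check_sparse_map(records: List[Tuple[str, str]]) -> List[Tuple[int, int]]:
    """Validate sparse-map fields and return the (offset, numbytes) pairs.

    A consumer indexing a map built from these records must never find it
    shorter than the advertised block count, so count and pairs are
    cross-checked here instead of trusted.
    """
    for key, value in records:
        if key in _NUMERIC_KEYS and not re.fullmatch(r"[0-9]+", value):
            raise PaxError(f"{key} is not a non-negative integer: {value!r}")
    offsets = [int(v) for k, v in records if k == "GNU.sparse.offset"]
    lengths = [int(v) for k, v in records if k == "GNU.sparse.numbytes"]
    counts = [int(v) for k, v in records if k == "GNU.sparse.numblocks"]
    if len(offsets) != len(lengths):
        raise PaxError("unpaired GNU.sparse.offset / GNU.sparse.numbytes records")
    if counts and counts[-1] != len(offsets):
        raise PaxError(f"GNU.sparse.numblocks={counts[-1]} but {len(offsets)} blocks present")
    return list(zip(offsets, lengths))


def header_is_safe(body: bytes) -> bool:
    """True if the header parses and its sparse map is self-consistent."""
    try:
        check_sparse_map(parse_pax_records(body))
    except PaxError:
        return False
    return True


def pax_record(key: str, value: str) -> bytes:
    """Encode one record; the length field includes its own digits."""
    rest = f" {key}={value}\n".encode("utf-8")
    total = len(rest) + 1
    while len(str(total)) + len(rest) != total:
        total += 1
    return str(total).encode("ascii") + rest


# Constructed sample: a well-formed header for a two-block sparse file.
GOOD_HEADER = b"".join([
    pax_record("path", "sparse.bin"),
    pax_record("GNU.sparse.numblocks", "2"),
    pax_record("GNU.sparse.offset", "0"), pax_record("GNU.sparse.numbytes", "512"),
    pax_record("GNU.sparse.offset", "4096"), pax_record("GNU.sparse.numbytes", "512"),
    pax_record("GNU.sparse.size", "8192"),
])

# Constructed malformed headers; each must be rejected, not passed on.
BAD_HEADERS = {
    "length overruns buffer": b"99 path=x\n",
    "zero length": b"0 path=x\n",
    "non-numeric length": b"xx path=x\n",
    "missing '='": b"8 pathx\n",
    "no trailing newline": b"9 path=xy",
    "trailing garbage": b"10 path=x\nZ",
    "block count mismatch": pax_record("GNU.sparse.numblocks", "3")
    + pax_record("GNU.sparse.offset", "0") + pax_record("GNU.sparse.numbytes", "512"),
}

if __name__ == "__main__":
    print("good header ->", check_sparse_map(parse_pax_records(GOOD_HEADER)))
    for name, body in BAD_HEADERS.items():
        print(f"{name:24s} -> safe={header_is_safe(body)}")
```

The point for a QA tester is that the fix is in the rejection path: a patched parser turns each of the malformed shapes above into an error return, while the pre-fix behaviour described in the advisory is a crash on a NULL pointer. Functional create/extract/list tests as in the comments below exercise the well-formed path and cannot distinguish the two on their own.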

Comment 3 Brian Rockwell 2019-05-06 19:30:29 CEST
$ uname -a
Linux localhost.localdomain 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 11:27:34 UTC 2019 i686 i686 i686 GNU/Linux

$ tar --version
tar (GNU tar) 1.31
Copyright (C) 2019 Free Software Foundation, Inc.

- created a tarball
- extracted it to a separate folder
- extracted individual file to separate folder


I didn't hit the security issue, but the utility is working.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => brtians1

Comment 4 PC LX 2019-05-07 17:24:52 CEST
Installed and tested without issues.

Tested by creating new tarballs with various compressors. Also tested, extracted and listed existing tarballs.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tar
tar-1.31-1.1.mga6

CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 5 Thomas Andrews 2019-05-07 20:06:32 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 10:01:27 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-05-12 11:37:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0164.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

