openSUSE has issued an advisory on April 18:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00148.html

The issue is fixed upstream in 1.32.
Assigning to our registered tar maintainer. CC'ing kekepower, because he pushed the most recent security update for tar in Mga6
CC: (none) => marja11, smelror
Assignee: bugsquad => shlomif
Advisory
========

Tar has been updated to fix CVE-2019-9923.

CVE-2019-9923: pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

References
==========

https://lists.opensuse.org/opensuse-updates/2019-04/msg00148.html
https://nvd.nist.gov/vuln/detail/CVE-2019-9923

Files
=====

Uploaded to core/updates_testing

tar-1.31-1.1.mga6

from tar-1.31-1.1.mga6.src.rpm
Assignee: shlomif => qa-bugs
CVE: (none) => CVE-2019-9923
$ uname -a
Linux localhost.localdomain 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 11:27:34 UTC 2019 i686 i686 i686 GNU/Linux
$ tar --version
tar (GNU tar) 1.31
Copyright (C) 2019 Free Software Foundation, Inc.

- created a tarball
- extracted it to a separate folder
- extracted individual file to separate folder

I didn't hit the security issue, but the utility is working.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => brtians1
Installed and tested without issues.

Tested by creating new tarballs with various compressors. Also test, extract, list existing tarballs.

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tar
tar-1.31-1.1.mga6
CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0164.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED