openSUSE has issued an advisory on April 18:
The issue is fixed upstream in 1.32.
Assigning to our registered tar maintainer.
CC'ing kekepower, because he pushed the most recent security update for tar in Mga6.
Tar has been updated to fix CVE-2019-9923.
CVE-2019-9923: pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
Uploaded to core/updates_testing
$ uname -a
Linux localhost.localdomain 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 11:27:34 UTC 2019 i686 i686 i686 GNU/Linux
$ tar --version
tar (GNU tar) 1.31
Copyright (C) 2019 Free Software Foundation, Inc.
- created a tarball
- extracted it to a separate folder
- extracted individual file to separate folder
I didn't hit the security issue, but the utility is working.
Installed and tested without issues.
Tested by creating new tarballs with various compressors. Also tested, extracted and listed existing tarballs.
System: Mageia 6, x86_64, Intel CPU.
$ uname -a
Linux marte 4.14.116-desktop-1.mga6 #1 SMP Sat May 4 08:34:09 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tar
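The QA steps the testers describe (create a tarball, list and test it, extract it whole, extract a single file), as an added shell example that is not part of this bug thread. It goes one step further than the runs above by archiving a sparse file in pax format, so that the extended-header sparse decoder named in the CVE is exercised on well-formed input. The function name is hypothetical; the input file is constructed.

```shell
#!/bin/sh
# Added QA helper: round-trips a sparse file through a pax-format
# archive so that tar's pax sparse-header decoder (the code path
# named in CVE-2019-9923) runs on well-formed input.
# Returns 0 on success, 1 on any failure. Hypothetical helper name.

check_sparse_roundtrip() {
    # Only GNU tar writes GNU.sparse.* pax records; skip elsewhere.
    if ! tar --version 2>/dev/null | grep -q 'GNU tar'; then
        echo "skip: GNU tar not found"
        return 0
    fi
    work=$(mktemp -d) || return 1
    status=1
    mkdir -p "$work/src" "$work/all" "$work/one" || return 1

    # Constructed input: a 4 MiB hole between two short data runs.
    printf 'head' > "$work/src/sparse.bin"
    truncate -s 4M "$work/src/sparse.bin"
    printf 'tail' >> "$work/src/sparse.bin"

    # 1. create a tarball (pax format, sparse handling on)
    if tar --sparse --format=posix -C "$work/src" -cf "$work/t.tar" sparse.bin &&
       # the archive must carry a version-1.0 sparse extended header
       grep -a -q 'GNU.sparse.major=1' "$work/t.tar" &&
       # 2. list and test it
       tar -tvf "$work/t.tar" > /dev/null &&
       # 3. extract everything to one folder
       tar -xf "$work/t.tar" -C "$work/all" &&
       # 4. extract the individual file to another folder
       tar -xf "$work/t.tar" -C "$work/one" sparse.bin &&
       # 5. both copies must match the original byte for byte
       [ "$(cksum < "$work/src/sparse.bin")" = "$(cksum < "$work/all/sparse.bin")" ] &&
       [ "$(cksum < "$work/src/sparse.bin")" = "$(cksum < "$work/one/sparse.bin")" ]
    then
        status=0
    fi
    rm -rf "$work"
    return $status
}

check_sparse_roundtrip && echo "sparse pax round-trip OK"
```

Run it against the updated package; a non-zero exit points at the step that failed, since each tar invocation prints its own error.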
Validating. Advisory in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.