Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 681728 (CVE-2019-9923) - <app-arch/tar-1.32: null-pointer dereference in pax_decode_header in sparse.c
Summary: <app-arch/tar-1.32: null-pointer dereference in pax_decode_header in sparse.c
Status: RESOLVED FIXED
Alias: CVE-2019-9923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [cve glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-25 11:35 UTC by Agostino Sarubbo
Modified: 2019-04-08 06:58 UTC (History)
1 user (show)

See Also:
Package list:
app-arch/tar-1.32
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2019-03-25 11:35:37 UTC 
From ${URL} :

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended 
headers.

Reference:
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241

Upstream commit:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-25 15:13:57 UTC 
amd64 stable
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-25 21:13:27 UTC 
amd64 stable
Comment 3 Rolf Eike Beer archtester 2019-03-25 21:42:50 UTC 
sparc stable
Comment 4 Rolf Eike Beer archtester 2019-03-27 19:30:40 UTC 
hppa stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:46:48 UTC 
x86 stable
Comment 6 Matt Turner gentoo-dev 2019-03-29 04:38:35 UTC 
ppc/ppc64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-30 19:00:26 UTC 
arm stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 06:23:28 UTC 
New GLSA Request filed.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:51:07 UTC 
s390 stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:44:30 UTC 
ia64 stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2019-04-08 04:32:15 UTC 
arm64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:54:56 UTC 
alpha stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:55:17 UTC 
m68k stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:55:36 UTC 
sh stable
Comment 15 Larry the Git Cow gentoo-dev 2019-04-08 06:57:55 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f24827067ff6f59cd0290e37b36efed2f9c4c84

commit 0f24827067ff6f59cd0290e37b36efed2f9c4c84
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2019-04-08 06:57:38 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2019-04-08 06:57:38 +0000

    app-arch/tar: Security cleanup
    
    Closes: https://bugs.gentoo.org/681728
    Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 app-arch/tar/Manifest                              |  1 -
 .../tar-1.31-remove-erroneous-abort-call.patch     | 33 ---------
 app-arch/tar/tar-1.31-r1.ebuild                    | 81 ----------------------
 3 files changed, 115 deletions(-)