GNU tar vulnerability could lead to application crash
CVE-2023-39804

6.2MEDIUM

Key Information:

Vendor

GNU
Status
Tar
Vendor
CVE Published:
27 March 2024

What is CVE-2023-39804?

In versions of GNU Tar prior to 1.35, there exists a vulnerability that arises from the improper handling of extension attributes in PAX archives. This flaw in the xheader.c file can lead to application crashes, posing a risk to system stability and data integrity. Maliciously crafted PAX archives may exploit this vulnerability, emphasizing the importance of updating to the latest version to mitigate potential threats.

References

https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339...
https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheade...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2023-39804 : GNU tar vulnerability could lead to application crash