CVE-2019-9923

CWE-476 — NULL Pointer Dereference10 documents8 sources

Severity

7.5HIGH

EPSS

0.4%

top 39.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU TAR Opensuse Leap

Timeline

PublishedMar 22

Latest updateMay 13

Description

pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDgnu/tar< 1.32

▶Debiantar< 1.32+dfsg-1+3

▶NVDopensuse/leap15.0

Patches

Patch: git.savannah.gnu.org ↗Patch: bugs.launchpad.net ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-mg5f-88x3-g9cw: pax_decode_header in sparse↗2022-05-13

▶

OSV

tar vulnerabilities↗2021-01-13

▶

OSV

CVE-2019-9923: pax_decode_header in sparse↗2019-03-22

▶

CVEList

CVE-2019-9923: pax_decode_header in sparse↗2019-03-22

▶

📋Vendor Advisories

Ubuntu

tar vulnerabilities↗2021-01-13

▶

Red Hat

tar: null-pointer dereference in pax_decode_header in sparse.c↗2019-01-02

▶

Debian

CVE-2019-9923: tar - pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer derefere...↗2019

▶

💬Community

Bugzilla

CVE-2019-9923 tar: null-pointer dereference in pax_decode_header in sparse.c [fedora-all]↗2019-03-22

▶

Bugzilla

CVE-2019-9923 tar: null-pointer dereference in pax_decode_header in sparse.c↗2019-03-22

▶