CVE-2023-39804

In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.2 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
6.2 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
VendorProductVersion
gnutar
𝑥
< 1.35
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tar
bullseye
1.34+dfsg-1+deb11u1
fixed
bookworm
1.34+dfsg-1.2+deb12u1
fixed
sid
1.35+dfsg-3.1
fixed
trixie
1.35+dfsg-3.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tar
mantic
Fixed 1.34+dfsg-1.2ubuntu1.1
released
lunar
Fixed 1.34+dfsg-1.2ubuntu0.2
released
jammy
Fixed 1.34+dfsg-1ubuntu0.1.22.04.2
released
focal
Fixed 1.30+dfsg-7ubuntu0.20.04.4
released
bionic
Fixed 1.29b-2ubuntu0.4+esm1
released
xenial
Fixed 1.28-2.1ubuntu0.2+esm3
released
trusty
Fixed 1.27.1-1ubuntu0.1+esm4
released
References
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723
https://lists.debian.org/debian-lts-announce/2024/03/msg00008.html