Bugzilla – Bug 1130496
VUL-1: CVE-2019-9923: tar: null-pointer dereference in pax_decode_header in sparse.c
Last modified: 2022-05-05 19:17:56 UTC
rh#1691764 pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.

Reference: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241

Upstream commit: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1691764
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9923
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9923.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9923
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
http://savannah.gnu.org/bugs/?55369
tracking these codestreams as affected:
- SUSE:SLE-11:Update
- SUSE:SLE-12:Update
- SUSE:SLE-15:Update

Not affected, because of missing code:
- SUSE:SLE-10-SP3:Update
| Codestream       | Request      |
|------------------|--------------|
| SLE10SP3         | not affected |
| SLE11            | 188644       |
| SLE12            | 188643       |
| SLE15            | 188642       |
| openSUSE:Leap    | via SLE      |
| openSUSE:Factory | 688646       |

We are done here, I'm reassigning it back to the security team.
SUSE-SU-2019:0926-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120610,1130496
CVE References: CVE-2018-20482,CVE-2019-9923
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): tar-1.30-3.3.2
SUSE Linux Enterprise Module for Basesystem 15 (src): tar-1.30-3.3.2

NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1237-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120610,1130496
CVE References: CVE-2018-20482,CVE-2019-9923
Sources used:
openSUSE Leap 15.0 (src): tar-1.30-lp150.7.1
SUSE-SU-2019:14215-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1120610,1130496,1152736
CVE References: CVE-2018-20482,CVE-2019-9923
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): tar-1.27.1-14.8.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): tar-1.27.1-14.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tar-1.27.1-14.8.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): tar-1.27.1-14.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2806-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120610,1130496
CVE References: CVE-2018-20482,CVE-2019-9923
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): tar-1.27.1-15.6.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
SUSE-SU-2022:1548-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1029961,1120610,1130496,1181131
CVE References: CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Micro 5.2 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Micro 5.1 (src): tar-1.34-150000.3.12.1
SUSE Linux Enterprise Micro 5.0 (src): tar-1.34-150000.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.