NULL dereference when decompressing specially crafted archives

Bug #1810241 reported by Daniel Axtens on 2019-01-02
Affects: tar (Ubuntu)

Bug Description


Fuzzing tar with checksums disabled reveals a NULL pointer dereference when parsing certain archives that have malformed extended headers. This affects tar from (at least) Trusty, Bionic and Cosmic. I haven't tested Xenial's version.

A test case with fixed checksums is attached. To avoid breaking anything that looks inside tar archives, I have converted it to text with xxd. To reproduce:

$ xxd -r gnutar-crash.tar.txt gnutar-crash.tar
$ tar Oxf gnutar-crash.tar
tar: Ignoring unknown extended header keyword 'GNU.sparse.minTr'
tar: Malformed extended header: missing length
Segmentation fault (core dumped)

I have also attached a patch against the latest upstream git and against 1.30 (in Cosmic). This fixes the issue by detecting the null result before it is dereferenced.
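
The "Malformed extended header: missing length" message in the reproduction refers to the pax record format, in which every extended header record is "<length> <keyword>=<value>" followed by a newline. The Python pre-check below is an added example, not part of the original report or of tar's code: it walks an archive and reports malformed extended header records and truncated member data before the file is handed to an extractor. The function names and the sample archive are constructed for illustration.

```python
import io
import tarfile

BLOCK = 512

def check_pax_records(payload):
    """Validate b"<len> <keyword>=<value>\\n" records; return a list of problems."""
    problems, pos = [], 0
    while pos < len(payload):
        sp = payload.find(b" ", pos)
        digits = payload[pos:sp] if sp != -1 else b""
        if not digits.isdigit():
            problems.append(f"record at {pos}: missing length")
            break  # cannot resynchronise without a length
        length = int(digits)  # counts the whole record, length field included
        record = payload[pos:pos + length]
        if length <= len(digits) + 1 or len(record) < length:
            problems.append(f"record at {pos}: length {length} out of range")
            break
        if not record.endswith(b"\n") or b"=" not in record[len(digits) + 1:]:
            problems.append(f"record at {pos}: not 'keyword=value' plus newline")
        pos += length
    return problems

def scan_tar(buf):
    """Walk 512-byte headers until the zero block; check each pax header ('x'/'g')."""
    problems, off = [], 0
    while len(hdr := buf[off:off + BLOCK]) == BLOCK and any(hdr):
        try:
            size = int(hdr[124:136].rstrip(b" \0") or b"0", 8)
        except ValueError:
            problems.append(f"header at {off}: non-octal size field")
            break
        data = buf[off + BLOCK:off + BLOCK + size]
        if len(data) < size:
            problems.append(f"header at {off}: archive ends inside member data")
        if hdr[156:157] in (b"x", b"g"):
            problems += [f"header at {off}: {p}" for p in check_pax_records(data)]
        off += BLOCK + -(-size // BLOCK) * BLOCK  # data is padded to whole blocks
    return problems

def build_sample(corrupt=False):
    """Constructed input: a one-member pax archive, optionally with a damaged record."""
    out, info = io.BytesIO(), tarfile.TarInfo("hello.txt")
    info.pax_headers = {"comment": "constructed sample"}
    with tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as tf:
        tf.addfile(info)
    data = out.getvalue()
    return data[:BLOCK] + b"zz" + data[BLOCK + 2:] if corrupt else data
```

The check does not verify header checksums, and it reports GNU base-256 size fields as non-octal rather than decoding them.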


Seth Arnold (seth-arnold) wrote :

Hello Daniel, very nice.

Have you reported this issue upstream yet?


Daniel Axtens (daxtens) wrote :

Hi Seth,

I've just learned how to navigate Savannah and reported it. I will let you know if/when they reply.


Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Daniel Axtens (daxtens) wrote :

The tar maintainers have disclosed the issue via the commit, so that sounds fine to me.

information type: Private Security → Public Security

The attachment "patch against git head" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

Use CVE-2019-9923.


Changed in tar (Ubuntu):
status: New → Triaged
Changed in tar (Ubuntu):
importance: Undecided → High