So I managed to create a tar file with an extended attribute name of length of ~ 999936 bytes long (the largest I can do without exceeding the existing check on maximum extended header lengths it seems) but this is not able to trigger the vuln - so if you are able to share your PoC that would be great.
So I managed to create a tar file with an extended attribute name of length of ~ 999936 bytes long (the largest I can do without exceeding the existing check on maximum extended header lengths it seems) but this is not able to trigger the vuln - so if you are able to share your PoC that would be great.