A stack overflow exists in GNU Tar up to and including 1.34. The issue is in xattr_decoder() in xheader.c. It occurs when tar reads an archive containing an xattr whose key is a longer string than alloca() can allocate on the stack.
xattr_decoder() does not check the key size before calling alloca(). Attached to this report is a PoC file "atest1.tar.zip".
<<attachment: atest1.zip>>
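
The pattern described in this report, next to a bounded heap-based alternative, as an added example that is not GNU tar source code and not part of the original report. The function names, the MAX_KEY_LEN cap and the sample keys are assumptions made up for illustration.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example only; not a GNU tar constant. */
#define MAX_KEY_LEN 4096

/* Pattern from the report: the stack allocation is sized by the length of
   a string taken from the archive, with no upper bound checked first. */
static size_t copy_key_on_stack(const char *keyword)
{
    size_t len = strlen(keyword);
    char *key = alloca(len + 1);   /* grows the stack by len + 1 bytes */
    memcpy(key, keyword, len + 1);
    return strlen(key);
}

/* Hardened form: reject oversized keys and copy onto the heap, so a large
   key becomes an error return instead of running past the stack limit.
   Returns NULL on an oversized key or allocation failure; caller frees. */
static char *copy_key_on_heap(const char *keyword, size_t max_len)
{
    const char *end = memchr(keyword, '\0', max_len + 1);
    if (end == NULL)
        return NULL;               /* no terminator within max_len bytes */
    size_t len = (size_t)(end - keyword);
    char *key = malloc(len + 1);
    if (key == NULL)
        return NULL;
    memcpy(key, keyword, len + 1);
    return key;
}

int main(void)
{
    /* Constructed input: a 1 MiB key, far larger than the cap. */
    size_t big = (size_t)1 << 20;
    char *long_key = malloc(big + 1);
    if (long_key == NULL)
        return 1;
    memset(long_key, 'A', big);
    long_key[big] = '\0';
    char *ok = copy_key_on_heap("SCHILY.xattr.user.test", MAX_KEY_LEN);
    char *rejected = copy_key_on_heap(long_key, MAX_KEY_LEN);
    printf("stack copy length: %zu\n", copy_key_on_stack("user.test"));
    printf("short key: %s\n", ok ? ok : "(rejected)");
    printf("1 MiB key: %s\n", rejected ? "accepted" : "rejected");
    free(ok); free(rejected); free(long_key);
    return 0;
}
```

The stack-based function is only ever called with a short constructed key here; the oversized key is passed to the bounded function alone.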