So I managed to create a tar file with an extended attribute name
~999936 bytes long (the largest I can do without exceeding the
existing check on maximum extended header lengths, it seems), but this
is not able to trigger the vuln - so if you are able to share your PoC
that would be great.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tar in Ubuntu.
https://bugs.launchpad.net/bugs/2029464

Title:
  A stack overflow in GNU Tar

Status in tar package in Ubuntu:
  New

Bug description:
  A stack overflow vulnerability exists in GNU Tar up to and including
  v1.34; as far as I can see, Ubuntu is using v1.3.
  The bug exists in the function xattr_decoder() in xheader.c, where
  alloca() is used and it may overflow the stack if a sufficiently long
  xattr key is used. The vulnerability can be triggered when extracting
  a tar/pax archive that contains such a long xattr key.

  Vulnerable code:
  https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723

  PoC tar archive is attached in a zip archive to reduce the size.

  I reported the vulnerability yesterday to GNU Tar maintainers and they
  replied that the issue was fixed in the version that was released two
  weeks ago:

  "Sergey fixed that bug here:

  https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4

  and the fix appears in tar 1.35, released July 18."

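One way to check archives for the condition described in the bug report before extracting them, as an added example that is not part of the report or of GNU Tar: a scanner that walks the pax extended headers and flags `SCHILY.xattr.` keys whose attribute name is longer than 255 bytes. The 255-byte limit (Linux `XATTR_NAME_MAX`) is a policy threshold assumed here, not the length needed to reach the bug, and `build_sample` only creates a constructed test archive.

```python
import io
import tarfile

BLOCK = 512
XATTR_PREFIX = b"SCHILY.xattr."   # pax keyword prefix used for xattrs
XATTR_NAME_MAX = 255              # Linux xattr name limit; assumed policy threshold

def parse_records(body, base):
    """Yield (offset, key, value) for each 'LEN key=value\\n' pax record."""
    i = 0
    while i < len(body):
        sp = body.find(b" ", i)
        if sp < 0 or not body[i:sp].isdigit():
            raise ValueError(f"malformed pax record at offset {base + i}")
        rec_len = int(body[i:sp])          # LEN counts the whole record
        rec = body[sp + 1:i + rec_len]
        if i + rec_len > len(body) or not rec.endswith(b"\n"):
            raise ValueError(f"bad pax record length at offset {base + i}")
        key, _, value = rec[:-1].partition(b"=")
        yield base + i, key, value
        i += rec_len

def find_long_xattr_keys(data, limit=XATTR_NAME_MAX):
    """Return [(offset, key_len)] for xattr keys whose name exceeds limit."""
    hits, pos = [], 0
    while pos + BLOCK <= len(data):
        hdr = data[pos:pos + BLOCK]
        if hdr == bytes(BLOCK):            # end-of-archive marker
            break
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        if hdr[156:157] in (b"x", b"g"):   # per-file or global extended header
            body = data[pos + BLOCK:pos + BLOCK + size]
            for off, key, _ in parse_records(body, pos + BLOCK):
                name_len = len(key) - len(XATTR_PREFIX)
                if key.startswith(XATTR_PREFIX) and name_len > limit:
                    hits.append((off, len(key)))
        pos += BLOCK + -(-size // BLOCK) * BLOCK   # header + padded payload
    return hits

def build_sample(name_len):
    """Constructed test archive: one empty file carrying one xattr record."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        ti = tarfile.TarInfo("file.txt")
        ti.pax_headers = {"SCHILY.xattr.user." + "a" * name_len: "v"}
        tf.addfile(ti)
    return buf.getvalue()
```

Call `find_long_xattr_keys(open(path, "rb").read())` on an uncompressed archive; a non-empty result means the archive should be rejected or extracted only with tar 1.35 or later.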