CVE-2019-9923
Description
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
15- osv-coords13 versionspkg:rpm/opensuse/tar&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/tar&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/tar&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Micro%205.0pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tar&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
< 1.30-lp150.7.1+ 12 more
- (no CPE)range: < 1.30-lp150.7.1
- (no CPE)range: < 1.34-150000.3.12.1
- (no CPE)range: < 1.34-2.2
- (no CPE)range: < 1.34-150000.3.12.1
- (no CPE)range: < 1.34-150000.3.12.1
- (no CPE)range: < 1.34-150000.3.12.1
- (no CPE)range: < 1.30-3.3.2
- (no CPE)range: < 1.34-150000.3.12.1
- (no CPE)range: < 1.27.1-14.8.1
- (no CPE)range: < 1.34-150000.3.12.1
- (no CPE)range: < 1.27.1-14.8.1
- (no CPE)range: < 1.27.1-15.6.3
- (no CPE)range: < 1.27.1-15.6.3
Patches
Vulnerability mechanics
Root cause
"Missing NULL check after find_next_block() in pax_decode_header allows NULL pointer dereference on malformed archives"
Attack vector
An attacker crafts a malformed archive whose extended headers trigger a code path in `pax_decode_header` where `find_next_block()` returns NULL, causing a NULL pointer dereference [ref_id=1]. The issue arises in two locations within the function: one via the `COPY_BUF` macro loop and another in the direct call for decoding, both lacking a NULL check after seeking the next block [CWE-476]. No authentication or special privileges are needed; the attacker only needs to supply the crafted archive to GNU Tar's extraction routine. The crash occurs during parsing of the sparse header data, before any payload data is processed, making it a simple denial-of-service vector.
What the fix does
The patch adds two `if (!blk) FATAL_ERROR(...)` checks in `src/sparse.c` `pax_decode_header` after calls to `find_next_block()` [ref_id=1]. The first check guards the `b = find_next_block()` inside the `COPY_BUF` macro loop; the second guards the direct `blk = find_next_block()` call. Without these checks, when `find_next_block()` returns NULL at end-of-archive, the subsequent dereference `b->buffer` or `blk->buffer` triggers a NULL pointer dereference. The fix converts this undefined behavior into a controlled fatal error with a diagnostic message.
Preconditions
- inputThe user must run GNU Tar on a crafted archive with malformed extended headers that cause find_next_block to return NULL
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.htmlmitrevendor-advisoryx_refsource_SUSE
- git.savannah.gnu.org/cgit/tar.git/commit/mitrex_refsource_MISC
- bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241mitrex_refsource_MISC
- lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Emitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.