CVE-2019-9923 - NULL Pointer Dereference vulnerability in multiple products
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | HIGH |

Summary
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Gnu | 39 |
OS | | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2019-1_0-0228_TAR.NASL
description: An update of the tar package has been released.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 124868
published: 2019-05-14
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124868
title: Photon OS 1.0: Tar PHSA-2019-1.0-0228

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1347.NASL
description: According to the version of the tar package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - tar: null-pointer dereference in pax_decode_header in sparse.c.(CVE-2019-9923) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2019-05-06
plugin id: 124633
published: 2019-05-06
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124633
title: EulerOS 2.0 SP5 : tar (EulerOS-SA-2019-1347)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-1237.NASL
description: This update for tar fixes the following issues : Security issues fixed : - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 124188
published: 2019-04-19
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124188
title: openSUSE Security Update : tar (openSUSE-2019-1237)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1600.NASL
description: According to the version of the tar package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - tar: null-pointer dereference in pax_decode_header in sparse.c.(CVE-2019-9923) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2019-05-29
plugin id: 125527
published: 2019-05-29
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125527
title: EulerOS 2.0 SP2 : tar (EulerOS-SA-2019-1600)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2019-0926-1.NASL
description: This update for tar fixes the following issues : Security issues fixed : CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). CVE-2018-20482: Fixed a denial of service when the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 123995
published: 2019-04-11
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/123995
title: SUSE SLED15 / SLES15 Security Update : tar (SUSE-SU-2019:0926-1)

NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2019-2_0-0154_TAR.NASL
description: An update of the tar package has been released.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 125080
published: 2019-05-15
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125080
title: Photon OS 2.0: Tar PHSA-2019-2.0-0154

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1624.NASL
description: According to the version of the tar package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.(CVE-2019-9923) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 125576
published: 2019-05-30
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125576
title: EulerOS Virtualization for ARM 64 3.0.2.0 : tar (EulerOS-SA-2019-1624)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1601.NASL
description: According to the version of the tar package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - tar: null-pointer dereference in pax_decode_header in sparse.c.(CVE-2019-9923) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-05-06
modified: 2019-05-29
plugin id: 125528
published: 2019-05-29
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125528
title: EulerOS 2.0 SP3 : tar (EulerOS-SA-2019-1601)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1366.NASL
description: According to the version of the tar package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.(CVE-2019-9923) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 124744
published: 2019-05-10
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/124744
title: EulerOS Virtualization 2.5.3 : tar (EulerOS-SA-2019-1366)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1608.NASL
description: According to the version of the tar package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.(CVE-2019-9923) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 125560
published: 2019-05-30
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125560
title: EulerOS Virtualization 3.0.1.0 : tar (EulerOS-SA-2019-1608)
References
- https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
- http://savannah.gnu.org/bugs/?55369
- http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E