{"id":"CVE-2023-39804","details":"In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.","modified":"2026-03-20T12:34:18.544102Z","published":"2024-03-27T04:15:08.897Z","related":["SUSE-SU-2024:0070-1","SUSE-SU-2024:0070-2","SUSE-SU-2024:0071-1","openSUSE-SU-2024:13751-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00008.html"},{"type":"WEB","url":"https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34#n1723"},{"type":"FIX","url":"https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4"},{"type":"ARTICLE","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://cgit.git.savannah.gnu.org/cgit/tar.git","events":[{"introduced":"0"},{"fixed":"a339f05cd269013fa133d2f148d73f6f7d4247e4"}]},{"type":"GIT","repo":"https://git.savannah.gnu.org/git/tar.git/","events":[{"introduced":"0"},{"fixed":"e545d446dfe6564265cdf4186641ee76f4acc7fa"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.35"}]}}],"versions":["alpha_1_13_93","alpha_1_15_90","alpha_1_15_90_incremental_1","alpha_1_15_91","old","release_1_14","release_1_15","release_1_15_1","release_1_16","release_1_16_1","release_1_17","release_1_18","release_1_19","release_1_20","release_1_21","release_1_22","release_1_23","release_1_24","release_1_25","release_1_26","release_1_27","release_1_27_1","release_1_28","release_1_29","release_1_30","release_1_31","release_1_32","release_1_33"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39804.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}