CVE-2023-39804 Overview
CVE-2023-39804 is a denial of service vulnerability affecting GNU tar versions prior to 1.35. The vulnerability exists in the handling of extension attributes within PAX archives, where mishandled attributes can lead to an application crash in the xheader.c source file. This vulnerability can be exploited locally to cause GNU tar to crash when processing specially crafted PAX archive files.
Critical Impact
Attackers can cause GNU tar to crash by providing maliciously crafted PAX archives with malformed extension attributes, potentially disrupting backup operations, automated scripts, and system administration tasks that rely on tar functionality.
Affected Products
- GNU tar versions prior to 1.35
Discovery Timeline
- 2024-03-27 - CVE-2023-39804 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-39804
Vulnerability Analysis
This vulnerability stems from improper handling of extension attributes when processing PAX (POSIX.1-2001) archive format files. PAX archives support extended header records that store metadata as key-value pairs, including file attributes that cannot be represented in traditional tar formats. The vulnerability is located in the xheader.c file, which is responsible for parsing and processing these extended headers.
When GNU tar encounters a PAX archive with malformed or specially crafted extension attributes, the parsing logic in xheader.c fails to properly validate input, leading to a crash condition. This represents an input validation vulnerability that affects the availability of the application without impacting confidentiality or integrity of data.
Root Cause
The root cause lies in insufficient validation of extension attribute data within the xheader.c parsing routines. When processing PAX extended headers, the code does not properly handle certain malformed attribute values, leading to unexpected program termination. The vulnerable code path is triggered during the extraction or listing of PAX archives containing crafted extension attributes.
Attack Vector
The attack requires local access to the system and involves providing a maliciously crafted PAX archive to GNU tar for processing. Several scenarios are possible.
The vulnerability is triggered when a user extracts, lists, or otherwise processes a PAX archive containing malformed extension attributes, whether through direct command-line usage, automated backup scripts, or package extraction operations. Because the attack vector is local, the attacker would need to either place the malicious archive on the target system or convince a user to process an attacker-controlled archive.
The GNU Tar Source Code Reference provides details on the vulnerable code section in the xheader.c file at line 1723 of the release_1_34 branch.
Detection Methods for CVE-2023-39804
Indicators of Compromise
- Unexpected GNU tar crashes or core dumps when processing PAX format archives
- Error messages referencing xheader.c in tar application logs or system logs
- Repeated tar process terminations during automated backup or extraction operations
- Presence of suspicious .tar or .pax archives with unusual extension attribute structures
Detection Strategies
- Monitor system logs for repeated tar process crashes, particularly those occurring during archive extraction operations
- Implement file integrity monitoring on systems where tar is used for automated processing to detect anomalous archive files
- Use process monitoring tools to track tar execution and flag unexpected terminations
- Review package management and backup logs for patterns of failed archive operations
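The crash indicators above turned into a log scan, as an added example that is not from the advisory or from GNU tar: it matches kernel segfault reports for tar, systemd-coredump entries and messages naming xheader.c, counts each crashed PID once, and alerts when several distinct tar processes crash inside a sliding window. The syslog excerpt, the log formats of the wrapper script and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not real logs): two kernel segfault reports
# for tar, their systemd-coredump entries, a wrapper-script line mentioning
# xheader.c, and one unrelated successful backup line.
SAMPLE_LOG = """\
Mar 27 02:10:01 backup01 CRON[2211]: (root) CMD (/usr/local/bin/nightly-backup.sh)
Mar 27 02:10:03 backup01 kernel: tar[2214]: segfault at 0 ip 000055d1c3a4e7b3 sp 00007ffd1c2e3a40 error 4 in tar[55d1c3a2a000+3b000]
Mar 27 02:10:03 backup01 systemd-coredump[2215]: Process 2214 (tar) of user 0 dumped core.
Mar 27 02:11:00 backup01 nightly-backup.sh[2230]: finished extracting vendor-data.tar
Mar 27 02:12:07 backup01 kernel: tar[2240]: segfault at 0 ip 000055d1c3a4e7b3 sp 00007ffd1c2e3a40 error 4 in tar[55d1c3a2a000+3b000]
Mar 27 02:12:07 backup01 systemd-coredump[2241]: Process 2240 (tar) of user 0 dumped core.
Mar 27 02:13:11 backup01 nightly-backup.sh[2250]: tar[2250]: aborted in xheader.c (constructed stderr capture)
"""

SYSLOG_LINE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
INDICATORS = {
    "segfault": re.compile(r"kernel: g?tar\[(\d+)\]: segfault"),
    "coredump": re.compile(r"systemd-coredump\[\d+\]: Process (\d+) \(g?tar\) .*dumped core"),
    "xheader": re.compile(r"\bg?tar\[(\d+)\]: .*\bxheader\.c\b"),
}

def find_tar_crashes(log_text: str) -> list:
    """Return (timestamp, indicator, pid) for every line matching a crash indicator."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
        for name, pattern in INDICATORS.items():
            hit = pattern.search(m.group(2))
            if hit:
                hits.append((ts, name, int(hit.group(1))))
    return hits

def crashed_pids(log_text: str) -> list:
    """Distinct tar PIDs that crashed, so one crash reported twice is counted once."""
    return sorted({pid for _, _, pid in find_tar_crashes(log_text)})

def should_alert(log_text: str, min_crashes: int = 2, window_minutes: int = 5) -> bool:
    """Alert when at least min_crashes distinct tar PIDs crash inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    events = sorted({(ts, pid) for ts, _, pid in find_tar_crashes(log_text)})
    for i, (start, _) in enumerate(events):
        if len({pid for ts, pid in events[i:] if ts - start <= window}) >= min_crashes:
            return True
    return False
```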
Monitoring Recommendations
- Configure application crash reporting to alert on repeated GNU tar failures
- Implement rate limiting or sandboxing for archive processing operations to contain potential DoS conditions
- Monitor disk space usage for core dumps that may indicate exploitation attempts
- Track GNU tar version information across systems to identify unpatched installations
How to Mitigate CVE-2023-39804
Immediate Actions Required
- Upgrade GNU tar to version 1.35 or later on all affected systems
- Audit automated scripts and backup processes that utilize GNU tar for processing untrusted archives
- Implement input validation for archive files before processing with tar, particularly in automated workflows
- Consider using alternative archive utilities for processing untrusted PAX archives until patching is complete
Patch Information
GNU has addressed this vulnerability in GNU tar version 1.35. The fix is available in GNU Tar Commit a339f05, which corrects the extension attribute handling in xheader.c.
For Debian-based systems, security updates are available as documented in the Debian LTS Announcement March 2024. The Debian Bug Report #1058079 provides additional tracking information for Debian distributions.
Workarounds
- Restrict processing of PAX archives from untrusted sources until patching is completed
- Use --format=gnu or --format=ustar options when creating archives to avoid PAX format where possible
- Implement wrapper scripts that validate archive format and source before passing to tar
- Run tar operations in sandboxed environments or containers to limit the impact of crashes on production systems
# Check current GNU tar version
tar --version
# Example: Upgrade tar on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade tar
# Example: Upgrade tar on RHEL/CentOS systems
sudo yum update tar
# Verify tar version after upgrade (should be 1.35 or later)
tar --version | head -1
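A pre-flight validator for the wrapper-script workaround, as an added example that is not from GNU tar or this advisory: it walks the 512-byte tar headers, finds PAX extended headers (typeflag 'x' or 'g') and strictly checks every "<len> key=value\n" record before the archive is handed to an unpatched tar. The sample archives are built inline with Python's tarfile module, and the corrupted length field is a constructed malformation, not the crafted input behind the CVE.

```python
import io
import tarfile

BLOCK = 512  # tar header and data block size

def parse_pax_records(data: bytes) -> dict:
    """Strictly parse '<len> <key>=<value>\\n' records; ValueError on any malformation."""
    records, pos = {}, 0
    while pos < len(data):
        space = data.find(b" ", pos)
        if space == -1 or not data[pos:space].isdigit():
            raise ValueError("record without a valid decimal length field")
        end = pos + int(data[pos:space])  # length counts the digits, space, body and newline
        if end <= space + 1 or end > len(data) or data[end - 1:end] != b"\n":
            raise ValueError("record length does not match the record body")
        key, sep, value = data[space + 1:end - 1].partition(b"=")
        if not sep or not key:
            raise ValueError("record is not of the form key=value")
        records[key.decode("utf-8")] = value.decode("utf-8")
        pos = end
    return records

def inspect_pax_headers(archive: bytes) -> list:
    """Walk the 512-byte headers; return the records of every 'x'/'g' extended header."""
    found, off = [], 0
    while off + BLOCK <= len(archive) and archive[off:off + BLOCK] != b"\0" * BLOCK:
        hdr = archive[off:off + BLOCK]
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)  # octal size field
        if hdr[156:157] in (b"x", b"g"):  # typeflag of a PAX extended / global header
            found.append(parse_pax_records(archive[off + BLOCK:off + BLOCK + size]))
        off += BLOCK * (1 + (size + BLOCK - 1) // BLOCK)  # header + padded data blocks
    return found

def safe_for_unpatched_tar(archive: bytes) -> bool:
    """True when every extension attribute record parses cleanly, False otherwise."""
    try:
        return inspect_pax_headers(archive) is not None
    except ValueError:
        return False

def make_archive(pax: bool, corrupt: bool = False) -> bytes:
    """Constructed sample: one 5-byte file plus a PAX 'comment' record (dropped by GNU format)."""
    buf = io.BytesIO()
    fmt = tarfile.PAX_FORMAT if pax else tarfile.GNU_FORMAT
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tf:
        info = tarfile.TarInfo("sample.txt")
        info.size, info.pax_headers = 5, {"comment": "constructed sample"}
        tf.addfile(info, io.BytesIO(b"hello"))
    data = buf.getvalue()
    # corrupt: make the record's length field claim 99 bytes for a 30-byte record
    return data.replace(b"30 comment=", b"99 comment=", 1) if corrupt else data
```

A wrapper that calls safe_for_unpatched_tar on a file's bytes and only then executes tar covers the "validate archive format and source" workaround above.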
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.