22 matches found
PT-2026-45517
microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw to header function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy to copy...
Unbounded allocation for old GNU sparse in archive/tar
...
Important: libarchive security update
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file...
Improper Handling of Unicode Encoding
Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in Path Reservations via Unicode Sharp-S ß Collisions on macOS APFS. An attacker can overwrite arbitrary files by exploiting Unicode normalization collisions ...
JLSEC-2025-244 Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar i...
Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar in function header_pax_extension at archive_read_support_format_tar.c:1844:8...
RLSA-2025:9431 Moderate: libarchive security update
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file...
RLSA-2025:9420 Moderate: libarchive security update
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file...
Libarchive: off by one error in build_ustar_entry_name() at archive_write_set_format_pax.c
...
SUSE CVE-2024-48615
Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar in function header_pax_extension at archive_read_support_format_tar.c:1844:8...
OESA-2025-1313 libarchive security update
libarchive is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use libarchive. Security...
tar: heap buffer overflow at from_header() in list.c via specially crafted checksum
A flaw was found in the Tar package. When attempting to read files with old V7 tar format with a specially crafted checksum, an invalid memory read may occur. An attacker could possibly use this issue to expose sensitive information or cause a crash...
GHSA-5R98-F33J-G8H7 pnpm incorrectly parses tar archives relative to specification
Summary It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. Details The TAR format is an append-only archive format, and as such, the specification for how to update a...
pnpm incorrectly parses tar archives relative to specification
Summary It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. Details The TAR format is an append-only archive format, and as such, the specification for how to update a...
SUSE CVE-2015-8933
Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file...
GitLab: Local files could be overwritten in GitLab, leading to remote command execution
Summary Arbitrary file overwrite A new feature download a directory of a repository in GitLab 11.11 introduced some changes in ./internal/service/repository/archive.go of Gitaly. go func handleArchivectx context.Context, writer io.Writer, in gitalypb.GetArchiveRequest, compressCmd exec.Cmd, forma...
USN-3351-1 evince vulnerability
Felix Wilhelm discovered that Evince did not safely invoke tar when handling tar comic book cbt files. An attacker could use this to construct a malicious cbt comic book format file that, when opened in Evince, executes arbitrary code. Please note that this update disables support for cbt files i...
Cisco Email Security Appliance Content Filter Bypass Vulnerability
A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass user filters that are configured for an affected device. The vulnerability is due to improper filtering of certain TAR...
PT-2015-7837 · Libarchive +5
Name of the Vulnerable Software and Affected Versions: libarchive versions prior to 3.2.0 Description: The issue allows remote attackers to cause a denial of service out-of-bounds read via a crafted tar file. This is due to a problem in the archive read format tar read header function in archive...
UBUNTU-CVE-2015-8924
The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file...
[SECURITY] Fedora 18 Update: libtar-1.2.11-25.fc18
libtar is a C library for manipulating tar archives. It supports both the strict POSIX tar format and many of the commonly-used GNU extensions...