Report
tar xheader.c: heap overflow risk from strcpy/strcat using getenv-derived buffer
0fae45fc-3c8e-4161-9847-5b7c6d08e2ae
In src/xheader.c, xheader_ghdr_name builds globexthdr_name with strcpy and strcat after allocating a buffer sized strlen(TMPDIR) + strlen(global_header_template) + 1. Using unbounded string functions such as strcpy/strcat ties memory safety to two assumptions: that the inputs contain no embedded NULs and that the template's actual length matches what strlen() reported at allocation time. A crafted environment string can violate those assumptions, leading to a heap buffer overflow (CWE-120/121).