Report

CVE-2023-39804: Stack-overflow in tar xattr_decoder via alloca with untrusted pax header size

dd5fb402-68ff-4099-b58b-366add8984ca

GNU tar's extended header processing contains a stack-overflow vulnerability in the xattr_decoder function. The function calls alloca() to reserve stack memory sized by the 'size' parameter taken from pax extended header records, without validating that value. Since pax headers are untrusted archive content, an attacker can craft a tar archive containing multiple SCHILY.xattr entries or global pax headers with large size values, causing repeated stack allocations that exhaust the stack and trigger a denial of service or potentially code execution.
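As an added example, not GNU tar's code, the following shows the defensive shape of a pax record decoder: the archive-supplied length is checked against the bytes actually present and a fixed cap before anything is allocated, and the copy goes on the heap instead of the stack. The record layout is the pax "<len> keyword=value\n" form; the cap XATTR_VALUE_CAP and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example, not GNU tar's code. A pax extended header record is
   "<len> <keyword>=<value>\n"; <len> counts the whole record and is read from
   the archive, so it is attacker-controlled. Input buffers are assumed to be
   NUL-terminated so strtoull() cannot run past the end. */

#define XATTR_VALUE_CAP (64 * 1024)   /* assumed per-value cap, not tar's */

/* Hardened decoder: the report's bug is alloca(<len>) with no bound. Here the
   declared length is checked against the bytes actually present and a fixed
   cap before any allocation, and the copy lives on the heap.
   Returns a malloc'd copy of the value, or NULL if the record is rejected. */
char *pax_value_checked(const char *rec, size_t avail, size_t *consumed)
{
    char *end;
    unsigned long long declared = strtoull(rec, &end, 10);
    if (end == rec || *end != ' ') return NULL;          /* no "<len> " prefix */
    if (declared == 0 || declared > avail) return NULL;  /* claims more than present */
    const char *kv = end + 1, *stop = rec + declared;    /* stop: one past record */
    if ((size_t)(kv - rec) >= declared) return NULL;     /* nothing after the length */
    if (stop[-1] != '\n') return NULL;                   /* record must end in newline */
    const char *eq = memchr(kv, '=', (size_t)(stop - kv));
    if (!eq) return NULL;
    size_t vlen = (size_t)(stop - 1 - (eq + 1));
    if (vlen > XATTR_VALUE_CAP) return NULL;             /* bounded before allocating */
    char *out = malloc(vlen + 1);
    if (!out) return NULL;
    memcpy(out, eq + 1, vlen);
    out[vlen] = '\0';
    if (consumed) *consumed = (size_t)declared;
    return out;
}

/* Walk every record in a pax header block. Memory use stays bounded per
   record no matter how many SCHILY.xattr entries the archive carries.
   Returns the number of records accepted, or -1 at the first rejected one. */
int pax_count_valid(const char *buf, size_t avail)
{
    int n = 0;
    while (avail > 0) {
        size_t used;
        char *v = pax_value_checked(buf, avail, &used);
        if (!v) return -1;
        free(v);
        buf += used; avail -= used; n++;
    }
    return n;
}
```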
