CVE-2024-57970 — Buffer Over-read in Libarchive

CWE-126 — Buffer Over-read6 documents6 sources

Severity

4.0MEDIUMNVD

EPSS

0.0%

top 96.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Debian Libarchive Msrc Azl3 Cmake 3.30.3-6 ON Azure Linux 3.0 +3 more

Timeline

PublishedFeb 16

Description

libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 2.5 | Impact: 1.4

Affected Packages7 packages

▶Alpinelibarchive/libarchive< 3.7.9-r0+5

▶CVEListV5libarchive/libarchive3.7.7

▶debiandebian/libarchive

▶msrcmsrc/azl3_libarchive_3.7.7-2_on_azure_linux_3.0

▶msrcmsrc/cbl2_libarchive_3.6.1-6_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CVE-2024-57970: libarchive through 3↗2025-02-16

▶

GHSA

GHSA-2q66-6w43-8rm9: libarchive through 3↗2025-02-16

▶

📋Vendor Advisories

Red Hat

libarchive: heap buffer over-read in header_gnu_longlink↗2025-02-16

▶

Microsoft

▶

Debian

CVE-2024-57970: libarchive - libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlin...↗2024

▶