Bug 2282521 (CVE-2024-26256) - CVE-2024-26256 libarchive: Heap based buffer overflow in rar e8 filter
Summary: CVE-2024-26256 libarchive: Heap based buffer overflow in rar e8 filter
Keywords:
Status: NEW
Alias: CVE-2024-26256
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: 2290446 (view as bug list)
Depends On: 2282531 2282527 2282528 2282529 2282530
Blocks: 2282522 CVE-2024-20697
TreeView+ depends on / blocked
 
Reported: 2024-05-22 13:54 UTC by Zack Miele
Modified: 2025-05-13 11:39 UTC (History)
47 users (show)

Fixed In Version: libarchive 3.7.4
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Zack Miele 2024-05-22 13:54:34 UTC 
A heap-based buffer overflow flaw was found in the rar e8 filter in libarchive. An attacker could trick a user into opening a specially crafted rar archive to induce a denial of service or arbitrary code execution in the context of the application using libarchive.

References:
https://github.com/advisories/GHSA-2jc9-36w4-pmqw
https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability

Upstream patch:
https://github.com/libarchive/libarchive/pull/2135
Comment 1 Zack Miele 2024-05-22 14:06:18 UTC 
Created cmake3 tracking bugs for this issue:

Affects: epel-7 [bug 2282528]


Created libarchive tracking bugs for this issue:

Affects: fedora-39 [bug 2282529]
Affects: fedora-40 [bug 2282527]


Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-39 [bug 2282530]
Affects: fedora-40 [bug 2282531]
Comment 5 Lukas Javorsky 2024-06-06 07:08:51 UTC 
*** Bug 2290446 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.