Bug 2345954 (CVE-2024-57970) - CVE-2024-57970 libarchive: heap buffer over-read in header_gnu_longlink [NEEDINFO]
Summary: CVE-2024-57970 libarchive: heap buffer over-read in header_gnu_longlink
Keywords:
Status: NEW
Alias: CVE-2024-57970
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2346148 2346144 2346145 2346146
Blocks:
Reported: 2025-02-16 04:01 UTC by OSIDB Bzimport
Modified: 2025-05-13 16:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
ljavorsk: needinfo? (prodsec-dev)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:7510 0 None None None 2025-05-13 16:01:31 UTC

Description OSIDB Bzimport 2025-02-16 04:01:07 UTC
libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname.
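The description above names the bug class (trusting a GNU long-linkname record's declared length when the archive ends mid-body) but carries no code and does not describe the patch. The following C program is an added illustration, not libarchive's code and not the fix from the linked commit: it builds a constructed GNU 'K' long-linkname record in memory, truncates its body, and contrasts a reader that copies the header-declared size without looking at how many bytes are actually present with one that bounds the copy first. Header offsets (size field at 124, typeflag at 156, 512-byte blocks) follow the ustar layout; the function names, return codes and sample link target are this example's own assumptions, and no header checksum is computed, so the buffer is a test vector for the readers here rather than a valid archive for real tar tools.

```c
/* Added example (not libarchive code): a minimal GNU 'K' long-linkname
 * reader showing the truncation check a tar parser needs before copying
 * the body. All names and return codes are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAR_BLOCK      512
#define TAR_SIZE_OFF   124   /* ustar: 12-byte octal ASCII size field */
#define TAR_TYPE_OFF   156   /* ustar: 1-byte typeflag */
#define GNU_LONGLINK   'K'   /* GNU extension: next entry's linkname */

/* Parse the octal ASCII size field of a ustar/GNU header block. */
static uint64_t tar_parse_size(const unsigned char *hdr)
{
    const unsigned char *p = hdr + TAR_SIZE_OFF;
    uint64_t v = 0;
    size_t n = 12;
    while (n > 0 && (*p == ' ' || *p == '\0')) { p++; n--; }
    while (n > 0 && *p >= '0' && *p <= '7') { v = v * 8 + (*p - '0'); p++; n--; }
    return v;
}

/* Construct a 'K' header followed by `present` bytes of the linkname body.
 * A conforming writer emits the whole body (GNU counts the NUL in size);
 * a file cut off mid-body is the truncation case the CVE text describes.
 * No checksum is written: this is a constructed test vector only. */
size_t build_longlink_record(unsigned char *out, size_t cap,
                             const char *linkname, size_t present)
{
    size_t len = strlen(linkname) + 1;
    if (present > len) present = len;
    if (cap < TAR_BLOCK + present) return 0;
    memset(out, 0, TAR_BLOCK);
    memcpy(out, "././@LongLink", 13);
    snprintf((char *)out + TAR_SIZE_OFF, 12, "%011o", (unsigned)len);
    out[TAR_TYPE_OFF] = GNU_LONGLINK;
    memcpy(out + TAR_BLOCK, linkname, present);
    return TAR_BLOCK + present;
}

/* Over-reading pattern: the declared size is trusted and the body is
 * copied without comparing it to the bytes actually available in `buf`.
 * On a truncated record the memcpy reads past buf_len (heap over-read
 * when `buf` is a heap buffer). Kept here for contrast; not called on
 * truncated input in this program. */
int longlink_read_unchecked(const unsigned char *buf, size_t buf_len,
                            char *out, size_t out_cap)
{
    uint64_t size;
    if (buf_len < TAR_BLOCK || buf[TAR_TYPE_OFF] != GNU_LONGLINK) return -1;
    size = tar_parse_size(buf);
    if (size == 0 || size > out_cap) return -1;   /* bounds `out`, not `buf` */
    memcpy(out, buf + TAR_BLOCK, (size_t)size);
    return (int)size;
}

/* Checked reader: refuse the record when fewer than `size` body bytes
 * exist, before touching the body. Returns size on success, -1 for a
 * malformed header, -2 for a truncated body. */
int longlink_read_checked(const unsigned char *buf, size_t buf_len,
                          char *out, size_t out_cap)
{
    uint64_t size;
    if (buf_len < TAR_BLOCK || buf[TAR_TYPE_OFF] != GNU_LONGLINK) return -1;
    size = tar_parse_size(buf);
    if (size == 0 || size > out_cap) return -1;
    if (size > buf_len - TAR_BLOCK) return -2;    /* truncated mid-linkname */
    memcpy(out, buf + TAR_BLOCK, (size_t)size);
    out[size - 1] = '\0';   /* GNU stores a NUL; force termination regardless */
    return (int)size;
}

/* Sample link target (constructed); long enough to need a 'K' record. */
static const char *kTarget = "../../very/long/link/target/that/needs/a/K/record";

/* Build a record with `present` body bytes and read it with the checked
 * reader; returns that reader's result so callers can inspect it. */
int scenario_checked(size_t present)
{
    unsigned char archive[2 * TAR_BLOCK];
    char name[256];
    size_t n = build_longlink_record(archive, sizeof archive, kTarget, present);
    return longlink_read_checked(archive, n, name, sizeof name);
}

/* Complete record: 1 if the checked reader recovers kTarget exactly. */
int scenario_roundtrip(void)
{
    unsigned char archive[2 * TAR_BLOCK];
    char name[256];
    size_t n = build_longlink_record(archive, sizeof archive, kTarget, strlen(kTarget) + 1);
    if (longlink_read_checked(archive, n, name, sizeof name) < 0) return 0;
    return strcmp(name, kTarget) == 0;
}

int main(void)
{
    printf("complete record:  checked=%d roundtrip=%d\n",
           scenario_checked(strlen(kTarget) + 1), scenario_roundtrip());
    printf("truncated record: checked=%d (unchecked reader would memcpy past the buffer)\n",
           scenario_checked(10));
    return 0;
}
```

The only difference between the two readers is the comparison against `buf_len - TAR_BLOCK`; the declared size bounds the destination in both, but only the checked reader also bounds the source, which is the property a truncated archive violates.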

Comment 2 Lukas Javorsky 2025-02-18 14:17:55 UTC
Hi, is there a reason why this is not reported to Fedora 42 and Fedora Rawhide?

From NVD [1], I found that this commit [2] fixes the CVE, but it affects even the version present in both mentioned Fedora versions.

Could you please create trackers for them as well?

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-57970
[2] https://github.com/libarchive/libarchive/commit/82912103214506316bd9990d73f33d743d55f570

Comment 5 errata-xmlrpc 2025-05-13 16:01:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7510 https://access.redhat.com/errata/RHSA-2025:7510

