2290448 – (CVE-2024-20696) CVE-2024-20696 libarchive: out-of-bounds access in copy_from_lzss_window_to_unp()

Bug 2290448 (CVE-2024-20696) - CVE-2024-20696 libarchive: out-of-bounds access in copy_from_lzss_window_to_unp()

Summary: CVE-2024-20696 libarchive: out-of-bounds access in copy_from_lzss_window_to_u...

Keywords:
Status:	NEW
Alias:	CVE-2024-20696
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2290449
Blocks:	2290447
TreeView+	depends on / blocked

Reported:	2024-06-04 20:25 UTC by Marco Benatto
Modified:	2025-05-13 11:38 UTC (History)
CC List:	45 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-06-04 20:25:43 UTC

Windows Libarchive Remote Code Execution Vulnerability.

References:
https://github.com/libarchive/libarchive/pull/2172
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20696
https://clearbluejar.github.io/posts/patch-tuesday-diffing-cve-2024-20696-windows-libarchive-rce/

Upstream patch:
https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1

Comment 1 Marco Benatto 2024-06-04 20:25:58 UTC

Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 2290449]

Note You need to log in before you can comment on or make changes to this bug.

agarcial
ahrabovs
aoconnor
aprice
asegurap
aucunnin
bdettelb
caswilli
crizzo
dfreiber
dkuc
doconnor
drow
fjansen
hkataria
jburrell
jdobes
jmitchel
jsamir
jsherril
jtanner
jvasik
kaycoth
kholdawa
kshier
lcouzens
ljavorsk
luizcosta
mpierce
mskarbek
mstoklus
nweather
oezr
orabin
psegedy
rblanco
stcannon
sthirugn
teagle
vkrizan
vkumar
vmugicag
xiaoxwan
yguenane
zzhou