Bug 2345954 (CVE-2024-57970) - CVE-2024-57970 libarchive: heap buffer over-read in header_gnu_longlink [NEEDINFO]
Summary: CVE-2024-57970 libarchive: heap buffer over-read in header_gnu_longlink
Keywords:
Status: NEW
Alias: CVE-2024-57970
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2346145 2346148 2346144 2346146
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-16 04:01 UTC by OSIDB Bzimport
Modified: 2025-02-26 14:28 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
ljavorsk: needinfo? (prodsec-dev)


Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-16 04:01:07 UTC
libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname.

Comment 2 Lukas Javorsky 2025-02-18 14:17:55 UTC
Hi, is there a reason why this is not reported to Fedora 42 and Fedora Rawhide?

From NVD [1], I found that this commit [1] fixes the CVE, but it affects even the version present in both mentioned Fedora versions.

Could you please create trackers for them as well?

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-57970
[2] https://github.com/libarchive/libarchive/commit/82912103214506316bd9990d73f33d743d55f570


Note You need to log in before you can comment on or make changes to this bug.