CVE-2024-37407

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-37407

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37407.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-37407

Downstream

ROOT-OS-DEBIAN-12-CVE-2024-37407

Related

CGA-8qpv-pph6-w794

Published

2024-06-08T13:15:58.337Z

Modified

2026-03-14T12:34:40.450096Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator

Summary

[none]

Details

Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurpcentraldirectory in archivereadsupportformatzip.c.

References

Affected packages

Git / github.com/libarchive/libarchive

Affected ranges

Type

GIT

Repo

https://github.com/libarchive/libarchive

Events

Introduced

Last affected

4fcc02d906cca4b9e21a78a833f1142a2689ec52

Fixed

b6a979481b7d77c12fa17bbed94576b63bbcb0c0

Fixed

313aa1fa10b657de791e3202c168a6c833bc3543

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.7.3"
        }
    ]
}

Affected versions

v2.*

v2.6.0

v2.6.1

v2.6.2

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v3.*

v3.0.0a

v3.0.1b

v3.0.2

v3.0.3

v3.0.4

v3.1.0

v3.1.1

v3.1.2

v3.1.900a

v3.1.901a

v3.2.0

v3.2.1

v3.2.2

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.6.1

v3.6.2

v3.7.0

v3.7.1

v3.7.2

v3.7.3

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2024-37407-39a99576",
        "target": {
            "file": "libarchive/archive_read_support_format_zip.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "169510583151600880360681763136394354429",
                "166418436347227073868014082647047719771",
                "66351049021125490625824910797739220536",
                "305798257792280429190797816914595457782"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2024-37407-cf22f438",
        "target": {
            "file": "libarchive/archive_read_support_format_zip.c",
            "function": "slurp_central_directory"
        },
        "digest": {
            "length": 4222.0,
            "function_hash": "136375031937386002894752944749580128560"
        },
        "signature_version": "v1",
        "source": "https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0"
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37407.json"