update: libarchive

Question

dongsupark opened this issue a month ago · comments

Name: libarchive
CVEs: CVE-2024-26256, CVE-2024-37407
CVSSs: 7.8
Action Needed: update to >= 3.7.4

Summary:

CVE-2024-26256: Remote code execution vulnerability, an out-of-bound error in rar e8 filter.
- GHSA-2jc9-36w4-pmqw
- Fix: libarchive/libarchive#2135
CVE-2024-37407: Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c.
- https://bugzilla.redhat.com/show_bug.cgi?id=2292307
- libarchive/libarchive#2145

refmap.gentoo: TBD

Dongsu Park · Answer 1 · Mon Jul 01 2024 22:08:09 GMT+0800 (China Standard Time)