CVE-2024-37407

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-37407
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37407.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-37407
Published
2024-06-08T13:15:58.337Z
Modified
2025-11-15T11:21:03.847946Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
[none]
Details

Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurpcentraldirectory in archivereadsupportformatzip.c.

References

Affected packages

Git / github.com/libarchive/libarchive

Affected ranges

Type
GIT
Repo
https://github.com/libarchive/libarchive
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
313aa1fa10b657de791e3202c168a6c833bc3543
Fixed
b6a979481b7d77c12fa17bbed94576b63bbcb0c0

Affected versions

v2.*

v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5

v3.*

v3.0.0a
v3.0.1b
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.900a
v3.1.901a
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v3.7.1
v3.7.2
v3.7.3

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0",
        "target": {
            "file": "libarchive/archive_read_support_format_zip.c"
        },
        "id": "CVE-2024-37407-39a99576",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "169510583151600880360681763136394354429",
                "166418436347227073868014082647047719771",
                "66351049021125490625824910797739220536",
                "305798257792280429190797816914595457782"
            ]
        }
    },
    {
        "source": "https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0",
        "target": {
            "function": "slurp_central_directory",
            "file": "libarchive/archive_read_support_format_zip.c"
        },
        "id": "CVE-2024-37407-cf22f438",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "function_hash": "136375031937386002894752944749580128560",
            "length": 4222.0
        }
    }
]