Описание
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
A flaw was found in the libarchive package. Affected versions of libarchive do not check a strftime return value, which can lead to a denial of service or unspecified other impacts via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-252: Unchecked Return Value vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Return values from critical operations are consistently evaluated through enforced development standards and automated static analysis, reducing the likelihood of logic flaws or silent failures reaching production. Error-handling routines are integrated into application behavior to ensure that failures are properly logged, traced, and contained, maintaining system stability under fault conditions. Additionally, the platform is designed to respond to errors predictably, preventing uncontrolled behavior and ensuring that processes fail in a known, recoverable state.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | libarchive | Affected | ||
| Red Hat Enterprise Linux 6 | libarchive | Out of support scope | ||
| Red Hat Enterprise Linux 7 | libarchive | Out of support scope | ||
| Red Hat Enterprise Linux 8 | libarchive | Out of support scope | ||
| Red Hat Enterprise Linux 9 | libarchive | Affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
4 Medium
CVSS3
Связанные уязвимости
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not c ...
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
4 Medium
CVSS3