list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
Weakness
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libarchive | Libarchive | * | 3.7.7 (including) |
| Red Hat Enterprise Linux 10 | RedHat | libarchive-0:3.7.7-3.el10_0 | * |
| Red Hat Enterprise Linux 9 | RedHat | libarchive-0:3.5.3-5.el9_6 | * |
| Red Hat Enterprise Linux 9 | RedHat | libarchive-0:3.5.3-5.el9_6 | * |
| Red Hat Discovery 2 | RedHat | discovery/discovery-server-rhel9:sha256:c499a099e03c7488ffe50529a34723ade191a89fcfc59d1f0edd01db2b579ca3 | * |
| Libarchive | Ubuntu | devel | * |
| Libarchive | Ubuntu | esm-infra/focal | * |
| Libarchive | Ubuntu | focal | * |
| Libarchive | Ubuntu | jammy | * |
| Libarchive | Ubuntu | noble | * |
| Libarchive | Ubuntu | oracular | * |
| Libarchive | Ubuntu | plucky | * |
| Libarchive | Ubuntu | questing | * |