list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libarchive | Libarchive | * | 3.7.7 (including) |
| Red Hat Enterprise Linux 10 | RedHat | libarchive-0:3.7.7-3.el10_0 | * |
| Red Hat Enterprise Linux 9 | RedHat | libarchive-0:3.5.3-5.el9_6 | * |
| Red Hat Enterprise Linux 9 | RedHat | libarchive-0:3.5.3-5.el9_6 | * |
| Red Hat Discovery 2 | RedHat | registry.redhat.io/discovery/discovery-server-rhel9:sha256:bd9cb502def3153c193713b56372694cb555a71b38d4fc0fd9d021bccc5602de | * |
| Libarchive | Ubuntu | devel | * |
| Libarchive | Ubuntu | focal | * |
| Libarchive | Ubuntu | jammy | * |
| Libarchive | Ubuntu | noble | * |
| Libarchive | Ubuntu | oracular | * |
| Libarchive | Ubuntu | plucky | * |