CVE-2024-37407

Name of the Vulnerable Software and Affected Versions Libarchive versions prior to 3.7.4

Description The issue is related to a buffer overflow vulnerability when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in the slurp central directory function in archive read support format zip.c. The vulnerability can be exploited by a remote attacker to cause a denial of service using a specially crafted archive.

Recommendations For Libarchive versions prior to 3.7.4, update to version 3.7.4 or later to resolve the issue. As a temporary workaround, consider disabling the mac-ext feature when handling ZIP archives to minimize the risk of exploitation. Restrict access to the slurp central directory function in archive read support format zip.c until the issue is resolved. Avoid using ZIP archives with empty-name files until the issue is fixed.