CVE-2007-3644 - Vulnerability Details - OpenCVE

archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Freebsd	Libarchive

Configuration 1 [-]

cpe:2.3:a:freebsd:libarchive:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924
http://osvdb.org/38093
http://osvdb.org/38094
http://people.freebsd.org/~kientzle/libarchive/
http://secunia.com/advisories/26050
http://secunia.com/advisories/26062
http://secunia.com/advisories/26355
http://secunia.com/advisories/28377
http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc
http://security.freebsd.org/patches/SA-07:05/libarchive.patch
http://security.gentoo.org/glsa/glsa-200708-03.xml
http://www.debian.org/security/2008/dsa-1455
http://www.kb.cert.org/vuls/id/970849
http://www.novell.com/linux/security/advisories/2007_15_sr.html
http://www.securityfocus.com/bid/24885
http://www.securitytracker.com/id?1018379
http://www.vupen.com/english/advisories/2007/2521
https://exchange.xforce.ibmcloud.com/vulnerabilities/35402

History

No history.

MITRE

Status: PUBLISHED

Assigner: freebsd

Published: 2007-07-14T00:00:00

Updated: 2024-08-07T14:21:36.568Z

Reserved: 2007-07-09T00:00:00

Link: CVE-2007-3644

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-07-14T00:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-3644

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-07-12T00:00:00", "descriptions": [{"lang": "en", "value": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd"}, "references": [{"name": "FreeBSD-SA-07:05", "tags": ["vendor-advisory", "x_refsource_FREEBSD"], "url": "http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc"}, {"name": "VU#970849", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/970849"}, {"name": "ADV-2007-2521", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/2521"}, {"name": "DSA-1455", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2008/dsa-1455"}, {"tags": ["x_refsource_MISC"], "url": "http://security.freebsd.org/patches/SA-07:05/libarchive.patch"}, {"name": "26050", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26050"}, {"name": "24885", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/24885"}, {"name": "freebsd-libarchive-pax-dos(35402)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35402"}, {"name": "GLSA-200708-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200708-03.xml"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924"}, {"name": "38094", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/38094"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://people.freebsd.org/~kientzle/libarchive/"}, {"name": "26062", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26062"}, {"name": "38093", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/38093"}, {"name": "26355", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/26355"}, {"name": "1018379", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1018379"}, {"name": "28377", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/28377"}, {"name": "SUSE-SR:2007:015", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secteam@freebsd.org", "ID": "CVE-2007-3644", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "FreeBSD-SA-07:05", "refsource": "FREEBSD", "url": "http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc"}, {"name": "VU#970849", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/970849"}, {"name": "ADV-2007-2521", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/2521"}, {"name": "DSA-1455", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1455"}, {"name": "http://security.freebsd.org/patches/SA-07:05/libarchive.patch", "refsource": "MISC", "url": "http://security.freebsd.org/patches/SA-07:05/libarchive.patch"}, {"name": "26050", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26050"}, {"name": "24885", "refsource": "BID", "url": "http://www.securityfocus.com/bid/24885"}, {"name": "freebsd-libarchive-pax-dos(35402)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35402"}, {"name": "GLSA-200708-03", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200708-03.xml"}, {"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924"}, {"name": "38094", "refsource": "OSVDB", "url": "http://osvdb.org/38094"}, {"name": "http://people.freebsd.org/~kientzle/libarchive/", "refsource": "CONFIRM", "url": "http://people.freebsd.org/~kientzle/libarchive/"}, {"name": "26062", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26062"}, {"name": "38093", "refsource": "OSVDB", "url": "http://osvdb.org/38093"}, {"name": "26355", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/26355"}, {"name": "1018379", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1018379"}, {"name": "28377", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28377"}, {"name": "SUSE-SR:2007:015", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T14:21:36.568Z"}, "title": "CVE Program Container", "references": [{"name": "FreeBSD-SA-07:05", "tags": ["vendor-advisory", "x_refsource_FREEBSD", "x_transferred"], "url": "http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc"}, {"name": "VU#970849", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/970849"}, {"name": "ADV-2007-2521", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/2521"}, {"name": "DSA-1455", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2008/dsa-1455"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://security.freebsd.org/patches/SA-07:05/libarchive.patch"}, {"name": "26050", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26050"}, {"name": "24885", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/24885"}, {"name": "freebsd-libarchive-pax-dos(35402)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35402"}, {"name": "GLSA-200708-03", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200708-03.xml"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924"}, {"name": "38094", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/38094"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://people.freebsd.org/~kientzle/libarchive/"}, {"name": "26062", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26062"}, {"name": "38093", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/38093"}, {"name": "26355", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26355"}, {"name": "1018379", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1018379"}, {"name": "28377", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/28377"}, {"name": "SUSE-SR:2007:015", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}]}]}, "cveMetadata": {"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "assignerShortName": "freebsd", "cveId": "CVE-2007-3644", "datePublished": "2007-07-14T00:00:00", "dateReserved": "2007-07-09T00:00:00", "dateUpdated": "2024-08-07T14:21:36.568Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freebsd:libarchive:*:*:*:*:*:*:*:*", "matchCriteriaId": "637AE244-745E-4506-90FA-6092C83CC9BD", "versionEndIncluding": "2.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive."}, {"lang": "es", "value": "archive_read_support_format_tar.c de libarchive versiones anteriores a 2.2.4 permite a atacantes remotos con la complicidad del usuario provocar una denegaci\u00f3n de servicio (bucle infinito) mediante (1) una condici\u00f3n de final de fichero con una cabecera de extensi\u00f3n pax \u00f3 (2) una una cabecera de extensi\u00f3n pax malformada en un fichero (a) PAX \u00f3 (b) TAR."}], "id": "CVE-2007-3644", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2007-07-14T00:30:00.000", "references": [{"source": "secteam@freebsd.org", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924"}, {"source": "secteam@freebsd.org", "url": "http://osvdb.org/38093"}, {"source": "secteam@freebsd.org", "url": "http://osvdb.org/38094"}, {"source": "secteam@freebsd.org", "url": "http://people.freebsd.org/~kientzle/libarchive/"}, {"source": "secteam@freebsd.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/26050"}, {"source": "secteam@freebsd.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/26062"}, {"source": "secteam@freebsd.org", "url": "http://secunia.com/advisories/26355"}, {"source": "secteam@freebsd.org", "url": "http://secunia.com/advisories/28377"}, {"source": "secteam@freebsd.org", "tags": ["Vendor Advisory"], "url": "http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc"}, {"source": "secteam@freebsd.org", "tags": ["Patch"], "url": "http://security.freebsd.org/patches/SA-07:05/libarchive.patch"}, {"source": "secteam@freebsd.org", "url": "http://security.gentoo.org/glsa/glsa-200708-03.xml"}, {"source": "secteam@freebsd.org", "url": "http://www.debian.org/security/2008/dsa-1455"}, {"source": "secteam@freebsd.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/970849"}, {"source": "secteam@freebsd.org", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}, {"source": "secteam@freebsd.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/24885"}, {"source": "secteam@freebsd.org", "url": "http://www.securitytracker.com/id?1018379"}, {"source": "secteam@freebsd.org", "url": "http://www.vupen.com/english/advisories/2007/2521"}, {"source": "secteam@freebsd.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35402"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=432924"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38093"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/38094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://people.freebsd.org/~kientzle/libarchive/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/26050"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/26062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/26355"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/28377"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://security.freebsd.org/patches/SA-07:05/libarchive.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200708-03.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/970849"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/24885"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1018379"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/2521"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35402"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}