ID CVE-2016-8688
Summary The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.
References
Vulnerable Configurations
  • libarchive 3.2.1
    cpe:2.3:a:libarchive:libarchive:3.2.1
  • openSUSE Leap 42.2
    cpe:2.3:o:opensuse:leap:42.2
CVSS
Base: 4.3 (as of 16-02-2017 - 14:09)
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0010_LIBARCHIVE.NASL
    description An update of the libarchive package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121677
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121677
    title Photon OS 1.0: Libarchive PHSA-2017-0010
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3225-1.NASL
    description It was discovered that libarchive incorrectly handled hardlink entries when extracting archives. A remote attacker could possibly use this issue to overwrite arbitrary files. (CVE-2016-5418) Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that libarchive incorrectly handled filename lengths when writing ISO9660 archives. A remote attacker could use this issue to cause libarchive to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6250) Alexander Cherepanov discovered that libarchive incorrectly handled recursive decompressions. A remote attacker could possibly use this issue to cause libarchive to hang, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-7166) It was discovered that libarchive incorrectly handled non-printable multibyte characters in filenames. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2016-8687) It was discovered that libarchive incorrectly handled line sizes when extracting certain archives. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2016-8688) It was discovered that libarchive incorrectly handled multiple EmptyStream attributes when extracting certain 7zip archives. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2016-8689) Jakub Jirasek discovered that libarchive incorrectly handled memory when extracting certain archives. A remote attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. (CVE-2017-5601). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 97660
    published 2017-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97660
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : libarchive vulnerabilities (USN-3225-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL35263486.NASL
    description The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c. (CVE-2016-8688)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 97360
    published 2017-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97360
    title F5 Networks BIG-IP : libarchive vulnerability (K35263486)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2911-1.NASL
    description This update for libarchive fixes several issues. These security issues were fixed : - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070). - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072). - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076). - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566). - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980). - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 95367
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95367
    title SUSE SLED12 / SLES12 Security Update : libarchive (SUSE-SU-2016:2911-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1404.NASL
    description This update for libarchive fixes several issues. These security issues were fixed : - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070). - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072). - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076). - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566). - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980). - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-12-06
    plugin id 95558
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95558
    title openSUSE Security Update : libarchive (openSUSE-2016-1404)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-03 (libarchive: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libarchive. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted archive file possibly resulting in the execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-01-03
    plugin id 96234
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96234
    title GLSA-201701-03 : libarchive: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1405.NASL
    description This update for libarchive fixes several issues. These security issues were fixed : - CVE-2016-8687: Buffer overflow when printing a filename (bsc#1005070). - CVE-2016-8689: Heap overflow when reading corrupted 7Zip files (bsc#1005072). - CVE-2016-8688: Use after free because of incorrect calculation in next_line (bsc#1005076). - CVE-2016-5844: Integer overflow in the ISO parser in libarchive allowed remote attackers to cause a denial of service (application crash) via a crafted ISO file (bsc#986566). - CVE-2016-6250: Integer overflow in the ISO9660 writer in libarchive allowed remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow (bsc#989980). - CVE-2016-5418: The sandboxing code in libarchive mishandled hardlink archive entries of non-zero data size, which might allowed remote attackers to write to arbitrary files via a crafted archive file (bsc#998677). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-12-06
    plugin id 95559
    published 2016-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95559
    title openSUSE Security Update : libarchive (openSUSE-2016-1405)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0010.NASL
    description An update of [binutils,ntp,libarchive] packages for PhotonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111859
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111859
    title Photon OS 1.0: Binutils / Libarchive / Ntp PHSA-2017-0010 (deprecated)
  • NASL family CGI abuses
    NASL id SPLUNK_652.NASL
    description According to its self-reported version number, the version of Splunk Enterprise hosted on the remote web server is 5.0.x prior to 5.0.17, 6.0.x prior to 6.0.13, 6.1.x prior to 6.1.12, 6.2.x prior to 6.2.13, 6.3.x prior to 6.3.9, 6.4.x prior to 6.4.5, or 6.5.x prior to 6.5.2; or else it is Splunk Light prior to 6.5.2. It is, therefore, affected by multiple vulnerabilities : - A security bypass vulnerability exists in the libarchive component due to a failure to properly check hardlinks that contain payload data. An unauthenticated, remote attacker can exploit this to bypass sandbox restrictions. (CVE-2016-5418) - An out-of-bounds write error exists in the libarchive component in the get_line_size() function in archive_read_support_format_mtree.c that is triggered when parsing lines. An unauthenticated, remote attacker can exploit this to crash the library or disclose memory contents. (CVE-2016-8688) - An information disclosure vulnerability exists in Splunk Light due to various system information being assigned to the global window property '$C' when a request is made to '/en-US/config?autoload=1'. An unauthenticated, remote attacker attacker can exploit this, via a specially crafted web page, to disclose sensitive information. (CVE-2017-5607) - A denial of service vulnerability exists in the Splunk Web component due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this, via a specially crafted GET request, to crash the daemon. (CVE-2017-5880) - A flaw exists in the libarchive component in the check_symlinks() function in archive_write_disk_posix.c that is triggered during the handling of subdirectories. An unauthenticated, remote attacker can exploit this to overwrite arbitrary files. - A flaw exists in the libarchive component in the edit_deep_directories() function due to symlink checks and deep-directory support failing to properly handle overly long pathnames. An unauthenticated, remote attacker can exploit this to overwrite arbitrary files. - A flaw exists in the libarchive component in the check_symlinks() function that is due to an overly aggressive cached path handling mechanism. An unauthenticated, remote attacker can exploit this to make changes to the permissions of arbitrary directories. - An out-of-bounds write error exists in the libarchive component in the bsdtar_expand_char() function in util.c due to improper handling of crafted archives. An unauthenticated, remote attacker can exploit this, by convincing a user to open or load a specially crafted archive, to execute arbitrary code. - A stored cross-site scripting (XSS) vulnerability exists due to improper validation of input before returning it to users. An authenticated, remote attacker who has administrative access can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. - A stored cross-site scripting (XSS) vulnerability exists in Splunk Light within the web interface due to improper validation of unspecified input before returning to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that the vulnerabilities in the libarchive component do not affect Splunk Enterprise 6.5.1 or Splunk Light 6.5.1.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 97100
    published 2017-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97100
    title Splunk Enterprise < 5.0.17 / 6.0.13 / 6.1.12 / 6.2.13 / 6.3.9 / 6.4.5 / 6.5.2 or Splunk Light < 6.5.2 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1600.NASL
    description Multiple security vulnerabilities were found in libarchive, a multi-format archive and compression library. Heap-based buffer over-reads, NULL pointer dereferences and out-of-bounds reads allow remote attackers to cause a denial of service (application crash) via specially crafted archive files. For Debian 8 'Jessie', these problems have been fixed in version 3.1.2-11+deb8u4. We recommend that you upgrade your libarchive packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 119289
    published 2018-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119289
    title Debian DLA-1600-1 : libarchive security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-661.NASL
    description Agostino Sarubbo of Gentoo discovered several security vulnerabilities in libarchive, a multi-format archive and compression library. An attacker could take advantage of these flaws to cause a buffer overflow or an out of bounds read using a carefully crafted input file. CVE-2016-8687 Agostino Sarubbo of Gentoo discovered a possible stack-based buffer overflow when printing a filename in bsdtar_expand_char() of util.c. CVE-2016-8688 Agostino Sarubbo of Gentoo discovered a possible out of bounds read when parsing multiple long lines in bid_entry() and detect_form() of archive_read_support_format_mtree.c. CVE-2016-8689 Agostino Sarubbo of Gentoo discovered a possible heap-based buffer overflow when reading corrupted 7z files in read_Header() of archive_read_support_format_7zip.c. For Debian 7 'Wheezy', these problems have been fixed in version 3.0.4-3+wheezy5. We recommend that you upgrade your libarchive packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 94102
    published 2016-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94102
    title Debian DLA-661-1 : libarchive security update
refmap via4
bid 93781
confirm
gentoo GLSA-201701-03
misc
mlist
  • [debian-lts-announce] 20181129 [SECURITY] [DLA 1600-1] libarchive security update
  • [oss-security] 20161015 Re: Libarchive/bsdtar: multiple crashes
suse openSUSE-SU-2016:3002
Last major update 17-02-2017 - 11:59
Published 15-02-2017 - 14:59
Last modified 30-11-2018 - 06:29
Back to Top