ID CVE-2018-1000877
Summary libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in the RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 - that can result in a crash/DoS. This attack appears to be exploitable if the victim opens a specially crafted RAR archive.
References
Vulnerable Configurations
  • cpe:2.3:a:libarchive:libarchive:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.2:*:*:*:*:x64:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.2:-:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.900a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.901a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 06-11-2019 - 01:15)
Impact:
Exploitability:
CWE CWE-415
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2019:2298
  • rhsa
    id RHSA-2019:3698
rpms
  • bsdcpio-0:3.1.2-12.el7
  • bsdtar-0:3.1.2-12.el7
  • libarchive-0:3.1.2-12.el7
  • libarchive-debuginfo-0:3.1.2-12.el7
  • libarchive-devel-0:3.1.2-12.el7
  • bsdcat-debuginfo-0:3.3.2-7.el8
  • bsdcpio-debuginfo-0:3.3.2-7.el8
  • bsdtar-0:3.3.2-7.el8
  • bsdtar-debuginfo-0:3.3.2-7.el8
  • libarchive-0:3.3.2-7.el8
  • libarchive-debuginfo-0:3.3.2-7.el8
  • libarchive-debugsource-0:3.3.2-7.el8
  • libarchive-devel-0:3.3.2-7.el8
refmap via4
bid 106324
debian DSA-4360
fedora
  • FEDORA-2019-0233ec0ff3
  • FEDORA-2019-c595a93536
  • FEDORA-2019-fbe83d0e32
misc
mlist [debian-lts-announce] 20181221 [SECURITY] [DLA 1612-1] libarchive security update
suse
  • openSUSE-SU-2019:1196
  • openSUSE-SU-2019:2615
  • openSUSE-SU-2019:2632
ubuntu USN-3859-1
Last major update 06-11-2019 - 01:15
Published 20-12-2018 - 17:29
Last modified 06-11-2019 - 01:15