ID CVE-2019-1000020
Summary libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.
Vulnerable Configurations
  • cpe:2.3:a:libarchive:libarchive:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.0a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.1b:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.2:*:*:*:*:x64:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.2:-:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.900a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.901a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 24-08-2020 - 17:37)
CWE CWE-835
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1672892
    title CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment bsdcpio is earlier than 0:3.1.2-12.el7
            oval oval:com.redhat.rhsa:tst:20192298001
          • comment bsdcpio is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20161844002
        • AND
          • comment bsdtar is earlier than 0:3.1.2-12.el7
            oval oval:com.redhat.rhsa:tst:20192298003
          • comment bsdtar is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20161844004
        • AND
          • comment libarchive is earlier than 0:3.1.2-12.el7
            oval oval:com.redhat.rhsa:tst:20192298005
          • comment libarchive is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507002
        • AND
          • comment libarchive-devel is earlier than 0:3.1.2-12.el7
            oval oval:com.redhat.rhsa:tst:20192298007
          • comment libarchive-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507004
    rhsa
    id RHSA-2019:2298
    released 2019-08-06
    severity Moderate
    title RHSA-2019:2298: libarchive security update (Moderate)
  • bugzilla
    id 1672892
    title CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment bsdtar is earlier than 0:3.3.2-7.el8
            oval oval:com.redhat.rhsa:tst:20193698001
          • comment bsdtar is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20161844004
        • AND
          • comment libarchive is earlier than 0:3.3.2-7.el8
            oval oval:com.redhat.rhsa:tst:20193698003
          • comment libarchive is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507002
        • AND
          • comment libarchive-debugsource is earlier than 0:3.3.2-7.el8
            oval oval:com.redhat.rhsa:tst:20193698005
          • comment libarchive-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20193698006
        • AND
          • comment libarchive-devel is earlier than 0:3.3.2-7.el8
            oval oval:com.redhat.rhsa:tst:20193698007
          • comment libarchive-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507004
    rhsa
    id RHSA-2019:3698
    released 2019-11-05
    severity Moderate
    title RHSA-2019:3698: libarchive security and bug fix update (Moderate)
rpms
  • bsdcpio-0:3.1.2-12.el7
  • bsdtar-0:3.1.2-12.el7
  • libarchive-0:3.1.2-12.el7
  • libarchive-debuginfo-0:3.1.2-12.el7
  • libarchive-devel-0:3.1.2-12.el7
  • bsdcat-debuginfo-0:3.3.2-7.el8
  • bsdcpio-debuginfo-0:3.3.2-7.el8
  • bsdtar-0:3.3.2-7.el8
  • bsdtar-debuginfo-0:3.3.2-7.el8
  • libarchive-0:3.3.2-7.el8
  • libarchive-debuginfo-0:3.3.2-7.el8
  • libarchive-debugsource-0:3.3.2-7.el8
  • libarchive-devel-0:3.3.2-7.el8
refmap via4
fedora
  • FEDORA-2019-0233ec0ff3
  • FEDORA-2019-c595a93536
misc
mlist [debian-lts-announce] 20190207 [SECURITY] [DLA 1668-1] libarchive security update
suse
  • openSUSE-SU-2019:1196
  • openSUSE-SU-2019:2615
  • openSUSE-SU-2019:2632
ubuntu USN-3884-1
Last major update 24-08-2020 - 17:37
Published 04-02-2019 - 21:29
Last modified 24-08-2020 - 17:37