ID CVE-2019-18408
Summary archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.
References
Vulnerable Configurations
  • cpe:2.3:a:libarchive:libarchive:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:2.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.0a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.1b:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.2:*:*:*:*:x64:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.2:-:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.900a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.1.901a:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libarchive:libarchive:3.3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 01-11-2019 - 11:15)
Impact:
Exploitability:
CWE CWE-416
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1769979
    title CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 7 is installed
        oval oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment bsdcpio is earlier than 0:3.1.2-14.el7_7
            oval oval:com.redhat.rhsa:tst:20200203001
          • comment bsdcpio is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20161844002
        • AND
          • comment bsdtar is earlier than 0:3.1.2-14.el7_7
            oval oval:com.redhat.rhsa:tst:20200203003
          • comment bsdtar is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20161844004
        • AND
          • comment libarchive is earlier than 0:3.1.2-14.el7_7
            oval oval:com.redhat.rhsa:tst:20200203005
          • comment libarchive is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507002
        • AND
          • comment libarchive-devel is earlier than 0:3.1.2-14.el7_7
            oval oval:com.redhat.rhsa:tst:20200203007
          • comment libarchive-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507004
    rhsa
    id RHSA-2020:0203
    released 2020-01-22
    severity Important
    title RHSA-2020:0203: libarchive security update (Important)
  • bugzilla
    id 1769979
    title CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 8 is installed
        oval oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment bsdtar is earlier than 0:3.3.2-8.el8_1
            oval oval:com.redhat.rhsa:tst:20200271001
          • comment bsdtar is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20161844004
        • AND
          • comment libarchive is earlier than 0:3.3.2-8.el8_1
            oval oval:com.redhat.rhsa:tst:20200271003
          • comment libarchive is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507002
        • AND
          • comment libarchive-debugsource is earlier than 0:3.3.2-8.el8_1
            oval oval:com.redhat.rhsa:tst:20200271005
          • comment libarchive-debugsource is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20193698006
        • AND
          • comment libarchive-devel is earlier than 0:3.3.2-8.el8_1
            oval oval:com.redhat.rhsa:tst:20200271007
          • comment libarchive-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20111507004
    rhsa
    id RHSA-2020:0271
    released 2020-01-29
    severity Important
    title RHSA-2020:0271: libarchive security update (Important)
  • rhsa
    id RHSA-2020:0246
rpms
  • bsdcpio-0:3.1.2-14.el7_7
  • bsdtar-0:3.1.2-14.el7_7
  • libarchive-0:3.1.2-14.el7_7
  • libarchive-debuginfo-0:3.1.2-14.el7_7
  • libarchive-devel-0:3.1.2-14.el7_7
  • bsdcat-debuginfo-0:3.3.2-4.el8_0
  • bsdcpio-debuginfo-0:3.3.2-4.el8_0
  • bsdtar-0:3.3.2-4.el8_0
  • bsdtar-debuginfo-0:3.3.2-4.el8_0
  • libarchive-0:3.3.2-4.el8_0
  • libarchive-debuginfo-0:3.3.2-4.el8_0
  • libarchive-debugsource-0:3.3.2-4.el8_0
  • bsdcat-debuginfo-0:3.3.2-8.el8_1
  • bsdcpio-debuginfo-0:3.3.2-8.el8_1
  • bsdtar-0:3.3.2-8.el8_1
  • bsdtar-debuginfo-0:3.3.2-8.el8_1
  • libarchive-0:3.3.2-8.el8_1
  • libarchive-debuginfo-0:3.3.2-8.el8_1
  • libarchive-debugsource-0:3.3.2-8.el8_1
  • libarchive-devel-0:3.3.2-8.el8_1
refmap via4
bugtraq 20191104 [SECURITY] [DSA 4557-1] libarchive security update
confirm https://support.f5.com/csp/article/K52144175?utm_source=f5support&utm_medium=RSS
debian DSA-4557
fedora FEDORA-2019-71b2273a9f
gentoo GLSA-202003-28
misc
mlist [debian-lts-announce] 20191026 [SECURITY] [DLA 1971-1] libarchive security update
suse
  • openSUSE-SU-2019:2615
  • openSUSE-SU-2019:2632
ubuntu USN-4169-1
Last major update 01-11-2019 - 11:15
Published 24-10-2019 - 14:15
Last modified 01-11-2019 - 11:15