SB2016120110 - NULL pointer dereference in linux-firmware (Alpine package)
Published: December 1, 2016
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2016-9296)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the CInArchive::ReadAndDecodePackedStreams function in CPP/7zip/Archive/7z/7zIn.cpp, as used in the 7z.so library and in 7z applications. A remote attacker can perform a denial of service (DoS) attack via a specially crafted 7z file.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=8534c21265a404ef97e1d534101899b1abd43fe1
- https://git.alpinelinux.org/aports/commit/?id=d2bfb22c8e8f67ad7d8d02704f35ec4d2a19f9b9
- https://git.alpinelinux.org/aports/commit/?id=8df17e769fc14be8892c248aa366ad2b872a838e
- https://git.alpinelinux.org/aports/commit/?id=916b50fbdafda4e285e59c6b59805040daee9fce
- https://git.alpinelinux.org/aports/commit/?id=1e3620e1d6ab6cfff0d1ebe4600ddc44e5aa614e
- https://git.alpinelinux.org/aports/commit/?id=2c5e07e07d00696e93c338f61e2879e2b12a2172
- https://git.alpinelinux.org/aports/commit/?id=3a748737d065019a3f1c7773e0913af91c268a7d
- https://git.alpinelinux.org/aports/commit/?id=5c65d504502485a44b1b30bfd3fa56800518fa54
- https://git.alpinelinux.org/aports/commit/?id=2bb44c1c48783fb5c3ce06a3b5ea14058cc04373