OpenSUSE Linux update for bzip2

Published: 2019-05-15 | Updated: 2019-05-15
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2016-3189
CWE ID CWE-416
Exploitation vector Network
Public exploit N/A
Vulnerable software Opensuse Subscribe
Vendor Novell

Security Advisory

This security advisory describes one low risk vulnerability.

1) Use-after-free memory corruption in bzip2recover

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3189

CWE-ID: CWE-416 - Use After Free

Description

The vulnerability allows a remote attacker to cause the target application to crash.

The vulnerability exists due to an use-after-free error in bzip2recover when handling bzip2 files. A remote unauthenticated attacker can send a specially crafted bzip2 archive and cause the target application to crash.

Successful exploitation of this vulnerability will result in denial of service.

Mitigation

Update the affected packages.

Vulnerable software versions

Opensuse: 15.0

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-05/msg00035.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.