#VU15818 Out-of-bounds read in libarchive


Published: 2018-11-12 | Updated: 2018-11-13

Vulnerability identifier: #VU15818

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-14501

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libarchive
Client/Desktop applications / Software for archiving

Vendor: libarchive

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to out-of-bounds read condition in the parse_file_info function, as defined in the archive_read_support_format_iso9660.c source code file when extracting ISO 9660 files. A remote attacker can trick the victim into extracting an ISO 9660 file that submits malicious input and cause the service to crash.

Mitigation
Update to version 3.3.3.

Vulnerable software versions

libarchive: 3.3.2

External links
http://github.com/libarchive/libarchive/issues/949

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Container Storage Modules
Out-of-bounds read in IBM App Connect Enterprise Certified Container
Out-of-bounds read in libarchive (Alpine package)
Gentoo update for libarchive
Debian update for libarchive
OpenSUSE Linux update for libarchive
OpenSUSE Linux update for libarchive
Multiple vulnerabilities in libarchive
Denial of service in libarchive