Veracode Vulnerability DatabaseVERACODE:17611Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
libarchive is vulnerable to denial of service (DoS) attacks. This is caused when a corrupted cpio archive has a ridiculously large size for a symlink. malloc() fails here when trying to allocate memory to contain the entire symlink which allows remote attackers to affect the availability of the application via a CPIO archive with a large symlink.
| CPE | Name | Operator | Version |
|---|---|---|---|
| libarchive | eq | 2.8.3__4.el6_2 | |
| libarchive | eq | 2.8.3__3.el6_1 | |
| libarchive | eq | 2.8.3__2.el6 |
References
rhn.redhat.com/errata/RHSA-2016-1844.html
rhn.redhat.com/errata/RHSA-2016-1850.html
www.debian.org/security/2016/dsa-3657
www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
www.securityfocus.com/bid/91813
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1347084
github.com/libarchive/libarchive/commit/fd7e0c02
github.com/libarchive/libarchive/issues/705
rhn.redhat.com/errata/RHSA-2016-1850.html
security.gentoo.org/glsa/201701-03
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P