CVE-2016-10349 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Libarchive

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122 — Heap-based Buffer Overflow11 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

1.5%

top 18.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Debian Libarchive

Timeline

PublishedMay 1

Latest updateMay 14

Description

The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/libarchive< libarchive 3.2.2-3.1 (bookworm)

▶Debianlibarchive/libarchive< 3.2.2-3.1+3

▶Ubuntulibarchive/libarchive< 3.1.2-7ubuntu2.6+2

▶NVDlibarchive/libarchive3.2.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-93f9-r2hf-qqvr: The archive_le32dec function in archive_endian↗2022-05-14

▶

OSV

libarchive vulnerabilities↗2018-08-13

▶

OSV

CVE-2016-10349: The archive_le32dec function in archive_endian↗2017-05-01

▶

📋Vendor Advisories

Ubuntu

libarchive vulnerabilities↗2018-08-13

▶

Red Hat

libarchive: Heap-based buffer over-read in the archive_le32dec function↗2016-12-06

▶

Debian

CVE-2016-10349: libarchive - The archive_le32dec function in archive_endian.h in libarchive 3.2.2 allows remo...↗2016

▶

💬Community

Bugzilla

CVE-2016-10349 CVE-2016-10350 libarchive3: various flaws [epel-6]↗2017-05-10

▶

Bugzilla

CVE-2016-10349 CVE-2016-10350 mingw-libarchive: various flaws [fedora-all]↗2017-05-10

▶

Bugzilla

CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function↗2017-05-10

▶

Bugzilla

CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 libarchive: various flaws [fedora-all]↗2017-05-10

▶