CVE-2016-8689Out-of-bounds Read in Libarchive

CWE-125Out-of-bounds ReadCWE-228Improper Handling of Syntactically Invalid Structure13 documents7 sources
Severity
7.5HIGHNVD
EPSS
1.1%
top 21.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LibarchiveDebian LibarchiveOpensuse Leap
Timeline
PublishedFeb 15
Latest updateMay 14

Description

The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

debiandebian/libarchive< libarchive 3.2.1-5 (bookworm)
Debianlibarchive/libarchive< 3.2.1-5+3
Ubuntulibarchive/libarchive< 3.1.2-7ubuntu2.4+1
NVDopensuse/leap42.2

Patches

Patch: www.openwall.comPatch: blogs.gentoo.orgPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-55v8-px3p-89m5: The read_Header function in archive_read_support_format_7zip2022-05-14
OSV
libarchive vulnerabilities2017-03-09
OSV
CVE-2016-8689: The read_Header function in archive_read_support_format_7zip2017-02-15

📋Vendor Advisories

3
Ubuntu
libarchive vulnerabilities2017-03-09
Red Hat
libarchive: heap based buffer overflow in read_header (archive_read_support_format_7zip.c)2016-09-15
Debian
CVE-2016-8689: libarchive - The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2...2016

💬Community

6
Bugzilla
CVE-2016-8687 CVE-2016-8688 CVE-2016-8689 libarchive: various flaws [epel-5]2016-10-17
Bugzilla
libarchive: various flaws [fedora-all]2016-10-17
Bugzilla
CVE-2016-8687 CVE-2016-8688 CVE-2016-8689 libarchive3: various flaws [epel-6]2016-10-17
Bugzilla
CVE-2016-8687 CVE-2016-8688 CVE-2016-8689 mingw-libarchive: various flaws [fedora-all]2016-10-17
Bugzilla
CVE-2016-8689 libarchive: heap based buffer overflow in read_header (archive_read_support_format_7zip.c) [fedora-all]2016-09-23