CVE-2017-14166 — Out-of-bounds Read in Libarchive

CWE-125 — Out-of-bounds Read CWE-122 — Heap-based Buffer Overflow9 documents7 sources

Severity

6.5MEDIUMNVD

OSV5.5

EPSS

1.6%

top 18.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Debian Libarchive Canonical Ubuntu Linux +1 more

Timeline

PublishedSep 6

Latest updateMay 14

Description

libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/libarchive< libarchive 3.2.2-3.1 (bookworm)

▶Debianlibarchive/libarchive< 3.2.2-3.1+3

▶Ubuntulibarchive/libarchive< 3.1.2-7ubuntu2.6+2

▶NVDlibarchive/libarchive3.3.2

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04

Patches

Patch: blogs.gentoo.org ↗Patch: github.com ↗Patch: blogs.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-2j9p-6c4h-8967: libarchive 3↗2022-05-14

▶

OSV

libarchive vulnerabilities↗2018-08-13

▶

OSV

CVE-2017-14166: libarchive 3↗2017-09-06

▶

📋Vendor Advisories

Ubuntu

libarchive vulnerabilities↗2018-08-13

▶

Red Hat

libarchive: Heap-based buffer over-read in the atol8 function↗2017-09-05

▶

Debian

CVE-2017-14166: libarchive - libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data ...↗2017

▶

💬Community

Bugzilla

CVE-2017-14166 libarchive: Heap-based buffer over-read in the atol8 function↗2017-09-08

▶

Bugzilla

CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 libarchive: various flaws [fedora-all]↗2017-05-10

▶