CVE-2018-11496 — Use After Free in Range ZIP Project Long Range ZIP

CWE-416 — Use After Free10 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.8%

top 25.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ckolivas Lrzip Debian Linux Long Range ZIP Project Long Range ZIP

Timeline

PublishedMay 26

Latest updateMay 13

Description

In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶Debianckolivas/lrzip< 0.631+git180528-1+3

▶NVDlong_range_zip_project/long_range_zip0.631

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

GHSA-j3rv-w4w8-qcv2: In Long Range Zip (aka lrzip) 0↗2022-05-13

▶

OSV

CVE-2018-11496: In Long Range Zip (aka lrzip) 0↗2018-05-26

▶

CVEList

CVE-2018-11496: In Long Range Zip (aka lrzip) 0↗2018-05-26

▶

📋Vendor Advisories

Ubuntu

Long Range ZIP vulnerabilities↗2021-12-09

▶

Ubuntu

Long Range ZIP vulnerabilities↗2021-12-06

▶

Debian

CVE-2018-11496: lrzip - In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in...↗2018

▶

💬Community

Bugzilla

CVE-2018-11496 lrzip: Use after free in read_stream in stream.c [fedora-26]↗2018-05-28

▶

Bugzilla

CVE-2018-11496 lrzip: Use after free in read_stream in stream.c↗2018-05-28

▶

Bugzilla

CVE-2018-11496 lrzip: Use after free in read_stream in stream.c [epel-all]↗2018-05-28

▶