CVE-2019-1000020 — Infinite Loop in Libarchive

CWE-835 — Infinite Loop13 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

1.4%

top 19.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Canonical Ubuntu Linux Debian Linux +5 more

Timeline

PublishedFeb 4

Latest updateMay 13

Description

libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

▶NVDlibarchive/libarchive2.8.0 — 3.4.0

▶Debianlibarchive/libarchive< 3.3.3-4+3

▶Ubuntulibarchive/libarchive< 3.1.2-7ubuntu2.8+2

▶NVDopensuse/leap15.0

▶NVDredhat/enterprise_linux_server7.0

Also affects: Debian Linux 8.0, Fedora 29, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rv4c-7xgc-3x93: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2↗2022-05-13

▶

OSV

libarchive vulnerabilities↗2019-02-07

▶

OSV

CVE-2019-1000020: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2↗2019-02-04

▶

CVEList

CVE-2019-1000020: libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2↗2019-02-04

▶

📋Vendor Advisories

Ubuntu

libarchive vulnerabilities↗2019-02-07

▶

Red Hat

libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service↗2019-01-20

▶

Debian

CVE-2019-1000020: libarchive - libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (vers...↗2019

▶

💬Community

Bugzilla

CVE-2019-1000019 CVE-2019-1000020 mingw-libarchive: various flaws [fedora-all]↗2019-02-08

▶

Bugzilla

CVE-2019-1000020 libarchive3: libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service [epel-6]↗2019-02-07

▶

Bugzilla

CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service↗2019-02-06

▶

Bugzilla

CVE-2019-1000019 CVE-2019-1000020 libarchive3: various flaws [epel-6]↗2019-02-06

▶

Bugzilla

CVE-2019-1000019 CVE-2019-1000020 libarchive: various flaws [fedora-all]↗2019-02-06

▶