CVE-2018-1000879

Published: 20 December 2018

libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.

Priority

CVSS 3 base score: 6.5

Status

Package	Release	Status
libarchive Launchpad, Ubuntu, Debian	Upstream	Needs triage




	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (code not present)
	Ubuntu 16.04 ESM (Xenial Xerus)	Not vulnerable (code not present)
	Ubuntu 14.04 ESM (Trusty Tahr)	Not vulnerable (code not present)
	Patches: Upstream: https://github.com/libarchive/libarchive/pull/1105/commits/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916962

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›