CVE-2018-1000879

Published: 20 December 2018

libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.

Priority

CVSS 3 base score: 6.5

Status

Package	Release	Status
libarchive Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	cosmic	Not vulnerable (code not present)
	precise	Does not exist
	trusty	Not vulnerable (code not present)
	upstream	Needs triage
	xenial	Not vulnerable (code not present)
	Patches: upstream: https://github.com/libarchive/libarchive/pull/1105/commits/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916962

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security