CVE-2018-1000879: Null Pointer Dereference
First published: Thu Dec 20 2018(Updated: )
libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libarchive Libarchive | >=3.3.0<3.4.0 | |
| Fedoraproject Fedora | =28 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| openSUSE Leap | =15.0 |
Remedy
https://github.com/libarchive/libarchive/pull/1105/commits/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html
- http://www.securityfocus.com/bid/106324
- https://bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909
- https://github.com/libarchive/libarchive/pull/1105
- https://github.com/libarchive/libarchive/pull/1105/commits/15bf44fd2c1ad0e3fd87048b3fcc90c4dcff1175
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2018-1000879.
What is the severity of CVE-2018-1000879?
The severity of CVE-2018-1000879 is medium with a CVSS score of 6.5.
Which software versions are affected by CVE-2018-1000879?
libarchive versions commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) are affected by CVE-2018-1000879.
How does CVE-2018-1000879 vulnerability manifest?
CVE-2018-1000879 manifests as a NULL Pointer Dereference vulnerability in ACL parser in libarchive.
What is the recommended action for CVE-2018-1000879?
To mitigate the CVE-2018-1000879 vulnerability, users should update libarchive to version 3.4.0 or newer.
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/remedy
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/libarchive
- canonical/libarchive libarchive
- version/libarchive libarchive/3.3.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/28
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0