Unrated severityOSV Advisory· Published Dec 20, 2018· Updated Aug 5, 2024

CVE-2018-1000878

Description

libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c that can result in Crash/DoS - it is unknown if RCE is possible. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Libarchive/LibarchiveOSV2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: >= v3.1.0
osv-coords14 versions
pkg:rpm/opensuse/bsdtar&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/libarchive&distro=openSUSE%20Leap%2015.0 pkg:rpm/opensuse/libarchive&distro=openSUSE%20Leap%2015.1 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 pkg:rpm/suse/libarchive&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 3.5.1-1.5+ 13 more
- (no CPE)range: < 3.5.1-1.5
- (no CPE)range: < 3.3.2-lp150.7.1
- (no CPE)range: < 3.3.2-lp151.5.3.1
- (no CPE)range: < 3.1.2-26.6.1
- (no CPE)range: < 3.3.2-3.8.4
- (no CPE)range: < 3.3.2-3.11.1
- (no CPE)range: < 3.3.2-3.8.4
- (no CPE)range: < 3.3.2-3.11.1
- (no CPE)range: < 3.1.2-26.6.1
- (no CPE)range: < 3.1.2-26.6.1
- (no CPE)range: < 3.1.2-26.6.1
- (no CPE)range: < 3.1.2-26.6.1
- (no CPE)range: < 3.1.2-26.6.1
- (no CPE)range: < 3.1.2-26.6.1

Patches

Vulnerability mechanics

References

lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.htmlmitrevendor-advisoryx_refsource_SUSE
access.redhat.com/errata/RHSA-2019:2298mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2019:3698mitrevendor-advisoryx_refsource_REDHAT
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W645KCLWFDBDGFJHG57WOVXGE62QSIJI/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/mitrevendor-advisoryx_refsource_FEDORA
usn.ubuntu.com/3859-1/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2018/dsa-4360mitrevendor-advisoryx_refsource_DEBIAN
www.securityfocus.com/bid/106324mitrevdb-entryx_refsource_BID
bugs.launchpad.net/ubuntu/+source/libarchive/+bug/1794909mitrex_refsource_MISC
github.com/libarchive/libarchive/pull/1105mitrex_refsource_MISC
github.com/libarchive/libarchive/pull/1105/commits/bfcfe6f04ed20db2504db8a254d1f40a1d84eb28mitrex_refsource_MISC
lists.debian.org/debian-lts-announce/2018/12/msg00011.htmlmitremailing-listx_refsource_MLIST

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.004
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000