QwikSec

Security Database

CVE

CWE

Training

CVE-2016-8688

Published: Feb 15, 2017

Modified: Aug 6, 2024

PUBLISHED

Description

The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

[oss-security] 20161015 Re: Libarchive/bsdtar: multiple crashes

mailing-list

x_refsource_MLIST

[debian-lts-announce] 20181129 [SECURITY] [DLA 1600-1] libarchive security update

mailing-list

x_refsource_MLIST

https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-detect_form-archive_read_support_format_mtree-c/

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=1377923

x_refsource_CONFIRM

vendor-advisory

x_refsource_GENTOO

https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca

x_refsource_CONFIRM

https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c/

x_refsource_MISC

vdb-entry

x_refsource_BID

https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c/

x_refsource_MISC

https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-detect_form-archive_read_support_format_mtree-c/

x_refsource_MISC

openSUSE-SU-2016:3002

vendor-advisory

x_refsource_SUSE

https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-bid_entry-archive_read_support_format_mtree-c/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.