CVE-2015-8916 — MEDIUM (6.5)

Q: How severe is CVE-2015-8916?

CVE-2015-8916 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-8916?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux, Libarchive Libarchive.

Vulnerability Description

bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	12.04
Debian	Debian Linux	7.0
Libarchive	Libarchive	<= 3.1.901a

Related Weaknesses (CWE)

CWE-476

References

http://rhn.redhat.com/errata/RHSA-2016-1844.html
http://www.debian.org/security/2016/dsa-3657
http://www.openwall.com/lists/oss-security/2016/06/17/2Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/17/5Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.h
http://www.securityfocus.com/bid/91296
http://www.ubuntu.com/usn/USN-3033-1Third Party Advisory
https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchThird Party Advisory
https://github.com/libarchive/libarchive/issues/504
https://security-tracker.debian.org/tracker/CVE-2015-8916Third Party Advisory
https://security.gentoo.org/glsa/201701-03
http://rhn.redhat.com/errata/RHSA-2016-1844.html
http://www.debian.org/security/2016/dsa-3657
http://www.openwall.com/lists/oss-security/2016/06/17/2Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/17/5Third Party Advisory

FAQ

What is CVE-2015-8916?

CVE-2015-8916 is a vulnerability with a CVSS score of 6.5 (MEDIUM). bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a "split file in multivolume RAR," which allows remote attackers to cause a denial of service (NUL...

How severe is CVE-2015-8916?

CVE-2015-8916 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-8916?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux, Libarchive Libarchive.