CVE-2019-1000019 — MEDIUM (6.5)

Q: How severe is CVE-2019-1000019?

CVE-2019-1000019 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-1000019?

Check the references section above for vendor advisories and patch information. Affected products include: Libarchive Libarchive, Debian Debian Linux, Canonical Ubuntu Linux, Fedoraproject Fedora, Opensuse Leap.

Vulnerability Description

libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libarchive	Libarchive	>= 3.0.2, < 3.4.0
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Fedoraproject	Fedora	28
Opensuse	Leap	15.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-125

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html
https://access.redhat.com/errata/RHSA-2019:2298Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3698
https://github.com/libarchive/libarchive/pull/1120Third Party Advisory
https://github.com/libarchive/libarchive/pull/1120/commits/65a23f5dbee4497064e9bExploitPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00013.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://usn.ubuntu.com/3884-1/Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html
https://access.redhat.com/errata/RHSA-2019:2298Third Party Advisory

FAQ

What is CVE-2019-1000019?

CVE-2019-1000019 is a vulnerability with a CVSS score of 6.5 (MEDIUM). libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_for...

How severe is CVE-2019-1000019?

CVE-2019-1000019 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-1000019?

Check the references section above for vendor advisories and patch information. Affected products include: Libarchive Libarchive, Debian Debian Linux, Canonical Ubuntu Linux, Fedoraproject Fedora, Opensuse Leap.