CVE-2019-1000020 — MEDIUM (6.5)

Q: How severe is CVE-2019-1000020?

CVE-2019-1000020 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-1000020?

Check the references section above for vendor advisories and patch information. Affected products include: Libarchive Libarchive, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap.

Vulnerability Description

libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libarchive	Libarchive	>= 2.8.0, < 3.4.0
Canonical	Ubuntu Linux	14.04
Debian	Debian Linux	8.0
Fedoraproject	Fedora	29
Opensuse	Leap	15.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-835

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html
https://access.redhat.com/errata/RHSA-2019:2298Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3698
https://github.com/libarchive/libarchive/pull/1120Third Party Advisory
https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b9650PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00013.htmlThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://usn.ubuntu.com/3884-1/Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html
https://access.redhat.com/errata/RHSA-2019:2298Third Party Advisory

FAQ

What is CVE-2019-1000020?

CVE-2019-1000020 is a vulnerability with a CVSS score of 6.5 (MEDIUM). libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 ...

How severe is CVE-2019-1000020?

CVE-2019-1000020 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-1000020?

Check the references section above for vendor advisories and patch information. Affected products include: Libarchive Libarchive, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Opensuse Leap.