Bug 1120659 (CVE-2018-1000880)

Summary: VUL-1: CVE-2018-1000880: libarchive: Improper Input Validation vulnerability in WARC parser
Product: [Novell Products] SUSE Security Incidents Reporter: Karol Babioch <karol>
Component: IncidentsAssignee: Adrian Schröter <adrian.schroeter>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/221610/
Whiteboard: CVSSv3:SUSE:CVE-2018-1000880:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2019-01-03 15:02:11 UTC

libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards
(release v3.2.0 onwards) contains a CWE-20: Improper Input Validation
vulnerability in WARC parser - libarchive/archive_read_support_format_warc.c,
_warc_read() that can result in DoS - quasi-infinite run time and disk usage
from tiny file. This attack appear to be exploitable via the victim must open a
specially crafted WARC file.

Comment 3 Swamp Workflow Management 2019-04-01 16:11:50 UTC
SUSE-SU-2019:0831-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1120653,1120654,1120656,1120659,1124341,1124342
CVE References: CVE-2018-1000877,CVE-2018-1000878,CVE-2018-1000879,CVE-2018-1000880,CVE-2019-1000019,CVE-2019-1000020
Sources used:
SUSE Linux Enterprise Module for Development Tools 15 (src):    libarchive-3.3.2-3.8.4
SUSE Linux Enterprise Module for Basesystem 15 (src):    libarchive-3.3.2-3.8.4

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 4 Adrian Schröter 2020-07-13 09:46:10 UTC