Bug 1091758 - (CVE-2018-10115) VUL-0: CVE-2018-10115: p7zip: denial of service (segmentation fault) or arbitrary code execute inside the initialization logic of RAR decoder objects in 7-Zip
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/205186/
CVSSv3:SUSE:CVE-2018-10115:5.3:(AV:L/...
Reported: 2018-05-03 07:00 UTC by Alexander Bergmann
Modified: 2018-05-07 14:43 UTC (History)
Found By: Security Response Team


Description Alexander Bergmann 2018-05-03 07:00:59 UTC
CVE-2018-10115

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before
can lead to usage of uninitialized memory, allowing remote attackers to cause a
denial of service (segmentation fault) or execute arbitrary code via a crafted
RAR archive.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10115
https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
https://www.7-zip.org/download.html
Comment 1 Kristyna Streitova 2018-05-03 11:17:59 UTC
We are not affected as our SLE and openSUSE p7zip packages don't contain RAR support anymore (see bug 1077978).

I'm closing it as invalid and reassigning it back to the security team.