This site requires JavaScript to be enabled to function correctly, please enable it.
Summary:
CVE-2016-4809 libarchive: Memory allocate error with symbolic links in cpio archives
Product:
[Other] Security Response
Reporter:
Doran Moppert <dmoppert>
Component:
vulnerability Assignee:
Red Hat Product Security <security-response-team>
Status:
CLOSED
ERRATA
QA Contact:
Severity:
low
Docs Contact:
Priority:
low
Version:
unspecified CC:
carnil, jrusnack, ndevos, praiskup, sardella, slawomir
Target Milestone:
--- Keywords:
Security
Target Release:
---
Hardware:
All
OS:
Linux
Whiteboard:
Fixed In Version:
libarchive 3.2.1
Doc Type:
Bug Fix
Doc Text:
A vulnerability was found in libarchive. A specially crafted cpio archive containing a symbolic link to a ridiculously large target path can cause memory allocation to fail, resulting in any attempt to view or extract the archive crashing.
Story Points:
---
Clone Of:
Environment:
Last Closed:
2019-06-08 02:55:00 UTC
Type:
---
Regression:
---
Mount Type:
---
Documentation:
---
CRM:
Verified Versions:
Category:
---
oVirt Team:
---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:
---
Target Upstream Version:
Embargoed:
Bug Depends On:
1352775 , 1352776 , 1353065 , 1353066 , 1353067 , 1353068
Bug Blocks:
1334215
A cpio archive with a ridiculously large symlink can cause memory allocation to fail, resulting in any attempt to view or extract the archive crashing. The failed allocation appears to be handled correctly within libarchive and not lead to further issues. External references: https://github.com/libarchive/libarchive/issues/705 Upstream fix: https://github.com/libarchive/libarchive/commit/fd7e0c02