Bug 1672888 (CVE-2019-1000020)
| Summary: | CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | besser82, bmcclain, databases-maint, dblechte, dfediuck, eedri, hhorak, mgoldboi, michal.skrivanek, mike, ndevos, pkubat, praiskup, sbonazzo, security-response-team, sherold, tomm.momi, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-06 19:20:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1672900, 1672901, 1673150, 1673151, 1674057 | ||
| Bug Blocks: | 1672899 | ||
Created libarchive tracking bugs for this issue: Affects: fedora-all [bug 1672900] Created libarchive tracking bugs for this issue: Affects: epel-6 [bug 1672901] Easily reproduced on Red Hat Enterprise 7 and 8. Did not reproduce on 6 due to a lack of bsdtar, but it looks vulnerable after a brief glance at the source code. Target function (read_ce) seems to use lots of pointer aliasing and I'm unclear what the actual while loop exit condition even means due lack of any comments, but guessing it has to do with the p pointer not getting incremented by read_rockridge. Created libarchive3 tracking bugs for this issue: Affects: epel-6 [bug 1673424] Created mingw-libarchive tracking bugs for this issue: Affects: fedora-all [bug 1674057] Statement: This vulnerability is present in the libarchive package included in Red Hat Virtualization Hypervisor, however it is never exposed to ISO images created by attackers or users, so the vulnerability can not be exploited. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2298 https://access.redhat.com/errata/RHSA-2019:2298 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1000020 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3698 https://access.redhat.com/errata/RHSA-2019:3698 |
libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file. References: https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423 https://github.com/libarchive/libarchive/pull/1120