libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16. An attacker could use this flaw to cause a denial of service.
Upstream issue: https://github.com/libarchive/libarchive/issues/948
Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1449531]
https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862
I cited the wrong commit; the right one is: https://github.com/libarchive/libarchive/commit/2c8c83b9731ff822fad6cc8c670ea5519c366a14
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2298 https://access.redhat.com/errata/RHSA-2019:2298
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-14503
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:3698 https://access.redhat.com/errata/RHSA-2019:3698