Bug 1672888 (CVE-2019-1000020) - CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service
Summary: CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_forma...
Alias: CVE-2019-1000020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1672900 1672901 1673150 1673151 1674057
Blocks: 1672899
TreeView+ depends on / blocked
Reported: 2019-02-06 06:31 UTC by Dhananjay Arunesh
Modified: 2021-02-16 22:23 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 19:20:43 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2298 0 None None None 2019-08-06 12:38:24 UTC
Red Hat Product Errata RHSA-2019:3698 0 None None None 2019-11-05 22:05:31 UTC

Description Dhananjay Arunesh 2019-02-06 06:31:01 UTC
libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards
(version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit
Condition ('Infinite Loop') vulnerability in ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can
result in DoS by infinite loop. This attack appears to be exploitable via the
victim opening a specially crafted ISO9660 file.


Comment 1 Dhananjay Arunesh 2019-02-06 07:44:49 UTC
Created libarchive tracking bugs for this issue:

Affects: fedora-all [bug 1672900]

Comment 2 Dhananjay Arunesh 2019-02-06 07:45:18 UTC
Created libarchive tracking bugs for this issue:

Affects: epel-6 [bug 1672901]

Comment 3 Scott Gayou 2019-02-06 17:44:10 UTC
Easily reproduced on Red Hat Enterprise 7 and 8. Did not reproduce on 6 due to a lack of bsdtar, but it looks vulnerable after a brief glance at the source code. Target function (read_ce) seems to use lots of pointer aliasing and I'm unclear what the actual while loop exit condition even means due lack of any comments, but guessing it has to do with the p pointer not getting incremented by read_rockridge.

Comment 6 Dhananjay Arunesh 2019-02-07 14:00:08 UTC
Created libarchive3 tracking bugs for this issue:

Affects: epel-6 [bug 1673424]

Comment 7 Tomas Hoger 2019-02-08 22:00:25 UTC
Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-all [bug 1674057]

Comment 8 Doran Moppert 2019-02-11 00:56:22 UTC

This vulnerability is present in the libarchive package included in Red Hat Virtualization Hypervisor, however it is never exposed to ISO images created by attackers or users, so the vulnerability can not be exploited.

Comment 10 errata-xmlrpc 2019-08-06 12:38:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2298 https://access.redhat.com/errata/RHSA-2019:2298

Comment 11 Product Security DevOps Team 2019-08-06 19:20:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 12 errata-xmlrpc 2019-11-05 22:05:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3698 https://access.redhat.com/errata/RHSA-2019:3698

Note You need to log in before you can comment on or make changes to this bug.