CVE-2019-1000020

libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.

CVSS v3.0 6.5 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423	Patch Third Party Advisory
https://github.com/libarchive/libarchive/pull/1120	Third Party Advisory
https://usn.ubuntu.com/3884-1/	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00013.html	Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/	Mailing List Release Notes Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html	Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2298	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3698
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:libarchive:libarchive:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
	cpe:2.3:o:fedoraproject:fedora:29:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:opensuse:leap:15.0:::::::*

Information

Published : 2019-02-04 13:29

Updated : 2020-08-24 10:37

NVD link : CVE-2019-1000020

Mitre link : CVE-2019-1000020

JSON object : View

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

Products Affected

redhat

enterprise_linux_desktop
enterprise_linux_workstation
enterprise_linux_server

fedoraproject

fedora

canonical

ubuntu_linux

opensuse

leap

debian

debian_linux

libarchive

libarchive

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2019-1000020

6.5^/10

4.3^/10

Attach tags to `CVE-2019-1000020`