CVE-2015-8930
libarchive: Endless loop in ISO parser
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself.
bsdtar en libarchive en versiones anteriores a 3.2.0 permite a atacantes remotos provocar una denegación de servicio (bucle infinito) a través de una ISO con un directorio que es miembro de si mismo.
A vulnerability was found in libarchive. A specially crafted ISO file could cause the application to consume resources until it hit a memory limit, leading to a crash or denial of service.
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers. Security Fix: A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive's file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-06-17 CVE Reserved
- 2016-07-14 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
References (13)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2016/06/17/2 | Mailing List |
|
| http://www.openwall.com/lists/oss-security/2016/06/17/5 | Mailing List |
|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/91339 | Vdb Entry | |
| https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/libarchive/libarchive/issues/522 | 2018-01-05 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00025.html | 2018-01-05 | |
| http://rhn.redhat.com/errata/RHSA-2016-1844.html | 2018-01-05 | |
| http://www.debian.org/security/2016/dsa-3657 | 2018-01-05 | |
| http://www.ubuntu.com/usn/USN-3033-1 | 2018-01-05 | |
| https://security.gentoo.org/glsa/201701-03 | 2018-01-05 | |
| https://access.redhat.com/security/cve/CVE-2015-8930 | 2016-09-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1349204 | 2016-09-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Suse Search vendor "Suse" | Linux Enterprise Desktop Search vendor "Suse" for product "Linux Enterprise Desktop" | 12 Search vendor "Suse" for product "Linux Enterprise Desktop" and version "12" | sp1 |
Affected
| ||||||
| Suse Search vendor "Suse" | Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server" | 12 Search vendor "Suse" for product "Linux Enterprise Server" and version "12" | sp1 |
Affected
| ||||||
| Suse Search vendor "Suse" | Linux Enterprise Software Development Kit Search vendor "Suse" for product "Linux Enterprise Software Development Kit" | 12 Search vendor "Suse" for product "Linux Enterprise Software Development Kit" and version "12" | sp1 |
Affected
| ||||||
| Libarchive Search vendor "Libarchive" | Libarchive Search vendor "Libarchive" for product "Libarchive" | <= 3.1.901a Search vendor "Libarchive" for product "Libarchive" and version " <= 3.1.901a" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||