libarchive does not properly terminate loop

Overview

libarchive contains a vulnerability that may allow an attacker to cause a denial of service.

Description

The libarchive library provides an interface for reading and writing archive files.

There is a vulnerability in libarchive that occurs when it parses the pax interchange format. If an archive prematurely ends within a pax extension, libarchive may enter an infinite loop.

---

Impact

A remote, unauthenitcated attacker may be able to cause a denial of service condition.

---

Solution

Upgrade
Multiple operating system vendors have released an update to address this issue. Administrators should the systems affected portion of this document for more information.

---

Vendor Information

970849

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Debian GNU/Linux __ Affected

Updated: March 20, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.debian.org/security/2008/dsa-1455&gt; for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23970849 Feedback>).

FreeBSD, Inc. __ Affected

Updated: March 20, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc&gt; for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23970849 Feedback>).

Gentoo Linux __ Affected

Updated: March 20, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.gentoo.org/security/en/glsa/glsa-200708-03.xml&gt; for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23970849 Feedback>).

SUSE Linux __ Affected

Updated: March 20, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.novell.com/linux/security/advisories/2007_15_sr.html&gt; for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23970849 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <https://vulners.com/cve/CVE-2007-3644&gt;
• <https://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html&gt;
• <http://security.freebsd.org/advisories/FreeBSD-SA-07:05.libarchive.asc&gt;
• <http://people.freebsd.org/~kientzle/libarchive/&gt;

Acknowledgements

Theanks to CERT-FI and CPNI for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2007-3644
Severity Metric:	1.35 Date Public: