985704 – (CVE-2015-8926) VUL-1: CVE-2015-8926: bsdtar,libarchive: Null pointer access in RAR parser

Bug 985704 (CVE-2015-8926) - VUL-1: CVE-2015-8926: bsdtar,libarchive: Null pointer access in RAR parser

Summary: VUL-1: CVE-2015-8926: bsdtar,libarchive: Null pointer access in RAR parser

Status:	RESOLVED FIXED

Alias:	CVE-2015-8926

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assignee:	Adrian Schröter
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/170292/
Whiteboard:	CVSSv2:SUSE:CVE-2015-8926:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-06-20 15:33 UTC by Marcus Meissner
Modified:	2019-11-25 15:37 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
segfault.rar (64 bytes, application/octet-stream) 2016-06-20 15:35 UTC, Marcus Meissner	Details
aab7393.patch (1.35 KB, patch) 2016-06-20 15:36 UTC, Marcus Meissner	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-06-20 15:33:18 UTC

CVE-2015-8926

> https://github.com/libarchive/libarchive/issues/518
> Null pointer access in RAR parser

Use CVE-2015-8926.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8926
http://seclists.org/oss-sec/2016/q2/566

Comment 1 Marcus Meissner 2016-06-20 15:35:38 UTC

Created attachment 681381 [details]
segfault.rar

QA REPRODUCER:

bsdtar xf segfault.rar

Comment 2 Marcus Meissner 2016-06-20 15:36:14 UTC

Created attachment 681382 [details]
aab7393.patch

commit aab7393

Comment 3 Swamp Workflow Management 2016-06-20 22:03:13 UTC

bugbot adjusting priority

Comment 4 Swamp Workflow Management 2016-07-29 12:11:49 UTC

SUSE-SU-2016:1909-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Server 12-SP1 (src):    libarchive-3.1.2-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libarchive-3.1.2-22.1

Comment 5 Swamp Workflow Management 2016-08-11 15:16:16 UTC

openSUSE-SU-2016:2036-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 984990,985609,985665,985669,985673,985675,985679,985682,985685,985688,985689,985697,985698,985700,985703,985704,985706,985826,985832,985835
CVE References: CVE-2015-8918,CVE-2015-8919,CVE-2015-8920,CVE-2015-8921,CVE-2015-8922,CVE-2015-8923,CVE-2015-8924,CVE-2015-8925,CVE-2015-8926,CVE-2015-8928,CVE-2015-8929,CVE-2015-8930,CVE-2015-8931,CVE-2015-8932,CVE-2015-8933,CVE-2015-8934,CVE-2016-4300,CVE-2016-4301,CVE-2016-4302,CVE-2016-4809
Sources used:
openSUSE Leap 42.1 (src):    libarchive-3.1.2-13.2

Comment 6 Adrian Schröter 2018-10-10 13:36:47 UTC

already done

Comment 10 Alexandros Toptsoglou 2019-11-25 12:45:15 UTC

rar is not supported in bsdtar closing