{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-04-11T00:00:00", "descriptions": [{"lang": "en", "value": "The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "USN-3033-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-3033-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libarchive/libarchive/issues/547"}, {"name": "RHSA-2016:1844", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1844.html"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"name": "91424", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/91424"}, {"name": "SUSE-SU-2016:1909", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00025.html"}, {"name": "RHSA-2016:1850", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1850.html"}, {"name": "[oss-security] 20160617 Many invalid memory access issues in libarchive", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/06/17/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security-tracker.debian.org/tracker/CVE-2015-8932"}, {"name": "GLSA-201701-03", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-03"}, {"name": "[oss-security] 20160617 Re: Many invalid memory access issues in libarchive", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/06/17/5"}, {"name": "DSA-3657", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3657"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8932", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-3033-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-3033-1"}, {"name": "https://github.com/libarchive/libarchive/issues/547", "refsource": "CONFIRM", "url": "https://github.com/libarchive/libarchive/issues/547"}, {"name": "RHSA-2016:1844", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-1844.html"}, {"name": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html", "refsource": "MISC", "url": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"name": "91424", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91424"}, {"name": "SUSE-SU-2016:1909", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00025.html"}, {"name": "RHSA-2016:1850", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-1850.html"}, {"name": "[oss-security] 20160617 Many invalid memory access issues in libarchive", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/06/17/2"}, {"name": "https://security-tracker.debian.org/tracker/CVE-2015-8932", "refsource": "CONFIRM", "url": "https://security-tracker.debian.org/tracker/CVE-2015-8932"}, {"name": "GLSA-201701-03", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-03"}, {"name": "[oss-security] 20160617 Re: Many invalid memory access issues in libarchive", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/06/17/5"}, {"name": "DSA-3657", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3657"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:36:30.371Z"}, "title": "CVE Program Container", "references": [{"name": "USN-3033-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-3033-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libarchive/libarchive/issues/547"}, {"name": "RHSA-2016:1844", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1844.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"name": "91424", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/91424"}, {"name": "SUSE-SU-2016:1909", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00025.html"}, {"name": "RHSA-2016:1850", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-1850.html"}, {"name": "[oss-security] 20160617 Many invalid memory access issues in libarchive", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/06/17/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security-tracker.debian.org/tracker/CVE-2015-8932"}, {"name": "GLSA-201701-03", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201701-03"}, {"name": "[oss-security] 20160617 Re: Many invalid memory access issues in libarchive", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/06/17/5"}, {"name": "DSA-3657", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3657"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8932", "datePublished": "2016-09-20T14:00:00", "dateReserved": "2016-06-17T00:00:00", "dateUpdated": "2024-08-06T08:36:30.371Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "matchCriteriaId": "E88A537F-F4D0-46B9-9E37-965233C2A355", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "3A0BA503-3F96-48DA-AF47-FBA37A9D0C48", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "2076747F-A98E-4DD9-9B52-BF1732BCAD3D", "vulnerable": true}, {"criteria": "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "5A633996-2FD7-467C-BAA6-529E16BD06D1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libarchive:libarchive:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC45D478-0BA2-4386-B1D2-E516D9AC28A9", "versionEndIncluding": "3.1.901a", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift."}, {"lang": "es", "value": "La funci\u00f3n compress_bidder_init en archive_read_support_filter_compress.c en libarchive en versiones anteriores a 3.2.0 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de un archivo tar manipulado, lo que desencadena un desplazamiento a la izquierda no v\u00e1lida."}], "id": "CVE-2015-8932", "lastModified": "2018-01-05T02:30:24.900", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-09-20T14:15:18.963", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00025.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-1844.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-1850.html"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2016/dsa-3657"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/06/17/2"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2016/06/17/5"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/91424"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-3033-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://blog.fuzzing-project.org/47-Many-invalid-memory-access-issues-in-libarchive.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/libarchive/libarchive/issues/547"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2015-8932"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201701-03"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2016:1850", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "libarchive-0:2.8.3-7.el6_8", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-09-12T00:00:00Z"}, {"advisory": "RHSA-2016:1844", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "libarchive-0:3.1.2-10.el7_2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-09-12T00:00:00Z"}], "bugzilla": {"description": "libarchive: Undefined behavior / invalid shiftleft in TAR parser", "id": "1348780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1348780"}, "csaw": false, "cvss": {"cvss_base_score": "3.5", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-682", "details": ["The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift.", "Undefined behavior (invalid left shift) was discovered in libarchive, in how Compress streams are identified. This could cause certain files to be mistakenly identified as Compress archives and fail to read."], "name": "CVE-2015-8932", "public_date": "2016-06-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-8932\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-8932"], "threat_severity": "Low", "upstream_fix": "libarchive 3.2.0"}