Vulnerability in RAR5 File Handling in Libarchive Affects Multiple Distributions
CVE-2020-9308

8.8 HIGH

Key Information:

Vendor

Libarchive

CVE Published:
20 February 2020

What is CVE-2020-9308?

A vulnerability exists in Libarchive's RAR5 support, specifically in the archive_read_support_format_rar5.c module. When unpacking a RAR5 archive with an invalid or corrupted header, such as a header size of zero, the reader can crash with a SIGSEGV (segmentation fault). Because this crash happens during ordinary archive processing, it can disrupt normal operation of any application that extracts untrusted archives through Libarchive, and the fault may have broader impact depending on how the application handles such exceptions. Advisories from Gentoo and Ubuntu, among others, recommend upgrading to Libarchive version 3.4.2 or later to mitigate this issue.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
