{
  "threat_severity" : "Moderate",
  "public_date" : "2019-01-20T00:00:00Z",
  "bugzilla" : {
    "description" : "libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service",
    "id" : "1672892",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1672892"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "libarchive, from commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards), contains a CWE-125 out-of-bounds read vulnerability in the 7zip decompression code, in header_bytes() in archive_read_support_format_7zip.c, that can result in a crash (denial of service). The attack appears to be exploitable when the victim opens a specially crafted 7zip file." ],
  "statement" : "This vulnerability is present in the libarchive package included in Red Hat Virtualization Hypervisor; however, that package is never exposed to archives created by attackers or users, so the vulnerability cannot be exploited.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2019-08-06T00:00:00Z",
    "advisory" : "RHSA-2019:2298",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libarchive-0:3.1.2-12.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-11-05T00:00:00Z",
    "advisory" : "RHSA-2019:3698",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libarchive-0:3.3.2-7.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "redhat-virtualization-host",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1000019\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1000019" ],
  "name" : "CVE-2019-1000019",
  "csaw" : false
}