CVE-2019-11463

EUVD-2019-3136
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
libarchivelibarchive
𝑥
< 3.4.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libarchive
bookworm
3.6.2-1+deb12u1
fixed
bookworm (security)
3.6.2-1+deb12u1
fixed
bullseye
3.4.3-2+deb11u1
fixed
sid
3.7.4-1.1
fixed
trixie
3.7.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libarchive
bionic
not-affected
cosmic
ignored
disco
not-affected
eoan
not-affected
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/libarchive/libarchive/commit/ba641f73f3d758d9032b3f0e5597a9c6e593a505
https://github.com/libarchive/libarchive/issues/1165
https://access.redhat.com/security/cve/cve-2019-11463
https://github.com/libarchive/libarchive/commit/ba641f73f3d758d9032b3f0e5597a9c6e593a505
https://github.com/libarchive/libarchive/issues/1165