libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.
[ { "signature_type": "Function", "target": { "function": "atol8", "file": "libarchive/archive_read_support_format_xar.c" }, "digest": { "length": 252.0, "function_hash": "22896334843526093180736066296199390258" }, "id": "CVE-2017-14166-8b8c9fe3", "source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71", "signature_version": "v1", "deprecated": false }, { "signature_type": "Line", "target": { "file": "libarchive/archive_read_support_format_xar.c" }, "digest": { "line_hashes": [ "306826382494510933660800859828621127375", "263019307768072499342249514957965856663", "335663963310048766376761345995812168806", "99099958808001043042586216301068977286", "202259133909944234003097793124428872639", "182001944860290744146342507656516228755" ], "threshold": 0.9 }, "id": "CVE-2017-14166-d6ce55c2", "source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71", "signature_version": "v1", "deprecated": false }, { "signature_type": "Function", "target": { "function": "atol10", "file": "libarchive/archive_read_support_format_xar.c" }, "digest": { "length": 239.0, "function_hash": "23263452411327199978277794560809399548" }, "id": "CVE-2017-14166-efb70994", "source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71", "signature_version": "v1", "deprecated": false } ]