libarchive 3.3.2 allows remote attackers to cause a denial of service (xmldata heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c.
[
{
"source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71",
"id": "CVE-2017-14166-8b8c9fe3",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "atol8",
"file": "libarchive/archive_read_support_format_xar.c"
},
"digest": {
"function_hash": "22896334843526093180736066296199390258",
"length": 252.0
}
},
{
"source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71",
"id": "CVE-2017-14166-d6ce55c2",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "libarchive/archive_read_support_format_xar.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"306826382494510933660800859828621127375",
"263019307768072499342249514957965856663",
"335663963310048766376761345995812168806",
"99099958808001043042586216301068977286",
"202259133909944234003097793124428872639",
"182001944860290744146342507656516228755"
]
}
},
{
"source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71",
"id": "CVE-2017-14166-efb70994",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "atol10",
"file": "libarchive/archive_read_support_format_xar.c"
},
"digest": {
"function_hash": "23263452411327199978277794560809399548",
"length": 239.0
}
}
]