{"id":"USN-3033-1","summary":"libarchive vulnerabilities","details":"Hanno Böck discovered that libarchive contained multiple security issues\nwhen processing certain malformed archive files. A remote attacker could\nuse these issues to cause libarchive to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. (CVE-2015-8916, CVE-2015-8917,\nCVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923,\nCVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8930,\nCVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934, CVE-2016-5844)\n\nMarcin \"Icewall\" Noga discovered that libarchive contained multiple\nsecurity issues when processing certain malformed archive files. A remote\nattacker could use these issues to cause libarchive to crash, resulting in a\ndenial of service, or possibly execute arbitrary code. (CVE-2016-4300,\nCVE-2016-4302)\n\nIt was discovered that libarchive incorrectly handled memory allocation\nwith large cpio symlinks. 
A remote attacker could use this issue to\npossibly cause libarchive to crash, resulting in a denial of service.\n(CVE-2016-4809)\n","modified":"2026-04-22T09:26:28.265552Z","published":"2016-07-14T17:55:04Z","related":["UBUNTU-CVE-2015-8916","UBUNTU-CVE-2015-8917","UBUNTU-CVE-2015-8919","UBUNTU-CVE-2015-8920","UBUNTU-CVE-2015-8921","UBUNTU-CVE-2015-8922","UBUNTU-CVE-2015-8923","UBUNTU-CVE-2015-8924","UBUNTU-CVE-2015-8925","UBUNTU-CVE-2015-8926","UBUNTU-CVE-2015-8928","UBUNTU-CVE-2015-8930","UBUNTU-CVE-2015-8931","UBUNTU-CVE-2015-8932","UBUNTU-CVE-2015-8933","UBUNTU-CVE-2015-8934","UBUNTU-CVE-2016-4300","UBUNTU-CVE-2016-4302","UBUNTU-CVE-2016-4809","UBUNTU-CVE-2016-5844"],"upstream":["CVE-2015-8916","CVE-2015-8917","CVE-2015-8919","CVE-2015-8920","CVE-2015-8921","CVE-2015-8922","CVE-2015-8923","CVE-2015-8924","CVE-2015-8925","CVE-2015-8926","CVE-2015-8928","CVE-2015-8930","CVE-2015-8931","CVE-2015-8932","CVE-2015-8933","CVE-2015-8934","CVE-2016-4300","CVE-2016-4302","CVE-2016-4809","CVE-2016-5844","UBUNTU-CVE-2015-8916","UBUNTU-CVE-2015-8917","UBUNTU-CVE-2015-8919","UBUNTU-CVE-2015-8920","UBUNTU-CVE-2015-8921","UBUNTU-CVE-2015-8922","UBUNTU-CVE-2015-8923","UBUNTU-CVE-2015-8924","UBUNTU-CVE-2015-8925","UBUNTU-CVE-2015-8926","UBUNTU-CVE-2015-8928","UBUNTU-CVE-2015-8930","UBUNTU-CVE-2015-8931","UBUNTU-CVE-2015-8932","UBUNTU-CVE-2015-8933","UBUNTU-CVE-2015-8934","UBUNTU-CVE-2016-4300","UBUNTU-CVE-2016-4302","UBUNTU-CVE-2016-4809","UBUNTU-CVE-2016-5844"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3033-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8916"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8917"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8919"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8920"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8921"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8922"},{"type":"REPORT","url":"https
://ubuntu.com/security/CVE-2015-8923"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8924"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8925"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8926"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8928"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8930"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8931"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8932"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8933"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-8934"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4300"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4302"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4809"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5844"}],"affected":[{"package":{"name":"libarchive","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/libarchive@3.1.2-7ubuntu2.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.2-7ubuntu2.3"}]}],"versions":["3.1.2-5ubuntu1","3.1.2-7ubuntu1","3.1.2-7ubuntu2","3.1.2-7ubuntu2.1","3.1.2-7ubuntu2.2"],"ecosystem_specific":{"binaries":[{"binary_name":"bsdcpio","binary_version":"3.1.2-7ubuntu2.3"},{"binary_name":"bsdtar","binary_version":"3.1.2-7ubuntu2.3"},{"binary_name":"libarchive13","binary_version":"3.1.2-7ubuntu2.3"}],"availability":"No subscription 
required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3033-1.json","cves_map":{"cves":[{"id":"CVE-2015-8916","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-8917","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-8919","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-8920","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8921","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8922","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8923","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8924","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8925","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8926","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8928","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8930","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8931","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ub
untu","score":"low"}]},{"id":"CVE-2015-8932","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8933","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8934","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-4300","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-4302","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-4809","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2016-5844","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:14.04:LTS"}}},{"package":{"name":"libarchive","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libarchive@3.1.2-11ubuntu0.16.04.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.2-11ubuntu0.16.04.2"}]}],"versions":["3.1.2-11build1","3.1.2-11ubuntu0.16.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"bsdcpio","binary_version":"3.1.2-11ubuntu0.16.04.2"},{"binary_name":"bsdtar","binary_version":"3.1.2-11ubuntu0.16.04.2"},{"binary_name":"libarchive13","binary_version":"3.1.2-11ubuntu0.16.04.2"}],"availability":"No subscription 
required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3033-1.json","cves_map":{"cves":[{"id":"CVE-2015-8916","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-8917","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-8919","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-8920","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8921","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8922","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8923","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8924","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8925","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8926","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8928","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8930","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8931","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ub
untu","score":"low"}]},{"id":"CVE-2015-8932","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8933","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-8934","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-4300","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-4302","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2016-4809","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2016-5844","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:16.04:LTS"}}}],"schema_version":"1.7.5"}