CVE-2019-1000020

libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835: Loop with Unreachable Exit Condition (Infinite Loop) vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.

Weakness

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Software

Name	Vendor	Start Version	End Version
Libarchive	Libarchive	2.8.0 (including)	3.4.0 (excluding)

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00055.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00015.html
https://access.redhat.com/errata/RHSA-2019:2298
https://access.redhat.com/errata/RHSA-2019:3698
https://github.com/libarchive/libarchive/pull/1120
https://github.com/libarchive/libarchive/pull/1120/commits/8312eaa576014cd9b965012af51bc1f967b12423
https://lists.debian.org/debian-lts-announce/2019/02/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBOCC2M6YGPZA6US43YK4INPSJZZHRTG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVXA7PHINVT6DFF6PRLTDTVTXKDLVHNF/
https://usn.ubuntu.com/3884-1/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-1000020
CWE	https://cwe.mitre.org/data/definitions/835.html

Loop with Unreachable Exit Condition ('Infinite Loop')

Weakness

Affected Software

References