Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-ORACLE8-LIBARCHIVE-5600193
- published 16 May 2023
- disclosed 22 Nov 2022
How to fix?
libarchive to version 0:3.3.3-5.el8 or higher.
This issue was patched in
Note: Versions mentioned in the description apply only to the upstream
libarchive package and not the
libarchive package as distributed by
How to fix? for
Oracle:8 relevant fixed versions and status.
In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."