NVD Vulnerability Detail

CVE-2013-0211

Summary	Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.
Publication Date	Oct. 1, 2013, 7:55 a.m.
Registration Date	Jan. 26, 2021, 3:32 p.m.
Last Update	Nov. 21, 2024, 10:47 a.m.

CVSS2.0 : MEDIUM
Score	5.0
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:libarchive:libarchive::::::x64::*			3.1.2

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:17:::::::*
cpe:2.3:o:fedoraproject:fedora:18:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:freebsd:freebsd:9.3:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101687.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101687.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101700.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101700.html	Third Party Advisory
5	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101872.html	Third Party Advisory
6	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101872.html	Third Party Advisory
7	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101876.html	Third Party Advisory
8	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101876.html	Third Party Advisory
9	http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html	Third Party Advisory
10	http://lists.opensuse.org/opensuse-updates/2015-03/msg00065.html	Third Party Advisory
11	http://www.mandriva.com/security/advisories?name=MDVSA-2013:147	Third Party Advisory
12	http://www.mandriva.com/security/advisories?name=MDVSA-2013:147	Third Party Advisory
13	http://www.securityfocus.com/bid/58926
14	http://www.securityfocus.com/bid/58926
15	http://www.securitytracker.com/id/1035995	Third Party Advisory VDB Entry
16	http://www.securitytracker.com/id/1035995	Third Party Advisory VDB Entry
17	http://www.ubuntu.com/usn/USN-2549-1	Third Party Advisory
18	http://www.ubuntu.com/usn/USN-2549-1	Third Party Advisory
19	https://bugzilla.redhat.com/show_bug.cgi?id=902998	Issue Tracking Patch
20	https://bugzilla.redhat.com/show_bug.cgi?id=902998	Issue Tracking Patch
21	https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4	Patch
22	https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4	Patch
23	https://www.freebsd.org/security/advisories/FreeBSD-SA-16:23.libarchive.asc	Third Party Advisory
24	https://www.freebsd.org/security/advisories/FreeBSD-SA-16:23.libarchive.asc	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-189	数値処理の問題	https://cwe.mitre.org/data/definitions/189.html

JVN Vulnerability Information

libarchive の archive_write_set_format_zip.c における整数符号エラーの脆弱性

Title	libarchive の archive_write_set_format_zip.c における整数符号エラーの脆弱性
Summary	libarchive の archive_write_set_format_zip.c 内の archive_write_zip_data 関数には、64-bit マシン上で稼働する場合、整数符号エラーの脆弱性が存在します。
Possible impacts	攻撃者により、サービス運用妨害 (クラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 22, 2013, midnight
Registration Date	Oct. 3, 2013, 2:23 p.m.
Last Update	Dec. 19, 2013, 6:25 p.m.

Affected System

libarchive

libarchive 3.1.2 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-0211	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0211
National Vulnerability Database (NVD)
2	CVE-2013-0211	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0211

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-189	https://jvndb.jvn.jp/ja/cwe/CWE-189.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2013-4522	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101876.html
2	FEDORA-2013-4537	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101872.html
3	FEDORA-2013-4576	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101700.html
4	FEDORA-2013-4592	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101687.html
GitHub
5	Limit write requests to at most INT_MAX	https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4
Red Hat Bugzilla
6	Bug 902998	https://bugzilla.redhat.com/show_bug.cgi?id=902998
Security Advisories
7	MDVSA-2013:147	http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:147/?name=MDVSA-2013:147

Change Log

No	Changed Details	Date of change
0	[2013年10月03日] 掲載 [2013年10月23日] CWE による脆弱性タイプ一覧：内容を更新 [2013年12月19日] ベンダ情報：Fedora Project (FEDORA-2013-4522) を追加ベンダ情報：Fedora Project (FEDORA-2013-4537) を追加ベンダ情報：Fedora Project (FEDORA-2013-4576) を追加ベンダ情報：Fedora Project (FEDORA-2013-4592) を追加	Feb. 17, 2018, 10:37 a.m.