CVE-2017-14166

libarchive 3.3.2 allows remote attackers to cause a denial of service (xmldata heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archivereadsupportformat_xar.c.

References

Affected packages

Git / github.com/libarchive/libarchive

Affected ranges

Type

GIT

Repo

https://github.com/libarchive/libarchive

Events

Introduced

Last affected

98a695399e8e7420635a5448aecde8b0a82fb83a

Fixed

fa7438a0ff4033e4741c807394a9af6207940d71

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.2"
        }
    ]
}

Affected versions

v3.*

v3.0.0a

v3.0.1b

v3.1.900a

v3.2.0

v3.2.1

v3.2.2

v3.3.0

v3.3.1

v3.3.2

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "22896334843526093180736066296199390258",
            "length": 252.0
        },
        "id": "CVE-2017-14166-8b8c9fe3",
        "signature_type": "Function",
        "source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71",
        "deprecated": false,
        "target": {
            "function": "atol8",
            "file": "libarchive/archive_read_support_format_xar.c"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "306826382494510933660800859828621127375",
                "263019307768072499342249514957965856663",
                "335663963310048766376761345995812168806",
                "99099958808001043042586216301068977286",
                "202259133909944234003097793124428872639",
                "182001944860290744146342507656516228755"
            ]
        },
        "id": "CVE-2017-14166-d6ce55c2",
        "signature_type": "Line",
        "source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71",
        "deprecated": false,
        "target": {
            "file": "libarchive/archive_read_support_format_xar.c"
        },
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "23263452411327199978277794560809399548",
            "length": 239.0
        },
        "id": "CVE-2017-14166-efb70994",
        "signature_type": "Function",
        "source": "https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71",
        "deprecated": false,
        "target": {
            "function": "atol10",
            "file": "libarchive/archive_read_support_format_xar.c"
        },
        "signature_version": "v1"
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14166.json"

vanir_signatures_modified

"2026-04-11T04:14:21Z"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "14.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.04"
            }
        ]
    }
]