libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in ACL parser - libarchive/archiveacl.c, archiveaclfromtext_l() that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted archive file.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*"
],
"vendor_product": "fedoraproject:fedora",
"extracted_events": [
{
"introduced": "28"
},
{
"last_affected": "28"
},
{
"introduced": "29"
},
{
"last_affected": "29"
},
{
"introduced": "30"
},
{
"last_affected": "30"
}
],
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "15.0"
},
{
"last_affected": "15.0"
}
],
"vendor_product": "opensuse:leap",
"source": "CPE_STRING"
}
]
}