CVE-2018-10115

CVE-2018-10115

Name

CVE-2018-10115

Description

Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Issue Tracking	https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/
Exploit	https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
Third Party Advisory	http://www.securitytracker.com/id/1040832
Third Party Advisory	http://www.securityfocus.com/bid/104132

Type

URI

Issue Tracking

https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/

Exploit

https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/

Third Party Advisory

http://www.securitytracker.com/id/1040832

Third Party Advisory

http://www.securityfocus.com/bid/104132

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:7-zip:7-zip::::::::`	7-zip	>= None	<= 18.03

CPE URI

Source package

Min version

Max version

cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*

7-zip

>= None

<= 18.03

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
p7zip	edge-main	16.02-r3	None	fixed
p7zip	3.17-main	16.02-r3	None	fixed
p7zip	3.12-main	16.02-r3	Natanael Copa <ncopa@alpinelinux.org>	fixed
p7zip	3.11-main	16.02-r3	Natanael Copa <ncopa@alpinelinux.org>	fixed
p7zip	3.10-main	16.02-r3	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

p7zip

edge-main

16.02-r3

None

fixed

p7zip

3.17-main