CVE-2018-10115

Name
CVE-2018-10115
Description
Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.
NVD Severity
medium

References

| Type | URI |
|---|---|
| Issue Tracking | https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/ |
| Exploit | https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/ |
| Third Party Advisory | http://www.securitytracker.com/id/1040832 |
| Third Party Advisory | http://www.securityfocus.com/bid/104132 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:* | 7-zip | >= None | <= 18.03 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| p7zip | 3.12-main | 16.02-r3 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| p7zip | 3.11-main | 16.02-r3 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| p7zip | 3.10-main | 16.02-r3 | Natanael Copa <ncopa@alpinelinux.org> | fixed |