{"id":"CVE-2016-8688","details":"The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.","modified":"2026-04-01T23:55:07.474693Z","published":"2017-02-15T19:59:00.643Z","related":["SUSE-SU-2016:2911-1","openSUSE-SU-2024:10127-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/11/msg00037.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00027.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93781"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-memory-corruptionunknown-crash-in-bid_entry-archive_read_support_format_mtree-c/"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-bid_entry-archive_read_support_format_mtree-c/"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-use-after-free-in-detect_form-archive_read_support_format_mtree-c/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1377923"},{"type":"FIX","url":"https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca"},{"type":"FIX","url":"https://security.gentoo.org/glsa/201701-03"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/10/16/11"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-bid_entry-archive_read_support_format_mtree-c/"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-heap-based-buffer-overflow-in-detect_form-archive_read_support_format_mtree-c/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libarchive/libarchive","events":[{"introduced":"0"},{"last_affected":"139d0576b51a253732a5ab1f66805dffbf8b00af"},{"fixed":"eec077f52bfa2d3f7103b4b74d52572ba8a15aca"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2.1"}]}}],"versions":["v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.7.1","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v3.0.0a","v3.0.1b","v3.0.2","v3.0.3","v3.0.4","v3.1.0","v3.1.1","v3.1.2","v3.1.900a","v3.1.901a","v3.2.0","v3.2.1"],"database_specific":{"vanir_signatures":[{"digest":{"length":769,"function_hash":"223740311993473210139103012324376062846"},"id":"CVE-2016-8688-32674c9e","target":{"function":"next_line","file":"libarchive/archive_read_support_format_mtree.c"},"deprecated":false,"source":"https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["49533266774681543131039842645057671075","321939831539605999812602556020703905102","86327894471780845113511688328954627230","195140934946345616962134847248004045130","216781037651015841101945166112837526521","108166397868030482561271342092105106413","188419350599359671913867752680796738459"]},"id":"CVE-2016-8688-b0001ac3","target":{"file":"libarchive/archive_read_support_format_mtree.c"},"deprecated":false,"source":"https://github.com/libarchive/libarchive/commit/eec077f52bfa2d3f7103b4b74d52572ba8a15aca","signature_type":"Line","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8688.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}