CVE-2018-5996

NameCVE-2018-5996
DescriptionInsufficient exception handling in the method NCompress::NRar3::CDecoder::Code of 7-Zip before 18.00 and p7zip can lead to multiple memory corruptions within the PPMd code, allows remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs888314

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
p7zip-rar (PTS)stretch/non-free16.02-1vulnerable
sid/non-free, bullseye/non-free, buster/non-free16.02-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
p7zip-rarsource(unstable)16.02-2888314

Notes

[stretch] - p7zip-rar <no-dsa> (Non-free not supported)
[jessie] - p7zip-rar <no-dsa> (Non-free not supported)
[wheezy] - p7zip-rar <no-dsa> (Non-free not supported)
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/

Search for package or bug name: Reporting problems