PT-2019-15050 · Libyal · Libfwsi
Published 2019-10-06 · Updated 2024-08-05 · CVE-2019-17263
CVSS v3.1: 3.3 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
libyal libfwsi versions prior to 20191006
Description
The issue is a heap-based buffer over-read in the libfwsi_extension_block_copy_from_byte_stream function in libfwsi_extension_block.c. The function rejects an unsupported extension block size only when the value is less than 6, even though sizes 6 and 7 are also unsupported, so a block declaring one of those sizes is read past its end. The vendor has disputed this issue, as described in the GitHub issue.
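The constructed model below is an added illustration, not libfwsi's own code: it contrasts the pre-fix check as the advisory describes it (only declared sizes below 6 are rejected) with a check that rejects anything shorter than the full header. The 8-byte header layout (2-byte size, 2-byte version, 4-byte signature) and all function and sample names are assumptions; the readers are bounds-checked so the model reports where the over-read would occur instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the size check, not libfwsi's own code. Assumed header
 * layout: 2-byte size, 2-byte version, 4-byte signature (little-endian), so a
 * well-formed extension block is never shorter than 8 bytes. */
#define EXT_HEADER_SIZE 8u
enum parse_result { PARSE_OK = 0, PARSE_REJECTED = 1, PARSE_OVER_READ = 2 };
struct ext_header { uint32_t size, version, signature; };

/* Bounds-checked little-endian reader: it refuses to touch bytes at or beyond
 * `avail`, so the model reports an over-read instead of performing one. */
static int rd_le(const uint8_t *p, size_t avail, size_t off, size_t width, uint32_t *v)
{
    if (off + width > avail) return 0;
    *v = 0;
    for (size_t i = 0; i < width; i++) *v |= (uint32_t)p[off + i] << (8 * i);
    return 1;
}

/* `min_size` is the smallest declared block size the parser accepts. */
static enum parse_result parse_header(const uint8_t *data, size_t data_size,
                                      uint32_t min_size, struct ext_header *h)
{
    if (data == NULL || !rd_le(data, data_size, 0, 2, &h->size)) return PARSE_REJECTED;
    if (h->size < min_size || h->size > data_size) return PARSE_REJECTED;
    /* Past this point the declared size is trusted as the block length, so a
     * caller that sized its buffer from it has only `size` bytes available. */
    if (!rd_le(data, data_size, 2, 2, &h->version)) return PARSE_OVER_READ;
    if (!rd_le(data, data_size, 4, 4, &h->signature)) return PARSE_OVER_READ;
    return PARSE_OK;
}

/* Pre-20191006 behaviour as the advisory describes it: only sizes below 6 are
 * rejected, so 6 and 7 pass and the signature read runs past the block. */
enum parse_result parse_ext_block_weak(const uint8_t *d, size_t n, struct ext_header *h)
{
    return parse_header(d, n, 6, h);
}

/* Hardened check: anything shorter than the full header is unsupported. */
enum parse_result parse_ext_block_fixed(const uint8_t *d, size_t n, struct ext_header *h)
{
    return parse_header(d, n, EXT_HEADER_SIZE, h);
}

/* Constructed samples: a block declaring size 6 (allocated with exactly 6
 * bytes, i.e. at the end of its buffer) and a well-formed 8-byte header. */
const uint8_t SAMPLE_SIZE6[6] = { 0x06, 0x00, 0x03, 0x00, 0xEF, 0xBE };
const uint8_t SAMPLE_SIZE8[8] = { 0x08, 0x00, 0x03, 0x00, 0xEF, 0xBE, 0xAD, 0xDE };
struct ext_header scratch; /* shared out-parameter for quick checks */
```

With SAMPLE_SIZE6 the weak parser passes the size check and then needs bytes 4..7 for the signature, which is the over-read; the hardened parser rejects the block before any further read.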
Recommendations
For versions prior to 20191006, update to version 20191006 or later to resolve the issue. As a temporary workaround, consider restricting the input that reaches the libfwsi_extension_block_copy_from_byte_stream function to prevent exploitation.
Exploit
Fix
Out-of-bounds Read
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Libfwsi