PT-2020-8615 · Opensuse · Xar

Published 2026-06-22 · Updated 2026-06-23 · CVE-2018-17094

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
This update for xar fixes the following issues:
Changes in xar:
  • Switch to the maintained Apple xar lineage (build 503, versioned 1.8.0.0.503): the mackyle 1.6.1 fork this package tracked has been dead since 2012, and Debian, Fedora and Gentoo all moved to Apple's xar (apple-oss-distributions/xar). This resolves the long-standing NULL-pointer dereferences in xar_get_path() and xar_unserialize() when parsing malformed archives:
  • CVE-2017-11124 (boo#1047875)
  • CVE-2017-11125 (boo#1047874)
  • CVE-2018-17093 (boo#1108595)
  • CVE-2018-17094 (boo#1108596)

Related Identifiers

CVE-2018-17094
OPENSUSE-SU-2026:11103-1
OPENSUSE-SU-2026:21153-1

Affected Products

Xar