According to the RedHat summary [1]:

A vulnerability in libarchive exists that allows an archive Entry with type 1 (hardlink), but has a non-zero data size to cause a file overwrite. This vulnerability can be leveraged in a way that has a significant security impact (this was not clear at first during initial research by upstream).

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5418

Reproducible: Always
There are some other vulnerabilities. I guess we will go for 3.2.2 directly.
commit 44dbb86594383c91dbb21bb471b4c89347325e48
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Mon Oct 31 22:15:42 2016

    app-arch/libarchive: Security bump to version 3.2.2 (bug #596568).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418): The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
(In reply to GLSAMaker/CVETool Bot from comment #3)
> CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418):
> The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
> archive entries of non-zero data size, which might allow remote attackers
> to write to arbitrary files via a crafted archive file.

CVE is misleading so please ignore the version numbers. Upstream Github commits show these were included in 3.2.2 as identified by the previous comments.
This issue was resolved and addressed in GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03 by GLSA coordinator Thomas Deutschmann (whissi).
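
One way to check a tar file for the condition the report describes (an entry of type 1, hardlink, that declares a non-zero data size), added here as an example and not taken from this bug report or from libarchive. It assumes plain ustar headers (no pax extended headers overriding the size) and does not verify header checksums; the function names and the sample archive are constructed for illustration.

```python
BLOCK = 512  # tar header and data block size

def _num(field: bytes) -> int:
    """Decode a tar numeric field (octal text, or GNU base-256 if bit 7 set)."""
    if field[0] & 0x80:
        return int.from_bytes(bytes([field[0] & 0x7F]) + field[1:], "big")
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def _str(field: bytes) -> str:
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")

def find_sized_hardlinks(data: bytes):
    """Return (name, linkname, size) for each hardlink entry declaring data."""
    hits, offset = [], 0
    while offset + BLOCK <= len(data):
        hdr = data[offset:offset + BLOCK]
        if hdr == bytes(BLOCK):                # end-of-archive marker
            break
        size = _num(hdr[124:136])
        if hdr[156:157] == b"1" and size > 0:  # typeflag '1' = hardlink
            hits.append((_str(hdr[0:100]), _str(hdr[157:257]), size))
        offset += BLOCK + -(-size // BLOCK) * BLOCK  # header + padded data
    return hits

def _entry(name, typeflag, payload=b"", linkname=b""):
    """Build one constructed ustar entry (header plus padded payload)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name
    h[100:108] = b"0000644\0"
    h[124:136] = b"%011o\0" % len(payload)
    h[148:156] = b" " * 8                      # checksum is computed over spaces
    h[156:157] = typeflag
    h[157:157 + len(linkname)] = linkname
    h[257:265] = b"ustar\x00" + b"00"
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h) + payload + bytes(-len(payload) % BLOCK)

# Constructed sample: a regular file, a normal hardlink, a hardlink with data.
SAMPLE = (
    _entry(b"a.txt", b"0", b"abc")
    + _entry(b"b.txt", b"1", linkname=b"a.txt")
    + _entry(b"c.txt", b"1", b"hello", linkname=b"a.txt")
    + bytes(2 * BLOCK)
)

if __name__ == "__main__":
    print(find_sized_hardlinks(SAMPLE))
```

Only the third entry is reported; the ordinary zero-size hardlink is not flagged.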