Summary: <app-arch/libarchive-3.2.2: file overwrite (CVE-2016-5418)
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 598950
Description Ian Zimmerman 2016-10-08 19:31:34 UTC
According to the Red Hat summary: A vulnerability in libarchive exists that allows an archive entry that has type 1 (hardlink) but a non-zero data size to cause a file overwrite. This vulnerability can be leveraged in a way that has a significant security impact (this was not clear at first during initial research by upstream).

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5418

Reproducible: Always
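As an added defensive check (not code from the bug report or from libarchive), the following Python script walks raw ustar headers and flags hardlink entries (typeflag '1') whose header claims a non-zero payload, so such an archive can be rejected before it reaches an extractor; the archive it scans is a fixture constructed inline with the standard tarfile module, and the file names in it are assumptions.

```python
import io
import tarfile

BLOCK = 512  # ustar header and data block size


def _octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal ustar numeric field (0 if blank)."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def scan_hardlink_sizes(data: bytes) -> list:
    """Walk raw ustar headers and return (name, linkname, size) for every
    hardlink entry (typeflag '1') whose header claims a data payload."""
    findings = []
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        size = _octal(hdr[124:136])
        typeflag = hdr[156:157]
        if typeflag == b"1" and size > 0:
            link = hdr[157:257].split(b"\0", 1)[0].decode("utf-8", "replace")
            findings.append((name, link, size))
        # Skip the payload for every entry type, not only regular files, so a
        # link entry that carries a body cannot desynchronise the walk.
        off += BLOCK + -(-size // BLOCK) * BLOCK
    return findings


def build_sample_archive() -> bytes:
    """Constructed fixture (assumed names): a regular file, a benign hardlink,
    and a hardlink whose header claims a 5-byte body, as described in the bug."""
    payload = b"hello"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        reg = tarfile.TarInfo("dir/a.txt")
        reg.size = len(payload)
        tar.addfile(reg, io.BytesIO(payload))
        good = tarfile.TarInfo("dir/b.txt")
        good.type, good.linkname = tarfile.LNKTYPE, "dir/a.txt"
        tar.addfile(good)  # size 0: what a hardlink entry should look like
        bad = tarfile.TarInfo("dir/c.txt")
        bad.type, bad.linkname = tarfile.LNKTYPE, "dir/a.txt"
        bad.size = len(payload)  # non-zero size on a hardlink: the anomaly
        tar.addfile(bad, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, link, size in scan_hardlink_sizes(build_sample_archive()):
        print(f"suspicious hardlink {name} -> {link} carries {size} bytes")
```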
Comment 1 Agostino Sarubbo 2016-10-09 14:23:45 UTC
There are some other vulnerabilities. I guess we will go for 3.2.2 directly.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) 2016-10-31 22:42:11 UTC
commit 44dbb86594383c91dbb21bb471b4c89347325e48
Author: Lars Wendler <firstname.lastname@example.org>
Date:   Mon Oct 31 22:15:42 2016

    app-arch/libarchive: Security bump to version 3.2.2 (bug #596568).

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <email@example.com>
Comment 3 GLSAMaker/CVETool Bot 2016-11-21 10:35:24 UTC
CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418): The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
Comment 4 Aaron Bauman 2016-11-21 10:41:34 UTC
(In reply to GLSAMaker/CVETool Bot from comment #3)
> CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418):
> The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
> archive entries of non-zero data size, which might allow remote attackers
> to write to arbitrary files via a crafted archive file.

CVE is misleading so please ignore the version numbers. Upstream GitHub commits show these were included in 3.2.2 as identified by the previous comments.