Summary: | <app-arch/libarchive-3.2.2: file overwrite (CVE-2016-5418) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Ian Zimmerman <nobrowser> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bsd+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 598950 | ||
Bug Blocks: |
Description
Ian Zimmerman
2016-10-08 19:31:34 UTC
there are some other vulnerabilities. I guess we will go for 3.2.2 directly commit 44dbb86594383c91dbb21bb471b4c89347325e48 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Mon Oct 31 22:15:42 2016 app-arch/libarchive: Security bump to version 3.2.2 (bug #596568). Package-Manager: portage-2.3.2 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418): The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file. (In reply to GLSAMaker/CVETool Bot from comment #3) > CVE-2016-5418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418): > The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink > archive entries of non-zero data size, which might allow remote attackers > to > write to arbitrary files via a crafted archive file. CVE is misleading so please ignore the version numbers. Upstream Github commits show these were included in 3.2.2 as identified by the previous comments. This issue was resolved and addressed in GLSA 201701-03 at https://security.gentoo.org/glsa/201701-03 by GLSA coordinator Thomas Deutschmann (whissi). |