Main Vulnerability Database Vulnerabilities #VU33271

#VU33271 Data Handling in libarchive - CVE-2016-5418

Published: September 21, 2016 / Updated: August 3, 2020

Vulnerability identifier: #VU33271

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-5418

CWE-ID: CWE-19

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
libarchive

Software vendor:
libarchive

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.

Remediation

Install update from vendor's website.

External links

http://rhn.redhat.com/errata/RHSA-2016-1844.html
http://rhn.redhat.com/errata/RHSA-2016-1850.html
http://www.openwall.com/lists/oss-security/2016/08/09/2
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.securityfocus.com/bid/93165
https://access.redhat.com/errata/RHSA-2016:1852
https://access.redhat.com/errata/RHSA-2016:1853
https://bugzilla.redhat.com/show_bug.cgi?id=1362601
https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
https://github.com/libarchive/libarchive/issues/746
https://security.gentoo.org/glsa/201701-03

#VU33271 Data Handling in libarchive - CVE-2016-5418

Description

Remediation

External links

Please verify you're human