PublicDateAtUSN: 2016-09-21
Candidate: CVE-2016-5418
PublicDate: 2016-09-21 14:25:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5418
 https://ubuntu.com/security/notices/USN-3225-1
Description:
 The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink
 archive entries of non-zero data size, which might allow remote attackers
 to write to arbitrary files via a crafted archive file.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837714
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_libarchive:
 upstream: https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
 upstream: https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
 upstream: https://github.com/libarchive/libarchive/commit/063ea3ea3fcb569a380b2ebe9c9ddd8bd6ce0d49
 upstream: https://github.com/libarchive/libarchive/commit/50952acd22df3326c49771f5e5ba48630899468c
 upstream: https://github.com/libarchive/libarchive/commit/dc1882e4ab48c3b1c11a596e9f577c43a5592dfb
 distro: https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418-variation.patch;jsessionid=1dexz8h9qdewibih5aonbu3 (1/2)
 distro: https://git.centos.org/blob/rpms!libarchive.git/9952851f8b327a8c93d26a5873c190c1fb09ae6c/SOURCES!libarchive-3.1.2-CVE-2016-5418.patch;jsessionid=1dexz8h9qdewibih5aonbu3 (2/2)
upstream_libarchive: released (3.2.1-4)
precise_libarchive: released (3.0.3-6ubuntu1.4)
trusty_libarchive: released (3.1.2-7ubuntu2.4)
trusty/esm_libarchive: released (3.1.2-7ubuntu2.4)
vivid/stable-phone-overlay_libarchive: DNE
vivid/ubuntu-core_libarchive: DNE
xenial_libarchive: released (3.1.2-11ubuntu0.16.04.3)
esm-infra/xenial_libarchive: released (3.1.2-11ubuntu0.16.04.3)
yakkety_libarchive: released (3.2.1-2ubuntu0.1)
devel_libarchive: not-affected (3.2.1-6)