CVE-2021-23177

NameCVE-2021-23177
DescriptionAn improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2987-1, DLA-3202-1, ELA-603-1
Debian Bugs1001986

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libarchive (PTS)jessie, jessie (lts)3.1.2-11+deb8u12fixed
stretch (security)3.2.2-2+deb9u3fixed
stretch (lts), stretch3.2.2-2+deb9u5fixed
buster, buster (lts)3.3.3-4+deb10u4fixed
buster (security)3.3.3-4+deb10u3fixed
bullseye3.4.3-2+deb11u1fixed
bullseye (security)3.4.3-2+deb11u2fixed
bookworm3.6.2-1+deb12u1fixed
bookworm (security)3.6.2-1+deb12u2fixed
sid, trixie3.7.4-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libarchivesourcejessie3.1.2-11+deb8u9ELA-603-1
libarchivesourcestretch3.2.2-2+deb9u3DLA-2987-1
libarchivesourcebuster3.3.3-4+deb10u2DLA-3202-1
libarchivesourcebullseye3.4.3-2+deb11u1
libarchivesource(unstable)3.5.2-11001986

Notes

https://github.com/libarchive/libarchive/issues/1565
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2)

Search for package or bug name: Reporting problems