CVE-2021-23177

NameCVE-2021-23177
DescriptionAn improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2987-1, DLA-3202-1
Debian Bugs1001986

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libarchive (PTS)buster3.3.3-4+deb10u1vulnerable
buster (security)3.3.3-4+deb10u3fixed
bullseye3.4.3-2+deb11u1fixed
bookworm3.6.2-1fixed
sid, trixie3.7.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libarchivesourcestretch3.2.2-2+deb9u3DLA-2987-1
libarchivesourcebuster3.3.3-4+deb10u2DLA-3202-1
libarchivesourcebullseye3.4.3-2+deb11u1
libarchivesource(unstable)3.5.2-11001986

Notes

https://github.com/libarchive/libarchive/issues/1565
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2)
Search for package or bug name: Reporting problems