CVE-2016-8687 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Libarchive

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-131 — Incorrect Calculation of Buffer Size CWE-121 — Stack-based Buffer Overflow17 documents8 sources

Severity

7.5HIGHNVD

EPSS

1.4%

top 19.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Debian Libarchive Apple IOS +4 more

Timeline

PublishedFeb 15

Latest updateMay 14

Description

Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

▶debiandebian/libarchive< libarchive 3.2.1-5 (bookworm)

▶Debianlibarchive/libarchive< 3.2.1-5+3

▶Ubuntulibarchive/libarchive< 3.1.2-7ubuntu2.4+1

▶NVDlibarchive/libarchive3.2.1

▶Appleapple/ios10.2.1

Patches

Patch: www.openwall.com ↗Patch: blogs.gentoo.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-c42q-jv3x-rq38: Stack-based buffer overflow in the safe_fprintf function in tar/util↗2022-05-14

▶

OSV

libarchive vulnerabilities↗2017-03-09

▶

OSV

CVE-2016-8687: Stack-based buffer overflow in the safe_fprintf function in tar/util↗2017-02-15

▶

📋Vendor Advisories

Ubuntu

libarchive vulnerabilities↗2017-03-09

▶

Apple

CVE-2016-8687: iOS 10.2.1↗2017-01-23

▶

Apple

CVE-2016-8687: tvOS 10.1.1↗2017-01-23

▶

Apple

CVE-2016-8687: macOS Sierra 10.12.3↗2017-01-23

▶

Apple

CVE-2016-8687: watchOS 3.1.3↗2017-01-23

▶

💬Community

Bugzilla

CVE-2016-8687 CVE-2016-8688 CVE-2016-8689 libarchive: various flaws [epel-5]↗2016-10-17

▶

Bugzilla

libarchive: various flaws [fedora-all]↗2016-10-17

▶

Bugzilla

CVE-2016-8687 CVE-2016-8688 CVE-2016-8689 libarchive3: various flaws [epel-6]↗2016-10-17

▶

Bugzilla

CVE-2016-8687 CVE-2016-8688 CVE-2016-8689 mingw-libarchive: various flaws [fedora-all]↗2016-10-17

▶

Bugzilla

CVE-2016-8687 libarchive: stack based buffer overflow in bsdtar_expand_char (util.c) [fedora-all]↗2016-09-23

▶