Mmatuska

**Name of the Vulnerable Software and Affected Versions** libarchive (affected versions not specified) **Description** An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libarchive (affected versions not specified) **Description** The issue is related to an improper link resolution flaw that occurs when extracting an archive, potentially allowing an attacker to change modes, times, access control lists, and flags of a file outside of the archive. This could be exploited by a local attacker to gain more privileges in a system by providing a malicious archive to a victim user. The flaw is also associated with the tracking of symbolic links in the libarchive library, which could be exploited by creating a specially crafted link to a malicious file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libarchive versions prior to 3.2.1 **Description** The issue is related to a stack-based buffer overflow in the `parse device` function, which can be triggered by a crafted mtree file. This allows remote attackers to execute arbitrary code. **Recommendations** For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `parse device` function in `archive read support format mtree.c` until a patch is available.