An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1494 Final 1.0 1.0 2022-01-22 Initial 2022-01-22 2022-01-22 openEuler SA Tool V1.0 2022-01-22 libarchive security update An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3. is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use . Security Fix(es): Incorrect link resolution flaws can occur when extracting archives, resulting in changes to the mode, time, access control list, and flags of files outside the archive. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to gain additional privileges on the system.(CVE-2021-31566) Incorrect link resolution flaws when using ACLs to extract symbolic links can lead to changes to the access control list (ACL) of the link target. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to change the ACL of a file on the system and gain more permissions.(CVE-2021-23177) An update for libarchive is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium libarchive https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1494 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-31566 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-23177 https://nvd.nist.gov/vuln/detail/CVE-2021-31566 https://nvd.nist.gov/vuln/detail/CVE-2021-23177 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 libarchive-debuginfo-3.4.3-4.oe1.aarch64.rpm libarchive-debugsource-3.4.3-4.oe1.aarch64.rpm libarchive-devel-3.4.3-4.oe1.aarch64.rpm libarchive-3.4.3-4.oe1.aarch64.rpm libarchive-debuginfo-3.4.3-4.oe1.aarch64.rpm libarchive-devel-3.4.3-4.oe1.aarch64.rpm libarchive-debugsource-3.4.3-4.oe1.aarch64.rpm libarchive-3.4.3-4.oe1.aarch64.rpm libarchive-3.4.3-4.oe1.aarch64.rpm libarchive-debugsource-3.4.3-4.oe1.aarch64.rpm libarchive-devel-3.4.3-4.oe1.aarch64.rpm libarchive-debuginfo-3.4.3-4.oe1.aarch64.rpm libarchive-help-3.4.3-4.oe1.noarch.rpm libarchive-help-3.4.3-4.oe1.noarch.rpm libarchive-help-3.4.3-4.oe1.noarch.rpm libarchive-3.4.3-4.oe1.src.rpm libarchive-3.4.3-4.oe1.src.rpm libarchive-3.4.3-4.oe1.src.rpm libarchive-debuginfo-3.4.3-4.oe1.x86_64.rpm libarchive-3.4.3-4.oe1.x86_64.rpm libarchive-debugsource-3.4.3-4.oe1.x86_64.rpm libarchive-devel-3.4.3-4.oe1.x86_64.rpm libarchive-debugsource-3.4.3-4.oe1.x86_64.rpm libarchive-3.4.3-4.oe1.x86_64.rpm libarchive-debuginfo-3.4.3-4.oe1.x86_64.rpm libarchive-devel-3.4.3-4.oe1.x86_64.rpm libarchive-debuginfo-3.4.3-4.oe1.x86_64.rpm libarchive-3.4.3-4.oe1.x86_64.rpm libarchive-devel-3.4.3-4.oe1.x86_64.rpm libarchive-debugsource-3.4.3-4.oe1.x86_64.rpm Incorrect link resolution flaws can occur when extracting archives, resulting in changes to the mode, time, access control list, and flags of files outside the archive. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to gain additional privileges on the system. 2022-01-22 CVE-2021-31566 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 Medium 4.4 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L libarchive security update 2022-01-22 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1494 Incorrect link resolution flaws when using ACLs to extract symbolic links can lead to changes to the access control list (ACL) of the link target. An attacker could deliver malicious archives to victim users, triggering this vulnerability when they attempt to extract the archives. A local attacker could exploit this vulnerability to change the ACL of a file on the system and gain more permissions. 2022-01-22 CVE-2021-23177 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 Medium 6.6 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L libarchive security update 2022-01-22 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1494