2054465 – libarchive: Extracting a symlink with ACLs modifies ACLs of target

Bug 2054465 - libarchive: Extracting a symlink with ACLs modifies ACLs of target

Summary: libarchive: Extracting a symlink with ACLs modifies ACLs of target

Keywords:
Status:	CLOSED DUPLICATE of bug 2024245
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2054464
TreeView+	depends on / blocked

Reported:	2022-02-15 01:18 UTC by Todd Cullum
Modified:	2022-02-15 19:18 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-02-15 19:16:49 UTC
Embargoed:

Attachments	(Terms of Use)

Description Todd Cullum 2022-02-15 01:18:33 UTC

In libarchive before 3.5.2, when an archive entry contains a symbolic link that has defined ACLs on Linux, on extraction the ACLs of the link target are modified. This is because the function acl_set_file() is used without a prior check if the file is not a symbolic link. On Linux ACLs on symbolic links are not supported.

Upstream issue:
https://github.com/libarchive/libarchive/issues/1565

Upstream patch:
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2024245

Comment 3 Todd Cullum 2022-02-15 19:16:49 UTC


*** This bug has been marked as a duplicate of bug 2024245 ***

Note You need to log in before you can comment on or make changes to this bug.

bdettelb
caswilli
databases-maint
dhalasz
fjansen
jburrell
jnakfour
jwong
kaycoth
ljavorsk
micjohns
mike
mmuzila
ndevos
odubaj
panovotn
pkubat
praiskup
psegedy
sthirugn
tkasparek
tsasak
vkrizan
vmugicag
zmiklank