A stack-based buffer overflow vulnerability was found in bsdtar_expand_char in util.c by invoking bsdtar on a crafted file. It occurs when trying to format a non-printable multibyte character that overflows the 20-byte buffer in safe_fprintf.

Upstream patch:
https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a

CVE assignment:
http://seclists.org/oss-sec/2016/q4/152
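The bounds check this class of bug calls for, as an added example that is not libarchive's code and is not part of the original report: a fixed 20-byte staging buffer is flushed before any byte whose escape might not fit. The names `escape_to_sink`, `sink_write` and `struct sink` are hypothetical. The example assumes a worst case of a four-character octal escape per input byte, and it replaces the multibyte printability test with a plain ASCII check.

```c
#include <stdio.h>
#include <string.h>

#define OUTBUF_SIZE 20  /* staging buffer size named in the report */
#define MAX_ESCAPE   4  /* assumed worst case per input byte: "\ooo" */
struct sink { char data[256]; size_t len; };  /* constructed stand-in for the output stream */

static int sink_write(struct sink *s, const char *buf, size_t n)
{
    if (n >= sizeof(s->data) - s->len) return -1;  /* keep room for the NUL */
    memcpy(s->data + s->len, buf, n);
    s->len += n;
    s->data[s->len] = '\0';
    return 0;
}

/* Escape len bytes into s. Returns the peak fill of the staging buffer, or -1 if the sink is full. */
int escape_to_sink(const unsigned char *src, size_t len, struct sink *s)
{
    char outbuf[OUTBUF_SIZE];
    size_t fill = 0, peak = 0;
    for (size_t i = 0; i < len; i++) {
        /* Reserve room per byte, not per character: flush first if a full escape would not fit. */
        if (fill + MAX_ESCAPE > sizeof(outbuf)) {
            if (sink_write(s, outbuf, fill) != 0) return -1;
            fill = 0;
        }
        unsigned char c = src[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            outbuf[fill++] = (char)c;  /* printable ASCII passes through */
        } else {                       /* simplification: every other byte is escaped */
            outbuf[fill++] = '\\';
            outbuf[fill++] = (char)('0' + ((c >> 6) & 7));
            outbuf[fill++] = (char)('0' + ((c >> 3) & 7));
            outbuf[fill++] = (char)('0' + (c & 7));
        }
        if (fill > peak) peak = fill;
    }
    return sink_write(s, outbuf, fill) != 0 ? -1 : (int)peak;
}

int main(void)
{
    const unsigned char name[] = { 0xFD, 0x80, 0x80, 0x80, 0x80, 0x80 };  /* constructed 6-byte input */
    struct sink s = { {0}, 0 };
    int peak = escape_to_sink(name, sizeof(name), &s);
    printf("%s (peak staging fill %d of %d)\n", s.data, peak, OUTBUF_SIZE);
    return 0;
}
```

Six escaped bytes need 24 characters, so the staging buffer fills to exactly 20 and is flushed before the sixth escape is written.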
Created libarchive3 tracking bugs for this issue:
Affects: epel-6 [bug 1385676]

Created mingw-libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1385674]

Created libarchive tracking bugs for this issue:
Affects: fedora-all [bug 1385673]
Affects: epel-5 [bug 1385675]

*** This bug has been marked as a duplicate of bug 1377926 ***