It was found that libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_get_path function in util.c. A local attacker could cause the application to crash. References: https://blogs.gentoo.org/ago/2017/06/28/xar-null-pointer-dereference-in-xar_get_path-util-c/
It was found that libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_unserialize function in archive.c. A local attacker could cause the application to crash. References: https://blogs.gentoo.org/ago/2017/06/28/xar-null-pointer-dereference-in-xar_unserialize-archive-c/
Created xar tracking bugs for this issue: Affects: fedora-all [bug 1470073]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Fixed in xar-1.8.0.417.1-1