{"id":"CVE-2016-8687","details":"Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.","modified":"2026-02-21T00:11:44.242188Z","published":"2017-02-15T19:59:00.580Z","related":["SUSE-SU-2016:2911-1","openSUSE-SU-2024:10127-1"],"references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1037668"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/11/msg00037.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00027.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/10/16/11"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93781"},{"type":"ADVISORY","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c/"},{"type":"ADVISORY","url":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-03"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1377926"},{"type":"REPORT","url":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/10/16/11"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1377926"},{"type":"FIX","url":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a"},{"type":"FIX","url":"https://security.gentoo.org/glsa/201701-03"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2016/10/16/11"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libarchive/libarchive","events":[{"introduced":"0"},{"fixed":"e37b620fe8f14535d737e89a4dcabaed4517bf1a"}]}],"versions":["v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.7.1","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v3.0.0a","v3.0.1b","v3.0.2","v3.0.3","v3.0.4","v3.1.0","v3.1.1","v3.1.2","v3.1.900a","v3.1.901a","v3.2.0","v3.2.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-8687.json","vanir_signatures":[{"deprecated":false,"signature_version":"v1","digest":{"line_hashes":["274947236785517941576769110957933520277","162673665667336708429251698339556414402","30924440026046384237080647977686539477","6762232481255207823455611895071712144"],"threshold":0.9},"source":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a","target":{"file":"tar/util.c"},"signature_type":"Line","id":"CVE-2016-8687-2b8436e1"},{"deprecated":false,"signature_version":"v1","digest":{"function_hash":"306124670893253162293110805501400168732","length":1454},"source":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a","target":{"function":"safe_fprintf","file":"tar/util.c"},"signature_type":"Function","id":"CVE-2016-8687-f2b8937e"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}