PatchSiren cyber security CVE debrief

CVE-2016-8687 Libarchive CVE debrief

CVE-2016-8687 is a memory-safety flaw in libarchive that can be triggered when archive-processing code handles a crafted filename containing a non-printable multibyte character. According to the NVD record, the bug can lead to a stack-based buffer overflow and a denial of service. The issue was publicly recorded on 2017-02-15, with patch and advisory references already present in 2016.

Vendor: Libarchive
Product: CVE-2016-8687
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security teams and maintainers responsible for libarchive deployments, downstream packages, archive extraction/listing tools such as bsdtar, and any application that processes untrusted archives or filenames.

Technical summary

NVD describes the issue as a stack-based buffer overflow in safe_fprintf within tar/util.c in libarchive 3.2.1, mapped to CWE-119. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely reachable availability impact with no confidentiality or integrity impact recorded in the advisory. NVD also lists affected CPEs for libarchive 3.2.1 and an openSUSE Leap 42.2 entry, plus references to upstream patch material and third-party advisories.
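The weakness class above (CWE-119 in a routine that escapes a filename for printing) comes down to one invariant: check remaining capacity against the worst-case expansion of the next character before writing it. The following is an added illustration written for this debrief, not libarchive's safe_fprintf; the function name escape_filename and its signature are assumed, and the input strings are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a filename for display into a fixed-size buffer. Any byte that is not
 * plain printable ASCII (backslash included, so output is unambiguous) is
 * emitted as a 4-byte octal escape (\ooo). One input byte can therefore become
 * four output bytes, and a non-printable multibyte character expands once per
 * byte. The capacity check runs BEFORE each write, using that worst case, so
 * the output buffer can never be overrun regardless of input encoding.
 * Returns bytes written (excluding NUL); *truncated is set if input did not fit.
 * Added illustration for this debrief, not libarchive code. */
size_t escape_filename(const char *name, char *out, size_t outsz, int *truncated)
{
    size_t pos = 0;
    *truncated = 0;
    if (outsz == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        int plain = isprint(*p) && *p != '\\';
        size_t need = plain ? 1 : 4;          /* worst-case bytes for this char */
        if (pos + need + 1 > outsz) {         /* +1 keeps room for the NUL      */
            *truncated = 1;
            break;
        }
        if (plain) {
            out[pos++] = (char)*p;
        } else {
            /* Pass the real remaining size, never a fixed count. */
            pos += (size_t)snprintf(out + pos, outsz - pos, "\\%03o", *p);
        }
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    /* Constructed sample: ASCII, a control byte, and a 2-byte UTF-8 sequence. */
    char buf[32];
    int truncated;
    size_t n = escape_filename("a\x01\xC3\xA9", buf, sizeof buf, &truncated);
    printf("%zu bytes, truncated=%d: %s\n", n, truncated, buf);
    return 0;
}
```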

Defensive priority

High

Recommended defensive actions

  • Upgrade libarchive to a version that includes the upstream fix and apply any vendor security updates for packaged distributions.
  • Inventory products and services that bundle or statically link libarchive, then rebuild or redeploy them with patched libraries.
  • Prioritize testing of archive-processing paths that accept attacker-controlled filenames or extracted metadata, especially where multibyte or non-printable characters may appear.
  • Use vendor and distribution advisories linked from the CVE record to confirm backported fixes in your environment.
  • Add regression coverage for archive listing and extraction workflows so fixed builds continue to reject or safely handle malformed filenames.

Evidence notes

Source evidence is limited to the supplied NVD/CVE record and its linked references. The NVD record states the vulnerability, CVSS vector, weakness classification, affected CPEs, and references to an upstream GitHub commit, an oss-security mailing list post, and third-party advisories. No exploit code or reproduction details are included here.

Official resources

Publicly recorded in the CVE/NVD record on 2017-02-15. The linked references show earlier 2016 patch and advisory activity, but the CVE publication date remains 2017-02-15.