{"id":"CVE-2016-8687","details":"Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.","modified":"2026-04-11T05:01:00.971186Z","published":"2017-02-15T19:59:00.580Z","related":["SUSE-SU-2016:2911-1","openSUSE-SU-2024:10127-1"],"references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1037668"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/11/msg00037.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00027.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93781"},{"type":"FIX","url":"https://blogs.gentoo.org/ago/2016/09/11/libarchive-bsdtar-stack-based-buffer-overflow-in-bsdtar_expand_char-util-c/"},{"type":"FIX","url":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/10/16/11"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1377926"},{"type":"FIX","url":"https://security.gentoo.org/glsa/201701-03"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libarchive/libarchive","events":[{"introduced":"0"},{"last_affected":"139d0576b51a253732a5ab1f66805dffbf8b00af"},{"fixed":"e37b620fe8f14535d737e89a4dcabaed4517bf1a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.2.1"}]}}],"versions":["v3.0.0a","v3.0.1b","v3.1.900a","v3.2.0","v3.2.1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T05:01:00Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.2"}]}],"vanir_signatures":[{"id":"CVE-2016-8687-2b8436e1","target":{"file":"tar/util.c"},"source":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["274947236785517941576769110957933520277","162673665667336708429251698339556414402","30924440026046384237080647977686539477","6762232481255207823455611895071712144"]},"deprecated":false},{"id":"CVE-2016-8687-f2b8937e","target":{"function":"safe_fprintf","file":"tar/util.c"},"source":"https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a","signature_type":"Function","signature_version":"v1","digest":{"length":1454,"function_hash":"306124670893253162293110805501400168732"},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-8687.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}