CVE-2021-23177
NixOS vulnerability analysis and mitigation

Overview

CVE-2021-23177 is a security vulnerability in libarchive that was discovered and fixed in version 3.5.2. It is an improper link resolution flaw during archive extraction that can change the access control list (ACL) of a symbolic link's target. When an archive entry is a symbolic link with ACLs defined, extraction on Linux modifies the ACLs of the link target, because acl_set_file() is called without first checking that the path is not a symbolic link (Debian Security, GitHub Issue).

Technical details

The flaw arises because libarchive tries to set ACLs on symbolic links, which Linux does not support: acl_set_file() follows the link, so the ACLs are applied to the link target instead. The fix adds a check so that acl_set_file() is not called for symbolic link entries, whose targets would otherwise be modified unintentionally (GitHub Commit).
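The check the fix relies on is the distinction between stat(2), which follows a symbolic link, and lstat(2), which inspects the link itself. The following C program is an added example written for this page, not libarchive's own code: it builds a constructed fixture (a regular file plus a symlink to it in a temporary directory), shows that stat() on the link resolves to the target's inode, and wraps a hypothetical ACL-setting hook (apply_acl_guarded, with a callback standing in for acl_set_file(3) so the example builds without libacl) in an lstat-based guard that skips symlink entries.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the pre-check an extractor should run before any per-path
 * metadata call that follows symlinks (on Linux, acl_set_file(3) does). */
enum acl_target_check {
    ACL_TARGET_ERROR = -1,     /* lstat failed: do not touch anything */
    ACL_TARGET_OK = 0,         /* not a symlink: safe to set the ACL by path */
    ACL_TARGET_IS_SYMLINK = 1  /* skip: Linux cannot store ACLs on symlinks */
};

/* lstat(2) inspects the link itself; stat(2) would report the target,
 * which is the confusion that let the target's ACL be rewritten. */
enum acl_target_check check_acl_target(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return ACL_TARGET_ERROR;
    return S_ISLNK(st.st_mode) ? ACL_TARGET_IS_SYMLINK : ACL_TARGET_OK;
}

/* Hypothetical extractor hook (not libarchive's). `apply` stands in for
 * the real ACL call, acl_set_file(3) in libacl, which is not linked here.
 * Returns 1 if the ACL was applied, 0 if skipped, -1 on error. */
int apply_acl_guarded(const char *path, int (*apply)(const char *))
{
    switch (check_acl_target(path)) {
    case ACL_TARGET_OK:         return apply(path) == 0 ? 1 : -1;
    case ACL_TARGET_IS_SYMLINK: return 0;
    default:                    return -1;
    }
}

/* Shows why following the link is dangerous: stat(2) on the link reports
 * the same inode as the target, so a by-path metadata call lands there.
 * Returns 1 if they match, 0 if not, -1 on error. */
int stat_resolves_to_target(const char *link, const char *target)
{
    struct stat via_link, direct;
    if (stat(link, &via_link) != 0 || stat(target, &direct) != 0)
        return -1;
    return via_link.st_dev == direct.st_dev && via_link.st_ino == direct.st_ino;
}

/* Constructed fixture: a temp dir holding a regular file and a symlink
 * pointing at it. Writes both paths into the caller's buffers. */
int make_fixture(char *file_out, char *link_out, size_t n)
{
    char dir[] = "/tmp/aclchkXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file_out, n, "%s/target.txt", dir);
    snprintf(link_out, n, "%s/link", dir);
    FILE *f = fopen(file_out, "w");
    if (f == NULL)
        return -1;
    fputs("constructed target file\n", f);
    fclose(f);
    return symlink(file_out, link_out);
}

/* Counting stand-in for the ACL call, so a caller can see whether the
 * guard let the call through. */
static int g_acl_calls;
static int count_acl_call(const char *path) { (void)path; g_acl_calls++; return 0; }

int main(void)
{
    char file[256], link[256];
    if (make_fixture(file, link, sizeof file) != 0) {
        perror("fixture");
        return 1;
    }
    printf("stat(link) resolves to target: %d\n", stat_resolves_to_target(link, file));
    printf("ACL on regular file: %d\n", apply_acl_guarded(file, count_acl_call));
    printf("ACL on symlink:      %d\n", apply_acl_guarded(link, count_acl_call));
    printf("real ACL calls made: %d\n", g_acl_calls);
    return 0;
}
```

Run as-is it prints that stat() on the link resolves to the target (1), that the ACL call went through for the regular file (1) and was skipped for the symlink (0), and that exactly one stand-in ACL call was made. The guard is deliberately by-path rather than by-descriptor because acl_set_file() takes a path; an extractor that can instead open the entry with O_NOFOLLOW and use the descriptor-based acl_set_fd() avoids the time-of-check gap between lstat() and the ACL call.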

Impact

An attacker could exploit this vulnerability by providing a malicious archive to a victim, who triggers the flaw when extracting it. Successful exploitation could allow a local attacker to change the ACL of files on the system and potentially gain elevated privileges (Ubuntu Security).

Mitigation and workarounds

The vulnerability has been fixed in libarchive version 3.5.2 and later. Various Linux distributions have backported the fix to their maintained versions. For example, Debian has addressed this in version 3.4.3-2+deb11u1 for bullseye, and Red Hat has included fixes in their security updates. Users are advised to update their libarchive packages to the latest available version (Debian Security, Red Hat Bugzilla).


Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-61619  HIGH      7.5    NixOS         android         No                No       Dec 01, 2025
CVE-2025-61618  HIGH      7.5    NixOS         android         No                No       Dec 01, 2025
CVE-2025-61617  HIGH      7.5    NixOS         android         No                No       Dec 01, 2025
CVE-2025-61610  HIGH      7.5    NixOS         android         No                No       Dec 01, 2025
CVE-2025-65622  MEDIUM    5.4    PHP           snipe/snipe-it  No                Yes      Dec 01, 2025
