CVE-2021-31566: 
Splunk Forwarder vulnerability analysis and mitigation

CVE-2021-31566 is an improper link resolution vulnerability in libarchive that was discovered in 2021. The flaw occurs while extracting an archive, leading to unauthorized changes of modes, times, access control lists, and flags of files outside the archive. This vulnerability affects libarchive versions up to (excluding) 3.5.2 and various systems and applications that use this library (NVD, Red Hat).

The vulnerability stems from an improper link resolution mechanism during archive extraction. When processing fixup entries, if a directory entry is marked for post-processing and a symlink entry with the same path replaces the directory, the postprocessing may incorrectly alter the link target instead of the file itself. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, GitHub Issue).

The vulnerability allows a local attacker to gain elevated privileges in a system by providing a malicious archive to a victim user. When the victim attempts to extract the archive, the flaw can be triggered, potentially leading to unauthorized modification of files outside the intended extraction scope (NVD).

The vulnerability was fixed in libarchive version 3.5.2. The fix involves using lchmod() instead of chmod() and modifying the handling of symbolic links during the fixup process. Multiple patches were implemented to address this issue, including b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 and subsequent improvements (GitHub Commit, Debian Advisory).