Severe flaws patched in libarchive, dependent projects urged to follow
Three severe bugs that could be easily exploited to perform arbitrary code execution have been patched with version 3.2.1 of the libarchive open source multi-format archive and compression library.
That would be the end of the problem if not for the fact that the library is widely used in several Linux and Unix-like distributions, many package managers, archiving tools, file browsers, and some security software.
The developers of some of these software packages have already shipped the new version of the library, while others will hopefully do so soon.
In the meantime Cisco Talos has shared more technical details about the three flaws, which were discovered by researcher Marcin Noga.
All three (CVE-2016-4300, CVE-2016-4301, CVE-2016-4302) can be triggered by the target processing specially crafted, malformed files (7-zip, mtree, or rar). Getting a user to do so is as simple as disguising the file as something the user wants or needs to unpack and look at.
“The root cause of these libarchive vulnerabilities is a failure to properly validate input – data being read from a compressed file. Sadly, these types of programming errors occur over, and over again,” Cisco Talos researchers noted.
“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected. These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems. Users are encouraged to patch all relevant programs as quickly as possible.”
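The failure Talos describes, trusting a count or length field read from the file itself, is the classic archive-parser bug. The following C snippet is an added illustration, not libarchive code and not one of the three patched functions: it parses a hypothetical, made-up index format (a 32-bit entry count, then per entry a 16-bit name length, the name, a 32-bit data length and the data) and checks every field against the bytes actually present before using it as an allocation size, copy length or offset. The sample inputs are constructed for the example.

```c
/* Added example: validating untrusted count/length fields in a hypothetical
 * archive index format. Not libarchive code; the format is invented here.
 * Layout (all little-endian): u32 entry_count, then per entry:
 *   u16 name_len, name bytes, u32 data_len, data bytes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_ENTRIES 4096   /* sanity bound on a count read from the file */
#define MAX_NAME    255    /* fixed storage per name, so name_len must fit */

typedef struct {
    char name[MAX_NAME + 1];
    const uint8_t *data;   /* points into the input buffer, never copied */
    uint32_t data_len;
} entry_t;

static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Returns the number of entries parsed, or -1 if the input is malformed.
 * Invariant: pos <= len at all times, so len - pos never wraps. Each check
 * compares the declared size against the remaining input rather than
 * adding it to pos first, which is where integer overflow would creep in. */
int parse_index(const uint8_t *buf, size_t len, entry_t *out, size_t out_cap)
{
    size_t pos = 0;
    if (len < 4) return -1;
    uint32_t count = rd_u32(buf);
    pos = 4;
    /* An unchecked count would drive count * sizeof(entry_t) bytes of
     * allocation (which can wrap) or out-of-bounds writes into out[]. */
    if (count > MAX_ENTRIES || count > out_cap) return -1;

    for (uint32_t i = 0; i < count; i++) {
        if (len - pos < 2) return -1;
        uint16_t name_len = rd_u16(buf + pos);
        pos += 2;
        /* Bound both against the fixed name buffer and the remaining input. */
        if (name_len > MAX_NAME || name_len > len - pos) return -1;
        memcpy(out[i].name, buf + pos, name_len);
        out[i].name[name_len] = '\0';
        pos += name_len;

        if (len - pos < 4) return -1;
        uint32_t data_len = rd_u32(buf + pos);
        pos += 4;
        if (data_len > len - pos) return -1;   /* declared length lies */
        out[i].data = buf + pos;
        out[i].data_len = data_len;
        pos += data_len;
    }
    return (int)count;
}

/* Constructed sample inputs (not real archive files). */
static const uint8_t GOOD[] = {
    2,0,0,0,                               /* two entries */
    3,0, 'a','b','c', 2,0,0,0, 0x11,0x22,  /* "abc" with 2 data bytes */
    1,0, 'z',         0,0,0,0              /* "z" with no data */
};
/* Same as GOOD, but the last entry claims 0xFFFFFFFF data bytes. */
static const uint8_t LYING_LEN[] = {
    2,0,0,0, 3,0,'a','b','c', 2,0,0,0,0x11,0x22, 1,0,'z', 0xff,0xff,0xff,0xff
};
/* Declares 1,000,000 entries and supplies none. */
static const uint8_t HUGE_COUNT[] = { 0x40,0x42,0x0f,0x00 };

int demo_good(void)  { entry_t e[8]; return parse_index(GOOD, sizeof GOOD, e, 8); }
int demo_lying(void) { entry_t e[8]; return parse_index(LYING_LEN, sizeof LYING_LEN, e, 8); }
int demo_huge(void)  { entry_t e[8]; return parse_index(HUGE_COUNT, sizeof HUGE_COUNT, e, 8); }

/* 1 if the well-formed sample yields the expected names, else 0. */
int demo_good_names_match(void)
{
    entry_t e[8];
    if (parse_index(GOOD, sizeof GOOD, e, 8) != 2) return 0;
    return strcmp(e[0].name, "abc") == 0 && strcmp(e[1].name, "z") == 0 &&
           e[0].data_len == 2 && e[1].data_len == 0;
}

int main(void)
{
    printf("good=%d lying=%d huge=%d\n", demo_good(), demo_lying(), demo_huge());
    return 0;
}
```

The point of the shape above is that the parser never trusts a number it read from the file: counts are capped against a fixed sanity bound and the caller's storage, and lengths are compared against the remaining input before any copy or pointer arithmetic. A fuzzer fed truncated and length-lying variants of real inputs is the cheapest way to confirm a parser holds this invariant.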
This is the second time in a few months that libarchive has had to patch a code execution flaw arising from improper input validation.