SecurityWeek

Several Vulnerabilities Patched in Libarchive Library

The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.

Libarchive is a programming library that can be used to create and read several streaming archive formats. Originally developed for FreeBSD, the library is currently used in many software products, including Linux package managers, archiving tools and file browsers.

Researchers at Cisco Talos discovered that the library is plagued by three severe flaws. One of them, tracked as CVE-2016-4300, is an integer overflow that allows an attacker to execute arbitrary code using specially crafted 7-Zip files. The attacker can exploit the vulnerability by getting the target to process a malicious 7-Zip file via Libarchive.

The other vulnerabilities, identified as CVE-2016-4301 and CVE-2016-4302, are a stack-based buffer overflow and a heap corruption – both of which can lead to arbitrary code execution via specially crafted files.

“The root cause of these libarchive vulnerabilities is a failure to properly validate input – data being read from a compressed file. Sadly, these types of programming errors occur over, and over again,” Cisco researchers explained in a blog post. “When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected. These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems.”
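The failure mode Talos describes, a length field read from an archive that is trusted in arithmetic before it is validated, is illustrated below with a constructed toy header format. This is an added example written for this page; it is not libarchive's 7-Zip reader, and the header layout, the `naive_payload_ok`/`checked_payload_ok` functions and the sample values are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical 8-byte header for a toy archive format (constructed for this
 * example; not libarchive's 7-Zip format):
 *   bytes 0-3  entry count      (little-endian uint32)
 *   bytes 4-7  bytes per entry  (little-endian uint32)
 * followed by count * size bytes of entry data. */
#define HDR_LEN 8

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: count * size is computed in 32 bits, so a crafted
 * pair wraps to a small value, the bounds check passes, and later code that
 * walks count entries of size bytes reads or writes past the buffer. */
int naive_payload_ok(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return 0;
    uint32_t count = rd32le(buf), size = rd32le(buf + 4);
    uint32_t total = count * size;            /* may silently wrap */
    return total <= len - HDR_LEN;
}

/* Hardened pattern: refuse any header whose product would overflow, then
 * compare the exact payload length with what was actually received. */
int checked_payload_ok(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return 0;
    uint32_t count = rd32le(buf), size = rd32le(buf + 4);
    if (size != 0 && count > UINT32_MAX / size) return 0;   /* overflow */
    uint64_t total = (uint64_t)count * size;  /* exact, no wrap possible */
    return total <= len - HDR_LEN;
}

/* Build a header plus payload_len bytes of filler and run one of the two
 * checks on it; returns that check's verdict (1 = accepted, 0 = rejected). */
int check_header(int use_checked, uint32_t count, uint32_t size, size_t payload_len) {
    uint8_t buf[HDR_LEN + 64];
    if (payload_len > 64) return -1;
    for (int i = 0; i < 4; i++) {
        buf[i]     = (uint8_t)(count >> (8 * i));
        buf[4 + i] = (uint8_t)(size  >> (8 * i));
    }
    memset(buf + HDR_LEN, 0x41, payload_len);
    size_t len = HDR_LEN + payload_len;
    return use_checked ? checked_payload_ok(buf, len) : naive_payload_ok(buf, len);
}
```

With count 0x10000001 and size 16, the 32-bit product wraps to 16, so the naive check accepts a 16-byte payload that is four gigabytes short, while the overflow-aware check rejects it.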

The flaws were addressed on Monday with the release of Libarchive 3.2.1, which also patches an integer overflow that can be exploited via malformed ISO files. This issue was discovered by researcher Hanno Böck using the American Fuzzy Lop (AFL) fuzzer developed by Google’s Michał Zalewski.

Last month, CERT/CC warned that Libarchive was plagued by a heap-based buffer overflow that allowed an attacker to execute arbitrary code in the context of the targeted user via a malicious ZIP file. The issue, tracked as CVE-2016-1541, was reported by Rock Stevens and Andrew Ruef, and independently by Cisco’s Marcin Noga. CVE-2016-1541 was patched on May 1 with the release of Libarchive 3.2.0.

Libarchive is not the only archive and compression library found to be vulnerable by Cisco Talos researchers. In March, the company published an advisory describing a potential arbitrary code execution flaw in the Lhasa library.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.