Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Several Vulnerabilities Patched in Libarchive Library

The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.

The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.

Libarchive is a programming library that can be used to create and read several streaming archive formats. Originally developed for FreeBSD, the library is currently used in many software products, including Linux package managers, archiving tools and file browsers.

Researchers at Cisco Talos discovered that the library is plagued by three severe flaws. One of them, tracked as CVE-2016-4300, is an integer overflow that allows an attacker to execute arbitrary code using specially crafted 7-Zip files. The attacker can exploit the vulnerability by getting the target to process a malicious 7-Zip file via Libarchive.

The other vulnerabilities, identified as CVE-2016-4301 and CVE-2016-4302, are a stack-based buffer overflow and a heap corruption – both of which can lead to arbitrary code execution via specially crafted files.

“The root cause of these libarchive vulnerabilities is a failure to properly validate input –data being read from a compressed file. Sadly, these types of programming errors occur over, and over again,” Cisco researchers explained in a blog post. “When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected. These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems.”

The flaws were addressed on Monday with the release of Libarchive 3.2.1, which also patches an integer overflow that can be exploited via malformed ISO files. This issue was discovered by researcher Hanno Böck using the American Fuzzy Lop (AFL) fuzzer developed by Google’s Michał Zalewski.

Last month, CERT/CC warned that Libarchive was plagued by a heap-based buffer overflow that allowed an attacker to execute arbitrary code in the context of the targeted user via a malicious ZIP file. The issue, tracked as CVE-2016-1541, was reported by Rock Stevens and Andrew Ruef, and independently by Cisco’s Marcin Noga. CVE-2016-1541 was patched on May 1 with the release of Libarchive 3.2.0.

Libarchive is not the only archive and compression library found to be vulnerable by Cisco Talos researchers. In March, the company published an advisory describing a potential arbitrary code execution flaw in the Lhasa library.

Related: “Libotr” Library Flaw Exposes Popular IM Apps

Related: Remote Code Execution Flaw Patched in glibc Library

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.