Several Vulnerabilities Patched in Libarchive Library

The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.

Libarchive is a programming library that can be used to create and read several streaming archive formats. Originally developed for FreeBSD, the library is currently used in many software products, including Linux package managers, archiving tools and file browsers.

Researchers at Cisco Talos discovered that the library is plagued by three severe flaws. One of them, tracked as CVE-2016-4300, is an integer overflow that allows an attacker to execute arbitrary code using specially crafted 7-Zip files. The attacker can exploit the vulnerability by getting the target to process a malicious 7-Zip file via Libarchive.

The other vulnerabilities, identified as CVE-2016-4301 and CVE-2016-4302, are a stack-based buffer overflow and a heap corruption – both of which can lead to arbitrary code execution via specially crafted files.

“The root cause of these libarchive vulnerabilities is a failure to properly validate input – data being read from a compressed file. Sadly, these types of programming errors occur over, and over again,” Cisco researchers explained in a blog post. “When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected. These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems.”

The flaws were addressed on Monday with the release of Libarchive 3.2.1, which also patches an integer overflow that can be exploited via malformed ISO files. This issue was discovered by researcher Hanno Böck using the American Fuzzy Lop (AFL) fuzzer developed by Google’s Michał Zalewski.

Last month, CERT/CC warned that Libarchive was plagued by a heap-based buffer overflow that allowed an attacker to execute arbitrary code in the context of the targeted user via a malicious ZIP file. The issue, tracked as CVE-2016-1541, was reported by Rock Stevens and Andrew Ruef, and independently by Cisco’s Marcin Noga. CVE-2016-1541 was patched on May 1 with the release of Libarchive 3.2.0.

Libarchive is not the only archive and compression library found to be vulnerable by Cisco Talos researchers. In March, the company published an advisory describing a potential arbitrary code execution flaw in the Lhasa library.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
