The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.
Libarchive is a programming library that can be used to create and read several streaming archive formats. Originally developed for FreeBSD, the library is currently used in many software products, including Linux package managers, archiving tools and file browsers.
Researchers at Cisco Talos discovered that the library is plagued by three severe flaws. One of them, tracked as CVE-2016-4300, is an integer overflow that allows an attacker to execute arbitrary code using specially crafted 7-Zip files. The attacker can exploit the vulnerability by getting the target to process a malicious 7-Zip file via Libarchive.
The other vulnerabilities, identified as CVE-2016-4301 and CVE-2016-4302, are a stack-based buffer overflow and a heap corruption – both of which can lead to arbitrary code execution via specially crafted files.
“The root cause of these libarchive vulnerabilities is a failure to properly validate input – data being read from a compressed file. Sadly, these types of programming errors occur over, and over again,” Cisco researchers explained in a blog post. “When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected. These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems.”
The flaws were addressed on Monday with the release of Libarchive 3.2.1, which also patches an integer overflow that can be exploited via malformed ISO files. This issue was discovered by researcher Hanno Böck using the American Fuzzy Lop (AFL) fuzzer developed by Google’s Michał Zalewski.
Last month, CERT/CC warned that Libarchive was plagued by a heap-based buffer overflow that allowed an attacker to execute arbitrary code in the context of the targeted user via a malicious ZIP file. The issue, tracked as CVE-2016-1541, was reported by Rock Stevens and Andrew Ruef, and independently by Cisco’s Marcin Noga. CVE-2016-1541 was patched on May 1 with the release of Libarchive 3.2.0.
Libarchive is not the only archive and compression library found to be vulnerable by Cisco Talos researchers. In March, the company published an advisory describing a potential arbitrary code execution flaw in the Lhasa library.