The developers of Libarchive have released a new version of the open-source library to address several potentially serious vulnerabilities.
Libarchive is a programming library that can be used to create and read several streaming archive formats. Originally developed for FreeBSD, the library is currently used in many software products, including Linux package managers, archiving tools and file browsers.
Researchers at Cisco Talos discovered that the library is plagued by three severe flaws. One of them, tracked as CVE-2016-4300, is an integer overflow that allows an attacker to execute arbitrary code using specially crafted 7-Zip files. The attacker can exploit the vulnerability by getting the target to process a malicious 7-Zip file via Libarchive.
The other two vulnerabilities, CVE-2016-4301 and CVE-2016-4302, are a stack-based buffer overflow in the mtree reader and a heap corruption in the RAR reader respectively; both can likewise lead to arbitrary code execution when a specially crafted file of the corresponding format is processed.
“The root cause of these libarchive vulnerabilities is a failure to properly validate input – data being read from a compressed file. Sadly, these types of programming errors occur over, and over again,” Cisco researchers explained in a blog post. “When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected. These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems.”
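As an added illustration, not code from libarchive or from the Talos advisories, the following constructed parser for a toy archive format shows the class of bug the article describes: an entry count taken from the file header is multiplied by an entry size without checking for wrap-around or against the bytes actually present, so a large count yields a tiny allocation and a huge copy. The hardened sizing routine beside it rejects both conditions. The format, the function names and the sample headers are all invented for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (not 7-Zip, not libarchive): a 4-byte little-endian
 * entry count, followed by fixed-size 16-byte entries. */
#define ENTRY_SIZE 16u

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What a careless parser passes to malloc(): count * ENTRY_SIZE evaluated in
 * 32-bit arithmetic, which silently wraps modulo 2^32 for large counts. */
uint32_t naive_alloc_size(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* How many bytes the same careless parser then copies into that buffer. When
 * this exceeds naive_alloc_size(count) the copy runs off the end of the heap
 * allocation, which is the memory corruption an attacker then shapes. */
uint64_t naive_bytes_copied(uint32_t count)
{
    return (uint64_t)count * ENTRY_SIZE;
}

/* Hardened sizing. Returns the byte size to allocate, or -1 if the header
 * would overflow the multiplication or claims more entries than the archive
 * actually carries (`avail` is the number of body bytes present). */
int64_t checked_alloc_size(uint32_t count, size_t avail)
{
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;                              /* product would wrap */
    uint64_t need = (uint64_t)count * ENTRY_SIZE;
    if (need > avail)
        return -1;                              /* header lies about body size */
    return (int64_t)need;
}

/* Parse a buffer in the toy format with the hardened check. Returns the
 * number of entries read, or -1 if the header is rejected. */
long parse_archive(const unsigned char *buf, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t count = read_le32(buf);
    int64_t need = checked_alloc_size(count, len - 4);
    if (need < 0)
        return -1;
    unsigned char *entries = malloc(need > 0 ? (size_t)need : 1);
    if (entries == NULL)
        return -1;
    memcpy(entries, buf + 4, (size_t)need);   /* now within both buffers */
    free(entries);
    return (long)count;
}

/* Constructed sample inputs. Unlisted bytes are zero-initialised. */
const unsigned char GOOD_ARCHIVE[4 + 2 * ENTRY_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
/* Count 0x10000001: 0x10000001 * 16 = 0x100000010, truncated to 16 bytes,
 * which equals the 16 body bytes present, so a size check done only on the
 * wrapped product passes while the copy would write just over 4 GiB. */
const unsigned char EVIL_ARCHIVE[4 + ENTRY_SIZE] = { 0x01, 0x00, 0x00, 0x10 };

int main(void)
{
    printf("naive alloc for evil header: %u bytes, would copy %llu bytes\n",
           naive_alloc_size(0x10000001u),
           (unsigned long long)naive_bytes_copied(0x10000001u));
    printf("checked parse good: %ld entries\n",
           parse_archive(GOOD_ARCHIVE, sizeof GOOD_ARCHIVE));
    printf("checked parse evil: %ld (rejected)\n",
           parse_archive(EVIL_ARCHIVE, sizeof EVIL_ARCHIVE));
    return 0;
}
```

The two checks in checked_alloc_size are independent and both are needed: the division check catches arithmetic wrap-around regardless of the platform's size_t width, and the comparison against the bytes actually available catches a header that is arithmetically sane but still lies about how much data follows, which is the more common form of the "unvalidated input" failure the Talos post refers to.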
The flaws were addressed on Monday with the release of Libarchive 3.2.1, which also patches an integer overflow that can be exploited via malformed ISO files. This issue was discovered by researcher Hanno Böck using the American Fuzzy Lop (AFL) fuzzer developed by Google’s Michał Zalewski.
Last month, CERT/CC warned that Libarchive was plagued by a heap-based buffer overflow that allowed an attacker to execute arbitrary code in the context of the targeted user via a malicious ZIP file. The issue, tracked as CVE-2016-1541, was reported by Rock Stevens and Andrew Ruef, and independently by Cisco’s Marcin Noga. CVE-2016-1541 was patched on May 1 with the release of Libarchive 3.2.0.
Libarchive is not the only archive and compression library found to be vulnerable by Cisco Talos researchers. In March, the company published an advisory describing a potential arbitrary code execution flaw in the Lhasa library.
Related: “Libotr” Library Flaw Exposes Popular IM Apps
Related: Remote Code Execution Flaw Patched in glibc Library

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
