The libarchive programming library was recently patched against three critical memory-related vulnerabilities that could be abused to execute code on computers running the vulnerable software.
As is the case with most open source software packages, patching the core library is only half the battle; admins must now ensure that third-party software running the library is also fixed, and that’s not an easy task.
“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected,” said Cisco Talos researcher Marcin Noga in a report published Tuesday. “These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems. Users are encouraged to patch all relevant programs as quickly as possible.”
Cisco found and privately disclosed the vulnerabilities to libarchive’s maintainers. Libarchive, which was developed in 2004 for FreeBSD, provides access to the different file archive formats out there, including Zip, tar, pax and others. FreeBSD still makes use of the library as do a number of package managers such as Pacman and XBPS on different Linux distributions. Archiving tools and file browsers such as tarsnap, Springy (on Mac OS X) and Nautilus also use it. GnuWin32, Darwinports, Debian Linux and Gentoo all use ports of libarchive. Libarchive published a running list on its GitHub page.
“Because of the number of products that include libarchive in their handling of compressed files, Talos urges all users to patch/upgrade related, vulnerable software,” Noga said.
The Cisco blog contains technical details on each of the three vulnerabilities, each of which leads to code execution.
The first, CVE-2016-4300, is an integer overflow in libarchive’s 7-Zip handling that can be exploited if an attacker convinces a user to open a malicious 7-Zip archive that libarchive then processes. Cisco said the vulnerability lies in the 7-Zip format support module, libarchive/archive_read_support_format_7zip.c.
Cisco also disclosed a stack-based buffer overflow, CVE-2016-4301, in the mtree format support module, libarchive/archive_read_support_format_mtree.c.
The final issue, CVE-2016-4302, is a heap overflow in the libarchive RAR restart model.
“The root cause of these libarchive vulnerabilities is a failure to properly validate input data being read from a compressed file,” Noga said. “Sadly, these types of programming errors occur over, and over again.”
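To illustrate the input-validation failure Noga describes, here is an added example (not libarchive’s code, and not the actual patched routines): a constructed, hypothetical archive-entry header whose count and entry-size fields are taken from the untrusted file, shown first with the 32-bit multiplication that wraps and then with the checks that reject the header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not libarchive's code: a minimal archive-entry header
 * whose fields come straight from the (untrusted) file. */
struct entry_hdr {
    uint32_t count;      /* number of entries the file claims */
    uint32_t entry_size; /* bytes per entry the file claims */
};

/* Read the header from raw little-endian bytes, refusing truncated input
 * rather than reading past the end of the buffer. */
bool parse_entry_hdr(const uint8_t *buf, size_t len, struct entry_hdr *h) {
    if (buf == NULL || len < 8) return false;
    h->count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
               (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    h->entry_size = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                    (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    return true;
}

/* The bug pattern: count * entry_size is computed in 32 bits and wraps, so a
 * buffer sized from it is far smaller than the data later copied into it. */
uint32_t unchecked_table_size(const struct entry_hdr *h) {
    return h->count * h->entry_size;
}

/* Validated version: reject zero fields, a product that would overflow, and a
 * table larger than the bytes left in the archive. Returns 0 when the header
 * is rejected, otherwise the exact number of bytes to allocate. */
size_t checked_table_size(const struct entry_hdr *h, size_t archive_bytes_left) {
    if (h->count == 0 || h->entry_size == 0) return 0;
    if (h->count > SIZE_MAX / h->entry_size) return 0; /* would overflow */
    size_t need = (size_t)h->count * h->entry_size;
    if (need > archive_bytes_left) return 0;           /* claims more than exists */
    return need;
}

int main(void) {
    /* Constructed hostile header: 0x10000 entries of 0x10001 bytes each. */
    const uint8_t evil[8] = {0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00};
    struct entry_hdr h;
    if (parse_entry_hdr(evil, sizeof evil, &h))
        printf("unchecked=%u checked=%zu\n", unchecked_table_size(&h),
               checked_table_size(&h, 4096));
    return 0;
}
```

The unchecked product of 0x10000 and 0x10001 wraps to 65536, while the checked version returns 0 and the caller never allocates or copies anything.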
Noga, in May, was credited with finding several 7-Zip code execution and file corruption bugs.