Dev using Libarchive? Patch and push

Input validation bug opens code execution vuln

The popular Libarchive open source compression library needs an update to cover a code execution vulnerability.

The issue was reported to the maintainers in February by Rock Stevens, and has been disclosed now that version 3.2.0 carries the fix.

As the Carnegie Mellon CERT advisory notes, a crafted zip file can be used to make a victim's machine execute arbitrary code.

“A crafted zip file can provide an incorrect compressed size, which may allow an attacker to place arbitrary code on the heap and execute it in the context of the current user. The user must be coerced into unzipping the crafted zip file”, the notice says.
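As an added illustration (not from the article or from the Libarchive project), here is a small Python auditor that cross-checks each zip entry's compressed size across the central directory, the local file header and the bytes actually present in the file, the kind of pre-extraction consistency check that flags the inconsistent-size pattern the advisory describes. The archive it inspects is constructed in memory, and the corruption helper is only a test fixture for exercising the check.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def audit_zip_sizes(data: bytes) -> list:
    """Compare each entry's compressed size in the central directory with its
    local header and with the bytes available; empty list means consistent."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"bad central directory signature at offset {pos}")
            break
        cd_csize, _usize, fn_len, extra_len, comment_len = struct.unpack_from("<IIHHH", data, pos + 20)
        lho = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        pos += 46 + fn_len + extra_len + comment_len
        if data[lho:lho + 4] != LOCAL_SIG:
            findings.append(f"{name}: offset {lho} does not point at a local file header")
            continue
        flags = struct.unpack_from("<H", data, lho + 6)[0]
        lh_csize, _lh_usize, lh_fn_len, lh_extra_len = struct.unpack_from("<IIHH", data, lho + 18)
        data_start = lho + 30 + lh_fn_len + lh_extra_len
        # Flag bit 3 means sizes live in a trailing data descriptor, so a zero local size is legitimate.
        if not (flags & 0x08) and lh_csize != cd_csize:
            findings.append(f"{name}: compressed size mismatch (local {lh_csize}, central {cd_csize})")
        if data_start + max(lh_csize, cd_csize) > cd_offset:
            findings.append(f"{name}: declared compressed size runs past the end of the archive data")
    return findings


def build_sample() -> bytes:
    """Constructed, well-formed archive used as the clean baseline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"constructed sample payload " * 20)
    return buf.getvalue()


def corrupt_first_local_csize(data: bytes, bogus: int) -> bytes:
    """Test fixture: overwrite the compressed-size field of the first local header."""
    lho = data.find(LOCAL_SIG)
    return data[:lho + 18] + struct.pack("<I", bogus) + data[lho + 22:]
```

Running the auditor over an archive before handing it to any extractor gives a cheap, decompressor-independent signal that the size fields disagree with each other or with the file's actual length.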

The vulnerability will be inherited by a bunch of utilities on different operating systems: FreeBSD (its original home), Arch Linux, Chrome OS, and ports in Debian and Gentoo.

The popular OS X Darwinports package manager uses the library, as does NetBSD's pkg_install, Gentoo's/Exherbo's Paludis package manager, and various open source file browsers (like ark in KDE).

There will almost certainly be vendor kit (switches, routers and so on) that embeds the library as well, so Vulture South expects fixes to trickle through for quite some time. ®
