Linux users warned to update libarchive to beat flaw

Every now and again, a security vulnerability is discovered in a program with little fanfare, despite the fact that it’s buried in plain sight inside software lots of people depend on.

A good example is libarchive, which has a flaw discovered by Google researchers in May using the ClusterFuzz and OSSFuzz automated ‘fuzzing’ tools and fixed by libarchive’s maintainers on 12 June in version 3.4.0.

Libarchive, for those not familiar with it, is a compression and archiving library originally developed for FreeBSD that has achieved widespread popularity because it functions like a do-everything compressed archive handler supporting file and compression formats including ZIP, gzip, tar, uuencode, 7z, Microsoft CAB, ISO9660 (CD images) and many more.

It’s also used by Debian, Ubuntu, Gentoo, Arch Linux, and the Chromebook Chrome OS, as well as tools such as the Samba Linux-Windows interoperability suite, all of which are now receiving the June patch.

It’s even part of Apple’s macOS and Microsoft’s Windows 10, although neither are thought to be affected by the vulnerability.

The bug is identified as CVE-2019-18408, a high-priority ‘use-after-free’ bug when dealing with a failed archive.

No real-world exploits have been detected but if one existed, it would attempt to use a malicious archive to induce a denial-of-service state or arbitrary code execution.

Obviously, this sets a low bar for an attacker which earns it a CVSS rating of 7.5. However, the real nuisance of this one is simply the inconvenient volume of software using it, which must now be patched.

Given that Google discovered the issue, we suspect the Chrome OS will have quietly been patched over the summer but that still leaves Debian, Ubuntu and many others to get busy.

Given the range of software using libarchive, there’s a lot for attackers to aim at if there are any laggards.

It’s also not the first security issue libarchive has suffered in recent times. A similar vulnerability cropped up in 2016 that led to CVE-2016-1541.

As with that bug, there are no short-term mitigations – so the answer is to update as soon as possible.