Severe flaws detected in popular compression library

The library is used by software coders to gain access to a variety of compressed file formats.

Programming errors found in libarchive, a popular open source compression library, make software used on a number of platforms vulnerable to exploitation, according to a guest column on the Tripwire blog, The State of Security, by security researcher Graham Cluley.

The flaws have wide-ranging repercussions as the library is used by software coders all over the globe to gain access to a variety of compressed file formats – including zip, tar, 7z, cab and more. Plus, libarchive is a source for many file and package managers embedded in Linux and BSD systems, as well as security tools and file browsers, Cluley wrote.

So it's not a trivial bug, he said. Citing security researchers at Cisco Talos, he explained that the root cause of the three newly detected flaws is a failure to properly validate input – data being read from a compressed file. Bad actors could craft archive files that exploit any one of these vulnerabilities to execute unauthorized malicious code on a user's computer. "All an attacker would need to do is send a poisoned archive file to their intended target," he wrote.

With these so-called common mode failures, miscreants could compromise a variety of programs in a single incursion.

Cluley urged vendors and software developers to upgrade all relevant programs as soon as possible with patches made available by libarchive's maintainers.