Libarchive needs patching again

Users, developers, sysadmins – World+Dog, really – need to get busy patching libarchive, after Cisco Talos researchers turned up three new vulnerabilities.

Described here, the bugs all relate to input validation.

CVE-2016-4300 is a heap overflow in its handling of 7zip files: a malicious file can cause an integer overflow, memory corruption, and ultimately code execution.

The second, CVE-2016-4301, is a buffer overflow in the handling of mtree files; and finally, Rar file handling is subject to an exploitable heap overflow, CVE-2016-4302.

The problem for libraries like libarchive is the huge number of programs that depend on them. Quite apart from compression/decompression tools, the libraries are used at the OS-level, in all manner of package managers, file browsers, security software and the like.

Input validation was also behind the March bugs in libarchive, exposing users to attacks via crafted zipfiles.

Vulture South wouldn't be surprised if Rock Stevens' work in February provided the hint that led to Talos' current research. ®