Libarchive Security Flaw Discovered

When it comes to security, everyone knows you shouldn't run executable files from an untrustworthy source. Back in the late 1990s, when web users were a little more naive, it was quite common to receive infected email messages with fake attachments.

The attachments usually were disguised as images or mp3s, but a quick look would tell you they were executables. Nevertheless, the promise of illicit images often overwhelmed common sense, and millions of machines were infected.

Since then, we've learned not to open dodgy executable files. But other file types are okay, right? Surely nothing bad could happen if you opened an archive and looked inside it?

Well, it turns out that very bad things can happen—even to Linux users. You don't have to run an executable file compressed in the archive; just opening or decompressing the archive is enough.

How can this happen? It's because of a security flaw in a popular library used by many projects. The library is used in file managers, archive browsers, office software, package managers and many other places too. It's present in open-source software and proprietary applications.

Libarchive is an open-source library that can create and read archives in a range of different formats. It's a very popular library, and it's used in hundreds of applications on several operating systems, including Linux, Chrome OS and OS X. And on Tuesday, June 21, 2016, Cisco's Talos team revealed that it contains three serious security flaws.

These flaws mean that attackers can cause your PC to execute arbitrary malicious code when you open or extract an archive. All they have to do is trick you into downloading it.

How is this possible? Each of the weaknesses revolves around a memory management error that attackers can exploit. When the archive contains a certain pattern of data (such as a specific number of folders), it triggers an error in the code.

Data that should be constrained within a specific area of memory spills over, and this allows attackers to overwrite legitimate code with their own evil instructions.
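The following is an added illustration, not libarchive's code or the patches the Talos team describes: a constructed C parser for a toy "folder table" shows the kind of bounds checks that keep an attacker-chosen count or name length from spilling past fixed-size buffers. The format, constants, samples and function names are invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format (not libarchive's): one byte giving the number of
 * folders, then for each folder one byte of name length plus the name. */
#define MAX_FOLDERS 8
#define NAME_MAX 16

typedef struct {
    size_t count;
    char names[MAX_FOLDERS][NAME_MAX];
} folder_table;

/* Parse buf into out; returns the folder count or -1 if the data is rejected.
 * Every attacker-controlled value is checked before it becomes an index or copy length. */
int parse_folder_table(const uint8_t *buf, size_t len, folder_table *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;
    size_t count = buf[0];
    if (count > MAX_FOLDERS) return -1;        /* bound the count, do not trust it */
    size_t pos = 1;
    for (size_t i = 0; i < count; i++) {
        if (pos >= len) return -1;             /* truncated: length byte missing */
        size_t name_len = buf[pos++];
        if (name_len >= NAME_MAX) return -1;   /* keep room for the terminator */
        if (name_len > len - pos) return -1;   /* name would run past the input */
        memcpy(out->names[i], buf + pos, name_len);
        out->names[i][name_len] = '\0';
        pos += name_len;
    }
    out->count = count;
    return (int)count;
}

/* Constructed samples: a valid table, an oversized count, a truncated name. */
static const uint8_t sample_ok[]    = {2, 3, 'b', 'i', 'n', 3, 'e', 't', 'c'};
static const uint8_t sample_count[] = {200, 1, 'a'};
static const uint8_t sample_trunc[] = {1, 10, 'a', 'b'};
static folder_table parsed;
/* Parse one sample (0 = valid, 1 = oversized count, 2 = truncated name). */
int parse_sample(int which)
{
    const uint8_t *b = which == 0 ? sample_ok : which == 1 ? sample_count : sample_trunc;
    size_t n = which == 0 ? sizeof sample_ok : which == 1 ? sizeof sample_count : sizeof sample_trunc;
    return parse_folder_table(b, n, &parsed);
}
/* Name of folder i from the most recent parse (empty after a rejection). */
const char *parsed_folder(size_t i) { return parsed.names[i]; }
```

Without the count and length checks, the same loop would write past `names[]` on the second and third samples, which is the kind of overflow the article describes.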

You can read the full technical details here.

The Talos team has worked with the libarchive maintainers to fix the flaws, and they have written three patches that address each issue. As I write this, maintainers throughout the Open Source community are updating their software to fix the problem, but it will take some time before every app is updated.

In the meantime, it's worth reviewing your security procedures. Don't open archives from untrustworthy sources. Don't even download them. And keep your system updated—security exploits are discovered all the time, and attackers prey on victims who don't update.