Slashdot Mirror

← Back to Stories (view on slashdot.org)

Severe Flaws Found In Libarchive Open Source Library (talosintel.com)

Posted by msmash on from the security-woes dept.

Reader itwbennett writes: Researchers from Cisco Systems' Talos group have found three memory corruption errors in the widely used open-source library libarchive that can result in arbitrary code execution and can be exploited by passing specially crafted files to applications that contain the vulnerable code. "The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS," writes Lucian Constantin. "Developers can also include the library's code in their own projects, so it's hard to know how many other applications or firmware packages contain it." (Original blog post) So, while the libarchive maintainers have released patches for the flaws, it will likely take a long time for them to trickle down through all the affected projects.

39 of 82 comments (clear)

  1. Goddammit, people! We need to use Rust NOW! by Anonymous Coward · · Score: 1, Funny

    For crying out loud! How long must this continue? We need to start using the Rust programming language and we need to start using it now! If you don't know what Rust is, let me inform you. The Rust web site describes it as "a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety." It has "guaranteed memory safety" and it has "threads without data races" and you get all of this with "zero-cost abstractions"! Rust doesn't just make programming safe. Thanks to its code of conduct the Rust community is a safe space free of intolerance and prejudice, too.

    Essentially, Rust is what C and C++ should have been all along. This submission shows that we badly need what Rust offers. We need the safety of Rust, and we need it now! I don't think we really have any choice. We need to start using Rust for everything! It's the only way we can be sure that the software we're writing is safe and secure.

    1. Re:Goddammit, people! We need to use Rust NOW! by magarity · · Score: 1

      the Rust community is a safe space free of intolerance and prejudice, too

      As evidenced by how their shills start off with "Goddammit, people..."

    2. Re:Goddammit, people! We need to use Rust NOW! by NotInHere · · Score: 4, Insightful

      Its just so funny. Most rust applications as of now only work because they use rust wrappers to native libraries. So even if you wrote your program in rust, if you used this crate, you'd have exactly the same problems as all those c/c++ writers: https://crates.io/crates/libar...

    3. Re:Goddammit, people! We need to use Rust NOW! by Darinbob · · Score: 1

      What's the guarantee say? Perfect safety or your money back?

      All magic bullets are essentially myths. You fix some errors more easily but then get lulled into a false sense of security instead of always being on guard.

    4. Re:Goddammit, people! We need to use Rust NOW! by Darinbob · · Score: 4, Interesting

      Generally it's "please use this new language that has minimal support and is single sourced and apply it to your critical systems now!" It's nice to have new languages, but if we all rushed to the latest one then we'd just be repeating the same mistakes of having a monoculture.

      Remember when Java was the perfect language, designed from the ground up to make sure you can't do anything unsafe with it and it runs in a perfect sandbox that won't harm your computer.

      Now Rust is a nice language. But it'll take a whole lot more than "goddammit people!" to get projects to switch.

    5. Re:Goddammit, people! We need to use Rust NOW! by Darinbob · · Score: 2

      That's why its linker should be called Duck Tape.

    6. Re:Goddammit, people! We need to use Rust NOW! by NotInHere · · Score: 1

      Rust uses the normal C/C++ linker.

    7. Re:Goddammit, people! We need to use Rust NOW! by guruevi · · Score: 1

      The problem with Rust and Java, even though they are safer they are also a lot slower. If you want something to be successful, you need to be able to take existing code and compile it with all the checks and balances of Rust/Java checked during compilation, not runtime. Testing is useful but not quite broad enough, on the other hand, I don't want to insert or be forced to insert a number of runtime range checks when I'm dealing with realtime code on a closed platform.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    8. Re:Goddammit, people! We need to use Rust NOW! by Darinbob · · Score: 1

      This is why I liked the concept in Eiffel. Basically pepper your code with lots of easy to use pre-condititions and post-conditions and develop that way, but in production you can disable those checks so that you don't have abysmal performance. Of course you need training for this, you can't just plop down any old Java programmer and have them do it right. I see code today where people just toss in asserts left and right for things that could be easily handled, so you end up with customers having regular crashes because some developer didn't think that an unexpected type of packet would show up.

    9. Re:Goddammit, people! We need to use Rust NOW! by guruevi · · Score: 1

      Java isn't slow (although library creep quickly makes big programs slow as molasses) but it's still a magnitude slower than C/C++. In recent benchmarks Rust performs as good (or bad) as Java, Haskell and Go and the programs also compile to much (two times) larger binaries. Although that's "okay" for most desktop software (is it?) to be significantly slower, imagine Google, Apple or Amazon suddenly requiring 10-20% more data centers worldwide or instead of the 64k chip, having to purchase the 128k chip for a few million of embedded devices.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  2. Fuck all this by Anonymous Coward · · Score: 2, Funny

    I'm going back to DOS 2.11 on my bone stock original IBM XT.
    HACK THAT! HA!

  3. Fad of the day vs D language by inode_buddha · · Score: 1

    What really amazes me is how people seem completely oblivious to D. The D programming language was the logical heir and successor to C, fixing many of its flaws and extending it in relevant ways.

    --
    C|N>K
    1. Re:Fad of the day vs D language by Darinbob · · Score: 1

      It's a nice language too. It seemed to hit a peak popularity though. Mozilla could have used it but I suspect there's a lot of thinking about how to do even better, better implementation, better tuned to their local needs, etc.

    2. Re:Fad of the day vs D language by phantomfive · · Score: 1

      I always thought of D (and also now, Rust) as replacements for C++, not for C. Totally different purposes.

      And now D has missed the "type" wave that is the big hype right now.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Fad of the day vs D language by haruchai · · Score: 1

      I wonder if Google Go aka golang is ready for prime time.
      I don't know who Robert Griesemer is but Rob Pike & Ken Thompson? If systems programmers had gods.......

      --
      Pain is merely failure leaving the body
    4. Re:Fad of the day vs D language by phantomfive · · Score: 1

      Reports are that Go works great in production. The biggest reason I see that people use Rust instead is that Go is a garbage-collection based language. Also some people are turned off by the lack of inheritance, but those people probably aren't C programmers.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Fad of the day vs D language by haruchai · · Score: 1

      Just how popular is Rust? It's not been around for very long and I'm surprised that it would quickly win out over more established ones like D, Eiffel, Scala, Erlang or Ruby

      --
      Pain is merely failure leaving the body
    6. Re:Fad of the day vs D language by HiThere · · Score: 1

      While there's a certain amount of justice in that position, I'd be more open to it if C++ was less of a cluster-fuck. It works, sort of, but UGLY!!

      That said D is putting a lot of effort into developing template level stuff which is NOT where my interest is. I understand that it helps make efficient code that you can specify at compile time, but I'm more interested in efficient code that you can adapt at run time. Objective-C would be reasonable, I think, if development hadn't stopped on anything except Apple. And Apple has a history of dropping languages and leaving them to die. I spent many years with ObjectPascal for the Apple.

      So I agree that D needs to have an Open Standards organization set up...but it should probably be controlled by Walter Bright. It already is rather open, with two forks (LDC and GDC: LLVM and gcc based implementations), but there does need to be some sort of standards process. As the Python community put it "What happens if Guido is hit by a bus?". Possibly the same approach would be effective.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:Fad of the day vs D language by HiThere · · Score: 1

      D is a truly terrible name to search for on the web. I understand the rationale behind it, but search engines needed more consideration. Asking everyone referring to it to use the phrase "the D programming language" isn't an optimal solution. Even dlang (analogous to golang) would have been better.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    8. Re:Fad of the day vs D language by phantomfive · · Score: 1

      I don't know how popular it is in terms of numbers, but in terms of hype it's the top of the heap.
      The Rust team has an organization (Mozilla) behind them helping to drive things forward. I haven't heard of many companies adopting it (except maybe on a side/experimental project by one developer) but people are talking about replacing the entire unix-land with it because it's presumably safer.

      --
      "First they came for the slanderers and i said nothing."
    9. Re:Fad of the day vs D language by Anonymous Coward · · Score: 1

      Rust is not another D. D is garbage collected, so C++ programmers would never consider it a real alternative.

      Rust is also much more modern and includes a lot of important lessons about programming languages from recent decades that D ignored.

  4. CVE-2016-4300 by Fly+Swatter · · Score: 1

    Is not publicly available yet, why is Talos posting a public blog (and howto) for a vulnerability without proper time for the fix to trickle out to major distributions ?

    Isn't that a no-no? Especially if you claim to be a 'security specialist' ?

    1. Re:CVE-2016-4300 by Anonymous Coward · · Score: 1

      There is no shortage of CVEs for libarchive. Really.

  5. Re:So, Linux, BSD, OSX, are all vulnerable... by doconnor · · Score: 1

    Windows is closed source, so you can't find out.

  6. "the libarchive maintainers have released patches" by volkerdi · · Score: 2

    Really? I've not been able to find anything other than a new release. The patches might be in git, but they are not easily found.

  7. Re:"the libarchive maintainers have released patch by NotInHere · · Score: 3, Informative

    They are in git, indeed:

    CVE-2016-4300: https://github.com/libarchive/...
    CVE-2016-4301: https://github.com/libarchive/...
    CVE-2016-4302: https://github.com/libarchive/...

    append .patch to the url in order to get an apply-able patch.

    But better update the whole library, usually there is lots of security related fixing going on when a security researcher takes a look at the code. Also, the git commit log may lie, and in fact some other commits fixed the issue, its just not marked this prominently.

    The best policy is always to not copy the whole library into your source tree, but making downloading the library part of the build process. If you have to modify the library some way, its best to upstream those changes, but if you don't want to do it for some reason, or can't do it, then you can create patch files, and apply the patches as part of the build process as well. Updating the library then gets as easy as changing an url and rebuilding + checking that all the patches applied + retesting.

  8. Re:Would a Mozilla Rust-only OS have prevented thi by Guy+Harris · · Score: 3, Funny

    It is Rust top to bottom.

    It probably wouldn't be very good on mobile machines because, as we know, Rust never sleeps.

  9. Re:Shared libraries by ledow · · Score: 1

    Because when your program crashes / errors / doesn't work because someone updated the library that it depends on, it looks like you're the idiot.

    Because when your program does that because the library isn't installed, or the dependencies were wrongly specified, or API changed (because the old one was declared unfixable without a change of API because of, say, a security issue?), or whatever reason, you get the blame. Have you seen the vitriol you can get as a developer on, say, Steam, because your program needs a certain DirectX DLL and the user has to run the "official" DirectX installer all over again like they did for hundreds of other games. Or .NET. Or even audio DLL's.

    And if you upgrade the library, it can break other programs on the same machine and if you don't upgrade, you can break the expectations of new programs or propagate security flaws.

    Sure, it's a lovely idea that we get a perfect static API and shared libraries the same on every machine and architecture, but it's a pipe dream. And when you include certain OS into the mix, shared libraries quickly become a nightmare (e.g. Windows DLL hell such as Cygwin still has, etc.). Or are we supposed to compile against a shared library on Linux and a static on Windows?

    In the end, sometimes the only way to do these things without getting 500 users on the first day of software release all complaining about install the Visual C++ DLL's yet again, or not working on a fresh system because it needs all the dependencies installing, etc. is to statically compile. Which, for 99% of programs which aren't security critical (Games? Are you going to open a "malicious" savegame?), is the only sensible way to go.

    The problem is that shared libraries have no sense of versioning or backwards compatibility and little auto-resolution of dependencies without someone, somewhere literally writing out a list. And, even then, the list of dependencies sucked in might be far too much just because you include support for, say, OGG, MP3 and whatever where most people only care about MP3 but - bam - "apt-get install" automatically brings in dozens of libraries that aren't necessary, potentially giving you more problems than you started with.

    The program is that the developer gets the blame for the distribution, installer, third-parties or even just lack of user common sense when it comes to shared libraries.

  10. Re:Shared libraries by Anonymous Coward · · Score: 2, Insightful

    Basically, your post boils down to "I don't understand something, therefore it cannot possibly exist"

    Now, I honestly can't tell if you're being serious or just trolling, but for your benefit, in short:

    1. Shared libraries have extensive versioning information embedded into them, which is why you can hold a couple of versions of the same library. The real point of versioning is to signal ABI changes, and not marketing as you may assume.

    2. If you upgrade a library, you don't crash an existing program due to ABI changes because of 1. versioning, and also because of copy on run semantics.

    3. Versioning and dependencies have been a pretty much solved problem for many years now. In fact, we're spoilt for choice with ways to manage this.

    4. You don't want to hold a single copy of a library that something you installed depends on, but you'd rather hold multiple copies of the every library for every single thing you've installed? I don't understand why you can't see that this is far worse.

    So I'll leave you to your security nightmare, and when you get hacked and your bank account emptied, remember to tell your bank that you were warned but failed to take sensible precautions!

  11. Good luck by JThundley · · Score: 2

    Good luck updating all your vulnerable software, Windows users!

    1. Re:Good luck by HiThere · · Score: 1

      Good luck updating all your vulnerable software, whatever your OS. It is quite legal for this code to be embedded within other code, so there's no guarantee that FOSS programs haven't done so...or done so for portions of the code, which would make an update problematical.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re: Good luck by buchanmilne · · Score: 1

      Except in most distributions, if upstream software is found to ship private copies of libraries, the packager/maintainer will either ensure the software is built against a system version if the software natively supports that or patch it to if it doesn't.

    3. Re: Good luck by HiThere · · Score: 1

      And if they only use a part of it? That's where the real update problem comes in if it's open source.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:Good luck by JThundley · · Score: 1

      Why would Free software projects include statically-compiled libraries and not update them?

  12. Re:Shared libraries by CrashNBrn · · Score: 1
    I get where Canonical is coming from regarding Snaps as such, but I fail to see why it's not implemented with softlinks.

    Install all libraries into "/snaps/lib/<NAME>/<version.X.Y.Z>/" and link to the directory.

    Worst-case scenario in that setup, would be at most a single duplication of a given library version - that you already have installed in your system.

    Then ALL "snaps" could run a compatibility-check when updating the snaps shared-libraries before linking to the new version, as well as easily fall back to the old-library-version if necessary.

  13. Re:So, Linux, BSD, OSX, are all vulnerable... by exomondo · · Score: 1

    Of course you can find out. You can test against this vulnerability and see if you can exploit it on Windows, if you can't then obviously it isn't vulnerable to it.

  14. Re:Would a Mozilla Rust-only OS have prevented thi by HiThere · · Score: 1

    There are classes of bugs that would not show up in Rust programs. But most languages can make the same claim (for different classes of bugs). The only exception I can think of is (non-macro) assembler.

    Probably the safest reasonable language is SparkAda, which is a subset of Ada. But it's not really convenient to use it.

    And, honestly, a complete language is going to have entire classes of bugs that cannot be detected. This is sort of a corollary to the halting problem.

    That said, Rust claims to be immune to classes of bugs that make concurrent execution difficult. I prefer message passing, though.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  15. Re:Shared libraries by HiThere · · Score: 1

    Indeed, but shared libraries have their own problems, which have the general name "central point of failure" and include things like the interface being updated in a way incompatible with your application, but also the central repository being hacked, and many other cases. I would hesitate to say that either approach is, in general, better than the other, but each approach avoids many of the problems inherent in the other.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  16. Re:Shared libraries by ledow · · Score: 1

    1) Yes. They do. And point versions are normally fine. When they are updated. But take OpenSSL as an example - numerous programs broke when they had to change the way the library worked. And if something breaks the ABI, the shared library stops and the program needs a rewrite. This does happen all the time.

    2) No, maybe not "crash" in the programmer sense. But it will refuse to load, error out, the function won't be found by dlopen or similar. To the user, that's all pretty much the same thing. Take a Windows game and upgrade the library to a non-compatible version. It just stops working, errors out, or falls over itself into an error handler that only the developer can fix.

    3) Nope. You think that. It's just not that simple. Manage a network or similar and see. Windows will bodge it by keeping old copies of DLL's around in a cache for particular programs but still be using them (insecure much?) and they can be a bitch to discover which particular version it's decided to use for a particular program. Linux et al pretty much have a "get the updated library" mentality (which is correct, but just breaks "working" programs from the user point of view). If you really want to prove this to yourself, install multiple copies of Cygwin and then see what happens to your programs that use it.

    4) I don't WANT to do any of those things. Nobody does. But the reason those kinds of things occur, the reason that hundreds of games in my library have their own copies of SDL libraries and similar or are statically compiled is not because those people want to. It's because that's how you get things to work for your users with the least amount of hassle.

    It's not MY security nightmare. It's OURS until we learn to deal with it differently. Our bodge at the moment is to keep old copies of libraries around silently and not tell anyone (happens even on Linux if the shared library is in use, even if only for a limited period of time until certain applications restart). That's not secure. The alternative is break existing user programs in ways that users cannot fix (Sorry, no, you can't do your banking / gaming / browsing until we release a new version). That's not acceptable either, but it is why many developers of non-security-critical programs choose not to do that.

    The solution is not as clear cut as you make out, especially when new versions of libraries do anything more than just add features and put in compatibility layers for older functions. The second you deprecate, you've broken userspace. The second you introduce an element to a structure, you've broken userspace. The second you write a new way of doing things without providing a 100% backwards compatible legacy function emulation, you've broken userspace.

    That might be acceptable on a closed system with on-hand developers. It's not out there in the real world, especially where people do business or are charging customers for it.

    I'm not saying there's a solution. In fact, I'm saying you're blinkered to think that either way is a real-world viable solution. The problem is that we have no alternative and have to choose between "Program may be insecure" or "Program won't work next week without warning".