Slashdot Mirror


Severe Flaws Found In Libarchive Open Source Library (talosintel.com)

Reader itwbennett writes: Researchers from Cisco Systems' Talos group have found three memory corruption errors in the widely used open-source library libarchive that can result in arbitrary code execution and can be exploited by passing specially crafted files to applications that contain the vulnerable code. "The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS," writes Lucian Constantin. "Developers can also include the library's code in their own projects, so it's hard to know how many other applications or firmware packages contain it." (Original blog post) So, while the libarchive maintainers have released patches for the flaws, it will likely take a long time for them to trickle down through all the affected projects.

9 of 82 comments

  1. Re:Goddammit, people! We need to use Rust NOW! by NotInHere · · Score: 4, Insightful

    It's just so funny. Most Rust applications as of now only work because they use Rust wrappers to native libraries. So even if you wrote your program in Rust, if you used this crate, you'd have exactly the same problems as all those C/C++ writers: https://crates.io/crates/libar...

  2. Fuck all this by Anonymous Coward · · Score: 2, Funny

    I'm going back to DOS 2.11 on my bone stock original IBM XT.
    HACK THAT! HA!

  3. "the libarchive maintainers have released patches" by volkerdi · · Score: 2

    Really? I've not been able to find anything other than a new release. The patches might be in git, but they are not easily found.

  4. Re:Goddammit, people! We need to use Rust NOW! by Darinbob · · Score: 4, Interesting

    Generally it's "please use this new language that has minimal support and is single sourced and apply it to your critical systems now!" It's nice to have new languages, but if we all rushed to the latest one then we'd just be repeating the same mistakes of having a monoculture.

    Remember when Java was the perfect language, designed from the ground up to make sure you can't do anything unsafe with it, and it runs in a perfect sandbox that won't harm your computer?

    Now Rust is a nice language. But it'll take a whole lot more than "goddammit people!" to get projects to switch.

  5. Re:"the libarchive maintainers have released patch by NotInHere · · Score: 3, Informative

    They are in git, indeed:

    CVE-2016-4300: https://github.com/libarchive/...
    CVE-2016-4301: https://github.com/libarchive/...
    CVE-2016-4302: https://github.com/libarchive/...

    Append .patch to the URL in order to get an apply-able patch.

    But better update the whole library; usually there is lots of security-related fixing going on when a security researcher takes a look at the code. Also, the git commit log may lie, and in fact some other commits fixed the issue, it's just not marked this prominently.

    The best policy is always to not copy the whole library into your source tree, but to make downloading the library part of the build process. If you have to modify the library in some way, it's best to upstream those changes, but if you don't want to do it for some reason, or can't do it, then you can create patch files and apply the patches as part of the build process as well. Updating the library then gets as easy as changing a URL and rebuilding + checking that all the patches applied + retesting.
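The fetch-then-patch build step described in the comment above, as an added example that is neither the commenter's code nor anything from libarchive's own tree. It assumes curl, GNU tar, GNU patch and sha256sum from coreutils are on the path; the project name, URL pattern, directory layout and every version or digest in it are invented for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from libarchive: a build-step
# wrapper that fetches a pinned release of a third-party library, verifies
# its checksum, unpacks it, applies local patch files in order and refuses to
# continue if any patch no longer applies. Assumes curl, GNU tar, GNU patch
# and coreutils sha256sum. Names, URL pattern and layout are invented.
set -eu

# Where the release tarball lives; the host and path are placeholders.
dep_url() { # $1 = project name, $2 = version
    echo "https://example.com/$1/$1-$2.tar.gz"
}

# Download the tarball into the cache directory unless it is already there.
# Prints the local path so the other steps can be chained.
dep_fetch() { # $1 = name, $2 = version, $3 = cache dir
    tarball="$3/$1-$2.tar.gz"
    if [ ! -f "$tarball" ]; then
        curl -fsSL -o "$tarball" "$(dep_url "$1" "$2")"
    fi
    echo "$tarball"
}

# Compare the tarball's SHA-256 against the digest pinned in the tree, so a
# swapped or truncated download is caught before anything is compiled.
dep_verify() { # $1 = tarball, $2 = expected hex digest
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Unpack into a fresh work directory and apply every *.patch in sorted order.
# Each patch is dry-run first: a patch that stopped applying after a library
# update fails the build instead of leaving a half-patched tree behind.
dep_prepare() { # $1 = tarball, $2 = patches dir, $3 = work dir
    rm -rf "$3"
    mkdir -p "$3"
    tar -xzf "$1" -C "$3" --strip-components=1
    for p in "$2"/*.patch; do
        [ -e "$p" ] || continue          # empty glob: nothing to apply
        ( cd "$3" && patch -p1 -s --dry-run < "$p" ) \
            || { echo "patch $(basename "$p") no longer applies" >&2; return 1; }
        ( cd "$3" && patch -p1 -s < "$p" )
    done
}

# Build step, kept separate so the patched tree can be inspected first.
dep_build() { # $1 = work dir
    ( cd "$1" && ./configure -q && make -s )
}

# The whole update path: bumping the version and digest in the caller is all
# an upgrade needs; a patch that stops applying makes this function fail.
dep_sync() { # $1 = name, $2 = version, $3 = sha256, $4 = patches dir,
             # $5 = cache dir, $6 = work dir
    tb=$(dep_fetch "$1" "$2" "$5")
    dep_verify "$tb" "$3" || { echo "checksum mismatch for $tb" >&2; return 1; }
    dep_prepare "$tb" "$4" "$6"
}

# Usage (hypothetical values):
#   dep_sync libarchive 3.2.1 <pinned sha256> deps/patches/libarchive \
#            deps/cache build/libarchive && dep_build build/libarchive
```

The pinned digest is what makes "download as part of the build" safe rather than an extra supply-chain exposure: the build only ever compiles bytes that match a value checked into your own tree. An upgrade is then a two-line change (version and digest), and the dry-run pass reports exactly which local patch needs rebasing before anything is built.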

  6. Re:Would a Mozilla Rust-only OS have prevented thi by Guy+Harris · · Score: 3, Funny

    It is Rust top to bottom.

    It probably wouldn't be very good on mobile machines because, as we know, Rust never sleeps.

  7. Re:Goddammit, people! We need to use Rust NOW! by Darinbob · · Score: 2

    That's why its linker should be called Duck Tape.

  8. Re:Shared libraries by Anonymous Coward · · Score: 2, Insightful

    Basically, your post boils down to "I don't understand something, therefore it cannot possibly exist."

    Now, I honestly can't tell if you're being serious or just trolling, but for your benefit, in short:

    1. Shared libraries have extensive versioning information embedded into them, which is why you can hold a couple of versions of the same library. The real point of versioning is to signal ABI changes, and not marketing as you may assume.

    2. If you upgrade a library, you don't crash an existing program due to ABI changes because of 1. versioning, and also because of copy on run semantics.

    3. Versioning and dependencies have been a pretty much solved problem for many years now. In fact, we're spoilt for choice with ways to manage this.

    4. You don't want to hold a single copy of a library that something you installed depends on, but you'd rather hold multiple copies of every library for every single thing you've installed? I don't understand why you can't see that this is far worse.

    So I'll leave you to your security nightmare, and when you get hacked and your bank account emptied, remember to tell your bank that you were warned but failed to take sensible precautions!

  9. Good luck by JThundley · · Score: 2

    Good luck updating all your vulnerable software, Windows users!