A compression library included by default in Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD, and NetBSD distros, contains a vulnerability that can allow hackers to execute code on user machines.
The macOS and Windows operating systems, where this library is also included and used as a default decompression utility, are not affected.
CVE-2019-18408 in Libarchive
The vulnerability impacts Libarchive, a library for reading and creating compressed files. It is a powerful all-in-one toolkit for working with archive files that also bundles other Linux/BSD utilities like tar, cpio, and cat, making it ideal for a wide variety of operations, and the reason it’s so widely adopted across operating systems.
Last week, details about a major bug impacting the library have been made public after several Linux and FreeBSD distros rolled out updates containing patches for the Libarchive version they had been shipping out to users.
The bug, tracked under the CVE-2019-18408 identifier, allows an attacker to execute code on a user’s system via a malformed archive file.
Exploitation scenarios include users who receive malicious files from attackers or local apps that use Libarchive’s various components for file decompression.
The bug was discovered and patched back in June, but it took some time for the patch to make its way upstream to all operating systems. The vulnerability was identified by Google security researchers using two automated code testing tools called ClusterFuzz and OSS-Fuzz, and patched in Libarchive 3.4.0.
Could have been much worse
The list of vulnerable operating systems and software utilities that ship Libarchive is exhaustive, opening a huge attack surface for malicious threat actors.
It includes desktops and server operating systems, package managers, security utilities, file browsers, and multimedia processing tools. The bigger names include pkgutils, Pacman, CMake, Nautilus, KDE’s ark, and Samba.
While the impacted operating systems have rolled out updates to address the reported bug, the patch status of Libarchive in the other apps is currently unknown.
Thankfully, Windows and macOS, today’s two most popular operating systems are not impacted; otherwise, the bug would have caused major headaches to users all over the world, just like a 19-year-old WinRAR bug did earlier this spring.
At the time of writing, ZDNet is unaware of any public proof-of-concept exploit code for this vulnerability or any in-the-wild exploitation attempts.