{{announcement.body}}
{{announcement.title}}

Vulnerability in Libarchive Threatens Many Linux Distributions

DZone 's Guide to

Vulnerability in Libarchive Threatens Many Linux Distributions

See why this bug could be a big problem for Linux users.

· Security Zone ·
Free Resource

8 Reasons to Learn and Switch to Linux

This summer, Google experts using the ClusterFuzz and OSS-Fuzz tools, discovered a dangerous bug in the Libarchive library, which is responsible for working with archives and compressed files. Libarchive is included by default with Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD, and NetBSD, and the vulnerability allows an attacker to execute arbitrary code on a vulnerable machine. It is reported that Windows and macOS, which also include the library, are not vulnerable.

The bug received the identifier CVE-2019-18408 and allows the attacker to execute arbitrary code in the system using a specially created archive file. The problem can be exploited through a malicious file obtained from cybercriminals through local applications that use various Libarchive components in their work.

Information about the problem was released only recently, after the release of patches for Linux and FreeBSD. The vulnerability is already fixed in Libarchive version 3.4.0. Most Linux distributions have already fixed the problem. GitHub has published a list of vulnerable operating systems and applications, which include desktop and server operating systems, package managers, security utilities, file browsers, and so on, including well-known names like pkgutils, Pacman, CMake, Nautilus, and Samba.


Further Reading

Topics:
linux ,bug ,fuzzing ,cybersecurity ,ubuntu ,debian ,vulnerability

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}