Home News Libarchive Vulnerability Allows Code Execution on Linux and BSD Distros

Libarchive Vulnerability Allows Code Execution on Linux and BSD Distros


Libarchive is a default compression library that is optimized for reading and writing compressed archive files in a single go. It means that Libarchive can process large archive files that cannot be stored on a disk and instead process them on-the-go as they read from or write to a network or a tape drive.

Google recently disclosed a Libarchive vulnerability which was discovered by its security researchers (having identifier CVE-2019-18408) using ClusterFuzz and OSSFuzz automated testing tools. It allowed hackers to execute arbitrary code if it received a specially crafted archive file. This library is included by default in Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD (Berkeley Software Distribution), and NetBSD distros. The announcement of this vulnerability was made public as several Linux and FreeBSD distros released updated patches to fix the Libarchive vulnerability.

Debian Security Advisory authored by Moritz Muehlenhoff said, “A use-after-free was found in libarchive, a multi-format archive and compression library, which could result in denial of service (DDOS attack) and potentially, the execution of arbitrary code if a malformed archive is processed.” IBM in its security bulletin also mentioned that multiple Libarchive vulnerabilities have affected its Watson Explorer, a cognitive and content analysis platform.

Libarchive is also included as a default library in Microsoft Windows 10 (insider build 17063) since 2017.  Similarly, MacOS has integrated the usage of Libarchives since 2009, with bsdtar and bsdcpio being the default system tar and cpio command-line utilities. The bsdtar and bsdcpio command-line utilities are feature and performance enhanced as compared to other tar and cpio implementations and hence very popular across various operating environments. Its features include:

  • Reads a variety of formats, including tar, pax, cpio, zip, xar, lha, ar, cab, mtree, rar, and ISO images.
  • Writes tar, pax, cpio, zip, xar, ar, ISO, mtree, and shar archives.
  • Automatically handles archives compressed with gzip, bzip2, lzip, xz, lzma, or compress.
  • Unique format conversion feature.

Although this could have affected a wider audience, the Libarchive vulnerability being ineffective on Apple and Microsoft operating systems helped in its timely containment and rapid fix.