Libarchive Vulnerabilities

The Cisco Talos blog reported newly discovered vulnerabilities in the widely used libarchive open-source programming library. Cisco Talos reports that it has worked with the maintainers of the archive to patch what it calls three rather severe bugs in the library. Cisco Talos encourages users to patch/upgrade related, vulnerable software. Christopher Fearon, research director at Black Duck Software, which helps organisations to identify, secure and manage open source software in the enterprise commented below.

Christopher Fearon, Research Director at Black Duck Software:

“This is another example of a widely used component that is also consumed by other open source packages,” said Christopher Fearon, research director at Black Duck Software, which helps organisations to secure and manage open source software. “Not only is libarchive bundled with specific tools and products offering archiving functionality, but it’s also included in various package managers and numerous Linux distributions – in essence, libarchive is everywhere.”

According to the Black Duck Open Hub (an online community and public directory of open source software), libarchive has had 4,718 commits made by 103 contributors since the first community commit in 2008. Over 25 per cent of the lifetime committers have contributed to the project in just the past 12 months.

“In this case, it’s not enough to know that you’re using a specific Linux distribution, you need to also have visibility into that package’s subcomponents. Ensuring a robust vulnerability management solution in conjunction with an open source management platform is key to identifying and understanding the business impact and risks associated with libarchive usage. While we may always be a step behind malicious actors, the adoption of automated vulnerability detection tools and open source software management solutions will assist in long term risk mitigation.”