Linux users warned to update libarchive to beat flaw – Naked Security

Every now and again, a security vulnerability is discovered in a program with little fanfare, despite the fact that it’s buried in plain sight inside software lots of people depend on.

A good example is libarchive, which has a flaw discovered by Google researchers in May using the ClusterFuzz and OSS-Fuzz automated ‘fuzzing’ tools and fixed by libarchive’s maintainers on 12 June in version 3.4.0.

Libarchive, for those not familiar with it, is a compression and archiving library originally developed for FreeBSD. It has achieved widespread popularity because it functions as a do-everything compressed archive handler, supporting file and compression formats including ZIP, gzip, tar, uuencode, 7z, Microsoft CAB, ISO9660 (CD images) and many more.

It’s also used by Debian, Ubuntu, Gentoo, Arch Linux, and Chrome OS on Chromebooks, as well as tools such as the Samba Linux-Windows interoperability suite, all of which are now receiving the June patch.

It’s even part of Apple’s macOS and Microsoft’s Windows 10, although neither is thought to be affected by the vulnerability.