Severe flaws in widely used archive library put many projects at risk
In a world where any new software project is built in large part on existing third-party code, finding and patching vulnerabilities in popular open-source libraries is vital to creating reliable and secure applications.
For example, three severe flaws in libarchive, recently found by researchers from Cisco Systems’ Talos group, could affect a large number of software products.
Libarchive is an open-source library first created for FreeBSD and since ported to all major operating systems. It provides streaming read and write access to archives in a variety of formats, including tar, pax, cpio, ISO 9660, zip, lha/lzh, rar, cab and 7-Zip; compression (gzip, bzip2, xz and others) is handled by a separate layer of filters that can be stacked in front of any of those formats. The library identifies the format automatically by letting every enabled reader inspect the input, so each format parser that an application turns on is reachable by whoever supplies the archive.
The library is used by file and package managers included in many Linux and BSD systems, as well as by components and tools in OS X and Chrome OS. Developers can also statically link or vendor the library's source into their own projects, so there is no reliable way to count how many other applications or firmware images contain a copy, and such embedded copies are not updated when the system's shared library is patched.