Researchers from Cisco Systems’ Talos group have found three severe security flaws—an integer overflow, a buffer overflow and a heap overflow—in an open source library called libarchive. Many popular open source projects rely on the library, which provides real-time access to compressed files. It’s used by many Linux and BSD file managers, as well as by OS X and Chrome OS components. No one knows how many other pieces of software may rely on libarchive, making them vulnerable to attacks.
“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on and bundle libarchive are affected,” the Talos researchers blogged. “These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems. Users are encouraged to patch all relevant programs as quickly as possible.”
