A compression library included by default in Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD, and NetBSD contains a vulnerability that can allow hackers to execute code on users' machines. The macOS and Windows operating systems, where this library is also included and used as a default decompression utility, are not affected.

The vulnerability impacts Libarchive, a library for reading and creating compressed files. It is a powerful all-in-one toolkit for working with archive files that also bundles other Linux/BSD utilities such as tar, cpio, and cat, which makes it suitable for a wide variety of operations and is the reason it is so widely adopted across operating systems.

The bug, tracked under the CVE-2019-18408 identifier, allows an attacker to execute code on a user's system via a malformed archive file. Exploitation scenarios include users who receive malicious files from attackers, and local apps that use Libarchive's various components for file decompression.
Submitted by: Arnfried Walbrecht