Patching Critical libarchive Vulnerabilities in End-of-Life Ubuntu
Recently, multiple security vulnerabilities were fixed in libarchive, a widely used free and open-source library for reading and writing various archive file formats. These vulnerabilities could allow attackers to crash applications linked against libarchive, causing a denial of service (DoS).
libarchive Vulnerabilities Details
CVE-2022-36227 (CVSS v3 Score: 9.8 Critical)
A vulnerability in libarchive was identified due to a missing check of the return value from the calloc function. In cases of out-of-memory conditions or when a system's memory allocation limit is reached, this flaw can trigger a NULL pointer dereference. The application that relies on libarchive can crash, leading to a potential denial of service. However, it's important to note that this vulnerability can only be exploited when the system is under significant memory strain.
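The allocation pattern described above, reduced to its essentials as an added example (this is not libarchive's code): the unchecked form next to the hardened form, with an injectable allocator so the out-of-memory path can be exercised deterministically. `entry_init_unchecked`, `entry_init_checked`, `hypothetical_alloc_t`, `failing_alloc` and the `ENTRY_*` status codes are assumptions made for this illustration.

```c
#include <stdlib.h>

/* Status codes assumed for this example; they mirror libarchive's
 * ARCHIVE_OK / ARCHIVE_FATAL convention. */
#define ENTRY_OK     0
#define ENTRY_FATAL (-30)

/* Hypothetical injectable allocator with calloc's signature, so the
 * out-of-memory path can be exercised deterministically. */
typedef void *(*hypothetical_alloc_t)(size_t nmemb, size_t size);

struct entry {
    unsigned char *buf;
    size_t len;
};

/* Unchecked pattern behind CVE-2022-36227: the allocation result is used
 * without a NULL test, so under memory pressure the write below dereferences
 * NULL and crashes the host application. Shown for contrast; not exercised. */
int entry_init_unchecked(struct entry *e, size_t len, hypothetical_alloc_t alloc)
{
    e->len = len;
    e->buf = alloc(len, 1);
    e->buf[0] = 'R';             /* NULL dereference when alloc returns NULL */
    return ENTRY_OK;
}

/* Hardened pattern: check the allocation and propagate a fatal status so the
 * caller can abort the read cleanly instead of crashing. */
int entry_init_checked(struct entry *e, size_t len, hypothetical_alloc_t alloc)
{
    e->buf = NULL;
    e->len = 0;
    if (len == 0)
        return ENTRY_FATAL;      /* nothing to allocate; refuse rather than write p[0] */
    unsigned char *p = alloc(len, 1);
    if (p == NULL)
        return ENTRY_FATAL;      /* out of memory: report, do not dereference */
    p[0] = 'R';
    e->buf = p;
    e->len = len;
    return ENTRY_OK;
}

/* Constructed allocator that simulates an exhausted heap. */
void *failing_alloc(size_t nmemb, size_t size) { (void)nmemb; (void)size; return NULL; }

void entry_free(struct entry *e) { free(e->buf); e->buf = NULL; e->len = 0; }
```

Passing the real `calloc` for the allocator exercises the normal path; passing `failing_alloc` shows the hardened function returning `ENTRY_FATAL` where the unchecked one would crash.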
CVE-2024-48957 (CVSS v3 Score: 7.8 High)
This libarchive vulnerability occurs due to out-of-bounds access in the execute_filter_audio function within the libarchive/archive_read_support_format_rar.c file. When processing a maliciously crafted RAR archive, libarchive may not properly validate the data, resulting in a crash. This flaw leaves applications that rely on libarchive susceptible to denial-of-service attacks.
CVE-2024-48958 (CVSS v3 Score: 7.8 High)
Similar to CVE-2024-48957, this vulnerability also stems from out-of-bounds access, but it is triggered in the execute_filter_delta function within the same archive_read_support_format_rar.c file. Like the previous flaw, this issue arises when libarchive processes a specially crafted RAR archive, leading to potential application crashes and subsequent denial of service.
Available Updates and How to Stay Secure
Canonical has recently addressed these security vulnerabilities by releasing updates for the following Ubuntu versions: Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS. In addition, extended security updates have been made available for older, end-of-life (EOL) Ubuntu versions under Extended Security Maintenance (ESM): Ubuntu 18.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 14.04 ESM.
To safeguard your systems against these vulnerabilities, it is essential to update the libarchive package to the latest version available in your Ubuntu repositories. For users running Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, or Ubuntu 20.04 LTS, these updates can be applied directly through the standard Ubuntu repositories.
For users still relying on end-of-life Ubuntu versions like Ubuntu 18.04, Ubuntu 16.04, and Ubuntu 14.04, applying security patches requires an Ubuntu Pro subscription, which provides access to expanded security maintenance through ESM.
Affordable Alternative: TuxCare’s Endless Lifecycle Support
For those using older Ubuntu versions who want to avoid the higher costs of an Ubuntu Pro subscription, TuxCare’s Endless Lifecycle Support offers a cost-effective solution. TuxCare’s ELS service provides vendor-grade security patches for EOL Ubuntu versions (Ubuntu 16.04 and Ubuntu 18.04), enabling you to continue operating securely for as long as you need after the official EOL date. This allows organizations to migrate at their own pace while ensuring ongoing security compliance.
TuxCare also supports other end-of-life Linux distributions, including CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, Oracle Linux 6, and Oracle Linux 7.
Source: USN-7070-1