
Patching Critical libarchive Vulnerabilities in End-of-Life Ubuntu

by Rohan Timalsina

October 28, 2024 - TuxCare expert team

Recently, multiple security vulnerabilities were fixed in libarchive, a widely used free and open-source library for reading and writing various archive file formats. These vulnerabilities could potentially allow attackers to exploit systems and cause denial of service (DoS) by crashing applications linked with libarchive.


libarchive Vulnerabilities Details


CVE-2022-36227 (CVSS v3 Score: 9.8 Critical)

A vulnerability in libarchive was identified due to a missing check of the return value from the calloc function. In cases of out-of-memory conditions or when a system’s memory allocation limit is reached, this flaw can trigger a NULL pointer dereference. The application that relies on libarchive can crash, leading to a potential denial of service. However, it’s important to note that this vulnerability can only be exploited when the system is under significant memory strain.
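To illustrate the root cause of CVE-2022-36227, here is an added C example (not code from libarchive or from this article) showing the unchecked-allocation pattern beside a hardened version that reports the failure instead of crashing. `checked_calloc`, `simulate_oom` and `struct entry_table` are constructed for this example; the two return-code values mirror libarchive's public ARCHIVE_OK and ARCHIVE_FATAL.

```c
#include <stdlib.h>

/* Return codes with the same values as libarchive's ARCHIVE_OK / ARCHIVE_FATAL. */
#define EX_OK     0
#define EX_FATAL  (-30)

/* Constructed hook: lets a test simulate the out-of-memory condition that
 * triggers CVE-2022-36227 without actually exhausting memory. */
static int simulate_oom = 0;

static void *checked_calloc(size_t n, size_t size)
{
    if (simulate_oom)
        return NULL;            /* what calloc() returns under memory pressure */
    return calloc(n, size);
}

struct entry_table { size_t count; int *slots; };

/* Vulnerable pattern: the calloc() result is used without a NULL check.
 * Under memory pressure t->slots is NULL and the write below dereferences it. */
int init_table_unchecked(struct entry_table *t, size_t count)
{
    t->slots = checked_calloc(count, sizeof(int));
    t->count = count;
    t->slots[0] = 1;            /* NULL pointer dereference: the process crashes */
    return EX_OK;
}

/* Hardened pattern: report the failure so the caller can abort the archive
 * read cleanly instead of crashing the application. */
int init_table_checked(struct entry_table *t, size_t count)
{
    int *slots = checked_calloc(count, sizeof(int));
    if (slots == NULL) {
        t->slots = NULL;
        t->count = 0;
        return EX_FATAL;
    }
    t->slots = slots;
    t->count = count;
    t->slots[0] = 1;
    return EX_OK;
}

void free_table(struct entry_table *t)
{
    free(t->slots);
    t->slots = NULL; t->count = 0;
}
```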


CVE-2024-48957 (CVSS v3 Score: 7.8 High)

This libarchive vulnerability occurs due to out-of-bounds access in the execute_filter_audio function within the libarchive/archive_read_support_format_rar.c file. When processing a maliciously crafted RAR archive, libarchive may not properly validate the data, resulting in a crash. This flaw leaves applications that rely on libarchive susceptible to denial-of-service attacks.


CVE-2024-48958 (CVSS v3 Score: 7.8 High)

Similar to CVE-2024-48957, this vulnerability also stems from out-of-bounds access, but it is triggered in the execute_filter_delta function within the same archive_read_support_format_rar.c file. Like the previous flaw, this issue arises when libarchive processes a specially crafted RAR archive, leading to potential application crashes and subsequent denial of service.


Available Updates and How to Stay Secure


Canonical has recently addressed these security vulnerabilities by releasing updates for the following Ubuntu versions: Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS. In addition, extended security updates have been made available for older, end-of-life (EOL) Ubuntu versions under Extended Security Maintenance (ESM): Ubuntu 18.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 14.04 ESM.

To safeguard your systems against these vulnerabilities, it is essential to update the libarchive package to the latest version available in your Ubuntu repositories. For users running Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, or Ubuntu 20.04 LTS, these updates can be applied directly through the standard Ubuntu repositories.

For users still relying on end-of-life Ubuntu versions like Ubuntu 18.04, Ubuntu 16.04, and Ubuntu 14.04, applying security patches requires an Ubuntu Pro subscription, which provides access to expanded security maintenance through ESM.


Affordable Alternative: TuxCare’s Endless Lifecycle Support


For those using older Ubuntu versions who want to avoid the higher costs of an Ubuntu Pro subscription, TuxCare’s Endless Lifecycle Support (ELS) offers a cost-effective solution. TuxCare’s ELS service provides vendor-grade security patches for EOL Ubuntu versions (Ubuntu 16.04 and Ubuntu 18.04), enabling you to continue operating securely for as long as you need after the official EOL date. This allows organizations to migrate at their own pace while ensuring ongoing security compliance.

TuxCare also supports other end-of-life Linux distributions, including CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, Oracle Linux 6, and Oracle Linux 7.


Source: USN-7070-1
