Number: AV16-104
Date: 21 June 2016
Purpose
The purpose of this advisory is to bring attention to a libarchive security update.
Assessment
A security update was released for libarchive which addresses multiple vulnerabilities. Exploitation of these vulnerabilities may allow for arbitrary remote code execution. The libarchive library is included with and leveraged by several hardware and software products.
Affected Versions: libarchive versions prior to 3.2.1
CVE References: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302
Suggested action
CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization's critical services, and follow their patch management process accordingly.
References
Cisco Talos (vulnerability report):
http://blog.talosintel.com/2016/06/the-poisoned-archives.html
libarchive:
http://libarchive.org/