Libarchive flaws (CVE-2026-4424, CVE-2026-5121) can break backups & logs. Learn to check, fix, or block the risk on Ubuntu, Rocky, SUSE – with automation scripts & no-update workarounds.
Yes, this matters even if the patch is six months old.
Libarchive – the library behind bsdtar and the archive handling in many package managers, desktop file tools and backup jobs – occasionally gets vulnerabilities that allow remote code execution or crash whatever tool is unpacking your logs and backups. Two recent examples (tracked as CVE-2026-4424 and CVE-2026-5121) forced updates for Oracle Linux 9.
But the real lesson is universal: archive parsers are attack surfaces. Here’s how to check, fix, and block libarchive issues on any major distro – today and next year.
1. How to Check If You Are Vulnerable (Actual Commands)
Run this on any server that handles untrusted .tar, .iso, .zip, or .cpio.
# Find the libarchive shared object the dynamic loader sees
ldconfig -p | grep libarchive

# On Ubuntu / Debian (package is libarchive13 on older releases, libarchive13t64 on newer ones)
dpkg -l | grep libarchive
# Vulnerable if older than the fixed version named in the Ubuntu/Debian advisory for these CVEs
# (the 3.5.3-9.el9_7 figure below is an EL9 package version and says nothing about Debian packages)

# On Rocky / AlmaLinux / RHEL 9 / Oracle Linux 9
rpm -q libarchive
# Fixed version: 3.5.3-9.el9_7 or higher

# On SUSE Linux Enterprise / openSUSE Leap
zypper info libarchive | grep Version
# Compare against the version in your distro's security advisory
Quick sanity check (safe to run):
Create a file that is not an archive with echo "broken" > test.tar and run bsdtar -tf test.tar. The expected result, on patched and unpatched builds alike, is an error such as "Unrecognized archive format" and a non-zero exit. This only confirms that bsdtar rejects junk input cleanly; it is not a test for the CVEs, for which the package version is the only reliable indicator. If bsdtar crashes or hangs on any input, stop handling untrusted archives until you have updated.
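The version comparison and the post-update check a practitioner actually wants, as an added example that is not code from the original post: it reads the installed libarchive version through the package manager, compares it with a fixed version using GNU sort -V, and scans /proc/*/maps for processes that still map a replaced copy of the library, which stays true until those services are restarted. FIXED_DEB is an assumed placeholder to be filled from the Ubuntu/Debian advisory for CVE-2026-4424 and CVE-2026-5121; FIXED_RPM is the EL9 figure quoted above.

```shell
#!/bin/bash
# Added example (not from the original post): is the installed libarchive at or
# above the fixed version, and is any running process still using the old copy?
FIXED_DEB=""                 # ASSUMED placeholder: fill in from the Ubuntu/Debian advisory
FIXED_RPM="3.5.3-9.el9_7"    # EL9 fixed version quoted in the post

# version_ge A B -> exit 0 when A >= B. Uses GNU sort -V (version sort); for epochs
# and tilde pre-releases defer to `dpkg --compare-versions` / `rpmdev-vercmp`.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# installed_version -> prints the installed libarchive version, empty if not found.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # libarchive13 on older releases, libarchive13t64 on newer ones
        dpkg-query -W -f='${db:Status-Status} ${Version}\n' 'libarchive13*' 2>/dev/null \
            | awk '$1 == "installed" { print $2; exit }'
    elif command -v rpm >/dev/null 2>&1 && rpm -q libarchive >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' libarchive | head -n1
    fi
}

# fixed_version -> the fixed version that applies to this packaging system
fixed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then echo "$FIXED_DEB"; else echo "$FIXED_RPM"; fi
}

# stale_in_maps FILE -> exit 0 if this /proc/PID/maps content shows a libarchive
# shared object that the package update unlinked but that is still mapped.
stale_in_maps() {
    grep -q 'libarchive\.so[^ ]* (deleted)$' "$1"
}

# stale_libarchive_pids -> PIDs that need a restart to pick up the new library
stale_libarchive_pids() {
    local maps pid
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale_in_maps "$maps" 2>/dev/null && echo "$pid"
    done
    return 0
}

# report -> prints FIXED / VULNERABLE / UNKNOWN plus any stale PIDs; never fails
report() {
    local have fixed pid
    have=$(installed_version); fixed=$(fixed_version)
    if [ -z "$have" ]; then
        echo "UNKNOWN: no libarchive package found (static builds and vendored copies are not covered)"
    elif [ -z "$fixed" ]; then
        echo "UNKNOWN: libarchive $have installed; set the fixed version from your advisory"
    elif version_ge "$have" "$fixed"; then
        echo "FIXED: libarchive $have >= $fixed"
    else
        echo "VULNERABLE: libarchive $have < $fixed"
    fi
    for pid in $(stale_libarchive_pids); do
        echo "restart needed: PID $pid still maps the old libarchive ($(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null))"
    done
}

report
```

Run it as root so that every process's maps file is readable; the stale-mapping scan is the part most people skip, and it is why a "fixed" version string can still leave a long-running upload service exploitable.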
2. Automation Script to Apply the Fix (Bash – Major Distros)
Save as fix-libarchive.sh and run as root.
#!/bin/bash
# Evergreen libarchive patcher – works on Ubuntu/Debian, Rocky/Alma/RHEL/Oracle, SUSE
set -euo pipefail

. /etc/os-release   # provides $ID for the running distro

case "$ID" in
  ubuntu|debian)
    apt-get update
    # The library package is libarchive13 or libarchive13t64 depending on release and
    # bsdtar ships in libarchive-tools, so upgrade whatever libarchive packages are installed
    apt-get install -y --only-upgrade $(dpkg-query -W -f='${binary:Package}\n' 'libarchive*')
    ;;
  rocky|almalinux|rhel|centos|ol)
    dnf update -y libarchive bsdtar
    ;;
  sles|opensuse-leap|opensuse-tumbleweed)
    zypper refresh
    zypper update -y libarchive bsdtar
    ;;
  *)
    echo "Unsupported distro: $ID. Update libarchive manually." >&2
    exit 1
    ;;
esac

echo "libarchive updated. Verify with: bsdtar --version"
# Running services keep the old library mapped until they are restarted; find them with:
#   grep -l 'libarchive.*(deleted)' /proc/[0-9]*/maps 2>/dev/null
Make it executable and run:
chmod +x fix-libarchive.sh
sudo ./fix-libarchive.sh
3. Alternative Mitigation (If You Can’t Update Now)
These reduce exposure at the network and application level without touching libarchive. None of them fixes the parser; they buy time until the update goes through and limit what an exploit can reach in the meantime.
A. iptables – Rate-limit the upload port
If your app (e.g., a file upload service) uses libarchive, throttle or cut off what reaches its upload port until the library is updated. Rate limiting only slows down how fast an attacker can throw archives at the service; it does not stop a single malicious upload, so to actually close the surface, drop the port for everything outside your trusted source range, or stop the service.
# Throttle new connections to upload port 8080: a source that opens 4 or more
# connections within 60 s is dropped until it backs off.
# Match new connections only: without --ctstate NEW every packet of an upload counts
# as a hit and the rule kills every transfer after four packets.
iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m recent --name upload --set
iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m recent --name upload --update --seconds 60 --hitcount 4 -j DROP
# To close the surface instead of throttling it, drop everything from outside
# your trusted range (replace 203.0.113.0/24 with your own):
#   iptables -A INPUT -p tcp --dport 8080 ! -s 203.0.113.0/24 -j DROP
B. AppArmor – Confine bsdtar
Only on distributions that ship AppArmor (Ubuntu, Debian, SUSE; the RHEL family uses SELinux instead), and note what it covers: the /usr/bin/bsdtar binary when it is executed, not a service that links libarchive in-process, which needs a profile of its own. The paths below assume archives are read and extracted under /tmp; adjust them to where your jobs actually work.
# Create /etc/apparmor.d/usr.bin.bsdtar with:
#include <tunables/global>

profile usr.bin.bsdtar /usr/bin/bsdtar {
  #include <abstractions/base>   # shared-library mapping, /dev/null, locale data and similar

  deny network,                  # an exploited parser gets no reverse shell or exfiltration channel

  /tmp/** rw,                    # the only place archives are read from and extracted to
  owner @{HOME}/** r,            # reading the caller's own files is still allowed; writing is not

  # Keep credentials out of reach even if the process is hijacked.
  # /etc/passwd stays readable: bsdtar -v maps uids to names through it.
  deny /etc/shadow r,
  deny /etc/gshadow r,
  deny @{HOME}/.ssh/** rwx,
}

# Then load it (applies to new bsdtar processes, no reboot needed):
apparmor_parser -r /etc/apparmor.d/usr.bin.bsdtar
aa-status | grep bsdtar
C. Proxy Filter – Block Problematic Extensions (nginx example)
# nginx never parses a multipart body, so the uploaded file's name is invisible to it and
# $request_filename (root + URI, the path nginx would serve) does not match on /upload.
# Filter on what nginx can see: the URI, for PUT-style uploads that name the file in the path.
# A renamed file passes this check, so the backend still has to inspect the bytes;
# treat it as a stopgap until libarchive is updated.
location /upload {
    if ($uri ~* "\.(tar|iso|cpio|zip)$") {
        return 403;
    }
    proxy_pass http://backend;
}
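The extension filter above can only see the request; the archive's real type is in its bytes. The following is an added example, not code from the original post, showing the check a backend should run before anything built on libarchive touches an upload: identify the format from magic bytes (so a renamed .tar or .iso does not slip through), refuse kinds you have decided not to process while unpatched, and then list the archive with bsdtar under a wall-clock and address-space cap from an empty scratch directory, so a crash or endless loop in the parser is contained. The allow-list, the limits and the /usr/bin/bsdtar path are assumptions, illustrative policy rather than values from the post.

```shell
#!/bin/bash
# Added example, not from the original post. Content-based gating for uploads
# before libarchive sees them, plus a contained bsdtar listing.
# ASSUMPTIONS: bsdtar lives at /usr/bin/bsdtar; ALLOWED_KINDS and the limits in
# safe_list are illustrative policy, not values from the post.

# archive_kind FILE -> prints tar|gzip|bzip2|xz|zip|7z|cpio|iso|unknown from magic bytes,
# so renaming evil.iso to photo.png changes nothing.
archive_kind() {
    local f=$1 head8 magic
    head8=$(od -An -tx1 -N8 "$f" | tr -d ' \n')        # first 8 bytes as a hex string
    case $head8 in
        1f8b*)                echo gzip;  return ;;
        425a68*)              echo bzip2; return ;;
        fd377a585a00*)        echo xz;    return ;;
        504b0304*|504b0506*)  echo zip;   return ;;   # local file header or empty archive
        377abcaf271c*)        echo 7z;    return ;;
        3037303730*)          echo cpio;  return ;;   # ASCII "070707" / "070701" / "070702"
        c771*|71c7*)          echo cpio;  return ;;   # binary cpio, either byte order
    esac
    magic=$(tail -c +258 "$f" 2>/dev/null | head -c 5)     # "ustar" at offset 257 (POSIX/GNU tar)
    [ "$magic" = ustar ] && { echo tar; return; }
    magic=$(tail -c +32770 "$f" 2>/dev/null | head -c 5)   # "CD001" at offset 32769 (ISO 9660)
    [ "$magic" = CD001 ] && { echo iso; return; }
    echo unknown
}

ALLOWED_KINDS="tar gzip xz zip"   # ASSUMED policy: iso/cpio/7z are refused until the library is patched

# allowed_archive FILE -> exit 0 if the detected kind is on the allow-list
allowed_archive() {
    local kind
    kind=$(archive_kind "$1")
    case " $ALLOWED_KINDS " in
        *" $kind "*) return 0 ;;
    esac
    echo "refused: $1 looks like '$kind'" >&2
    return 1
}

# safe_list FILE -> bsdtar -tf under a 30 s wall clock and a 512 MiB address-space cap,
# from an empty scratch directory with file creation disabled (ulimit -f 0).
# Exit 137 means the parser was killed on timeout and the file should be treated as hostile.
safe_list() {
    local f work rc=0
    f=$(readlink -f "$1") || return 1
    allowed_archive "$f" || return 1
    work=$(mktemp -d) || return 1
    if (cd "$work" && ulimit -v 524288 && ulimit -f 0 && exec timeout -s KILL 30 /usr/bin/bsdtar -tf "$f"); then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$work"
    [ "$rc" -eq 137 ] && echo "bsdtar killed after 30 s on $f: treat as hostile" >&2
    return "$rc"
}

# usage: ./gate.sh /path/to/upload
if [ $# -gt 0 ]; then safe_list "$1"; fi
```

The listing step runs in a subshell so the ulimit calls affect only bsdtar, and the temporary directory is the process's cwd so a path-traversal bug in extraction later has nothing sensitive next to it; wire the same pattern around the actual extract call once listing succeeds.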
Suggested reading:
Mastering Linux Security and Hardening - Third Edition by: Donald A. Tevault - Amazon.
Why this book fits:
This article covers three areas: checking vulnerability status, automating fixes, and implementing mitigations (AppArmor, iptables). The book expands each of those into a full defensive strategy.
Debian Linux Security Hardening and Best Practices by: Cael Reed - Amazon.
Why this eBook fits:
The Debian Linux Security Hardening and Best Practices eBook by Cael Reed picks up where the workflow above leaves off.
Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.
