PatchSiren cyber security CVE debrief

CVE-2017-5601 Libarchive CVE debrief

CVE-2017-5601 is a high-severity memory-safety issue in libarchive 3.2.2. According to the NVD record, a specially crafted archive triggers an out-of-bounds read in lha_read_file_header_1(), the level-1 header parser of the LHA format reader, which can crash the process. Because archive handling is routinely exposed to untrusted input, treat this as a denial-of-service risk in any product that embeds or depends on the affected libarchive version.

Vendor
libarchive
Product
libarchive (affected version 3.2.2 per the NVD CPE)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Security and platform teams running libarchive 3.2.2 directly, or shipping products that parse archives through libarchive. This is especially relevant for systems that accept user-uploaded, email-delivered, downloaded, or otherwise untrusted archive files.

Technical summary

NVD classifies the vulnerability as CWE-125 (out-of-bounds read) and assigns CVSS v3.0 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable through untrusted input, no privileges or user interaction required, and an availability-only impact. The only CPE in the supplied record is libarchive 3.2.2; the record does not enumerate earlier releases, so use the referenced fix commit rather than that single version string as the boundary when deciding whether a build is affected. The issue resides in lha_read_file_header_1() within archive_read_support_format_lha.c, where malformed header data causes an out-of-bounds read and a subsequent crash. NVD lists an upstream libarchive commit as the patch reference (see Evidence notes).
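The general defect class behind an out-of-bounds read in a header parser is a length field that is trusted to describe bytes the caller never supplied. The following is an added example, not libarchive's code and not a reconstruction of the specific CVE-2017-5601 defect: a bounds-checked parser for an LHA level-1 style header, with a constructed header builder and four constructed inputs (a well-formed header, a truncated one, one with a forged 65535-byte extended-header size, and one whose compressed size is smaller than its own extended headers). The layout follows the public LHA level-1 format; the function names, the sample headers, and the negative-size check at the end are assumptions made for this example and say nothing about what the upstream patch changed.

```c
/* Added example, not libarchive code: a bounds-checked parser for an LHA
 * level-1 style header.  Layout follows the public LHA level-1 format;
 * function names and sample headers are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { HDR_OK = 0, HDR_TRUNCATED = -1, HDR_INVALID = -2 };

struct lha1_header {
    char    name[256];  /* NUL-terminated filename */
    int64_t compsize;   /* compressed data size with ext headers subtracted */
    size_t  total_len;  /* bytes consumed: base header plus ext headers */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse buf[0..len).  Every read is checked against len first; no length
 * field is trusted to describe bytes that were not actually supplied. */
int parse_lha1_header(const uint8_t *buf, size_t len, struct lha1_header *out)
{
    size_t pos, namelen;
    uint32_t ext_total = 0;

    if (len < 22) return HDR_TRUNCATED;        /* fixed fields through filename length */
    if (buf[20] != 1) return HDR_INVALID;      /* only level 1 is modeled here */
    namelen = buf[21];
    out->compsize = le32(buf + 7);
    pos = 22;                                  /* filename, CRC16, OS id, first ext size */
    if (len - pos < namelen + 5) return HDR_TRUNCATED;
    memcpy(out->name, buf + pos, namelen);
    out->name[namelen] = '\0';
    pos += namelen + 3;

    /* Extended-header chain: each 2-byte field is the size of the NEXT header
     * (type byte, payload, its own trailing size field); zero ends the chain. */
    for (;;) {
        uint16_t extsize;
        if (len - pos < 2) return HDR_TRUNCATED;
        extsize = le16(buf + pos);
        pos += 2;
        if (extsize == 0) break;
        if (extsize < 3) return HDR_INVALID;   /* too small for type + next size field */
        if (len - pos < (size_t)extsize - 2)
            return HDR_TRUNCATED;              /* the OOB-read case: reject, don't read */
        pos += extsize - 2;
        ext_total += extsize;
    }

    /* Level-1 quirk: ext headers are counted inside the compressed size.
     * Subtract them and refuse a negative result.  (Assumption: illustrative
     * check, not a statement about what the upstream patch changed.) */
    out->compsize -= ext_total;
    if (out->compsize < 0) return HDR_INVALID;
    out->total_len = pos;
    return HDR_OK;
}

/* Build a constructed level-1 header (checksum and CRC left zero).  ext_sizes
 * gives each extended header's size field; payloads are zero-filled.
 * Returns bytes written, or 0 if it does not fit. */
size_t build_lha1_header(uint8_t *dst, size_t cap, const char *name,
                         uint32_t compsize, const uint16_t *ext_sizes, size_t n_ext)
{
    size_t namelen = strlen(name), need = 22 + namelen + 5, pos, i;
    for (i = 0; i < n_ext; i++) need += ext_sizes[i];
    if (namelen > 230 || need > cap) return 0; /* keeps the 1-byte header size valid */
    memset(dst, 0, need);
    memcpy(dst + 2, "-lh5-", 5);
    for (i = 0; i < 4; i++) dst[7 + i] = (uint8_t)(compsize >> (8 * i));
    dst[19] = 0x20;
    dst[20] = 1;                               /* header level */
    dst[21] = (uint8_t)namelen;
    memcpy(dst + 22, name, namelen);
    pos = 22 + namelen + 3;                    /* past filename, CRC16, OS id */
    dst[0] = (uint8_t)pos;                     /* header size: byte 2 through first size field */
    for (i = 0; i < n_ext; i++) {
        dst[pos] = (uint8_t)ext_sizes[i];
        dst[pos + 1] = (uint8_t)(ext_sizes[i] >> 8);
        pos += ext_sizes[i];                   /* next size field lands at pos */
    }
    return pos + 2;                            /* trailing zero size field from memset */
}

/* Four constructed cases; returns how many were handled as intended (4 = all). */
int self_check(void)
{
    static const uint16_t exts[] = { 5, 8 };
    uint8_t buf[128];
    struct lha1_header h;
    int ok = 0;
    size_t n = build_lha1_header(buf, sizeof buf, "a.txt", 100, exts, 2);

    /* well-formed: 45 bytes, 13 of them ext headers, 87 bytes of data remain */
    if (n == 45 && parse_lha1_header(buf, n, &h) == HDR_OK &&
        h.compsize == 87 && h.total_len == 45 && strcmp(h.name, "a.txt") == 0) ok++;
    if (parse_lha1_header(buf, 40, &h) == HDR_TRUNCATED) ok++;  /* cut mid second ext header */
    buf[30] = 0xff; buf[31] = 0xff;                              /* forged 65535-byte ext size */
    if (parse_lha1_header(buf, n, &h) == HDR_TRUNCATED) ok++;
    n = build_lha1_header(buf, sizeof buf, "a.txt", 10, exts, 2); /* compsize < ext bytes */
    if (parse_lha1_header(buf, n, &h) == HDR_INVALID) ok++;
    return ok;
}

int main(void) { printf("%d of 4 header checks behaved as intended\n", self_check()); return 0; }
```

The point of the two rejection paths is that a forged or truncated size field is answered with an error before any byte past the supplied buffer is touched; a parser that instead advances its cursor by the field value and reads from there is the shape that becomes an out-of-bounds read. The same discipline applies to any derived quantity, such as the compressed size left after the extended headers are accounted for, which must be checked before it is passed on as a read length.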

Defensive priority

High

Recommended defensive actions

  • Inventory all applications, appliances, and libraries that include libarchive (statically linked copies and vendored sources included) and confirm whether version 3.2.2, or any build that lacks the referenced fix commit, is present.
  • Upgrade to a libarchive release that includes the referenced fix commit or a vendor-maintained build containing that patch.
  • Treat all archive inputs as untrusted and apply defense-in-depth around extraction and parsing: run the parser in an isolated, resource-limited process, and enable only the archive formats the application actually needs (libarchive lets callers register formats individually rather than through archive_read_support_format_all(), so the LHA reader can stay disabled where LHA input is not expected).
  • Add crash monitoring and alerting for services that process archives, since the primary documented impact is denial of service.
  • If immediate upgrading is not possible, reduce exposure by restricting who can submit archives and by isolating archive-processing workloads.

Evidence notes

Supported by the official NVD CVE record and the CVE.org record. The supplied NVD metadata identifies libarchive 3.2.2 as vulnerable, describes an out-of-bounds read in lha_read_file_header_1(), assigns CWE-125, and lists CVSS v3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The NVD reference list includes the upstream libarchive commit 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 as a patch reference.

Official resources

Publicly disclosed on 2017-01-27T22:59:08.413Z. The supplied record was last modified on 2026-05-13T00:24:29.033Z.