{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Low" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"libarchive security update", "category":"general", "title":"Synopsis" }, { "text":"An update for libarchive is now available for openEuler-22.03-LTS-SP4", "category":"general", "title":"Summary" }, { "text":"is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use .\n\nSecurity Fix(es):\n\nA vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been classified as critical.CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.8.0 eliminates this vulnerability.(CVE-2025-5914)\n\nA vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.(CVE-2025-5916)\n\nA vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.(CVE-2025-5917)\n\nA vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.(CVE-2025-5918)", "category":"general", "title":"Description" }, { "text":"An update for libarchive is now available for openEuler-22.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Low", "category":"general", "title":"Severity" }, { "text":"libarchive", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1658", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1658" }, { "summary":"CVE-2025-5914", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5914&packageName=libarchive" }, { "summary":"CVE-2025-5916", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5916&packageName=libarchive" }, { "summary":"CVE-2025-5917", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5917&packageName=libarchive" }, { "summary":"CVE-2025-5918", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5918&packageName=libarchive" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5914" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5916" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5917" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5918" }, { "summary":"openEuler-SA-2025-1658 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1658.json" } ], "title":"An update for libarchive is now available for openEuler-22.03-LTS-SP4", "tracking":{ "initial_release_date":"2025-06-20T21:40:07+08:00", "revision_history":[ { "date":"2025-06-20T21:40:07+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-06-20T21:40:07+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-06-20T21:40:07+08:00", "id":"openEuler-SA-2025-1658", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"openEuler-22.03-LTS-SP4", "name":"openEuler-22.03-LTS-SP4" }, "name":"openEuler-22.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"bsdcat-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"bsdcat-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"bsdcat-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"bsdcpio-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"bsdcpio-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"bsdcpio-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"bsdtar-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"bsdtar-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"bsdtar-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"libarchive-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"libarchive-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-devel-3.5.2-9.oe2203sp4.aarch64.rpm", "name":"libarchive-devel-3.5.2-9.oe2203sp4.aarch64.rpm" }, "name":"libarchive-devel-3.5.2-9.oe2203sp4.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"bsdcat-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"bsdcat-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"bsdcat-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"bsdcpio-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"bsdcpio-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"bsdcpio-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"bsdtar-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"bsdtar-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"bsdtar-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"libarchive-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"libarchive-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-devel-3.5.2-9.oe2203sp4.x86_64.rpm", "name":"libarchive-devel-3.5.2-9.oe2203sp4.x86_64.rpm" }, "name":"libarchive-devel-3.5.2-9.oe2203sp4.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-3.5.2-9.oe2203sp4.src.rpm", "name":"libarchive-3.5.2-9.oe2203sp4.src.rpm" }, "name":"libarchive-3.5.2-9.oe2203sp4.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4" }, "product_id":"libarchive-help-3.5.2-9.oe2203sp4.noarch.rpm", "name":"libarchive-help-3.5.2-9.oe2203sp4.noarch.rpm" }, "name":"libarchive-help-3.5.2-9.oe2203sp4.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"bsdcat-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "name":"bsdcat-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"bsdcpio-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "name":"bsdcpio-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"bsdtar-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "name":"bsdtar-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "name":"libarchive-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "name":"libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "name":"libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-devel-3.5.2-9.oe2203sp4.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "name":"libarchive-devel-3.5.2-9.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"bsdcat-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "name":"bsdcat-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"bsdcpio-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "name":"bsdcpio-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"bsdtar-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "name":"bsdtar-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "name":"libarchive-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "name":"libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "name":"libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-devel-3.5.2-9.oe2203sp4.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "name":"libarchive-devel-3.5.2-9.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-3.5.2-9.oe2203sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "name":"libarchive-3.5.2-9.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP4", "product_reference":"libarchive-help-3.5.2-9.oe2203sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch", "name":"libarchive-help-3.5.2-9.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-5914", "notes":[ { "text":"A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been classified as critical.CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.8.0 eliminates this vulnerability.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ], "details":"libarchive security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1658" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.9, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2025-5914" }, { "cve":"CVE-2025-5916", "notes":[ { "text":"A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ], "details":"libarchive security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1658" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.9, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2025-5916" }, { "cve":"CVE-2025-5917", "notes":[ { "text":"A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ], "details":"libarchive security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1658" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":2.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2025-5917" }, { "cve":"CVE-2025-5918", "notes":[ { "text":"A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ], "details":"libarchive security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1658" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"LOW", "baseScore":3.9, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.aarch64", "openEuler-22.03-LTS-SP4:bsdcat-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdcpio-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:bsdtar-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-devel-3.5.2-9.oe2203sp4.x86_64", "openEuler-22.03-LTS-SP4:libarchive-3.5.2-9.oe2203sp4.src", "openEuler-22.03-LTS-SP4:libarchive-help-3.5.2-9.oe2203sp4.noarch" ] } ], "threats":[ { "details":"Low", "category":"impact" } ], "title":"CVE-2025-5918" } ] }