An update for libarchive is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1310 Final 1.0 1.0 2025-03-21 Initial 2025-03-21 2025-03-21 openEuler SA Tool V1.0 2025-03-21 libarchive security update An update for libarchive is now available for openEuler-24.03-LTS is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use . Security Fix(es): A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.(CVE-2025-1632) list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.(CVE-2025-25724) An update for libarchive is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium libarchive https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1310 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-1632 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-25724 https://nvd.nist.gov/vuln/detail/CVE-2025-1632 https://nvd.nist.gov/vuln/detail/CVE-2025-25724 openEuler-24.03-LTS bsdcat-3.7.1-6.oe2403.aarch64.rpm bsdcpio-3.7.1-6.oe2403.aarch64.rpm bsdtar-3.7.1-6.oe2403.aarch64.rpm bsdunzip-3.7.1-6.oe2403.aarch64.rpm libarchive-3.7.1-6.oe2403.aarch64.rpm libarchive-debuginfo-3.7.1-6.oe2403.aarch64.rpm libarchive-debugsource-3.7.1-6.oe2403.aarch64.rpm libarchive-devel-3.7.1-6.oe2403.aarch64.rpm bsdcat-3.7.1-6.oe2403.x86_64.rpm bsdcpio-3.7.1-6.oe2403.x86_64.rpm bsdtar-3.7.1-6.oe2403.x86_64.rpm bsdunzip-3.7.1-6.oe2403.x86_64.rpm libarchive-3.7.1-6.oe2403.x86_64.rpm libarchive-debuginfo-3.7.1-6.oe2403.x86_64.rpm libarchive-debugsource-3.7.1-6.oe2403.x86_64.rpm libarchive-devel-3.7.1-6.oe2403.x86_64.rpm libarchive-3.7.1-6.oe2403.src.rpm libarchive-help-3.7.1-6.oe2403.noarch.rpm A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-03-21 CVE-2025-1632 openEuler-24.03-LTS Low 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L libarchive security update 2025-03-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1310 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. 2025-03-21 CVE-2025-25724 openEuler-24.03-LTS Medium 4.0 AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L libarchive security update 2025-03-21 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1310