An update for libarchive is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1656 Final 1.0 1.0 2025-06-20 Initial 2025-06-20 2025-06-20 openEuler SA Tool V1.0 2025-06-20 libarchive security update An update for libarchive is now available for openEuler-20.03-LTS-SP4 is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use . Security Fix(es): A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been classified as critical.CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.8.0 eliminates this vulnerability.(CVE-2025-5914) A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.(CVE-2025-5916) A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.(CVE-2025-5917) A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.(CVE-2025-5918) An update for libarchive is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Low libarchive https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1656 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5914 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5916 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5917 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-5918 https://nvd.nist.gov/vuln/detail/CVE-2025-5914 https://nvd.nist.gov/vuln/detail/CVE-2025-5916 https://nvd.nist.gov/vuln/detail/CVE-2025-5917 https://nvd.nist.gov/vuln/detail/CVE-2025-5918 openEuler-20.03-LTS-SP4 libarchive-3.4.3-10.oe2003sp4.x86_64.rpm libarchive-debuginfo-3.4.3-10.oe2003sp4.x86_64.rpm libarchive-debugsource-3.4.3-10.oe2003sp4.x86_64.rpm libarchive-devel-3.4.3-10.oe2003sp4.x86_64.rpm libarchive-help-3.4.3-10.oe2003sp4.noarch.rpm libarchive-3.4.3-10.oe2003sp4.aarch64.rpm libarchive-debuginfo-3.4.3-10.oe2003sp4.aarch64.rpm libarchive-debugsource-3.4.3-10.oe2003sp4.aarch64.rpm libarchive-devel-3.4.3-10.oe2003sp4.aarch64.rpm libarchive-3.4.3-10.oe2003sp4.src.rpm A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been classified as critical.CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.8.0 eliminates this vulnerability. 2025-06-20 CVE-2025-5914 openEuler-20.03-LTS-SP4 Low 3.9 AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L libarchive security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1656 A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. 2025-06-20 CVE-2025-5916 openEuler-20.03-LTS-SP4 Low 3.9 AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L libarchive security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1656 A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. 2025-06-20 CVE-2025-5917 openEuler-20.03-LTS-SP4 Low 2.8 AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L libarchive security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1656 A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition. 2025-06-20 CVE-2025-5918 openEuler-20.03-LTS-SP4 Low 3.9 AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L libarchive security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1656