{"schema_version":"1.7.2","id":"OESA-2025-1311","modified":"2025-03-21T13:18:12Z","published":"2025-03-21T13:18:12Z","upstream":["CVE-2025-1632","CVE-2025-25724"],"summary":"libarchive security update","details":" is an open-source BSD-licensed C programming library that \nprovides streaming access to a variety of different archive formats,\nincluding tar, cpio, pax, zip, and ISO9660 images. The distribution \nalso includes bsdtar and bsdcpio, full-featured implementations of \ntar and cpio that use .\r\n\r\nSecurity Fix(es):\n\nA vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.(CVE-2025-1632)\n\nlist_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.(CVE-2025-25724)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"libarchive","purl":"pkg:rpm/openEuler/libarchive\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.7.1-6.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["bsdcat-3.7.1-6.oe2403sp1.aarch64.rpm","bsdcpio-3.7.1-6.oe2403sp1.aarch64.rpm","bsdtar-3.7.1-6.oe2403sp1.aarch64.rpm","bsdunzip-3.7.1-6.oe2403sp1.aarch64.rpm","libarchive-3.7.1-6.oe2403sp1.aarch64.rpm","libarchive-debuginfo-3.7.1-6.oe2403sp1.aarch64.rpm","libarchive-debugsource-3.7.1-6.oe2403sp1.aarch64.rpm","libarchive-devel-3.7.1-6.oe2403sp1.aarch64.rpm"],"noarch":["libarchive-help-3.7.1-6.oe2403sp1.noarch.rpm"],"src":["libarchive-3.7.1-6.oe2403sp1.src.rpm"],"x86_64":["bsdcat-3.7.1-6.oe2403sp1.x86_64.rpm","bsdcpio-3.7.1-6.oe2403sp1.x86_64.rpm","bsdtar-3.7.1-6.oe2403sp1.x86_64.rpm","bsdunzip-3.7.1-6.oe2403sp1.x86_64.rpm","libarchive-3.7.1-6.oe2403sp1.x86_64.rpm","libarchive-debuginfo-3.7.1-6.oe2403sp1.x86_64.rpm","libarchive-debugsource-3.7.1-6.oe2403sp1.x86_64.rpm","libarchive-devel-3.7.1-6.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1311"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1632"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25724"}],"database_specific":{"severity":"Medium"}}