OESA-2025-1623

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1623
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1623.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1623
Upstream
Published
2025-06-13T14:19:29Z
Modified
2025-08-12T05:52:11.160514Z
Summary
libarchive security update
Details

libarchive is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use libarchive.

Security Fix(es):

A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been classified as critical. CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 3.8.0 eliminates this vulnerability. (CVE-2025-5914)

A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been declared as critical. The CWE definition for the vulnerability is CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 3.8.0 eliminates this vulnerability. (CVE-2025-5915)

A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been rated as critical. Using CWE to declare the problem leads to CWE-190. The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. Impacted is confidentiality, integrity, and availability. Upgrading to version 3.8.0 eliminates this vulnerability. (CVE-2025-5916)

A vulnerability classified as critical has been found in libarchive up to 3.7.x (File Compression Software). CWE is classifying the issue as CWE-193. A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. This is going to have an impact on confidentiality, integrity, and availability. Upgrading to version 3.8.0 eliminates this vulnerability. (CVE-2025-5917)

A vulnerability classified as critical was found in libarchive up to 3.7.x (File Compression Software). The CWE definition for the vulnerability is CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. As an impact it is known to affect confidentiality, integrity, and availability. Upgrading to version 3.8.0 eliminates this vulnerability. (CVE-2025-5918)

Database specific
{
    "severity": "Low"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / libarchive

Package

Name
libarchive
Purl
pkg:rpm/openEuler/libarchive&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.7.1-7.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "bsdcat-3.7.1-7.oe2403sp1.aarch64.rpm",
        "bsdcpio-3.7.1-7.oe2403sp1.aarch64.rpm",
        "bsdtar-3.7.1-7.oe2403sp1.aarch64.rpm",
        "bsdunzip-3.7.1-7.oe2403sp1.aarch64.rpm",
        "libarchive-3.7.1-7.oe2403sp1.aarch64.rpm",
        "libarchive-debuginfo-3.7.1-7.oe2403sp1.aarch64.rpm",
        "libarchive-debugsource-3.7.1-7.oe2403sp1.aarch64.rpm",
        "libarchive-devel-3.7.1-7.oe2403sp1.aarch64.rpm"
    ],
    "src": [
        "libarchive-3.7.1-7.oe2403sp1.src.rpm"
    ],
    "noarch": [
        "libarchive-help-3.7.1-7.oe2403sp1.noarch.rpm"
    ],
    "x86_64": [
        "bsdcat-3.7.1-7.oe2403sp1.x86_64.rpm",
        "bsdcpio-3.7.1-7.oe2403sp1.x86_64.rpm",
        "bsdtar-3.7.1-7.oe2403sp1.x86_64.rpm",
        "bsdunzip-3.7.1-7.oe2403sp1.x86_64.rpm",
        "libarchive-3.7.1-7.oe2403sp1.x86_64.rpm",
        "libarchive-debuginfo-3.7.1-7.oe2403sp1.x86_64.rpm",
        "libarchive-debugsource-3.7.1-7.oe2403sp1.x86_64.rpm",
        "libarchive-devel-3.7.1-7.oe2403sp1.x86_64.rpm"
    ]
}
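The fixed version above is an RPM EVR (version-release), so a plain string or tuple comparison against `rpm -q` output gives wrong answers for releases like `10.oe2403sp1` versus `7.oe2403sp1`. The following added example (not part of the advisory or of openEuler's tooling) re-implements rpm's segment-wise version comparison in pure Python, parses a constructed copy of this advisory's "Affected ranges" data in OSV shape, and reports whether an installed EVR still falls inside the vulnerable range. Tilde pre-release ordering is handled; the rarer caret operator is not. The `rpm -q` query at the bottom is optional and assumes the host has rpm and no epoch set on libarchive (epoch defaults to 0 when absent).

```python
"""Check an installed openEuler libarchive EVR against the OSV fixed version.

Added example; it is not openEuler's or OSV's code. The affected-range
fragment below is constructed from this advisory (OESA-2025-1623).
"""
import string
import subprocess
import re

# Constructed from the advisory's "Affected ranges" section.
# introduced "0" is OSV's way of saying every earlier build is affected.
OSV_AFFECTED = {
    "package": {"name": "libarchive", "ecosystem": "openEuler:24.03-LTS-SP1"},
    "ranges": [{
        "type": "ECOSYSTEM",
        "events": [{"introduced": "0"}, {"fixed": "3.7.1-7.oe2403sp1"}],
    }],
}

_ALNUM = set(string.ascii_letters + string.digits)
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _skip_separators(s: str) -> str:
    """Drop characters rpm ignores (dots, dashes, ...); '~' is significant."""
    i = 0
    while i < len(s) and s[i] not in _ALNUM and s[i] != "~":
        i += 1
    return s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm's rpmvercmp().

    Returns -1, 0 or 1. Numeric segments compare numerically, alphabetic
    segments lexically, a numeric segment beats an alphabetic one, and a
    '~' segment sorts before anything (so "1.0~rc1" < "1.0").
    """
    if a == b:
        return 0
    while True:
        a, b = _skip_separators(a), _skip_separators(b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        ma, mb = _SEGMENT.match(a), _SEGMENT.match(b)
        sa, sb = ma.group(0), mb.group(0)
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1  # numeric is "newer" than alpha
        if sa.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # "02" == "2"
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        a, b = a[len(ma.group(0)):], b[len(mb.group(0)):]
    if not a and not b:
        return 0
    return -1 if not a else 1  # whichever side has characters left wins


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into its three parts."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Full EVR comparison: epoch, then version, then release."""
    for p, q in zip(parse_evr(x), parse_evr(y)):
        c = rpmvercmp(p, q)
        if c:
            return c
    return 0


def is_affected(installed_evr: str, affected=OSV_AFFECTED) -> bool:
    """True if installed_evr lies in any [introduced, fixed) range."""
    for rng in affected["ranges"]:
        introduced, fixed = None, None
        for ev in rng["events"]:
            introduced = ev.get("introduced", introduced)
            fixed = ev.get("fixed", fixed)
        if introduced not in (None, "0") and evr_cmp(installed_evr, introduced) < 0:
            continue  # older than the point where the bug was introduced
        if fixed is None or evr_cmp(installed_evr, fixed) < 0:
            return True
    return False


if __name__ == "__main__":
    # Assumes rpm is present and libarchive carries no epoch on this host.
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "libarchive"],
            capture_output=True, text=True, check=True).stdout.strip()
        print(out, "AFFECTED" if is_affected(out) else "fixed")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not query rpm:", exc)
```

Run it on the target host as-is, or feed `is_affected()` the EVR from an SBOM or a package inventory when scanning fleets offline; the comparison does not depend on rpm being installed.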