OESA-2025-1658

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1658
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-1658.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-1658
Upstream
Published
2025-06-20T13:26:43Z
Modified
2025-08-12T05:52:13.161701Z
Summary
libarchive security update
Details

is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use .

Security Fix(es):

A vulnerability was found in libarchive up to 3.7.x (File Compression Software). It has been classified as critical.CWE is classifying the issue as CWE-415. The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.This is going to have an impact on confidentiality, integrity, and availability.Upgrading to version 3.8.0 eliminates this vulnerability.(CVE-2025-5914)

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.(CVE-2025-5916)

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.(CVE-2025-5917)

A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.(CVE-2025-5918)

Database specific 
{
    "severity": "Low"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / libarchive

Package

Name
libarchive
Purl
pkg:rpm/openEuler/libarchive&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.2-9.oe2203sp4

Ecosystem specific 

{
    "aarch64": [
        "bsdcat-3.5.2-9.oe2203sp4.aarch64.rpm",
        "bsdcpio-3.5.2-9.oe2203sp4.aarch64.rpm",
        "bsdtar-3.5.2-9.oe2203sp4.aarch64.rpm",
        "libarchive-3.5.2-9.oe2203sp4.aarch64.rpm",
        "libarchive-debuginfo-3.5.2-9.oe2203sp4.aarch64.rpm",
        "libarchive-debugsource-3.5.2-9.oe2203sp4.aarch64.rpm",
        "libarchive-devel-3.5.2-9.oe2203sp4.aarch64.rpm"
    ],
    "src": [
        "libarchive-3.5.2-9.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "bsdcat-3.5.2-9.oe2203sp4.x86_64.rpm",
        "bsdcpio-3.5.2-9.oe2203sp4.x86_64.rpm",
        "bsdtar-3.5.2-9.oe2203sp4.x86_64.rpm",
        "libarchive-3.5.2-9.oe2203sp4.x86_64.rpm",
        "libarchive-debuginfo-3.5.2-9.oe2203sp4.x86_64.rpm",
        "libarchive-debugsource-3.5.2-9.oe2203sp4.x86_64.rpm",
        "libarchive-devel-3.5.2-9.oe2203sp4.x86_64.rpm"
    ],
    "noarch": [
        "libarchive-help-3.5.2-9.oe2203sp4.noarch.rpm"
    ]
}