Debian alert DLA-4368-1 (libarchive)
From: rouca@debian.org
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4368-1] libarchive security update
Date: Tue, 11 Nov 2025 21:29:04 +0100
Message-ID: <9f8c0d5f58b5ece36c4518f182a6ae30@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4368-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
November 11, 2025                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libarchive
Version        : 3.4.3-2+deb11u3
CVE ID         : CVE-2025-5914 CVE-2025-5916 CVE-2025-5917 CVE-2025-5918
Debian Bug     : 1107621 1107623 1107624 1107626

Multiple vulnerabilities were fixed in libarchive, a multi-format archive
and compression library.

CVE-2025-5914

    A vulnerability has been identified in the libarchive library,
    specifically within the archive_read_format_rar_seek_data() function.
    This flaw involves an integer overflow that can ultimately lead to a
    double-free condition. Exploiting a double-free vulnerability can
    result in memory corruption, enabling an attacker to execute arbitrary
    code or cause a denial-of-service condition.

CVE-2025-5916

    This flaw involves an integer overflow that can be triggered when
    processing a Web Archive (WARC) file that claims to have more than
    INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC
    archive to induce this overflow, potentially leading to unpredictable
    program behavior, memory corruption, or a denial-of-service condition
    within applications that process such archives using libarchive.

CVE-2025-5917

    This flaw involves an 'off-by-one' miscalculation when handling
    prefixes and suffixes for file names. This can lead to a 1-byte write
    overflow. While seemingly small, such an overflow can corrupt adjacent
    memory, leading to unpredictable program behavior, crashes, or, in
    specific circumstances, could be leveraged as a building block for
    more sophisticated exploitation.

CVE-2025-5918

    This flaw can be triggered when file streams are piped into bsdtar,
    potentially allowing for reading past the end of the file. This
    out-of-bounds read can lead to unintended consequences, including
    unpredictable program behavior, memory corruption, or a
    denial-of-service condition.

For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u3.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmkTnJAACgkQADoaLapB
CF/cUxAAri7zC3cHstbilbexXzVrCnvNd/0CWDeztI6DilabcHXA3Ru8zh4oNVN6
jRBZaiSrooP1y+oQ92B2AP4wMhLZwLH4n2DGNamYmSuFT5ObNXbHyY/RG8DJdTcH
e9xseQRO0OAYTsukiuhtb+R5EMHlxnqFIdbtZ/SByyVr16M2veJIF+umgmfJ3X46
BnXAmHdH2r84GulfXL2g82pSQhopNzjvYpX+D2qTkync57nQs0kXNEPHHuutUtXV
IaC7Ep1dajBEdWajjdAkBva5A1HFWKGnrt982TFJWDlZz9jqY94rkFetPUygBWOY
/FdouYMeGwwIQXYgQrMW24552+Aqzcl/p8+bmG3qPycbi2UyDRShMFVr1w9MsIXD
pmEZUxnt64MrZhnKQh0XVXKLvp0JgAzBuUkmBEAhsSOApBqlkFSnpOSaD/eoXC8G
BZalJynyeAghi+lvec0aR0O1je051774i4eIAx81NOyxNerGN5d6j2Cq4rQ8QOZJ
1sqv1XJzlUHhMVRXDyilOoJBMo+PmN8E+0FBVIvFSA5Gm1VUbC4V5iUXUmjlNDhg
3qPvC1NiIAKunPL8KA5W4FErOuNobAXH02v3Ni6LZ+fdgVTJBtjehg+ravt5+nzi
neeJG8lSd66Bx4QOPF2PDXG9f+9ldIyhm+A5Yj6tx5R32jDPcx4=
=wMxd
-----END PGP SIGNATURE-----
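The two bug classes named for CVE-2025-5916 (a declared WARC content length so large that adding a small constant wraps a signed 64-bit integer) and CVE-2025-5917 (a file-name buffer sized one byte too short for its NUL terminator) are both length-arithmetic mistakes, and both are closed by the same habit: bound the operands before doing the addition, and count the terminator when sizing the buffer. The C below is an added illustration of that defensive pattern, written for this page; it is not libarchive's code and does not reproduce its fix. The trailer length of 4 is an assumption taken from the advisory's "INT64_MAX - 4" bound (a WARC record ends with "\r\n\r\n"), and the function and macro names are ours.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed from the advisory's INT64_MAX - 4 bound: four trailer bytes are
 * added to the declared content length (WARC records end with "\r\n\r\n"). */
#define WARC_TRAILER_LEN 4

/* Store content_length + WARC_TRAILER_LEN in *total only when the sum cannot
 * wrap. A reader that adds first and checks later lets a declared length of
 * INT64_MAX - 3 or more wrap to a small or negative value. */
bool warc_total_length(int64_t content_length, int64_t *total)
{
    if (content_length < 0)
        return false;                       /* a negative length is never valid */
    if (content_length > INT64_MAX - WARC_TRAILER_LEN)
        return false;                       /* adding the trailer would overflow */
    *total = content_length + WARC_TRAILER_LEN;
    return true;
}

/* Build prefix + name + suffix in a freshly allocated buffer that includes
 * room for the terminating NUL. Sizing the buffer as lp + ln + ls (without the
 * +1) writes the NUL one byte past the allocation: exactly the 1-byte overflow
 * the advisory describes. The size arithmetic itself is also guarded so that
 * absurd inputs cannot wrap size_t. Caller frees the result. */
char *join_name(const char *prefix, const char *name, const char *suffix)
{
    size_t lp = strlen(prefix), ln = strlen(name), ls = strlen(suffix);
    if (lp > SIZE_MAX - ln)
        return NULL;
    if (lp + ln > SIZE_MAX - ls)
        return NULL;
    if (lp + ln + ls == SIZE_MAX)
        return NULL;                        /* no room left for the NUL */
    size_t total = lp + ln + ls + 1;        /* +1 for the NUL terminator */
    char *out = malloc(total);
    if (out == NULL)
        return NULL;
    memcpy(out, prefix, lp);
    memcpy(out + lp, name, ln);
    memcpy(out + lp + ln, suffix, ls);
    out[lp + ln + ls] = '\0';
    return out;
}

int main(void)
{
    int64_t total;
    /* constructed declared lengths: an ordinary one and the overflow boundary */
    printf("1000           -> %s\n",
           warc_total_length(1000, &total) ? "accepted" : "rejected");
    printf("INT64_MAX - 4  -> %s\n",
           warc_total_length(INT64_MAX - 4, &total) ? "accepted" : "rejected");
    printf("INT64_MAX - 3  -> %s\n",
           warc_total_length(INT64_MAX - 3, &total) ? "accepted" : "rejected");

    char *p = join_name("./", "file", ".txt");   /* constructed name parts */
    if (p != NULL) {
        printf("joined: %s (%zu bytes + NUL)\n", p, strlen(p));
        free(p);
    }
    return 0;
}
```

The check in warc_total_length is the general form of the fix for any "length plus small constant" computation: compare against the type's maximum minus the constant before adding, rather than adding and testing the result, since signed overflow in C is undefined behaviour and the post-addition test may be optimised away.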
