- Package:
- src:libarchive
- Source:
- src:libarchive
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2025-08-27 19:33:05 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for libarchive.

CVE-2025-5914[0]:
| A vulnerability has been identified in the libarchive library,
| specifically within the archive_read_format_rar_seek_data()
| function. This flaw involves an integer overflow that can ultimately
| lead to a double-free condition. Exploiting a double-free
| vulnerability can result in memory corruption, enabling an attacker
| to execute arbitrary code or cause a denial-of-service condition.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5914
    https://www.cve.org/CVERecord?id=CVE-2025-5914
[1] https://github.com/libarchive/libarchive/pull/2598
[2] https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107621@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Pentchev <roam@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 24 Jul 2025 17:40:32 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-4
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Closes: 1107621 1107622 1107623 1107626
Changes:
libarchive (3.7.4-4) unstable; urgency=medium
.
* Add the CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and
CVE-2025-5917 patches.
Closes: #1107621, #1107622, #1107623, #1107626
Checksums-Sha1:
6c5e9f9fe003593036dbda133c771748898c2ff1 2714 libarchive_3.7.4-4.dsc
b1c450c9b9049cd7397f38e9e7bc92b01baa8252 31444 libarchive_3.7.4-4.debian.tar.xz
Checksums-Sha256:
95655dc4e44c164458bcbb5cf028713de3ffd2c77690f82a33b1a57d9eb7ae1c 2714 libarchive_3.7.4-4.dsc
f37171018c1c66871643b6212a29f9e7ebf8e64deab80be50ce3f24b50cd232a 31444 libarchive_3.7.4-4.debian.tar.xz
Files:
717fbdb981fa75a9cad1ea4502891509 2714 libs optional libarchive_3.7.4-4.dsc
2c0195fd110c851662e81b860076a11c 31444 libs optional libarchive_3.7.4-4.debian.tar.xz
Hey.

Haven't looked into the details yet, but at least heise[0] (German, use
Google Translate or so) claims now that CVE-2025-5914 has been changed to
a critical CVSS value.

So it might be necessary to get the fixes also into bookworm.

Cheers,
Chris.

[0] https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kritisch-10516447.html
Hi there,

As Chris already reported, the CVE got a higher rating in the meanwhile and most other distros patched the CVE (e.g. Ubuntu - https://ubuntu.com/security/CVE-2025-5914). Therefore I wanted to ask if there will also be an update for bullseye and bookworm?

Thanks for taking a look at it and a quick reply.

Best regards,
Dani
Hi,

No DSA is planned for this issue, but the fix will land (likely) in the upcoming next point release scheduled for 6th of September.

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107621@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 Aug 2025 22:53:07 +0200
Source: libarchive
Architecture: source
Version: 3.6.2-1+deb12u3
Distribution: bookworm
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 1107621 1107622 1107623 1107626
Changes:
libarchive (3.6.2-1+deb12u3) bookworm; urgency=medium
.
* CVE-2025-5914 (Closes: #1107621)
* CVE-2025-5915 (Closes: #1107622)
* CVE-2025-5916 (Closes: #1107623)
* CVE-2025-5917 (Closes: #1107626)
Checksums-Sha1:
5074356fbd588c64b8f70eceed9c7b1c6a7f7e34 2561 libarchive_3.6.2-1+deb12u3.dsc
5c180acd996e9d1779498c66abb41714e7c588be 31416 libarchive_3.6.2-1+deb12u3.debian.tar.xz
30b5e34f9a29862c1b620151a6dd4870817ed3ac 8164 libarchive_3.6.2-1+deb12u3_amd64.buildinfo
Checksums-Sha256:
046ac1af7b20d70071e5171badc5df406ac3f2450828a568194a5b5e92814f24 2561 libarchive_3.6.2-1+deb12u3.dsc
2774090be2ba8e08f79b098284e7f72ec73583946d1abae199188af56013b4f2 31416 libarchive_3.6.2-1+deb12u3.debian.tar.xz
00d746586cef6368f542e41b2753f56f5b5ff83b19af9b8cb546081210557b5e 8164 libarchive_3.6.2-1+deb12u3_amd64.buildinfo
Files:
38c22b2b70e3d921e5a161da5d1a88ff 2561 libs optional libarchive_3.6.2-1+deb12u3.dsc
1cb7f026841e1de8e5e13020a42968ae 31416 libs optional libarchive_3.6.2-1+deb12u3.debian.tar.xz
356dc28a959baf03d0c45a48abd2272f 8164 libs optional libarchive_3.6.2-1+deb12u3_amd64.buildinfo