Security update for libarchive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0985-1 Final 1 1 2025-03-21T17:45:17Z current 2025-03-21T17:45:17Z 2025-03-21T17:45:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: - CVE-2025-1632: Fixed null pointer dereference in bsdunzip.c (bsc#1237606) - CVE-2025-25724: Fixed buffer overflow vulnerability in function list_item_verbose() in tar/util.c (bsc#1238610) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/spack:latest-2025-985,SUSE-2025-985,SUSE-SLE-Module-Basesystem-15-SP6-2025-985,SUSE-SLE-Module-Development-Tools-15-SP6-2025-985,openSUSE-SLE-15.6-2025-985 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250985-1/ Link for SUSE-SU-2025:0985-1 https://lists.suse.com/pipermail/sle-security-updates/2025-March/020577.html E-Mail link for SUSE-SU-2025:0985-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237606 SUSE Bug 1237606 https://bugzilla.suse.com/1238610 SUSE Bug 1238610 https://www.suse.com/security/cve/CVE-2025-1632/ SUSE CVE CVE-2025-1632 page https://www.suse.com/security/cve/CVE-2025-25724/ SUSE CVE CVE-2025-25724 page Container bci/spack:latest SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Development Tools 15 SP6 openSUSE Leap 15.6 libarchive13-3.7.2-150600.3.12.1 bsdtar-3.7.2-150600.3.12.1 libarchive-devel-3.7.2-150600.3.12.1 libarchive13-32bit-3.7.2-150600.3.12.1 libarchive13-64bit-3.7.2-150600.3.12.1 libarchive13-3.7.2-150600.3.12.1 as a component of Container bci/spack:latest libarchive-devel-3.7.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libarchive13-3.7.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 bsdtar-3.7.2-150600.3.12.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP6 bsdtar-3.7.2-150600.3.12.1 as a component of openSUSE Leap 15.6 libarchive-devel-3.7.2-150600.3.12.1 as a component of openSUSE Leap 15.6 libarchive13-3.7.2-150600.3.12.1 as a component of openSUSE Leap 15.6 libarchive13-32bit-3.7.2-150600.3.12.1 as a component of openSUSE Leap 15.6 A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVE-2025-1632 Container bci/spack:latest:libarchive13-3.7.2-150600.3.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libarchive-devel-3.7.2-150600.3.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libarchive13-3.7.2-150600.3.12.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:bsdtar-3.7.2-150600.3.12.1 openSUSE Leap 15.6:bsdtar-3.7.2-150600.3.12.1 openSUSE Leap 15.6:libarchive-devel-3.7.2-150600.3.12.1 openSUSE Leap 15.6:libarchive13-3.7.2-150600.3.12.1 openSUSE Leap 15.6:libarchive13-32bit-3.7.2-150600.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250985-1/ https://www.suse.com/security/cve/CVE-2025-1632.html CVE-2025-1632 https://bugzilla.suse.com/1237606 SUSE Bug 1237606 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. CVE-2025-25724 Container bci/spack:latest:libarchive13-3.7.2-150600.3.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libarchive-devel-3.7.2-150600.3.12.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libarchive13-3.7.2-150600.3.12.1 SUSE Linux Enterprise Module for Development Tools 15 SP6:bsdtar-3.7.2-150600.3.12.1 openSUSE Leap 15.6:bsdtar-3.7.2-150600.3.12.1 openSUSE Leap 15.6:libarchive-devel-3.7.2-150600.3.12.1 openSUSE Leap 15.6:libarchive13-3.7.2-150600.3.12.1 openSUSE Leap 15.6:libarchive13-32bit-3.7.2-150600.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250985-1/ https://www.suse.com/security/cve/CVE-2025-25724.html CVE-2025-25724 https://bugzilla.suse.com/1238610 SUSE Bug 1238610