[Buildroot] [PATCH 1/1] package/libarchive: security bump to version 3.7.9
Julien Olivain
ju.o at free.fr
Fri Apr 11 17:56:25 UTC 2025
On 11/04/2025 19:48, Thomas Perale via buildroot wrote:
> Fixes the following security issues:
>
> - CVE-2024-57970: libarchive through 3.7.7 has a heap-based buffer
>   over-read in header_gnu_longlink in archive_read_support_format_tar.c
>   via a TAR archive because it mishandles truncation in the middle of
>   a GNU long linkname.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2024-57970
> - https://github.com/libarchive/libarchive/commit/82912103214506316bd9990d73f33d743d55f570
>
> - CVE-2025-1632: This affects the function list of the file bsdunzip.c.
> The manipulation leads to null pointer dereference. It is possible
> to launch the attack on the local host.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-1632
> - https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532
>
> - CVE-2025-25724: list_item_verbose in tar/util.c in libarchive through
>   3.7.7 does not check an strftime return value, which can lead to a
>   denial of service or unspecified other impact via a crafted TAR
>   archive that is read with a verbose value of 2. For example, the
>   100-byte buffer may not be sufficient for a custom locale.
>
> For more information, see:
> - https://nvd.nist.gov/vuln/detail/CVE-2025-25724
> - https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532
>
> The patch added in [1] is still needed for this version bump.
>
> For more details on the version bump, see the release notes:
> - https://github.com/libarchive/libarchive/releases/tag/v3.7.8
> - https://github.com/libarchive/libarchive/releases/tag/v3.7.9
>
> [1] 9ac63a3360 package/libarchive: fix uclibc build with libiconv (again)
>
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Applied to master, thanks.
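The strftime defect described under CVE-2025-25724 above, as an added example that is not libarchive's code: a hypothetical format_mtime helper that checks the strftime return value before the buffer is used, plus a fallback so a listing never prints an unspecified buffer when the locale's date format does not fit.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper (example only): format `when` with `fmt` into
 * buf[bufsz]. Returns the number of bytes written, or -1 if the result
 * did not fit. strftime() returns 0 when the output (plus NUL) does not
 * fit, and the buffer contents are then unspecified, so the caller must
 * never treat buf as a string in that case. (A format that legitimately
 * expands to "" also yields 0; we treat that as "unusable" as well.) */
static int format_mtime(char *buf, size_t bufsz, time_t when, const char *fmt)
{
    struct tm tmbuf;
    if (bufsz == 0 || gmtime_r(&when, &tmbuf) == NULL) /* UTC, for reproducibility */
        return -1;
    size_t n = strftime(buf, bufsz, fmt, &tmbuf);
    if (n == 0) {
        buf[0] = '\0';   /* make the buffer a valid (empty) string, never garbage */
        return -1;
    }
    return (int)n;
}

/* Hardened variant: if the locale-dependent format does not fit in the
 * caller's buffer, fall back to a fixed, locale-independent form. The
 * fallback literal is a constructed placeholder, not libarchive output. */
static const char *format_mtime_or_fallback(char *buf, size_t bufsz,
                                            time_t when, const char *fmt)
{
    if (format_mtime(buf, bufsz, when, fmt) > 0)
        return buf;
    /* "%Y-%m-%d %H:%M:%S" needs 19 bytes plus NUL for 4-digit years */
    if (bufsz >= 20 && format_mtime(buf, bufsz, when, "%Y-%m-%d %H:%M:%S") > 0)
        return buf;
    return "????-??-?? ??:??:??";
}

int main(void)
{
    char buf[100];             /* the 100-byte buffer size the advisory mentions */
    char longfmt[128];         /* constructed: a "locale" whose format is too long */
    memset(longfmt, 'x', 120);
    longfmt[120] = '\0';
    printf("fits:     %s\n", format_mtime_or_fallback(buf, sizeof buf, 0, "%Y-%m-%d %H:%M"));
    printf("too long: %s\n", format_mtime_or_fallback(buf, sizeof buf, 0, longfmt));
    return 0;
}
```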