[Buildroot] [git commit branch/2024.02.x] package/libarchive: security bump to version 3.7.9

Thomas Perale thomas.perale at mind.be
Wed Apr 16 08:52:17 UTC 2025


commit: https://git.buildroot.net/buildroot/commit/?id=1b69735ae1b9d1854bb477ee91bf7c87f3a8e914
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2024.02.x

Fixes the following security issues:

- CVE-2024-57970: libarchive through 3.7.7 has a heap-based buffer
    over-read in header_gnu_longlink in archive_read_support_format_tar.c
    via a TAR archive because it mishandles truncation in the middle of a
    GNU long linkname.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-57970
  - https://github.com/libarchive/libarchive/commit/82912103214506316bd9990d73f33d743d55f570

- CVE-2025-1632: This affects the function list of the file bsdunzip.c.
    The manipulation leads to null pointer dereference. It is possible
    to launch the attack on the local host.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-1632
  - https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532

- CVE-2025-25724: list_item_verbose in tar/util.c in libarchive through 3.7.7
    does not check a strftime return value, which can lead to a denial of
    service or unspecified other impact via a crafted TAR archive that is read
    with a verbose value of 2.
    For example, the 100-byte buffer may not be sufficient for a custom locale.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-25724
  - https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532

The patch added in [1] is still needed for this version bump.

For more details on the version bump, see the release notes:
  - https://github.com/libarchive/libarchive/releases/tag/v3.7.8
  - https://github.com/libarchive/libarchive/releases/tag/v3.7.9

[1] 9ac63a3360 package/libarchive: fix uclibc build with libiconv (again)

Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit fde0b3fe1c99207436fd0c25a94c09856d1ee552)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 package/libarchive/libarchive.hash | 2 +-
 package/libarchive/libarchive.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libarchive/libarchive.hash b/package/libarchive/libarchive.hash
index c0b04b0f4b..d132664e17 100644
--- a/package/libarchive/libarchive.hash
+++ b/package/libarchive/libarchive.hash
@@ -1,4 +1,4 @@
 # From https://www.libarchive.de/downloads/sha256sums
-sha256  879acd83c3399c7caaee73fe5f7418e06087ab2aaf40af3e99b9e29beb29faee  libarchive-3.7.7.tar.xz
+sha256  ed8b5732e4cd6e30fae909fb945cad8ff9cb7be5c6cdaa3944ec96e4a200c04c  libarchive-3.7.9.tar.xz
 # Locally computed:
 sha256  b2cdf763345de2de34cebf54394df3c61a105c3b71288603c251f2fa638200ba  COPYING
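Review bot: the COPYING line is carried over unchanged while the tarball entry moves from libarchive-3.7.7.tar.xz to libarchive-3.7.9.tar.xz; since the .hash file doubles as the licence-file checksum record, please confirm that the COPYING sha256 was re-verified against the 3.7.9 tarball rather than assumed stable across two releases. The comment "# From https://www.libarchive.de/downloads/sha256sums" states the provenance of the new tarball hash, so the new value should match that upstream file exactly, which is the check a reviewer will repeat before merging.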
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 70123ee2b1..7fec01a040 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBARCHIVE_VERSION = 3.7.7
+LIBARCHIVE_VERSION = 3.7.9
 LIBARCHIVE_SOURCE = libarchive-$(LIBARCHIVE_VERSION).tar.xz
 LIBARCHIVE_SITE = https://www.libarchive.de/downloads
 LIBARCHIVE_INSTALL_STAGING = YES
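Review bot: the hunk only changes LIBARCHIVE_VERSION from 3.7.7 to 3.7.9, leaving LIBARCHIVE_SOURCE and LIBARCHIVE_SITE to resolve the new tarball name, which is consistent with the .hash entry; since 3.7.8 is skipped, the message should say that 3.7.9 supersedes it so readers know the 3.7.8 release-note fixes are included. The message also lists the same upstream commit (c9bc934e...) for both CVE-2025-1632 and CVE-2025-25724; please confirm that one commit really covers both issues or correct the reference for the bsdunzip.c fix. Finally, the message says the patch from [1] is still needed: it would help to state that it was checked to apply cleanly on 3.7.9, since the diff itself does not touch it.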


More information about the buildroot mailing list