| Name | CVE-2025-5918 |
| Description | A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4368-1 |
| Debian Bugs | 1107624 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libarchive (PTS) | bullseye | 3.4.3-2+deb11u1 | vulnerable |
| bullseye (security) | 3.4.3-2+deb11u4 | fixed | |
| bookworm | 3.6.2-1+deb12u4 | fixed | |
| bookworm (security) | 3.6.2-1+deb12u2 | vulnerable | |
| trixie | 3.7.4-4+deb13u1 | fixed | |
| forky, sid | 3.8.7-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libarchive | source | bullseye | 3.4.3-2+deb11u3 | DLA-4368-1 | ||
| libarchive | source | bookworm | 3.6.2-1+deb12u4 | |||
| libarchive | source | trixie | 3.7.4-4+deb13u1 | |||
| libarchive | source | (unstable) | 3.8.4-1 | 1107624 |
https://github.com/libarchive/libarchive/pull/2584
Fixed by: https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf (v3.8.0)
Regression: https://github.com/libarchive/libarchive/issues/2641
Regression fixed by: https://github.com/libarchive/libarchive/commit/51b4c35bb38b7df4af24de7f103863dd79129b01
Regression fixed by: https://github.com/libarchive/libarchive/commit/0dc4f71fcbfde97eac10a2c23188f2dfc74d7a5e (v3.8.1)