| Name | CVE-2025-5918 |
| Description | A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1107624 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libarchive (PTS) | bullseye | 3.4.3-2+deb11u1 | vulnerable |
| bullseye (security) | 3.4.3-2+deb11u2 | vulnerable | |
| bookworm | 3.6.2-1+deb12u3 | vulnerable | |
| bookworm (security) | 3.6.2-1+deb12u2 | vulnerable | |
| forky, sid, trixie | 3.7.4-4 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libarchive | source | (unstable) | (unfixed) | 1107624 |
[trixie] - libarchive <no-dsa> (Minor issue)
[bookworm] - libarchive <no-dsa> (Minor issue)
[bullseye] - libarchive <postponed> (Minor issue)
https://github.com/libarchive/libarchive/pull/2584
Fixed by: https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf (v3.8.0)
Regression: https://github.com/libarchive/libarchive/issues/2641
Regression fixed by: https://github.com/libarchive/libarchive/commit/51b4c35bb38b7df4af24de7f103863dd79129b01