[security][HIGH] libarchive 3.7.7: 2 CVEs require triage #2

Closed
opened 2026-04-29 04:39:02 +03:00 by sbelikov · 1 comment
Owner

CVE triage request

Package

  • Package: libarchive
  • Version: 3.7.7
  • EVR: 3.7.7-1
  • Category: library
  • Policy class: library
  • NiceOS policy class: -
  • Owner: base-team
  • Severity: HIGH
  • Max CVSS: 7.8
  • CVE count: 2

LLM recommendation

RU (translated to English)

Two vulnerability candidates (CVE-2025-25724 and CVE-2025-5914) were found in the libarchive library, version 3.7.7. The vulnerabilities include a potential Denial of Service attack due to an insufficient check of the strftime return value, and possible arbitrary code execution through integer overflow and double-free when processing RAR archives.

An in-depth analysis (triage) is required to confirm that the vulnerabilities apply to specific НАЙС.ОС builds, since the current match is based only on a version range. If the vulnerabilities are confirmed, the package must be updated to a fixed version immediately.

Recommended action: needs_triage

Target version hint: -

Checks:
  1. Check for the presence of the vulnerable functions tar/util.c and archive_read_format_rar_seek_data() in the libarchive 3.7.7 source code in the НАЙС.ОС repository.
  2. Build the package with debug information and check for patches closing CVE-2025-25724 and CVE-2025-5914.
  3. Perform Denial of Service testing with specially crafted TAR archives (verbose=2).
  4. Perform code execution testing with specially crafted RAR archives.

Risks: High risk: possible system outage (DoS) when reading a specially crafted TAR archive, and critical risk of arbitrary attacker code execution when reading a RAR archive due to the double-free vulnerability.

EN

Two CVE candidates (CVE-2025-25724 and CVE-2025-5914) identified in libarchive version 3.7.7. Vulnerabilities include potential DoS via insufficient strftime return value checking and arbitrary code execution via integer overflow and double-free when processing RAR archives.

Conduct deep triage to confirm applicability of these vulnerabilities to specific НАЙС.ОС builds, as the current match is based solely on version ranges. If confirmed, immediate package update to the patched version is required.

Recommended action: needs_triage

Target version hint: -

Tests:
  1. Verify presence of vulnerable functions tar/util.c and archive_read_format_rar_seek_data() in the libarchive 3.7.7 source code within the НАЙС.ОС repository.
  2. Compile the package with debug info and check for patches addressing CVE-2025-25724 and CVE-2025-5914.
  3. Perform DoS testing using crafted TAR archives (verbose=2).
  4. Perform code execution testing using crafted RAR archives.

Risks: High risk: system crash (DoS) when reading a crafted TAR archive and critical risk of arbitrary code execution when reading RAR archives due to the double-free vulnerability.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2025-25724 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-5914 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2025-25724

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

CVE-2025-5914

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-25724",
    "CVE-2025-5914"
  ],
  "fingerprint": "1512dd8ce27a7d01d4fd",
  "generated_at": "2026-04-29T01:39:02Z",
  "package": "libarchive",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "3.7.7"
}
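The CVE-2025-25724 description above turns on one detail: strftime() returns 0 when the formatted string (plus its terminating NUL) does not fit the buffer, and the buffer contents are then unspecified, so a verbose listing that prints the buffer anyway consumes garbage. The following is an added example written for this page, not libarchive's code and not the patch NiceOS shipped; it mimics the shape of a listing helper with a fixed-size buffer, makes the buffer size a parameter so the overflow can be triggered on demand, and shows the unchecked pattern next to a checked one that falls back to a representation that always fits. The sample timestamp and format string are constructed inputs; a long format stands in for the locale-dependent expansion the NVD text mentions.

```c
/* Added example (not libarchive's code): an unchecked strftime() return
 * value, the failure mode CVE-2025-25724 describes for the verbose
 * listing path. strftime() returns 0 when the output plus NUL does not
 * fit; the buffer is then unspecified. The buffer size is a parameter
 * here so the overflow can be triggered deterministically. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample input: 1700000000 is 2023-11-14 22:13:20 UTC. */
#define SAMPLE_T   ((time_t)1700000000)
/* Expands to 19 characters, so it needs a 20-byte buffer. */
#define SAMPLE_FMT "%Y-%m-%d %H:%M:%S"

/* Vulnerable pattern: return whatever strftime() says and leave buf for
 * the caller to use regardless of the result. */
size_t fmt_mtime_unchecked(char *buf, size_t n, time_t t, const char *fmt)
{
    struct tm *tm = gmtime(&t);            /* UTC, so the output is stable */
    if (tm == NULL)
        return 0;
    return strftime(buf, n, fmt, tm);      /* 0 on overflow, buf unspecified */
}

/* Hardened pattern: treat 0 as "did not fit" and write a fallback that is
 * guaranteed to fit and be NUL-terminated, so the caller never reads an
 * unspecified buffer. */
size_t fmt_mtime_checked(char *buf, size_t n, time_t t, const char *fmt)
{
    struct tm *tm = gmtime(&t);
    size_t len = (tm == NULL) ? 0 : strftime(buf, n, fmt, tm);
    if (len == 0) {
        if (n == 0)
            return 0;
        /* Fall back to raw epoch seconds; snprintf() truncates safely. */
        int r = snprintf(buf, n, "%lld", (long long)t);
        if (r < 0) {
            buf[0] = '\0';
            return 0;
        }
        len = (size_t)r < n ? (size_t)r : n - 1;
    }
    return len;
}

/* Helpers for stand-alone checking: run each variant with the buffer
 * limited to n bytes and expose the result. */
static char scratch[100];

size_t run_unchecked(size_t n) { return fmt_mtime_unchecked(scratch, n, SAMPLE_T, SAMPLE_FMT); }
size_t run_checked(size_t n)   { return fmt_mtime_checked(scratch, n, SAMPLE_T, SAMPLE_FMT); }
const char *last_output(void)  { return scratch; }

int main(void)
{
    memset(scratch, 'X', sizeof scratch - 1);   /* make stale bytes visible */
    scratch[sizeof scratch - 1] = '\0';
    printf("unchecked, 20 bytes: len=%zu \"%s\"\n", run_unchecked(20), last_output());
    printf("unchecked, 19 bytes: len=%zu \"%s\"\n", run_unchecked(19), last_output());
    printf("checked,   19 bytes: len=%zu \"%s\"\n", run_checked(19), last_output());
    return 0;
}
```

With 20 bytes both variants produce the timestamp; with 19 bytes the unchecked call returns 0 and leaves whatever partial or stale bytes were in the buffer, while the checked call emits the epoch seconds instead. One caveat for a real fix: strftime() also returns 0 for a format that legitimately expands to an empty string, so "0 means unknown length, do not trust the buffer" is the right reading, and a fallback that always writes something covers both cases.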
sbelikov (Author, Owner) commented:

Fixed in NiceOS 5.2 package libarchive-3.7.9-3.

Triage result:

| CVE | NiceOS status | Resolution |
|---|---|---|
| CVE-2025-25724 | fixed | Updated from 3.7.7-1 to 3.7.9; upstream fixed this in the 3.7.8 line and 3.7.9 contains the fix. |
| CVE-2025-5914 | fixed | Backported upstream RAR double-free fix onto the NiceOS 5.2 pinned 3.7.x line. Patch is applied in %prep and verified in the prepared build tree. |

Verification:

  • rpmbuild -bp confirms the RAR fix is present in archive_read_support_format_rar.c.
  • rpmbuild -ba completed successfully.
  • %check completed successfully.
  • Source lock / metadata regenerated for final EVR.

Closing as fixed.
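The CVE-2025-5914 entry in the description and in the closing comment above names the bug class (integer overflow in archive_read_format_rar_seek_data() that ends in a double free) but not the mechanics; the page does not reproduce the upstream patch, and neither does this example. What follows is an added illustration written for this page, not libarchive's code: a seek over a table of data blocks whose start offsets and sizes come from the archive, with every field treated as untrusted and every start+size sum overflow-checked before it drives a cursor decision. The struct layout, function names and the three sample tables are assumptions constructed for the example.

```c
/* Added example (not libarchive's code): the bug class behind
 * CVE-2025-5914, an integer overflow in seek arithmetic over a table of
 * data blocks whose offsets and sizes come from the archive. The NVD text
 * says the overflow ultimately causes a double free; that part depends on
 * libarchive internals not reproduced here. What is shown is the
 * defensive arithmetic a maintainer would expect to find in the fix. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct data_block {
    int64_t start_offset;   /* uncompressed offset where the block begins */
    int64_t size;           /* block length */
};

/* Overflow-checked int64 addition: 0 on success with *out set, -1 if the
 * exact result is not representable (signed overflow would be UB). */
static int add_checked(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

/* Find the block containing `offset`. Returns the block index and stores
 * the offset within that block, or -1 when the offset is out of range or
 * the table is malformed: negative fields, blocks not laid out in
 * increasing order, or a start+size that would wrap. */
int seek_block(const struct data_block *blocks, size_t nblocks,
               int64_t offset, int64_t *delta_in_block)
{
    int64_t prev_end = 0;

    if (offset < 0)
        return -1;
    for (size_t i = 0; i < nblocks; i++) {
        int64_t end;

        if (blocks[i].start_offset < 0 || blocks[i].size < 0)
            return -1;
        if (blocks[i].start_offset < prev_end)      /* overlap or reordering */
            return -1;
        if (add_checked(blocks[i].start_offset, blocks[i].size, &end) != 0)
            return -1;                               /* end offset would wrap */
        if (offset >= blocks[i].start_offset && offset < end) {
            *delta_in_block = offset - blocks[i].start_offset;
            return (int)i;
        }
        prev_end = end;
    }
    return -1;                                       /* beyond the last block */
}

/* Thin wrappers so each result can be checked by value. */
int seek_index(const struct data_block *b, size_t n, int64_t off)
{
    int64_t d;
    return seek_block(b, n, off, &d);
}
int64_t seek_delta(const struct data_block *b, size_t n, int64_t off)
{
    int64_t d = -1;
    return seek_block(b, n, off, &d) < 0 ? -1 : d;
}

/* Constructed tables: a well-formed one and two malformed ones of the kind
 * a crafted archive could carry. */
const struct data_block sample_good[3]     = { {0, 4096}, {4096, 4096}, {8192, 100} };
const struct data_block sample_wrap[1]     = { {INT64_MAX - 10, 100} };
const struct data_block sample_negative[2] = { {0, 4096}, {4096, -1} };

int main(void)
{
    printf("offset 5000 -> block %d, delta %lld\n",
           seek_index(sample_good, 3, 5000),
           (long long)seek_delta(sample_good, 3, 5000));
    printf("wrapping table -> %d\n", seek_index(sample_wrap, 1, INT64_MAX - 5));
    printf("negative size -> %d\n", seek_index(sample_negative, 2, 4097));
    return 0;
}
```

The point for triage is the shape of the check rather than the numbers: a block whose start+size cannot be represented is rejected before any offset derived from it is used, which is the property to look for when confirming in the rpmbuild -bp tree that the backported fix is present in archive_read_support_format_rar.c.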
