Your message dated Sat, 26 Jul 2025 14:50:20 +0000
with message-id <[email protected]>
and subject line Bug#1107621: fixed in libarchive 3.7.4-4
has caused the Debian Bug report #1107621,
regarding libarchive: CVE-2025-5914
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107621: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107621
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.7.4-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/libarchive/libarchive/pull/2598
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.6.2-1+deb12u2
Control: found -1 3.6.2-1
Hi,
The following vulnerability was published for libarchive.
CVE-2025-5914[0]:
| A vulnerability has been identified in the libarchive library,
| specifically within the archive_read_format_rar_seek_data()
| function. This flaw involves an integer overflow that can ultimately
| lead to a double-free condition. Exploiting a double-free
| vulnerability can result in memory corruption, enabling an attacker
| to execute arbitrary code or cause a denial-of-service condition.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-5914
https://www.cve.org/CVERecord?id=CVE-2025-5914
[1] https://github.com/libarchive/libarchive/pull/2598
[2] https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.7.4-4
Done: Peter Pentchev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Pentchev <[email protected]> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 24 Jul 2025 17:40:32 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-4
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <[email protected]>
Changed-By: Peter Pentchev <[email protected]>
Closes: 1107621 1107622 1107623 1107626
Changes:
libarchive (3.7.4-4) unstable; urgency=medium
.
* Add the CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and
CVE-2025-5917 patches.
Closes: #1107621, #1107622, #1107623, #1107626
Checksums-Sha1:
6c5e9f9fe003593036dbda133c771748898c2ff1 2714 libarchive_3.7.4-4.dsc
b1c450c9b9049cd7397f38e9e7bc92b01baa8252 31444 libarchive_3.7.4-4.debian.tar.xz
Checksums-Sha256:
95655dc4e44c164458bcbb5cf028713de3ffd2c77690f82a33b1a57d9eb7ae1c 2714
libarchive_3.7.4-4.dsc
f37171018c1c66871643b6212a29f9e7ebf8e64deab80be50ce3f24b50cd232a 31444
libarchive_3.7.4-4.debian.tar.xz
Files:
717fbdb981fa75a9cad1ea4502891509 2714 libs optional libarchive_3.7.4-4.dsc
2c0195fd110c851662e81b860076a11c 31444 libs optional
libarchive_3.7.4-4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---