Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
560d2847 by Bastien Roucariès at 2025-11-09T23:47:26+01:00
CVE-2025-5915/libarchive

According to pull commit the fix is organized around 4 commits
1. a test commit https://github.com/libarchive/libarchive/pull/2599/commits/c1d1dcd4b4e746079f60b72676146b6768633868
2. a filter fix commit https://github.com/libarchive/libarchive/pull/2599/commits/f76f205d67829240c06e33bc9e50d3aa8b767875
3. an override fix https://github.com/libarchive/libarchive/pull/2599/commits/7d2503a421415673c9b5fb3b11553ab8c9463d9b
4. a clean up fix https://github.com/libarchive/libarchive/pull/2599/commits/60e2ecfcdbbfa261cfbc6950c9b4c89bab46c5bf

(1) and (4) are not interesting from a security point of view

(2) does not concern bullseye because filter code is not supported, see [1], where filter aka symbol==257 is rejected. Filter support was introduced later in [2] in 3.6.0

(3) fix was not needed because code here [3] includes + firstpart

Therefore mark this CVE as not affected for bullseye

[1] https://sources.debian.org/src/libarchive/3.4.3-2%2Bdeb11u1/libarchive/archive_read_support_format_rar.c#L2786
[2] https://github.com/libarchive/libarchive/commit/01a2d329dfc71741892e2b590cf9fb25092474a0
[3] https://sources.debian.org/src/libarchive/3.4.3-2%2Bdeb11u1/libarchive/archive_read_support_format_rar.c#L2949

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -50780,7 +50780,7 @@ CVE-2025-5916 (A vulnerability has been identified in 
the libarchive library. Th
 CVE-2025-5915 (A vulnerability has been identified in the libarchive library. 
This fl ...)
        - libarchive 3.7.4-4 (bug #1107622)
        [bookworm] - libarchive 3.6.2-1+deb12u3
-       [bullseye] - libarchive <postponed> (Minor issue)
+       [bullseye] - libarchive <not-affected> (vulnerable code introduced 
later)
        NOTE: https://github.com/libarchive/libarchive/pull/2599
        NOTE: Fixed by: 
https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c
 (v3.8.0)
 CVE-2025-5914 (A vulnerability has been identified in the libarchive library, 
specifi ...)
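
Review bot: The new annotation on the `[bullseye]` line, `(vulnerable code introduced later)`, records only half of the reasoning given in the commit message. It matches point (2), where filter support arrived in 3.6.0, but point (3) rests on the bullseye code already including `+ firstpart`, which is a different reason and is not captured anywhere in the entry. Consider adding NOTE lines under the entry that cite the introducing commit 01a2d329dfc71741892e2b590cf9fb25092474a0 (3.6.0) and the bullseye source line referenced as [3], so the not-affected triage can be re-checked from data/CVE/list without reading the commit log.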



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/560d2847519b8d413924294e34eadf3728c2baba
