[USN-7454-1] libarchive vulnerabilities

Wed, 23 Apr 2025 13:19:21 -0700 

==========================================================================
Ubuntu Security Notice USN-7454-1
April 23, 2025

libarchive vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libarchive.

Software Description:
- libarchive: Library to read/write archive files

Details:

It was discovered that the libarchive bsdunzip utility incorrectly handled
certain ZIP archive files. If a user or automated system were tricked into
processing a specially crafted ZIP archive, an attacker could use this
issue to cause libarchive to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 24.10, and Ubuntu 25.04. (CVE-2025-1632)

It was discovered that libarchive incorrectly handled certain TAR archive
files. If a user or automated system were tricked into processing a
specially crafted TAR archive, an attacker could use this issue to cause
libarchive to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2025-25724)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  libarchive-tools                3.7.7-0ubuntu2.1
  libarchive13t64                 3.7.7-0ubuntu2.1

Ubuntu 24.10
  libarchive-tools                3.7.4-1ubuntu0.2
  libarchive13t64                 3.7.4-1ubuntu0.2

Ubuntu 24.04 LTS
  libarchive-tools                3.7.2-2ubuntu0.4
  libarchive13t64                 3.7.2-2ubuntu0.4

Ubuntu 22.04 LTS
  libarchive-tools                3.6.0-1ubuntu1.4
  libarchive13                    3.6.0-1ubuntu1.4

Ubuntu 20.04 LTS
  libarchive-tools                3.4.0-2ubuntu1.5
  libarchive13                    3.4.0-2ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7454-1
  CVE-2025-1632, CVE-2025-25724

Package Information:
  https://launchpad.net/ubuntu/+source/libarchive/3.7.7-0ubuntu2.1
  https://launchpad.net/ubuntu/+source/libarchive/3.7.4-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/libarchive/3.7.2-2ubuntu0.4
  https://launchpad.net/ubuntu/+source/libarchive/3.6.0-1ubuntu1.4
  https://launchpad.net/ubuntu/+source/libarchive/3.4.0-2ubuntu1.5

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature














    











					Reply via email to