951332 – (CVE-2024-57970, CVE-2025-1632, CVE-2025-25724) <app-arch/libarchive-3.7.8: Multiple vulnerabilities

Bug 951332 (CVE-2024-57970, CVE-2025-1632, CVE-2025-25724) - <app-arch/libarchive-3.7.8: Multiple vulnerabilities

Summary: <app-arch/libarchive-3.7.8: Multiple vulnerabilities

Status:	IN_PROGRESS

Alias:	CVE-2024-57970, CVE-2025-1632, CVE-2025-25724

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	951708
Blocks:
	Show dependency tree

Reported:	2025-03-14 11:26 UTC by Sam James
Modified:	2025-03-30 20:04 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/libarchive/libarchive/issues/2415 https://github.com/libarchive/libarchive/pull/2422
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2025-03-14 11:26:56 UTC

"libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname."

Comment 1 Sam James archtester

2025-03-21 11:21:21 UTC

commit 65f6685b82458f2aea81522ba23f51a3e6d78ecf
Author: Michał Górny <mgorny@gentoo.org>
Date:   Fri Mar 21 04:19:38 2025 +0100

    app-arch/libarchive: Bump to 3.7.8

    Signed-off-by: Michał Górny <mgorny@gentoo.org>

It also has other security fixes:
"""
Security fixes:

    tar reader: Handle truncation in the middle of a GNU long linkname (#2422, CVE-2024-57970)
    unzip: fix null pointer dereference (#2532, CVE-2025-1632)
    tar reader: fix unchecked return value in list_item_verbose() (#2532, CVE-2025-25724)
"""