[Git][security-tracker-team/security-tracker][master] CVE-2025-5915/libarchive
Bastien Roucariès (@rouca)
rouca at debian.org
Sun Nov 9 22:48:04 GMT 2025
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
560d2847 by Bastien Roucariès at 2025-11-09T23:47:26+01:00
CVE-2025-5915/libarchive
According to the pull request, the fix is organized around 4 commits:
1. a test commit https://github.com/libarchive/libarchive/pull/2599/commits/c1d1dcd4b4e746079f60b72676146b6768633868
2. a filter fix commit https://github.com/libarchive/libarchive/pull/2599/commits/f76f205d67829240c06e33bc9e50d3aa8b767875
3. an override fix https://github.com/libarchive/libarchive/pull/2599/commits/7d2503a421415673c9b5fb3b11553ab8c9463d9b
4. a clean up fix https://github.com/libarchive/libarchive/pull/2599/commits/60e2ecfcdbbfa261cfbc6950c9b4c89bab46c5bf
(1) and (4) are not interesting from a security point of view.
(2) does not concern bullseye because filter code is not supported, see [1] where a filter (aka symbol==257) is rejected. Filter support was introduced later in [2], in 3.6.0.
(3) The fix was not needed because the code here [3] includes + firstpart.
Therefore, mark this CVE as not affected for bullseye.
[1] https://sources.debian.org/src/libarchive/3.4.3-2%2Bdeb11u1/libarchive/archive_read_support_format_rar.c#L2786
[2] https://github.com/libarchive/libarchive/commit/01a2d329dfc71741892e2b590cf9fb25092474a0
[3] https://sources.debian.org/src/libarchive/3.4.3-2%2Bdeb11u1/libarchive/archive_read_support_format_rar.c#L2949
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -50780,7 +50780,7 @@ CVE-2025-5916 (A vulnerability has been identified in the libarchive library. Th
CVE-2025-5915 (A vulnerability has been identified in the libarchive library. This fl ...)
- libarchive 3.7.4-4 (bug #1107622)
[bookworm] - libarchive 3.6.2-1+deb12u3
- [bullseye] - libarchive <postponed> (Minor issue)
+ [bullseye] - libarchive <not-affected> (vulnerable code introduced later)
NOTE: https://github.com/libarchive/libarchive/pull/2599
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c (v3.8.0)
CVE-2025-5914 (A vulnerability has been identified in the libarchive library, specifi ...)
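Review bot: the new bullseye reason "(vulnerable code introduced later)" on the `+ [bullseye]` line only captures half of the justification given in the commit message: the filter path is absent in 3.4.3 (commit [2] added it in 3.6.0), but the override path is described as present and already correct because it "includes + firstpart". Since the tracker entry is what future triagers will read, consider carrying that analysis into the entry itself, e.g. a `NOTE:` line pointing at https://github.com/libarchive/libarchive/commit/01a2d329dfc71741892e2b590cf9fb25092474a0 as the commit that introduced filter support, and a second `NOTE:` stating that the override code in 3.4.3-2+deb11u1 already contains the check the override fix adds. Also, the existing `NOTE: Fixed by:` line names a single upstream commit (a612bf62, v3.8.0) while the commit message attributes the fix to four commits in pull 2599; if a612bf62 is the merge of that PR it would help to say so on the NOTE line so the two references do not look contradictory.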
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/560d2847519b8d413924294e34eadf3728c2baba