Wednesday, April 23, 2025

[USN-7454-1] libarchive vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7454-1
April 23, 2025

libarchive vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libarchive.

Software Description:
- libarchive: Library to read/write archive files

Details:

It was discovered that the libarchive bsdunzip utility incorrectly handled
certain ZIP archive files. If a user or automated system were tricked into
processing a specially crafted ZIP archive, an attacker could use this
issue to cause libarchive to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 24.10, and Ubuntu 25.04. (CVE-2025-1632)

It was discovered that libarchive incorrectly handled certain TAR archive
files. If a user or automated system were tricked into processing a
specially crafted TAR archive, an attacker could use this issue to cause
libarchive to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2025-25724)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
libarchive-tools 3.7.7-0ubuntu2.1
libarchive13t64 3.7.7-0ubuntu2.1

Ubuntu 24.10
libarchive-tools 3.7.4-1ubuntu0.2
libarchive13t64 3.7.4-1ubuntu0.2

Ubuntu 24.04 LTS
libarchive-tools 3.7.2-2ubuntu0.4
libarchive13t64 3.7.2-2ubuntu0.4

Ubuntu 22.04 LTS
libarchive-tools 3.6.0-1ubuntu1.4
libarchive13 3.6.0-1ubuntu1.4

Ubuntu 20.04 LTS
libarchive-tools 3.4.0-2ubuntu1.5
libarchive13 3.4.0-2ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7454-1
CVE-2025-1632, CVE-2025-25724

Package Information:
https://launchpad.net/ubuntu/+source/libarchive/3.7.7-0ubuntu2.1
https://launchpad.net/ubuntu/+source/libarchive/3.7.4-1ubuntu0.2
https://launchpad.net/ubuntu/+source/libarchive/3.7.2-2ubuntu0.4
https://launchpad.net/ubuntu/+source/libarchive/3.6.0-1ubuntu1.4
https://launchpad.net/ubuntu/+source/libarchive/3.4.0-2ubuntu1.5
