{ "document": { "aggregate_severity": { "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2025-5916: fix signed integer overflow in WARC format reader\n- CVE-2025-5917: fix buffer overflow in build_ustar_entry for PAX format\n- CVE-2025-5918: prevent skipping past EOF in archive file reading", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/advisories/2025/clsa-2025_1766232351.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351" } ], "tracking": { "current_release_date": "2026-02-09T17:33:27Z", "generator": { "date": "2026-02-09T17:33:27Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1766232351", "initial_release_date": "2025-12-20T12:06:43Z", "revision_history": [ { "date": "2025-12-20T12:06:43Z", "number": "1", "summary": "Initial version" }, { "date": "2026-02-09T17:33:27Z", "number": "2", "summary": "Update document" } ], "status": "final", "version": "2" }, "title": "libarchive: Fix of 3 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.6", "product": { "name": "AlmaLinux 9.6", "product_id": "AlmaLinux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Rocky Linux 9.6", "product": { "name": "Rocky Linux 9.6", "product_id": "Rocky Linux-9.6", "product_identification_helper": { "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Rocky Linux" } ], "category": "vendor", "name": "Rocky Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product": { "name": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_id": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/bsdcat@3.5.3-6.el9_6.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product": { "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_id": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive-devel@3.5.3-6.el9_6.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product": { "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_id": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive@3.5.3-6.el9_6.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product": { "name": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_id": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/bsdcpio@3.5.3-6.el9_6.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product": { "name": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_id": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/bsdtar@3.5.3-6.el9_6.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "product": { "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "product_id": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive-devel@3.5.3-6.el9_6.tuxcare.els1?arch=i686" } } }, { "category": "product_version", "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "product": { "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "product_id": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libarchive@3.5.3-6.el9_6.tuxcare.els1?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686" }, "product_reference": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686" }, "product_reference": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6", "product_id": "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686" }, "product_reference": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686" }, "product_reference": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" }, { "category": "default_component_of", "full_product_name": { "name": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6", "product_id": "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" }, "product_reference": "bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "relates_to_product_reference": "Rocky Linux-9.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-5916", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-5916" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-5916", "url": "https://access.redhat.com/security/cve/CVE-2025-5916" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2370872", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370872" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/pull/2568", "url": "https://github.com/libarchive/libarchive/pull/2568" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0", "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0" } ], "release_date": "2025-06-09T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-12-20T12:05:53.802108Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351", "product_ids": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2025-5914", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-5914" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14130", "url": "https://access.redhat.com/errata/RHSA-2025:14130" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14135", "url": "https://access.redhat.com/errata/RHSA-2025:14135" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14137", "url": "https://access.redhat.com/errata/RHSA-2025:14137" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14141", "url": "https://access.redhat.com/errata/RHSA-2025:14141" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14142", "url": "https://access.redhat.com/errata/RHSA-2025:14142" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14525", "url": "https://access.redhat.com/errata/RHSA-2025:14525" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14528", "url": "https://access.redhat.com/errata/RHSA-2025:14528" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14594", "url": "https://access.redhat.com/errata/RHSA-2025:14594" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14644", "url": "https://access.redhat.com/errata/RHSA-2025:14644" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14808", "url": "https://access.redhat.com/errata/RHSA-2025:14808" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14810", "url": "https://access.redhat.com/errata/RHSA-2025:14810" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:14828", "url": "https://access.redhat.com/errata/RHSA-2025:14828" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:15024", "url": "https://access.redhat.com/errata/RHSA-2025:15024" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:15397", "url": "https://access.redhat.com/errata/RHSA-2025:15397" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:15709", "url": "https://access.redhat.com/errata/RHSA-2025:15709" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:15827", "url": "https://access.redhat.com/errata/RHSA-2025:15827" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:15828", "url": "https://access.redhat.com/errata/RHSA-2025:15828" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:16524", "url": "https://access.redhat.com/errata/RHSA-2025:16524" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:18217", "url": "https://access.redhat.com/errata/RHSA-2025:18217" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:18218", "url": "https://access.redhat.com/errata/RHSA-2025:18218" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:18219", "url": "https://access.redhat.com/errata/RHSA-2025:18219" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:19041", "url": "https://access.redhat.com/errata/RHSA-2025:19041" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:19046", "url": "https://access.redhat.com/errata/RHSA-2025:19046" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:21885", "url": "https://access.redhat.com/errata/RHSA-2025:21885" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2025:21913", "url": "https://access.redhat.com/errata/RHSA-2025:21913" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2026:0326", "url": "https://access.redhat.com/errata/RHSA-2026:0326" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2026:0934", "url": "https://access.redhat.com/errata/RHSA-2026:0934" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2026:1541", "url": "https://access.redhat.com/errata/RHSA-2026:1541" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-5914", "url": "https://access.redhat.com/security/cve/CVE-2025-5914" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370861" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/pull/2598", "url": "https://github.com/libarchive/libarchive/pull/2598" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0", "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0" } ], "release_date": "2025-06-09T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-12-20T12:05:53.802108Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351", "product_ids": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2025-5918", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-5918" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-5918", "url": "https://access.redhat.com/security/cve/CVE-2025-5918" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2370877", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370877" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/pull/2584", "url": "https://github.com/libarchive/libarchive/pull/2584" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0", "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0" } ], "release_date": "2025-06-09T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-12-20T12:05:53.802108Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351", "product_ids": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2025-5917", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "notes": [ { "category": "description", "text": "A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. This bug affects libarchive versions prior to 3.8.0.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2025-5917" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2025-5917", "url": "https://access.redhat.com/security/cve/CVE-2025-5917" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2370874", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370874" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/pull/2588", "url": "https://github.com/libarchive/libarchive/pull/2588" }, { "category": "external", "summary": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0", "url": "https://github.com/libarchive/libarchive/releases/tag/v3.8.0" } ], "release_date": "2025-06-09T20:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2025-12-20T12:05:53.802108Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351", "product_ids": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1766232351" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "AlmaLinux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcat-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdcpio-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:bsdtar-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-0:3.5.3-6.el9_6.tuxcare.els1.x86_64", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.i686", "Rocky Linux-9.6:libarchive-devel-0:3.5.3-6.el9_6.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }