Security update for libarchive SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20257-1 Final 1 1 2025-03-31T14:21:21Z current 2025-03-31T14:21:21Z 2025-03-31T14:21:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libarchive This update for libarchive fixes the following issues: - CVE-2025-1632: Fixed null pointer dereference in bsdunzip.c (bsc#1237606) - CVE-2025-25724: Fixed Buffer Overflow vulnerability in libarchive (bsc#1238610) - CVE-2024-48958: Fixed out-of-bounds access in execute_filter_delta (bsc#1231624) - CVE-2024-20697: Fixed Out of bounds Remote Code Execution Vulnerability (also attributed CVE-2024-26256) (CVE-2024-26256, bsc#1225972) - CVE-2024-48957: Fixed out-of-bounds access in execute_filter_audio (bsc#1231544) - CVE-2024-20696: Fixed heap based out-of-bounds write (bsc#1225971) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-50 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ Link for SUSE-SU-2025:20257-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021061.html E-Mail link for SUSE-SU-2025:20257-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1225971 SUSE Bug 1225971 https://bugzilla.suse.com/1225972 SUSE Bug 1225972 https://bugzilla.suse.com/1231544 SUSE Bug 1231544 https://bugzilla.suse.com/1231624 SUSE Bug 1231624 https://bugzilla.suse.com/1237606 SUSE Bug 1237606 https://bugzilla.suse.com/1238610 SUSE Bug 1238610 https://www.suse.com/security/cve/CVE-2024-20696/ SUSE CVE CVE-2024-20696 page https://www.suse.com/security/cve/CVE-2024-20697/ SUSE CVE CVE-2024-20697 page https://www.suse.com/security/cve/CVE-2024-26256/ SUSE CVE CVE-2024-26256 page https://www.suse.com/security/cve/CVE-2024-48957/ SUSE CVE CVE-2024-48957 page https://www.suse.com/security/cve/CVE-2024-48958/ SUSE CVE CVE-2024-48958 page https://www.suse.com/security/cve/CVE-2025-1632/ SUSE CVE CVE-2025-1632 page https://www.suse.com/security/cve/CVE-2025-25724/ SUSE CVE CVE-2025-25724 page SUSE Linux Micro 6.1 libarchive13-3.7.4-slfo.1.1_2.1 libarchive13-3.7.4-slfo.1.1_2.1 as a component of SUSE Linux Micro 6.1 Windows libarchive Remote Code Execution Vulnerability CVE-2024-20696 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 important 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2024-20696.html CVE-2024-20696 https://bugzilla.suse.com/1225971 SUSE Bug 1225971 https://bugzilla.suse.com/1225972 SUSE Bug 1225972 Windows libarchive Remote Code Execution Vulnerability CVE-2024-20697 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 important 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2024-20697.html CVE-2024-20697 https://bugzilla.suse.com/1225972 SUSE Bug 1225972 Libarchive Remote Code Execution Vulnerability CVE-2024-26256 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 important 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2024-26256.html CVE-2024-26256 https://bugzilla.suse.com/1222911 SUSE Bug 1222911 execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. CVE-2024-48957 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 important 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2024-48957.html CVE-2024-48957 https://bugzilla.suse.com/1231543 SUSE Bug 1231543 execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. CVE-2024-48958 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 important 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2024-48958.html CVE-2024-48958 https://bugzilla.suse.com/1231622 SUSE Bug 1231622 A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. CVE-2025-1632 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 moderate 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2025-1632.html CVE-2025-1632 https://bugzilla.suse.com/1237606 SUSE Bug 1237606 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale. CVE-2025-25724 SUSE Linux Micro 6.1:libarchive13-3.7.4-slfo.1.1_2.1 low 4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520257-1/ https://www.suse.com/security/cve/CVE-2025-25724.html CVE-2025-25724 https://bugzilla.suse.com/1238610 SUSE Bug 1238610