Ubuntu: USN-7454-1 (CVE-2025-25724): libarchive vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 3 | (AV:L/AC:M/Au:N/C:N/I:P/A:P) | Mar 2, 2025 | Apr 24, 2025 | Aug 18, 2025 |
Description
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
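The return-value check that the description says is missing, as an added example (not libarchive's code and not part of the advisory). The helper name, the fallback text and the sample formats are assumptions; a constructed long format stands in for a locale whose date strings exceed the 100-byte buffer.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define DATE_BUF_SIZE 100                  /* buffer size named in the advisory */
#define DATE_FALLBACK "(date unavailable)" /* assumed placeholder text */

/* Hypothetical helper, not libarchive's code. Returns 1 on success, or 0
 * when the result did not fit and the fallback string was stored instead. */
static int format_date_checked(char *out, size_t outsz,
                               const char *fmt, const struct tm *tm)
{
    if (outsz == 0)
        return 0;
    out[0] = '\0';
    if (fmt[0] == '\0')     /* empty format: zero bytes is a valid result */
        return 1;
    /* strftime returns 0 when the output plus NUL exceeds outsz; the buffer
     * contents are then indeterminate and must not be printed as a string. */
    if (strftime(out, outsz, fmt, tm) == 0) {
        snprintf(out, outsz, "%s", DATE_FALLBACK);
        return 0;
    }
    return 1;
}

/* Constructed input: a short format that fits in DATE_BUF_SIZE. */
static int demo_short(char *out)
{
    time_t t = 0;
    return format_date_checked(out, DATE_BUF_SIZE, "%Y-%m-%d %H:%M", gmtime(&t));
}

/* Constructed input: expands to 220 bytes, like an overlong locale date. */
static int demo_long(char *out)
{
    char fmt[256] = "";
    time_t t = 0;
    for (int i = 0; i < 20; i++)
        strcat(fmt, "%Y-%m-%d ");
    return format_date_checked(out, DATE_BUF_SIZE, fmt, gmtime(&t));
}

int main(void)
{
    char buf[DATE_BUF_SIZE];
    printf("%d %s\n", demo_short(buf), buf);
    printf("%d %s\n", demo_long(buf), buf);
    return 0;
}
```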
Solutions
- ubuntu-upgrade-libarchive-tools
- ubuntu-upgrade-libarchive13
- ubuntu-upgrade-libarchive13t64
References
- CVE-2025-25724
- https://attackerkb.com/topics/CVE-2025-25724
- CWE-252
- UBUNTU-USN-7454-1
- URL-https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92
- URL-https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
- URL-https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752
- URL-https://ubuntu.com/security/notices/USN-7454-1
- URL-https://www.cve.org/CVERecord?id=CVE-2025-25724