CVE-2025-25724

Publication date 2 March 2025

Last updated 23 April 2025

Ubuntu priority

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libarchive	25.04 plucky	Fixed 3.7.7-0ubuntu2.1
	24.10 oracular	Fixed 3.7.4-1ubuntu0.2
	24.04 LTS noble	Fixed 3.7.2-2ubuntu0.4
	22.04 LTS jammy	Fixed 3.6.0-1ubuntu1.4
	20.04 LTS focal	Fixed 3.4.0-2ubuntu1.5
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

Notes

mdeslaur

same commit as CVE-2025-1632

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libarchive	Upstream: https://github.com/libarchive/libarchive/pull/2532 Upstream: c9bc934

References

Related Ubuntu Security Notices (USN)