Your message dated Sat, 26 Apr 2025 09:20:46 +0000
with message-id <e1u8bii-009ph3...@fasolo.debian.org>
and subject line Bug#1103494: fixed in libarchive 3.7.4-2
has caused the Debian Bug report #1103494,
regarding [SECURITY] [PATCH] Fix for CVE-2025-1632 in libarchive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103494
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libarchive
Version: libarchive-3.7.4-1.1
Severity: important
Tags: security patch
Usertags: CVE-2025-1632

Dear Maintainer,

I'm submitting a patch for CVE-2025-1632 in the libarchive package.

Vulnerability details:
- CVE ID: CVE-2025-1632
- Description: (up to version 3.7.7) fix NULL ptr dereference issue inside
- Affected versions: All versions prior to 3.7.7
- Fixed upstream in:
  https://github.com/libarchive/libarchive/pull/2532/commits/0a35ab97fae6fb9acecab46b570c14e3be1646e7
  https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985

A vulnerability was found in libarchive up to 3.7.7. It has been classified as
problematic. This affects the function list of the file bsdunzip.c. The
manipulation leads to null pointer dereference. It is possible to launch the
attack on the local host. The exploit has been disclosed to the public and may
be used.

Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc

My patch works by detecting a NULL return from archive_entry_pathname()
and replacing it with the string "INVALID PATH".

The patch has been tested on Debian sid and works correctly.

Thank you for considering this contribution.

Best regards,
Bo Liu

--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.7.4-2
Done: Peter Pentchev <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <r...@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 26 Apr 2025 11:34:57 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-2
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <r...@debian.org>
Changed-By: Peter Pentchev <r...@debian.org>
Closes: 1103494
Changes:
 libarchive (3.7.4-2) unstable; urgency=high
 .
   * Acknowledge NMU; thanks, Salvatore!
   * Point to the debian/trixie branch in the gbp.conf file since
     the master branch in the repository already contains changes that
     did not make it in time for the Trixie freeze.
   * Add the CVE-2025-1632 patch. Closes: #1103494
   * Add the year 2025 to my debian/* copyright notice.
Checksums-Sha1:
 f9a91936a6c7958fb933be44de91358ec0569ea9 2714 libarchive_3.7.4-2.dsc
 e94e491499f5ecfd2282202842f6be9dae765782 27968 libarchive_3.7.4-2.debian.tar.xz
Checksums-Sha256:
 a8e423ea4d54730655157f39ccef65b9a53bf1663a5365cd7da5ec8bcaf726cc 2714 libarchive_3.7.4-2.dsc
 4d5adbc30aee9a0ebbe54b164422fd6b5d19a568b4a54814ab9d1e7e749c4ca7 27968 libarchive_3.7.4-2.debian.tar.xz
Files:
 5c8e4ca2979b51cf79af330be0c68e96 2714 libs optional libarchive_3.7.4-2.dsc
 8945e1b23dec4474bfeefbbf48730d29 27968 libs optional libarchive_3.7.4-2.debian.tar.xz

--- End Message ---