Package: libarchive
Version: libarchive-3.7.4-1.1
Severity: important
Tags: security patch
Usertags: CVE-2025-1632 <https://security-tracker.debian.org/tracker/CVE-2025-25724>

Dear Maintainer,

I'm submitting a patch for CVE-2025-1632 <https://security-tracker.debian.org/tracker/CVE-2025-25724> in the libarchive package.

Vulnerability details:
- CVE ID: CVE-2025-1632 <https://security-tracker.debian.org/tracker/CVE-2025-25724>
- Description: (up to version 3.7.7) fix NULL ptr dereference issue inside
- Affected versions: All versions prior to 3.7.7
- Fixed upstream in: https://github.com/libarchive/libarchive/pull/2532/commits/0a35ab97fae6fb9acecab46b570c14e3be1646e7 <https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985>

A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to a null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

Error PoC: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc

My patch works by detecting a NULL return of archive_entry_pathname() and replacing it with the string "INVALID PATH". The patch has been tested on Debian sid and works correctly.

Thank you for considering this contribution.

Best regards,
Bo Liu
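The guard the report describes, as an added illustration that is not the submitter's patch or libarchive's own code: a small mock stands in for the opaque struct archive_entry and for archive_entry_pathname() (both assumptions), and the listing code falls back to "INVALID PATH" instead of handing a NULL name to %s.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a libarchive entry (the real struct archive_entry
 * is opaque). pathname is NULL when the archive supplied no usable name. */
struct mock_entry {
    const char *pathname;
    long long size;
};

/* Mock of archive_entry_pathname(): returns the stored name, or NULL. */
static const char *mock_entry_pathname(const struct mock_entry *e)
{
    return e->pathname;
}

/* The guard the report describes: never pass a NULL pathname on to code
 * that will strlen() it or print it with %s. */
static const char *pathname_or_placeholder(const struct mock_entry *e)
{
    const char *name = mock_entry_pathname(e);
    return name != NULL ? name : "INVALID PATH";
}

/* Format one "unzip -l"-style line into buf. Returns the number of
 * characters written, or -1 if buf is too small. */
static int format_list_line(const struct mock_entry *e, char *buf, size_t n)
{
    int r = snprintf(buf, n, "%9lld  %s", e->size, pathname_or_placeholder(e));
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

int main(void)
{
    /* Constructed sample: one normal entry, one with a missing name. */
    struct mock_entry entries[] = { { "docs/readme.txt", 1234 }, { NULL, 42 } };
    char line[128];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        if (format_list_line(&entries[i], line, sizeof line) >= 0)
            puts(line);
    return 0;
}
```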