Ubuntu has issued an advisory on June 26: https://ubuntu.com/security/notices/USN-7601-1
CVE: (none) => CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917Status comment: (none) => Patches available from UbuntuSource RPM: (none) => libarchive-3.6.2-5.4.mga9.src.rpm
After following a lot of links, I think these are the patches: CVE-2025-5917 https://github.com/CTSRD-CHERI/cheribsd/pull/2401/commits/9d2e4c9903e71194d5805652f2f4fa98b7b7cdc3 CVE-2025-5916 https://github.com/libarchive/libarchive/pull/2568/commits/bce70c4c26864df2a8d6953e7db6e4b156253508 CVE-2025-5915 https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c CVE-2025-5914 https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209 Assigning to you, Nicolas, as you seem to look after this pkg.
Assignee: bugsquad => nicolas.salguero
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c. (CVE-2025-5914) Heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c. (CVE-2025-5915) Integer overflow while reading warc files at archive_read_support_format_warc.c. (CVE-2025-5916) Off by one error in build_ustar_entry_name() at archive_write_set_format_pax.c. (CVE-2025-5917) References: https://ubuntu.com/security/notices/USN-7601-1 ======================== Updated packages in core/updates_testing: ======================== bsdcat-3.6.2-5.5.mga9 bsdcpio-3.6.2-5.5.mga9 bsdtar-3.6.2-5.5.mga9 lib(64)archive13-3.6.2-5.5.mga9 lib(64)archive-devel-3.6.2-5.5.mga9 from SRPM: libarchive-3.6.2-5.5.mga9.src.rpm
Status comment: Patches available from Ubuntu => (none)Assignee: nicolas.salguero => qa-bugsStatus: NEW => ASSIGNED
MGA9-64 server Plasma Wayland on Compaq H000SB No installation issues. Ref bug 30023 for testing $ cd Documents/ $ ls airco/ firefox.exe mysite/ rss_8_1.rdf sqlit/ testtransfig.gif xlst/ bugs/ Frans-Bruynseelspad.pdf php/ ruby/ testcups.pdf testtransfig.pdf dcmtk.txt httpd.conf qa/ server.js testpoppler/ testtransfig.png django/ libcaptest/ rss_4.1_1.rdf soup.txt testtexstudio.log testtransfig.ps erlang/ libxml/ rss_5.3_1.rdf soup.txt.gpg testtexstudio.tex testtransfig.tex expat/ man_nmap_ru.txt rss_7_1.rdf soup.txt.orig testtransfig.fig volkstuintjes/ $ bsdtar -c -f ~/archtar * Opened archtar with ark, all seems included and can be opened. $ cd ~/tmp/ $ bsdtar -x -f /home/tester9/archtar Checked contents of tmp: all files and folders are there OK.
Whiteboard: (none) => MGA9-64-OKCC: (none) => herman.viaene
installing bsdtar-3.6.2-5.5.mga9.x86_64.rpm lib64archive13-3.6.2-5.5.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/2: lib64archive13 ################################################################################################## 2/2: bsdtar ################################################################################################## 1/2: removing bsdtar-3.6.2-5.4.mga9.x86_64 ################################################################################################## 2/2: removing lib64archive13-3.6.2-5.4.mga9.x86_64 ################################################################################################## LC_ALL=C urpmi bsdcpio installing bsdcpio-3.6.2-5.5.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/1: bsdcpio ################################################################################################## ark works but since lastest update strace not shows evidence of the library gnome-boxes works annd strace shows openat(AT_FDCWD, "/lib64/libarchive.so.13", O_RDONLY|O_CLOEXEC) = 3 rpm2cpio ~/rpmfile.rpm|bsdcpio -idmv extract with success the content of the rpm Looks good to me
CC: (none) => andrewsfarm
Keywords: (none) => advisory
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
(In reply to katnatek from comment #4) > > ark works but since lastest update strace not shows evidence of the library > Strange, since urpmq shows ark as requiring the library. Perhaps, for whatever reason, your test didn't trigger using it.
libarchive is only used in ark for the "kerfuffle_libarchive.so" and "kerfuffle_libarchive_readonly.so" plug-ins. It appears that those are used for formats that ark doesn't support natively: "Libarchive plugin: supports everything else by using the libarchive library and optionally the lrzip, lzop and zstd binaries."
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0200.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
(In reply to Dan Fandrich from comment #7) > libarchive is only used in ark for the "kerfuffle_libarchive.so" and > "kerfuffle_libarchive_readonly.so" plug-ins. It appears that those are used > for formats that ark doesn't support natively: "Libarchive plugin: supports > everything else by using the libarchive library and optionally the lrzip, > lzop and zstd binaries." Perhaps something I install makes ark changes behavior, in bug#33757 comment#4 strace shows the library, so just to be extra sure I test this time with gnome-boxes