CVE-2025-25724

Publication date 2 March 2025

Last updated 17 July 2025

Ubuntu priority

Cvss 3 Severity Score

Description

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libarchive	25.10 questing	Fixed 3.7.7-0ubuntu2.1
	25.04 plucky	Fixed 3.7.7-0ubuntu2.1
	24.10 oracular	Fixed 3.7.4-1ubuntu0.2
	24.04 LTS noble	Fixed 3.7.2-2ubuntu0.4
	22.04 LTS jammy	Fixed 3.6.0-1ubuntu1.4
	20.04 LTS focal	Fixed 3.4.0-2ubuntu1.5
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

Notes

mdeslaur

same commit as CVE-2025-1632

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libarchive	Upstream: https://github.com/libarchive/libarchive/pull/2532 Upstream: c9bc934

Severity score breakdown

Parameter	Value
Base score	4.0 · Medium
Attack vector	Local
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	Low
Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

References

Related Ubuntu Security Notices (USN)

USN-7454-1
libarchive vulnerabilities
23 April 2025