Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-5918

3.9 LOW

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): LOW

created 10 months ago

Libarchive: reading past eof may be triggered for piped file streams

A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

References

https://access.redhat.com/security/cve/CVE-2025-5918 vdb-entryx_refsource_REDHAT
RHBZ#2370877 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2584
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5918 vdb-entryx_refsource_REDHAT
RHBZ#2370877 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2584
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5918 vdb-entryx_refsource_REDHAT
RHBZ#2370877 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2584
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5918 vdb-entryx_refsource_REDHAT
RHBZ#2370877 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2584
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5918 vdb-entryx_refsource_REDHAT
RHBZ#2370877 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2584
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5918 vdb-entryx_refsource_REDHAT
RHBZ#2370877 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2584
https://github.com/libarchive/libarchive/releases/tag/v3.8.0

Affected products

rhcos

libarchive

<3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

nixos-unstable 3.7.8
- nixpkgs-unstable 3.7.8
- nixos-unstable-small 3.7.8

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

nixos-unstable 2.0.8
- nixpkgs-unstable 2.0.8
- nixos-unstable-small 2.0.8

pkgs.haskellPackages.libarchive

Haskell interface to libarchive

nixos-unstable 3.0.4.2
- nixpkgs-unstable 3.0.4.2
- nixos-unstable-small 3.0.4.2

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

nixos-unstable 20.1.0
- nixpkgs-unstable 20.1.0
- nixos-unstable-small 20.1.0

pkgs.python311Packages.libarchive-c

Python interface to libarchive

nixos-unstable 5.1
- nixpkgs-unstable 5.1
- nixos-unstable-small 5.1

pkgs.python312Packages.libarchive-c

Python interface to libarchive

nixos-unstable 5.1
- nixpkgs-unstable 5.1
- nixos-unstable-small 5.1

pkgs.python313Packages.libarchive-c

Python interface to libarchive

nixos-unstable 5.1
- nixpkgs-unstable 5.1
- nixos-unstable-small 5.1

pkgs.haskellPackages.archive-libarchive

Common interface using libarchive

nixos-unstable 1.0.0.1
- nixpkgs-unstable 1.0.0.1
- nixos-unstable-small 1.0.0.1

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

nixos-unstable 21.5.31
- nixpkgs-unstable 21.5.31
- nixos-unstable-small 21.5.31

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

nixos-unstable 21.5.31
- nixpkgs-unstable 21.5.31
- nixos-unstable-small 21.5.31

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

nixos-unstable 21.5.31
- nixpkgs-unstable 21.5.31
- nixos-unstable-small 21.5.31

Package maintainers

@dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
@sephalon Stefan Wiehler <me@sephalon.net>
@peterhoeg Peter Hoeg <peter@hoeg.com>
@edwtjo Edward Tjörnhammar <ed@cflags.cc>
@minijackson Rémi Nicole <minijackson@riseup.net>
@nvmd Sergey Kazenyuk <kazenyuk@pm.me>
@aanderse Aaron Andersen <aaron@fosslib.net>
@cpages Carles Pagès <page@ruiec.cat>
@jcumming Jack Cummings <jack@mudshark.org>
@dan4ik605743 Danil Danevich <6057430gu@gmail.com>