Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-5917

2.8 LOW

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 10 months ago

Libarchive: off by one error in build_ustar_entry_name() at archive_write_set_format_pax.c

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.

References

https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0
https://access.redhat.com/security/cve/CVE-2025-5917 vdb-entryx_refsource_REDHAT
RHBZ#2370874 x_refsource_REDHATissue-tracking
https://github.com/libarchive/libarchive/pull/2588
https://github.com/libarchive/libarchive/releases/tag/v3.8.0

Affected products

rhcos

libarchive

<3.8.0

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

nixos-unstable 3.7.8
- nixpkgs-unstable 3.7.8
- nixos-unstable-small 3.7.8

pkgs.libarchive-qt

Qt based archiving solution with libarchive backend

nixos-unstable 2.0.8
- nixpkgs-unstable 2.0.8
- nixos-unstable-small 2.0.8

pkgs.haskellPackages.libarchive

Haskell interface to libarchive

nixos-unstable 3.0.4.2
- nixpkgs-unstable 3.0.4.2
- nixos-unstable-small 3.0.4.2

pkgs.kodiPackages.vfs-libarchive

LibArchive Virtual Filesystem add-on for Kodi

nixos-unstable 20.1.0
- nixpkgs-unstable 20.1.0
- nixos-unstable-small 20.1.0

pkgs.python311Packages.libarchive-c

Python interface to libarchive

nixos-unstable 5.1
- nixpkgs-unstable 5.1
- nixos-unstable-small 5.1

pkgs.python312Packages.libarchive-c

Python interface to libarchive

nixos-unstable 5.1
- nixpkgs-unstable 5.1
- nixos-unstable-small 5.1

pkgs.python313Packages.libarchive-c

Python interface to libarchive

nixos-unstable 5.1
- nixpkgs-unstable 5.1
- nixos-unstable-small 5.1

pkgs.haskellPackages.archive-libarchive

Common interface using libarchive

nixos-unstable 1.0.0.1
- nixpkgs-unstable 1.0.0.1
- nixos-unstable-small 1.0.0.1

pkgs.haskellPackages.libarchive-conduit

Read many archive formats with libarchive and conduit

nixos-unstable 0.1.0.0
- nixpkgs-unstable 0.1.0.0
- nixos-unstable-small 0.1.0.0

pkgs.python311Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

nixos-unstable 21.5.31
- nixpkgs-unstable 21.5.31
- nixos-unstable-small 21.5.31

pkgs.python312Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

nixos-unstable 21.5.31
- nixpkgs-unstable 21.5.31
- nixos-unstable-small 21.5.31

pkgs.python313Packages.extractcode-libarchive

ScanCode Toolkit plugin to provide pre-built binary libraries and utilities and their locations

nixos-unstable 21.5.31
- nixpkgs-unstable 21.5.31
- nixos-unstable-small 21.5.31

Package maintainers

@dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
@sephalon Stefan Wiehler <me@sephalon.net>
@peterhoeg Peter Hoeg <peter@hoeg.com>
@edwtjo Edward Tjörnhammar <ed@cflags.cc>
@minijackson Rémi Nicole <minijackson@riseup.net>
@nvmd Sergey Kazenyuk <kazenyuk@pm.me>
@aanderse Aaron Andersen <aaron@fosslib.net>
@cpages Carles Pagès <page@ruiec.cat>
@jcumming Jack Cummings <jack@mudshark.org>
@dan4ik605743 Danil Danevich <6057430gu@gmail.com>