ALAS2023-2025-1091


Amazon Linux 2023 Security Advisory: ALAS2023-2025-1091
Advisory Released Date: 2025-08-08
Advisory Updated Date: 2025-08-08
Severity: Medium

Issue Overview:

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions. (CVE-2025-5915)

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. (CVE-2025-5917)


Affected Packages:

libarchive


Issue Correction:
Run dnf update libarchive --releasever 2023.8.20250808 or dnf update --advisory ALAS2023-2025-1091 --releasever 2023.8.20250808 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    bsdtar-debuginfo-3.7.4-2.amzn2023.0.4.aarch64
    bsdcpio-3.7.4-2.amzn2023.0.4.aarch64
    libarchive-debugsource-3.7.4-2.amzn2023.0.4.aarch64
    bsdunzip-debuginfo-3.7.4-2.amzn2023.0.4.aarch64
    bsdunzip-3.7.4-2.amzn2023.0.4.aarch64
    libarchive-debuginfo-3.7.4-2.amzn2023.0.4.aarch64
    bsdcpio-debuginfo-3.7.4-2.amzn2023.0.4.aarch64
    libarchive-3.7.4-2.amzn2023.0.4.aarch64
    bsdcat-3.7.4-2.amzn2023.0.4.aarch64
    bsdcat-debuginfo-3.7.4-2.amzn2023.0.4.aarch64
    libarchive-devel-3.7.4-2.amzn2023.0.4.aarch64
    bsdtar-3.7.4-2.amzn2023.0.4.aarch64

src:
    libarchive-3.7.4-2.amzn2023.0.4.src

x86_64:
    bsdtar-debuginfo-3.7.4-2.amzn2023.0.4.x86_64
    bsdcat-3.7.4-2.amzn2023.0.4.x86_64
    bsdcpio-3.7.4-2.amzn2023.0.4.x86_64
    libarchive-debugsource-3.7.4-2.amzn2023.0.4.x86_64
    bsdcpio-debuginfo-3.7.4-2.amzn2023.0.4.x86_64
    libarchive-debuginfo-3.7.4-2.amzn2023.0.4.x86_64
    libarchive-devel-3.7.4-2.amzn2023.0.4.x86_64
    bsdunzip-debuginfo-3.7.4-2.amzn2023.0.4.x86_64
    bsdunzip-3.7.4-2.amzn2023.0.4.x86_64
    bsdtar-3.7.4-2.amzn2023.0.4.x86_64
    bsdcat-debuginfo-3.7.4-2.amzn2023.0.4.x86_64
    libarchive-3.7.4-2.amzn2023.0.4.x86_64
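
To confirm a host or image inventory has reached the fixed build listed above, the following is an added example (not part of the Amazon Linux advisory or tooling) that compares installed builds against 3.7.4-2.amzn2023.0.4 using rpm's segment-wise version ordering rather than plain string comparison. It assumes input lines of the form produced by rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed build from the advisory's "New Packages" list (no epoch is shown there).
# Binary package names are taken from that list; debuginfo/debugsource omitted.
FIXED_EVR = "3.7.4-2.amzn2023.0.4"
PACKAGES = {"libarchive", "libarchive-devel", "bsdtar", "bsdcpio", "bsdcat", "bsdunzip"}

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does; returns -1, 0 or 1."""
    if "^" in a + b:
        raise ValueError("'^' versions are outside this example")
    while a or b:
        a, b = (re.sub(r"^[^A-Za-z0-9~]+", "", s) for s in (a, b))
        if a[:1] == "~" or b[:1] == "~":  # a tilde sorts before everything
            if a[:1] != "~":
                return 1
            if b[:1] != "~":
                return -1
            a, b = a[1:], b[1:]
            continue
        if not (a and b):
            break
        numeric = a[0].isdigit()
        pat = "[0-9]+" if numeric else "[A-Za-z]+"
        sa, mb = re.match(pat, a).group(), re.match(pat, b)
        if mb is None:  # segment types differ: the numeric side is newer
            return 1 if numeric else -1
        sb = mb.group()
        a, b = a[len(sa):], b[len(sb):]
        ka, kb = (int(sa), int(sb)) if numeric else (sa, sb)
        if ka != kb:
            return 1 if ka > kb else -1
    return bool(a) - bool(b)  # leftover text on one side makes it newer

def unpatched(rpm_lines):
    """Return (name, version-release) for advisory packages older than FIXED_EVR."""
    fixed_ver, fixed_rel = FIXED_EVR.split("-")
    found = []
    for fields in map(str.split, rpm_lines):
        if len(fields) != 2 or fields[0] not in PACKAGES:
            continue
        ver, rel = fields[1].split("-")
        if (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) < 0:
            found.append(tuple(fields))
    return found

# Constructed inventory lines; only the 0.4 release string comes from the advisory.
SAMPLE = ["libarchive 3.7.4-2.amzn2023.0.2", "bsdtar 3.7.4-2.amzn2023.0.4",
          "libarchive-devel 3.7.4-2.amzn2023.0.10", "bash 5.2.15-1.amzn2023.0.2"]
print(unpatched(SAMPLE))
```

The constructed 0.10 release is correctly treated as newer than 0.4, which a lexical string comparison would get wrong.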