Alpine: multiple libarchive packages: security update to 3.7.9-r0

medium Tenable Self-Hosted Container Security Plugin ID 424790

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in
archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a
GNU long linkname. (CVE-2024-57970)

- A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects
the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is
possible to launch the attack on the local host. The exploit has been disclosed to the public and may be
used. The vendor was contacted early about this disclosure but did not respond in any way. (CVE-2025-1632)

- list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which
can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a
verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
(CVE-2025-25724)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-57970

https://security.alpinelinux.org/vuln/CVE-2025-1632

https://security.alpinelinux.org/vuln/CVE-2025-25724

Plugin Details

Severity: Medium

ID: 424790

Version: Revision 1.18

Type: Local

Published: 4/8/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-25724

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/19/2024

Reference Information

CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724

IAVA: 2024-A-0834