Detections
Analytics

CentOS 9 : libarchive-3.5.3-5.el9

medium Nessus Plugin ID 238237

Language:

Synopsis

The remote CentOS host is missing a security update for bsdcat.

Description

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the libarchive-3.5.3-5.el9 build changelog.

 - list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
 (CVE-2025-25724)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the CentOS 9 Stream bsdcat package.

See Also

https://kojihub.stream.centos.org/koji/buildinfo?buildID=78688

Plugin Details

Severity: Medium

ID: 238237

File Name: centos9_libarchive-3_5_3-5_78688.nasl

Version: 1.1

Type: local

Agent: unix

Published: 6/11/2025

Updated: 6/11/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2025-25724

CVSS v3

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.5

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:centos:centos:9, p-cpe:/a:centos:centos:bsdcat, p-cpe:/a:centos:centos:bsdcpio, p-cpe:/a:centos:centos:libarchive, p-cpe:/a:centos:centos:libarchive-devel, p-cpe:/a:centos:centos:bsdtar

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/CentOS/release, Host/CentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/9/2025

Vulnerability Publication Date: 12/19/2024

Reference Information

CVE: CVE-2025-25724

IAVA: 2024-A-0834