From 8ce6b784498f45a18513dfb96e71756a75978883 Mon Sep 17 00:00:00 2001 
From: mbauman <154641+mbauman@users.noreply.github.com> Date: Sun, 19 Oct 2025 19:26:33 +0000 Subject: [PATCH] [create-pull-request] automated change --- .../2025/JLSEC-0000-mns68s11b-cadmb0.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s11d-wqwurz.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s11e-1m7ej8m.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s11f-16fg9sm.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s11g-19b5c6z.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s126-1tcks4h.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s129-epe6u2.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12a-xxujrt.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12b-1ltikks.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12b-1on5p9b.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12c-1ht52i0.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12d-zhzsnx.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12e-ffc4an.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12e-i1r4k9.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12f-10ok6wp.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s12g-1gfe2ox.md | 24 ++++++++++++++ .../2025/JLSEC-0000-mns68s135-zc3l9o.md | 32 +++++++++++++++++++ 17 files changed, 416 insertions(+) create mode 100644 advisories/published/2025/JLSEC-0000-mns68s11b-cadmb0.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s11d-wqwurz.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s11e-1m7ej8m.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s11f-16fg9sm.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s11g-19b5c6z.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s126-1tcks4h.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s129-epe6u2.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12a-xxujrt.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12b-1ltikks.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12b-1on5p9b.md create 
mode 100644 advisories/published/2025/JLSEC-0000-mns68s12c-1ht52i0.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12d-zhzsnx.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12e-ffc4an.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12e-i1r4k9.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12f-10ok6wp.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s12g-1gfe2ox.md create mode 100644 advisories/published/2025/JLSEC-0000-mns68s135-zc3l9o.md
diff --git a/advisories/published/2025/JLSEC-0000-mns68s11b-cadmb0.md b/advisories/published/2025/JLSEC-0000-mns68s11b-cadmb0.md
new file mode 100644
index 0000000..cd4a20d
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s11b-cadmb0.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s11b-cadmb0"
+modified = 2025-10-19T19:26:25.343Z
+upstream = ["CVE-2021-36976"]
+references = ["http://seclists.org/fulldisclosure/2022/Mar/27", "http://seclists.org/fulldisclosure/2022/Mar/28", "http://seclists.org/fulldisclosure/2022/Mar/29", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375", "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SE5NJQNM22ZE5Z55LPAGCUHSBQZBKMKC/", "https://security.gentoo.org/glsa/202208-26", "https://support.apple.com/kb/HT213182", "https://support.apple.com/kb/HT213183", "https://support.apple.com/kb/HT213193", "http://seclists.org/fulldisclosure/2022/Mar/27", "http://seclists.org/fulldisclosure/2022/Mar/28", "http://seclists.org/fulldisclosure/2022/Mar/29", "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32375", "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libarchive/OSV-2021-557.yaml", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SE5NJQNM22ZE5Z55LPAGCUHSBQZBKMKC/", "https://security.gentoo.org/glsa/202208-26", "https://support.apple.com/kb/HT213182", "https://support.apple.com/kb/HT213183", "https://support.apple.com/kb/HT213193"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.4+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-36976"
+imported = 2025-10-19T19:26:25.343Z
+modified = 2024-11-21T06:14:25.400Z
+published = 2021-07-20T07:15:07.950Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-36976"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-36976"
+```
+
+# libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block ...
+
+libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
+
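Review bot: The `ranges = ["< 3.7.4+0"]` bound in this advisory does not match its own text, which limits CVE-2021-36976 to libarchive 3.4.1 through 3.5.1, so every LibArchive_jll build below 3.7.4+0 is flagged as affected. The same gap appears for CVE-2022-36227 (text says before 3.6.2, range `< 3.7.4+0`) and for CVE-2024-48957 and CVE-2024-48958 (text says before 3.7.5, range `>= 3.7.4+0, < 3.7.9+0`, whose lower bound leaves older builds unflagged unless the flaw was introduced in 3.7.4). This may simply follow which JLL builds exist in the registry, which is not visible here. If so, a front-matter comment such as `# bounds follow available LibArchive_jll builds, not the upstream fix version` would let consumers judge false positives and negatives.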
diff --git a/advisories/published/2025/JLSEC-0000-mns68s11d-wqwurz.md b/advisories/published/2025/JLSEC-0000-mns68s11d-wqwurz.md
new file mode 100644
index 0000000..d39a160
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s11d-wqwurz.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s11d-wqwurz"
+modified = 2025-10-19T19:26:25.345Z
+upstream = ["CVE-2021-23177"]
+references = ["https://access.redhat.com/security/cve/CVE-2021-23177", "https://bugzilla.redhat.com/show_bug.cgi?id=2024245", "https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad", "https://github.com/libarchive/libarchive/issues/1565", "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html", "https://access.redhat.com/security/cve/CVE-2021-23177", "https://bugzilla.redhat.com/show_bug.cgi?id=2024245", "https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad", "https://github.com/libarchive/libarchive/issues/1565", "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.5.2+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-23177"
+imported = 2025-10-19T19:26:25.345Z
+modified = 2024-11-21T05:51:19.970Z
+published = 2022-08-23T16:15:09.280Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-23177"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-23177"
+```
+
+# An improper link resolution flaw while extracting an archive can lead to changing the access control...
+
+An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.
+
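Review bot: The `references` array in this advisory lists every URL twice (five distinct links, ten entries), which looks like the importer joining two reference lists from the source record without de-duplicating. The same full repetition appears in the advisories for CVE-2021-36976, CVE-2021-31566, CVE-2022-36227 and CVE-2023-30571, and a partial one in CVE-2025-1632, CVE-2024-48615, CVE-2025-5914 and CVE-2024-26256 (which also carries an `http://` and `https://` pair for the same openwall post). An order-preserving de-duplication in the generator would keep the records smaller and make later diffs of `references` show real changes only.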
diff --git a/advisories/published/2025/JLSEC-0000-mns68s11e-1m7ej8m.md b/advisories/published/2025/JLSEC-0000-mns68s11e-1m7ej8m.md
new file mode 100644
index 0000000..b0dbe23
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s11e-1m7ej8m.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s11e-1m7ej8m"
+modified = 2025-10-19T19:26:25.346Z
+upstream = ["CVE-2021-31566"]
+references = ["https://access.redhat.com/security/cve/CVE-2021-31566", "https://bugzilla.redhat.com/show_bug.cgi?id=2024237", "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043", "https://github.com/libarchive/libarchive/issues/1566", "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html", "https://access.redhat.com/security/cve/CVE-2021-31566", "https://bugzilla.redhat.com/show_bug.cgi?id=2024237", "https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043", "https://github.com/libarchive/libarchive/issues/1566", "https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.5.2+0"]
+
+[[jlsec_sources]]
+id = "CVE-2021-31566"
+imported = 2025-10-19T19:26:25.346Z
+modified = 2024-11-21T06:05:55.217Z
+published = 2022-08-23T16:15:09.337Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-31566"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2021-31566"
+```
+
+# An improper link resolution flaw can occur while extracting an archive leading to changing modes, ti...
+
+An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s11f-16fg9sm.md b/advisories/published/2025/JLSEC-0000-mns68s11f-16fg9sm.md
new file mode 100644
index 0000000..638ef45
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s11f-16fg9sm.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s11f-16fg9sm"
+modified = 2025-10-19T19:26:25.347Z
+upstream = ["CVE-2022-36227"]
+references = ["https://bugs.gentoo.org/882521", "https://github.com/libarchive/libarchive/blob/v3.0.0a/libarchive/archive_write.c#L215", "https://github.com/libarchive/libarchive/issues/1754", "https://lists.debian.org/debian-lts-announce/2023/01/msg00034.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V67OO2UUQAUJS3IK4JZPF6F3LUCBU6IS/", "https://security.gentoo.org/glsa/202309-14", "https://bugs.gentoo.org/882521", "https://github.com/libarchive/libarchive/blob/v3.0.0a/libarchive/archive_write.c#L215", "https://github.com/libarchive/libarchive/issues/1754", "https://lists.debian.org/debian-lts-announce/2023/01/msg00034.html", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V67OO2UUQAUJS3IK4JZPF6F3LUCBU6IS/", "https://security.gentoo.org/glsa/202309-14"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.4+0"]
+
+[[jlsec_sources]]
+id = "CVE-2022-36227"
+imported = 2025-10-19T19:26:25.347Z
+modified = 2024-11-21T07:12:37.697Z
+published = 2022-11-22T02:15:11.003Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2022-36227"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2022-36227"
+```
+
+# In libarchive before 3.6.2, the software does not check for an error after calling calloc function t...
+
+In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s11g-19b5c6z.md b/advisories/published/2025/JLSEC-0000-mns68s11g-19b5c6z.md
new file mode 100644
index 0000000..79b7ebe
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s11g-19b5c6z.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s11g-19b5c6z"
+modified = 2025-10-19T19:26:25.348Z
+upstream = ["CVE-2023-30571"]
+references = ["https://github.com/libarchive/libarchive/issues/1876", "https://groups.google.com/g/libarchive-announce", "https://github.com/libarchive/libarchive/issues/1876", "https://groups.google.com/g/libarchive-announce"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.4+0"]
+
+[[jlsec_sources]]
+id = "CVE-2023-30571"
+imported = 2025-10-19T19:26:25.348Z
+modified = 2025-01-14T17:15:11.673Z
+published = 2023-05-29T20:15:09.513Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-30571"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2023-30571"
+```
+
+# Libarchive through 3.6.2 can cause directories to have world-writable permissions
+
+Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask() call inside archive_write_disk_posix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask 0 setting. Such a race condition could lead to implicit directory creation with permissions 0777 (without the sticky bit), which means that any low-privileged local user can delete and rename files inside those directories.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s126-1tcks4h.md b/advisories/published/2025/JLSEC-0000-mns68s126-1tcks4h.md
new file mode 100644
index 0000000..2acc40f
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s126-1tcks4h.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s126-1tcks4h"
+modified = 2025-10-19T19:26:25.374Z
+upstream = ["CVE-2024-26256"]
+references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26256", "http://www.openwall.com/lists/oss-security/2024/06/04/2", "http://www.openwall.com/lists/oss-security/2024/06/05/1", "https://github.com/LeSuisse/nixpkgs/commit/81b82a2934521dffef76f7ca305d8d4e22fe7262", "https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237.patch", "https://github.com/libarchive/libarchive/releases/tag/v3.7.4", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWANFZ6NEMXFCALXWI2AFKYBOLONAVFC/", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TWAMR5TY47UKVYMWQXB34CWSBNTRYMBV/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26256", "https://www.openwall.com/lists/oss-security/2024/06/04/2"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.4+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-26256"
+imported = 2025-10-19T19:26:25.349Z
+modified = 2025-01-08T16:03:05.373Z
+published = 2024-04-09T17:15:47.507Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-26256"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-26256"
+```
+
+# Libarchive Remote Code Execution Vulnerability
+
+Libarchive Remote Code Execution Vulnerability
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s129-epe6u2.md b/advisories/published/2025/JLSEC-0000-mns68s129-epe6u2.md
new file mode 100644
index 0000000..ac7fab8
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s129-epe6u2.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s129-epe6u2"
+modified = 2025-10-19T19:26:25.377Z
+upstream = ["CVE-2024-48957"]
+references = ["https://github.com/libarchive/libarchive/compare/v3.7.4...v3.7.5", "https://github.com/libarchive/libarchive/pull/2149", "https://github.com/terrynini/CVE-Reports/blob/main/CVE-2024-48957/README.md"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = [">= 3.7.4+0, < 3.7.9+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-48957"
+imported = 2025-10-19T19:26:25.377Z
+modified = 2025-09-29T21:35:07.130Z
+published = 2024-10-10T02:15:02.990Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-48957"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-48957"
+```
+
+# execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-b...
+
+execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12a-xxujrt.md b/advisories/published/2025/JLSEC-0000-mns68s12a-xxujrt.md
new file mode 100644
index 0000000..1366ce7
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12a-xxujrt.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12a-xxujrt"
+modified = 2025-10-19T19:26:25.378Z
+upstream = ["CVE-2024-48958"]
+references = ["https://github.com/libarchive/libarchive/compare/v3.7.4...v3.7.5", "https://github.com/libarchive/libarchive/pull/2148", "https://github.com/terrynini/CVE-Reports/tree/main/CVE-2024-48958"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = [">= 3.7.4+0, < 3.7.9+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-48958"
+imported = 2025-10-19T19:26:25.378Z
+modified = 2025-09-29T21:36:20.980Z
+published = 2024-10-10T02:15:03.057Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-48958"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-48958"
+```
+
+# execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-b...
+
+execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12b-1ltikks.md b/advisories/published/2025/JLSEC-0000-mns68s12b-1ltikks.md
new file mode 100644
index 0000000..e68ada4
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12b-1ltikks.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12b-1ltikks"
+modified = 2025-10-19T19:26:25.379Z
+upstream = ["CVE-2025-25724"]
+references = ["https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92", "https://github.com/Ekkosun/pocs/blob/main/bsdtarbug", "https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.9+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-25724"
+imported = 2025-10-19T19:26:25.379Z
+modified = 2025-07-17T15:56:36.083Z
+published = 2025-03-02T02:15:36.603Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-25724"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-25724"
+```
+
+# list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value,...
+
+list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12b-1on5p9b.md b/advisories/published/2025/JLSEC-0000-mns68s12b-1on5p9b.md
new file mode 100644
index 0000000..15a2de5
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12b-1on5p9b.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12b-1on5p9b"
+modified = 2025-10-19T19:26:25.379Z
+upstream = ["CVE-2025-1632"]
+references = ["https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc", "https://vuldb.com/?ctiid.296619", "https://vuldb.com/?id.296619", "https://vuldb.com/?submit.496460", "https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.9+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-1632"
+imported = 2025-10-19T19:26:25.379Z
+modified = 2025-03-25T15:41:41.683Z
+published = 2025-02-24T14:15:11.590Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-1632"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-1632"
+```
+
+# A vulnerability was found in libarchive up to 3.7.7
+
+A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12c-1ht52i0.md b/advisories/published/2025/JLSEC-0000-mns68s12c-1ht52i0.md
new file mode 100644
index 0000000..ce24f12
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12c-1ht52i0.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12c-1ht52i0"
+modified = 2025-10-19T19:26:25.380Z
+upstream = ["CVE-2024-48615"]
+references = ["https://github.com/88Sanghy88/crash-test", "https://github.com/libarchive/libarchive/releases/download/v3.7.6/libarchive-3.7.6.tar.gz", "https://github.com/88Sanghy88/crash-test"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.9+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-48615"
+imported = 2025-10-19T19:26:25.380Z
+modified = 2025-04-14T14:36:30.827Z
+published = 2025-03-28T15:15:45.023Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-48615"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-48615"
+```
+
+# Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar i...
+
+Null Pointer Dereference vulnerability in libarchive 3.7.6 and earlier when running program bsdtar in function header_pax_extension at rchive_read_support_format_tar.c:1844:8.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12d-zhzsnx.md b/advisories/published/2025/JLSEC-0000-mns68s12d-zhzsnx.md
new file mode 100644
index 0000000..dbf8711
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12d-zhzsnx.md
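Review bot: In the CVE-2024-48615 advisory (JLSEC-0000-mns68s12c-1ht52i0.md) the source file is spelled `rchive_read_support_format_tar.c`, which appears to be a truncation of `archive_read_support_format_tar.c`, the spelling used by the CVE-2024-57970 advisory at the end of this patch. The text is presumably copied verbatim from the upstream record, but anyone searching advisories by file name will miss this entry. Consider correcting the name in the body, or keeping the upstream wording and adding a short line that names the intended file.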
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12d-zhzsnx"
+modified = 2025-10-19T19:26:25.381Z
+upstream = ["CVE-2025-5914"]
+references = ["https://access.redhat.com/errata/RHSA-2025:14130", "https://access.redhat.com/errata/RHSA-2025:14135", "https://access.redhat.com/errata/RHSA-2025:14137", "https://access.redhat.com/errata/RHSA-2025:14141", "https://access.redhat.com/errata/RHSA-2025:14142", "https://access.redhat.com/errata/RHSA-2025:14525", "https://access.redhat.com/errata/RHSA-2025:14528", "https://access.redhat.com/errata/RHSA-2025:14594", "https://access.redhat.com/errata/RHSA-2025:14644", "https://access.redhat.com/errata/RHSA-2025:14808", "https://access.redhat.com/errata/RHSA-2025:14810", "https://access.redhat.com/errata/RHSA-2025:14828", "https://access.redhat.com/errata/RHSA-2025:15024", "https://access.redhat.com/errata/RHSA-2025:15709", "https://access.redhat.com/errata/RHSA-2025:15827", "https://access.redhat.com/errata/RHSA-2025:15828", "https://access.redhat.com/errata/RHSA-2025:16524", "https://access.redhat.com/errata/RHSA-2025:18219", "https://access.redhat.com/security/cve/CVE-2025-5914", "https://bugzilla.redhat.com/show_bug.cgi?id=2370861", "https://github.com/libarchive/libarchive/pull/2598", "https://github.com/libarchive/libarchive/releases/tag/v3.8.0", "https://github.com/libarchive/libarchive/pull/2598"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.8.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-5914"
+imported = 2025-10-19T19:26:25.381Z
+modified = 2025-10-16T09:15:35.380Z
+published = 2025-06-09T20:15:26.123Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5914"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-5914"
+```
+
+# A vulnerability has been identified in the libarchive library, specifically within the archive_read_...
+
+A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12e-ffc4an.md b/advisories/published/2025/JLSEC-0000-mns68s12e-ffc4an.md
new file mode 100644
index 0000000..70fe2fd
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12e-ffc4an.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12e-ffc4an"
+modified = 2025-10-19T19:26:25.382Z
+upstream = ["CVE-2025-5915"]
+references = ["https://access.redhat.com/security/cve/CVE-2025-5915", "https://bugzilla.redhat.com/show_bug.cgi?id=2370865", "https://github.com/libarchive/libarchive/pull/2599", "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.8.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-5915"
+imported = 2025-10-19T19:26:25.382Z
+modified = 2025-08-25T02:28:51.487Z
+published = 2025-06-09T20:15:26.317Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5915"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-5915"
+```
+
+# A vulnerability has been identified in the libarchive library
+
+A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12e-i1r4k9.md b/advisories/published/2025/JLSEC-0000-mns68s12e-i1r4k9.md
new file mode 100644
index 0000000..b627975
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12e-i1r4k9.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12e-i1r4k9"
+modified = 2025-10-19T19:26:25.382Z
+upstream = ["CVE-2025-5916"]
+references = ["https://access.redhat.com/security/cve/CVE-2025-5916", "https://bugzilla.redhat.com/show_bug.cgi?id=2370872", "https://github.com/libarchive/libarchive/pull/2568", "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.8.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-5916"
+imported = 2025-10-19T19:26:25.382Z
+modified = 2025-08-15T18:12:06.987Z
+published = 2025-06-09T20:15:27.170Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5916"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-5916"
+```
+
+# A vulnerability has been identified in the libarchive library
+
+A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12f-10ok6wp.md b/advisories/published/2025/JLSEC-0000-mns68s12f-10ok6wp.md
new file mode 100644
index 0000000..9142272
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12f-10ok6wp.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12f-10ok6wp"
+modified = 2025-10-19T19:26:25.383Z
+upstream = ["CVE-2025-5917"]
+references = ["https://access.redhat.com/security/cve/CVE-2025-5917", "https://bugzilla.redhat.com/show_bug.cgi?id=2370874", "https://github.com/libarchive/libarchive/pull/2588", "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.8.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-5917"
+imported = 2025-10-19T19:26:25.383Z
+modified = 2025-08-15T18:16:42.910Z
+published = 2025-06-09T20:15:27.330Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5917"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-5917"
+```
+
+# A vulnerability has been identified in the libarchive library
+
+A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s12g-1gfe2ox.md b/advisories/published/2025/JLSEC-0000-mns68s12g-1gfe2ox.md
new file mode 100644
index 0000000..3880c3e
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s12g-1gfe2ox.md
@@ -0,0 +1,24 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s12g-1gfe2ox"
+modified = 2025-10-19T19:26:25.384Z
+upstream = ["CVE-2025-5918"]
+references = ["https://access.redhat.com/security/cve/CVE-2025-5918", "https://bugzilla.redhat.com/show_bug.cgi?id=2370877", "https://github.com/libarchive/libarchive/pull/2584", "https://github.com/libarchive/libarchive/releases/tag/v3.8.0"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.8.0+0"]
+
+[[jlsec_sources]]
+id = "CVE-2025-5918"
+imported = 2025-10-19T19:26:25.384Z
+modified = 2025-08-15T18:35:04.390Z
+published = 2025-06-09T20:15:27.493Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-5918"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2025-5918"
+```
+
+# A vulnerability has been identified in the libarchive library
+
+A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.
+
diff --git a/advisories/published/2025/JLSEC-0000-mns68s135-zc3l9o.md b/advisories/published/2025/JLSEC-0000-mns68s135-zc3l9o.md
new file mode 100644
index 0000000..a7a88f3
--- /dev/null
+++ b/advisories/published/2025/JLSEC-0000-mns68s135-zc3l9o.md
@@ -0,0 +1,32 @@
+```toml
+schema_version = "1.7.3"
+id = "JLSEC-0000-mns68s135-zc3l9o"
+modified = 2025-10-19T19:26:25.409Z
+aliases = ["CVE-2024-57970"]
+references = ["https://github.com/libarchive/libarchive/issues/2415", "https://github.com/libarchive/libarchive/pull/2422"]
+
+[[affected]]
+pkg = "LibArchive_jll"
+ranges = ["< 3.7.9+0"]
+
+[[jlsec_sources]]
+id = "CVE-2024-57970"
+imported = 2025-10-19T19:26:25.389Z
+modified = 2025-02-18T17:15:19.130Z
+published = 2025-02-16T04:15:21.843Z
+url = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-57970"
+html_url = "https://nvd.nist.gov/vuln/detail/CVE-2024-57970"
+[[jlsec_sources]]
+id = "EUVD-2024-53870"
+imported = 2025-10-19T19:26:26.846Z
+modified = 2025-02-18T17:05:13.000Z
+published = 2025-02-16T00:00:00.000Z
+url = "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2024-53870"
+html_url = "https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-53870"
+fields = ["affected"]
+```
+
+# libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_su...
+
+libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname.
+
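Review bot: This is the only advisory in the patch that records its CVE under `aliases = ["CVE-2024-57970"]` where the other sixteen use `upstream`, so tooling that keys on `upstream` may not link this entry to the CVE. The difference may be intended because the record merges NVD and EUVD data (the EUVD source carries `fields = ["affected"]`), but nothing in the front matter says so; a comment such as `# aliases used because the record merges NVD and EUVD sources` would settle it. The second `[[jlsec_sources]]` header also follows the previous table with no blank line, unlike the spacing before the other table headers in these files.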