-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: amd64
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This
     flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file. This
     out-of-bounds read can lead to unintended consequences, including
     unpredictable program behavior, memory corruption, or a
     denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can
     allow attackers to cause persistent denial-of-service conditions in
     services that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure
     of sensitive heap memory information without requiring authentication
     or user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper
     validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge
     extensions. A remote attacker can exploit this by supplying a
     specially crafted ISO file. This can lead to incorrect memory
     allocation and potential application crashes, resulting in a
     denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer
     overflow vulnerability exists in the zisofs block pointer allocation
     logic. A remote attacker can exploit this by providing a specially
     crafted ISO9660 image, which can lead to a heap buffer overflow. This
     could potentially allow for arbitrary code execution on the affected
     system.
Checksums-Sha1:
 7e96c9695ee05d147e96693c4d81da70f6d57fd7 561392 libarchive-dev_3.6.2-1+deb12u4_amd64.deb
 e0f7087d05ef40733795e2c793951b43fcc7e04d 96088 libarchive-tools-dbgsym_3.6.2-1+deb12u4_amd64.deb
 ef856051619b31443e8f524f2bbd6edb7e6d6527 75256 libarchive-tools_3.6.2-1+deb12u4_amd64.deb
 e5dd54dbc1f8a0fed5bc6b920d0dbaf56077e569 1058116 libarchive13-dbgsym_3.6.2-1+deb12u4_amd64.deb
 2a0ce53aa8d409e3bf2cbbcd885610f83c56f978 344764 libarchive13_3.6.2-1+deb12u4_amd64.deb
 700865522a9d0093537d01cc2d27f34c840c70b0 7970 libarchive_3.6.2-1+deb12u4_amd64-buildd.buildinfo
Checksums-Sha256:
 9d173c1490028e7e1bdf6738072c171eec50c90e46ab5f0e0367671fc24b37e8 561392 libarchive-dev_3.6.2-1+deb12u4_amd64.deb
 034d59e22c073eb129a3b6afb0a6dfad1ffe15bfc371e63b7a42652d122cea03 96088 libarchive-tools-dbgsym_3.6.2-1+deb12u4_amd64.deb
 993efccea54c6c0f91ac09f8380223496ae4586091a13c19075d474e2b95d3c6 75256 libarchive-tools_3.6.2-1+deb12u4_amd64.deb
 4c7704d7bf79e84774d44068680bdaf0e23f753f9d7f926665d427376c3c9a6f 1058116 libarchive13-dbgsym_3.6.2-1+deb12u4_amd64.deb
 ceacf45baae5fdf1ff9b80d9871c17a029c864c928af7620e456454d90c987f3 344764 libarchive13_3.6.2-1+deb12u4_amd64.deb
 ed347e6043d83d0b257bea368b76feb418bcd9fe3a3773f12e6b1027ee819d95 7970 libarchive_3.6.2-1+deb12u4_amd64-buildd.buildinfo
Files:
 88c191b340915bf2ac1cd4e3bc947dc7 561392 libdevel optional libarchive-dev_3.6.2-1+deb12u4_amd64.deb
 69fef13b0fa8e97fa3bb261fb9e044fd 96088 debug optional libarchive-tools-dbgsym_3.6.2-1+deb12u4_amd64.deb
 b95d2d4756f931a5d2ff0f4fe38ec821 75256 utils optional libarchive-tools_3.6.2-1+deb12u4_amd64.deb
 cfd8b389b9b73909c76a931b1b4c0eab 1058116 debug optional libarchive13-dbgsym_3.6.2-1+deb12u4_amd64.deb
 694968911369beddfec0dea968aa93de 344764 libs optional libarchive13_3.6.2-1+deb12u4_amd64.deb
 d16255d7aa22e83b3225ed4c1558a7ac 7970 libs optional libarchive_3.6.2-1+deb12u4_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmn7jT8ACgkQTwt/65ON
6zcwRw/+N8wzOna8hbjwOHzg69lnxtMAiN+icMXQWfUur86I7o9wFYcU5gWxE4HT
bj+3k8sFn086WUQ+Fdc/YnJZbyssfFgbMYTEgS7mcybIzm4E3ADxFF/aERATYNgp
s5t+rRDJ6+pumz4U8rzCt2pUP39TkJ3l+tzZynbFArHYbIjcUv34TZEfqSYqpr+o
YdoEcxlwhN4Zlu3fyTEwaXQjxBVEFWnLtGcB3vs93/XshkzCQRHpS3yfP/a3uRS8
HgX9YQ0Evl9dEJJhlUvAV/WBOqwep58IpCqd45PzYrK9T7wMHMuALkDo+QPoxLlC
PRNiNNpRXzYcn6ZNecHf/gsR7YFVRyw+jenaJzoCZB9iyFRseKVHET6WoNutZbpK
f5QOGfRVX6U7VGJJJ9iD97T9PqbugtgeercPZQwNbygJnTkkMShHB/by9r6YxuPP
yxzAV+3U90oIzCxyUJb4WNssavVI/wyHcZsF4YlZducyk4qgqsu5+MnjaAYUPEzS
uNuoZChjze1ytttrrA7uMf3LcyPgBYzTrY92T5qILR/udBpff/W3mTKxHq41ZPno
QnUHkbP1o8XXTYEqvOvJchidaf93zdKCc9frOv51uRsbYHw0OCNqjeGWdGjsXyu6
sB9L+GgFIGuPazKeNxvXLrpGM3cbd1aI6/eeQFm8jRyX0fG5AoY=
=eDoH
-----END PGP SIGNATURE-----