-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: arm64
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: arm64 Build Daemon (arm-conova-04)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 63cc31bf08f1f538911f9cbbde57227a41d0c846 544736 libarchive-dev_3.6.2-1+deb12u4_arm64.deb
 b244b5cc0bcd4b63dcf9efbd0182ab9e53a422ee 95448 libarchive-tools-dbgsym_3.6.2-1+deb12u4_arm64.deb
 821bdffff25d369fdf053713c39f812a74c2cd78 72988 libarchive-tools_3.6.2-1+deb12u4_arm64.deb
 c0683e5c6775ce4f7bfaacae1448716f138aaaf2 1022444 libarchive13-dbgsym_3.6.2-1+deb12u4_arm64.deb
 710db457a8cf68fd67db6e07a308e389f102a94f 318108 libarchive13_3.6.2-1+deb12u4_arm64.deb
 608b87bfdb0bb3daaf4bbfa3f845dcba707d68aa 7985 libarchive_3.6.2-1+deb12u4_arm64-buildd.buildinfo
Checksums-Sha256:
 c419fe6963b6abe8330fc4e9d14381ee99ec1cd7a51d16a40143c1bf0b7ba479 544736 libarchive-dev_3.6.2-1+deb12u4_arm64.deb
 5c6828b164042ee2781812cb75f78af411e387ec1da58e64de4432c4dde05a6c 95448 libarchive-tools-dbgsym_3.6.2-1+deb12u4_arm64.deb
 c5348d034eaa3a1f0cb529f47cb9ecf7550ba5682846d341c1984ea3974c862d 72988 libarchive-tools_3.6.2-1+deb12u4_arm64.deb
 e061df11a7067ce787137d9d2ae8f3388374e5d8b11913a2d957011594d64656 1022444 libarchive13-dbgsym_3.6.2-1+deb12u4_arm64.deb
 04fa92e0fac6c44d41259802692d1ca065b65fb7909b9419a2f0e496de442fdb 318108 libarchive13_3.6.2-1+deb12u4_arm64.deb
 559bbe5b6d623fd7c991faaf891a2ba6e16e7c4ffa25423ff38bfb19db2076c7 7985 libarchive_3.6.2-1+deb12u4_arm64-buildd.buildinfo
Files:
 a25137b335734b01a6d108e43dbdd22c 544736 libdevel optional libarchive-dev_3.6.2-1+deb12u4_arm64.deb
 69ee54ffb997d43367f609914262f9ef 95448 debug optional libarchive-tools-dbgsym_3.6.2-1+deb12u4_arm64.deb
 23892ce4da2e13427b61d554284e06ca 72988 utils optional libarchive-tools_3.6.2-1+deb12u4_arm64.deb
 addab582d836e67ba50473a02583e804 1022444 debug optional libarchive13-dbgsym_3.6.2-1+deb12u4_arm64.deb
 fe0b78a25ba8958bed4ed856d13e5752 318108 libs optional libarchive13_3.6.2-1+deb12u4_arm64.deb
 302be34286c992e82995017b5759ff20 7985 libs optional libarchive_3.6.2-1+deb12u4_arm64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYxmcRLDHP0tCCM0oScpU3dYulLgFAmn7jTgACgkQScpU3dYu
lLgtCRAAlkqI10uGXYUGLoXRbca85Kqm030UEOjxfcwGU4cb7XKQEFdPc/tw6jN+
ugeZjNqiXdFQZdkK4UqSFEFq/WE/nlnNsgnvzA1JyIPegvyuKzqpb70ZocsThkY0
oDYEs+kq2TrYt+VV5GNoYDVl0Z4KntDG+5dCPEBTowg231nR3p1slQ3E44vG5uTh
zLb1wkTQbVqTz9q9K+r1nHZCTEScvAGPnOsv8e7R6sQsWao6eImQzUPeXBSXYzJg
jn/Tr75G9Zc0tW9t8comXv0oNLsG8/bxbW2LSOGjEUMupdbw9kW5GL7eetG8sS+y
p6AZ3pu4acqdYcckvpIlNdOyg6t/V/l+UKO/LbheAppzT4KqxfMbjdJBMAIUvmk4
184Id7OIkYKfYP2HI4IwsRqSEuvOZQ8u8GuG+mtHkL81ZMYpdO6sH6vacvi/rPOI
/HPAuyurtbeqgqXWMKSy6b4/K1mcCEpncJ1uFOLTtP9GqHAWV1AUiGGt1pdyQUMK
D0hgZGg/5vpzjbixs16Qu6EGvNF2Lx6Jd0FS5Uk8VD74SvNiWmHUEEVJcSL/H/xN
BYRXbbHQe8MhmkKSBl/6AMxAOWn1tJhIzkgySpUu8bDwLJaisxqz3OIH34iUQgAh
nNx3n6HZZmIALQbEIwyY+ZZNTV2X7oNwg3I/AQhcdaekMHxyDZY=
=Oieh
-----END PGP SIGNATURE-----
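The Checksums-Sha256 stanza above is what binds the signed .changes text to the .deb files it describes. The following is an added example, not part of the Debian upload or of the libarchive package: it parses a Debian multi-line checksum field (continuation lines start with a space; the field ends at the first line that does not) and checks downloaded files against it. The `CHANGES_EXCERPT` text is copied verbatim from the stanza above; the file written by `demo_constructed()` and its name `example_1.0-1_arm64.deb` are constructed for the demonstration and correspond to no real package.

```python
"""Verify downloaded Debian packages against the Checksums-Sha256 field of a .changes file."""
import hashlib
import hmac
import os
import tempfile

# Copied from the Checksums-Sha256 / Files fields of the .changes file above.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 c419fe6963b6abe8330fc4e9d14381ee99ec1cd7a51d16a40143c1bf0b7ba479 544736 libarchive-dev_3.6.2-1+deb12u4_arm64.deb
 5c6828b164042ee2781812cb75f78af411e387ec1da58e64de4432c4dde05a6c 95448 libarchive-tools-dbgsym_3.6.2-1+deb12u4_arm64.deb
 c5348d034eaa3a1f0cb529f47cb9ecf7550ba5682846d341c1984ea3974c862d 72988 libarchive-tools_3.6.2-1+deb12u4_arm64.deb
 e061df11a7067ce787137d9d2ae8f3388374e5d8b11913a2d957011594d64656 1022444 libarchive13-dbgsym_3.6.2-1+deb12u4_arm64.deb
 04fa92e0fac6c44d41259802692d1ca065b65fb7909b9419a2f0e496de442fdb 318108 libarchive13_3.6.2-1+deb12u4_arm64.deb
 559bbe5b6d623fd7c991faaf891a2ba6e16e7c4ffa25423ff38bfb19db2076c7 7985 libarchive_3.6.2-1+deb12u4_arm64-buildd.buildinfo
Files:
 a25137b335734b01a6d108e43dbdd22c 544736 libdevel optional libarchive-dev_3.6.2-1+deb12u4_arm64.deb
"""

ALGO_FOR_FIELD = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1"}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one multi-line checksum field.

    Debian control format: the field name line carries no value; each following
    line that starts with a space is one "<digest> <size> <name>" entry, and the
    first line that does not start with a space ends the field.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith(" "):
            break
        digest, size, name = line.split()
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(changes_text, directory, field="Checksums-Sha256"):
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}.

    The size is checked first because it is cheap; the digest comparison uses
    hmac.compare_digest so that the result does not depend on how many leading
    hex characters happen to match.
    """
    algo = ALGO_FOR_FIELD[field]
    results = {}
    for name, (expected, size) in parse_checksums(changes_text, field).items():
        # basename(): a crafted name in the stanza must not escape the directory.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if hmac.compare_digest(h.hexdigest(), expected) else "hash-mismatch"
    return results


def demo_constructed():
    """Constructed demonstration (no real packages involved): one file that
    matches its stanza, the same file after a same-length tamper, and one
    listed file that was never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        name = "example_1.0-1_arm64.deb"          # constructed name, not a real package
        payload = b"not a real .deb, just constructed bytes\n"
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
        stanza = "Checksums-Sha256:\n %s %d %s\n %s %d %s\n" % (
            hashlib.sha256(payload).hexdigest(), len(payload), name,
            "00" * 32, 1, "absent_1.0-1_arm64.deb")   # constructed entry for a file we never fetch
        untampered = verify_files(stanza, d)[name]
        # Overwrite the first three bytes in place: size unchanged, content changed.
        with open(os.path.join(d, name), "r+b") as f:
            f.write(b"NOT")
        after = verify_files(stanza, d)
        return {"untampered": untampered,
                "tampered": after[name],
                "missing": after["absent_1.0-1_arm64.deb"]}


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums(CHANGES_EXCERPT).items():
        print(f"{name}: {size} bytes, sha256 {digest[:16]}...")
    print(demo_constructed())
```

The checksums only mean something once the signature over the cleartext has been verified, so run `gpg --verify` on the .changes file (or `dscverify` from devscripts, which checks both the signature and the listed checksums) before trusting the stanza; a .changes file whose whitespace has been altered in transit, as happens when it is rendered through a web page, will no longer verify and must be re-fetched from the archive.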