-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: i386
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This
     flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file. This
     out-of-bounds read can lead to unintended consequences, including
     unpredictable program behavior, memory corruption, or a
     denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can
     allow attackers to cause persistent denial-of-service conditions in
     services that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure
     of sensitive heap memory information without requiring authentication
     or user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper
     validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge
     extensions. A remote attacker can exploit this by supplying a
     specially crafted ISO file. This can lead to incorrect memory
     allocation and potential application crashes, resulting in a
     denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 bbce760801b4028eb3aefaddb1f5515e03baeccf 609804 libarchive-dev_3.6.2-1+deb12u4_i386.deb
 31bfa793bad4559cb09025287779f44353be1819 88304 libarchive-tools-dbgsym_3.6.2-1+deb12u4_i386.deb
 1d4e5874686d9b03644c73a8c9db9748ea751329 78388 libarchive-tools_3.6.2-1+deb12u4_i386.deb
 e6068beb767a21e3d5fa16acdecf88784b676210 972896 libarchive13-dbgsym_3.6.2-1+deb12u4_i386.deb
 15b792e587191fe505635c0c8743341873a185bf 386516 libarchive13_3.6.2-1+deb12u4_i386.deb
 b8c026e6e4ab924254db62f37c15e865c92a5164 7882 libarchive_3.6.2-1+deb12u4_i386-buildd.buildinfo
Checksums-Sha256:
 16be0c3b6093a0d14cdd7fa7f022c5bea90a6f27e8e0bba01ab683f8141ae10f 609804 libarchive-dev_3.6.2-1+deb12u4_i386.deb
 cfe56778b834531728e5cbbea2af549f277283dd4033b4470fd030295e9e0ba3 88304 libarchive-tools-dbgsym_3.6.2-1+deb12u4_i386.deb
 c43e944fe2e26619f92a383228ba63ae8b9d17e464fbd9474e6b030b98a11066 78388 libarchive-tools_3.6.2-1+deb12u4_i386.deb
 f3ea6b6f9236efdf372ebdaad0e070bb0509cf5aab48be3b31ccd7d996650882 972896 libarchive13-dbgsym_3.6.2-1+deb12u4_i386.deb
 9526a6d4dc0e219b4d3ed4e4e53a0fbc707c79de27bdfdd20ebfdeb97cac4ee6 386516 libarchive13_3.6.2-1+deb12u4_i386.deb
 955de6cfc0cdc37aef940a72a1adb5a075dede9472d410dac0513591d4238c77 7882 libarchive_3.6.2-1+deb12u4_i386-buildd.buildinfo
Files:
 4b5a009837d2a45862485b7b074038fb 609804 libdevel optional libarchive-dev_3.6.2-1+deb12u4_i386.deb
 f4015af5c09556e1a06d3052d5098559 88304 debug optional libarchive-tools-dbgsym_3.6.2-1+deb12u4_i386.deb
 7ee2c57bd0d39d166eaa0aa0a1eb6abc 78388 utils optional libarchive-tools_3.6.2-1+deb12u4_i386.deb
 8068f185c12aaa716836b4c8a72c8753 972896 debug optional libarchive13-dbgsym_3.6.2-1+deb12u4_i386.deb
 f74b3f3a74facce8b7202647973c71fc 386516 libs optional libarchive13_3.6.2-1+deb12u4_i386.deb
 f7957d060513da62ef3835798b228a05 7882 libs optional libarchive_3.6.2-1+deb12u4_i386-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEb5EwsJvHBEjqIJYIbheoBegwXLIFAmn7jW8ACgkQbheoBegw
XLIlrg//f6auMsidoMZzp4oO9vrz3+ZP7EsBFhsXPBI0Sed5IR0X/DgdVDAkdTFV
CHmgtn5ztE2zhlyYwRvRRd98iuooI9SMwXUo2DSHfOVhNgBvl6ijZgqY9Sxy1i4u
G0mOwzWbqnKnr4j87C25UEq5la065vqyNvETnSj43m/bja8aat2ruHp2bH9+rIM5
sXNPjbWnysoH9adkMI+HCt+GHGCCarXnbmt5G8/5NmsYkHAi9O0qikRDC1CXQNLw
V88Ih1BaoFwDsHy7qczymfdGrTaWknOAyZcwxpfUd2ZFMwi01xnUtEQcFiAHUc8G
SeOGsvEsnNowpOgBZ+o3ufiHzIeNADh3WiPGwn8Jha+lsmhsg2gHQ2j1H4Ao+KcV
j4ACabkda0z5qzQ7dfa4551SUvW5LofHv00OlWPvftOStBhKbwhVwcdcDUae6Q77
n6PXCoHCJ9KKpDNMj9c5bmxy0ksIs2zbotyjS3WrfQrM3p1BbpOJ/mRKY/JDuAsS
pya5zPFuBrjBXmfg0VU61U4nI9LpetdPjQ38iWsBBc+SHXtoVJjDPJIBWalZ5Ohf
TOv3PxMCLDZf4hyK474gfdzgDW0eSb3gXR3R9ZnhOj03A33FTFsQqWKPaeR/sX0k
rqrBLxlyODs7ewl/imUzs7szG1aggb1HjxE4WZ1BPaRO8VZ8gwU=
=Iisu
-----END PGP SIGNATURE-----