-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Architecture: source
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: Peter Pentchev
Changed-By: Arnaud Rebillout
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can allow
     attackers to cause persistent denial-of-service conditions in services
     that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure of
     sensitive heap memory information without requiring authentication or
     user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 3819c1de76fa3d85bcc4ea4fb4c3eafb07236886 2569 libarchive_3.6.2-1+deb12u4.dsc
 35c971132e4ecb1679418d1713e328e415aac569 5213196 libarchive_3.6.2.orig.tar.xz
 9c5ae31f3a3850ea301c1db8ccbd312f01e572ff 659 libarchive_3.6.2.orig.tar.xz.asc
 4dae3f4f73e9d0e884eda52135a56f5970111a5f 40000 libarchive_3.6.2-1+deb12u4.debian.tar.xz
 5a77056fa2e82010fe150f33f15bc44d80ad3f19 5792 libarchive_3.6.2-1+deb12u4_source.buildinfo
Checksums-Sha256:
 ab90e3b9c8b525255d4c33775f5db94ae97044d5e7e9507f1034b2c300182b48 2569 libarchive_3.6.2-1+deb12u4.dsc
 9e2c1b80d5fbe59b61308fdfab6c79b5021d7ff4ff2489fb12daf0a96a83551d 5213196 libarchive_3.6.2.orig.tar.xz
 c6f1cdc29571dd6b09d3776ae98404a81b2dbe970a2bd9dc0bd9ed183ca49b71 659 libarchive_3.6.2.orig.tar.xz.asc
 8144870ef70a09d57a5aea9bc6a00ae0493e829b542d78f5312969b10f1ea322 40000 libarchive_3.6.2-1+deb12u4.debian.tar.xz
 5b3c1827e8d5e72baee4359719139a128dbcd69d5e2678971c0020f0fd8cb14b 5792 libarchive_3.6.2-1+deb12u4_source.buildinfo
Files:
 b4d8a9822782d8d4ce3bc8aaf9bd7a6b 2569 libs optional libarchive_3.6.2-1+deb12u4.dsc
 72cbb3c085624c825f627bfc8f52ce53 5213196 libs optional libarchive_3.6.2.orig.tar.xz
 fce14a9cae1725d38f714aa23a48e7da 659 libs optional libarchive_3.6.2.orig.tar.xz.asc
 e7ad9be1f1d2ae16618de83372378efe 40000 libs optional libarchive_3.6.2-1+deb12u4.debian.tar.xz
 c77327a0d085aca2ba63b7c8a504b9ef 5792 libs optional libarchive_3.6.2-1+deb12u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----