-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: amd64
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 d49831908027b5e5eba062e21e5a4ce770725896 566252 libarchive-dev_3.7.4-4+deb13u1_amd64.deb
 36f5a7a4506ffb73230782f5dda4cf6f7dc24b02 120384 libarchive-tools-dbgsym_3.7.4-4+deb13u1_amd64.deb
 ed3bbef07e32431593e4a79e74a9bbe1390ca000 87620 libarchive-tools_3.7.4-4+deb13u1_amd64.deb
 3c927715f55441c481719486846e8c27e7648ed6 1077108 libarchive13t64-dbgsym_3.7.4-4+deb13u1_amd64.deb
 48241cf426371a2a003fb094c450f954586287c1 350192 libarchive13t64_3.7.4-4+deb13u1_amd64.deb
 65a7173e1e36d01ef35bb143aa7fac885f94eb48 7658 libarchive_3.7.4-4+deb13u1_amd64-buildd.buildinfo
Checksums-Sha256:
 50e36b476a0c31c90607e498a8ea2d8a17c78fa44d6f84b280d426fa6ddbfb82 566252 libarchive-dev_3.7.4-4+deb13u1_amd64.deb
 e7ba265e9ceba44956ba92af474805b2c9987d286bb39accc4f476f66a50bcdb 120384 libarchive-tools-dbgsym_3.7.4-4+deb13u1_amd64.deb
 2b5a2e176e77aa2939d9144d3422f5e291f713ec62281a6c9699cd49fdd80e3e 87620 libarchive-tools_3.7.4-4+deb13u1_amd64.deb
 c559c112d87c4ad6b3dc13de636e968cee9fb1321c578723f6d08f846ecddc50 1077108 libarchive13t64-dbgsym_3.7.4-4+deb13u1_amd64.deb
 12e06195a899e8db371803ed70111fc7302573d3ed84e967d3d48ef2d543ace8 350192 libarchive13t64_3.7.4-4+deb13u1_amd64.deb
 eeced6d5fcb6cd5b9410b651dced8c50851cf525c01c7ded6ce8d01e0c8f406b 7658 libarchive_3.7.4-4+deb13u1_amd64-buildd.buildinfo
Files:
 bd3fc02fc6b2301c9ce64fef376059c4 566252 libdevel optional libarchive-dev_3.7.4-4+deb13u1_amd64.deb
 86813cd3b10b97c0a43cf60f47910c24 120384 debug optional libarchive-tools-dbgsym_3.7.4-4+deb13u1_amd64.deb
 418f82234ba53600d2ab911d536c3723 87620 utils optional libarchive-tools_3.7.4-4+deb13u1_amd64.deb
 280071fbd2abf49acf88fdaca056b1e2 1077108 debug optional libarchive13t64-dbgsym_3.7.4-4+deb13u1_amd64.deb
 83f24237c142f5f485720ad944e2d692 350192 libs optional libarchive13t64_3.7.4-4+deb13u1_amd64.deb
 cd15b9b142f200a5860b54bbd6acc018 7658 libs optional libarchive_3.7.4-4+deb13u1_amd64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEmtr4KUMaso2EQ6NrTwt/65ON6zcFAmn7kDMACgkQTwt/65ON
6zeVGw//SJZCqjtNgW+60+zjI7MngJhp37U/3SKghoGJ+INseV9a5Cg52PAxUBfr
ubHhFH2PzeD9mfjfZgwEmMTIKNETAbW8rcNZxV3DLJViHMVbEYMEI9eVsqceCK8M
kFAmrbn+vkkrQlwAJcA0r+VIZEVHLLDvzeByVZwpVKn3xKKBqaABQLp7AAKbswJ4
Clix6w/lLMgKgLKchHyiAJ9B8a31nKoyTOVFK97z/AsjVwl3CUzA9PS7Jwzx3TFK
H/Ep5DfTDsKiGoKDbqreCSkoY+KzNafLZujH3UdNgyPu8akyNwTUvlMWhicTm/2n
8xmrd3BFFpkeNJnGCET58x1iifrYQeOXm6/NSRpZtMrY14iLT02Ct1AySFLienTW
/PGnFPIJXw08FHWL5CGUSvKmrDm2UYvYG/yPRqK0pnu7F7wQlzuYjqDt2CEWpXeh
AK/IGgjwGndzcoISKThiYTDIzgDCiwJV5vs12IkLqX/J/deV5Gdsw+eWK2ldc/6q
byHj6VL1KL/7jSJ9xbTFnSGvjYnhVXvePAQx9dwJtstK+CX1iTj3uEtuGGmfb6M0
yPS+9LLVs7z8m/sxvVq7LALHYPf87cPgdKn6F7YpA6yPUUeJG4xFg+OevQVrhu7h
xPBbZaavIl8oPHjq2+b2WULVwaye88Ux+/JXkWOhpLkiv8RFMGU=
=8Ubb
-----END PGP SIGNATURE-----