-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: arm64
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: arm64 Build Daemon (arm-conova-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read can
     lead to unintended consequences, including unpredictable program behavior,
     memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data() processing
     path. When a specially crafted RAR5 archive is processed, the decompression
     routine may enter a state where internal logic prevents forward progress.
     This condition results in an infinite loop that continuously consumes CPU
     resources. Because the archive passes checksum validation and appears
     structurally valid, affected applications cannot detect the issue before
     processing. This can allow attackers to cause persistent denial-of-service
     conditions in services that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read vulnerability
     exists in the RAR archive processing logic due to improper validation of
     the LZSS sliding window size after transitions between compression methods.
     A remote attacker can exploit this by providing a specially crafted RAR
     archive, leading to the disclosure of sensitive heap memory information
     without requiring authentication or user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability exists
     in the zisofs decompression logic, caused by improper validation of a field
     (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker
     can exploit this by supplying a specially crafted ISO file. This can lead
     to incorrect memory allocation and potential application crashes, resulting
     in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A remote
     attacker can exploit this by providing a specially crafted ISO9660 image,
     which can lead to a heap buffer overflow. This could potentially allow for
     arbitrary code execution on the affected system.
Checksums-Sha1:
 828e2e388d6d74c6458aae95387ad73bc8a28dbb 550840 libarchive-dev_3.7.4-4+deb13u1_arm64.deb
 935345cb487dc213a91172d48c29f75a22fdfc7e 120480 libarchive-tools-dbgsym_3.7.4-4+deb13u1_arm64.deb
 aa83d1bdef3811fb5f660a0d4e76308d56f8f025 85244 libarchive-tools_3.7.4-4+deb13u1_arm64.deb
 751e74295ef32874447b15a00850e24aae6b12cd 1043788 libarchive13t64-dbgsym_3.7.4-4+deb13u1_arm64.deb
 caa4a31b37d67f3a86d5dcd664e03101c3f98fdf 324064 libarchive13t64_3.7.4-4+deb13u1_arm64.deb
 e9099ba8939f0867ca7da8c3fa7b67ce90952e92 7645 libarchive_3.7.4-4+deb13u1_arm64-buildd.buildinfo
Checksums-Sha256:
 a1fdb862fe37ade8afc16f154e879657dcb6df90088b5f5393636efe21d71149 550840 libarchive-dev_3.7.4-4+deb13u1_arm64.deb
 9def5b151c881ca9e3762ace943fb9c89b4bcb27ba19bd865f8349aa3ea78ad3 120480 libarchive-tools-dbgsym_3.7.4-4+deb13u1_arm64.deb
 9816e0c71811e53c2cd5d4be8e2f0916e9c964204fa5d7b886e0e9b25f91bd36 85244 libarchive-tools_3.7.4-4+deb13u1_arm64.deb
 4c10f7d1b9480a4c224fabbb203bdeb680dea45d31522071b37939d67adced6e 1043788 libarchive13t64-dbgsym_3.7.4-4+deb13u1_arm64.deb
 9dc7897bc1c83b03a69c581018010fbd9723ce199b99433639343d8b3a5bcf81 324064 libarchive13t64_3.7.4-4+deb13u1_arm64.deb
 e2179468a011d944e3f8ca2575d0c90a8af60c5644ac4af1356907e354977296 7645 libarchive_3.7.4-4+deb13u1_arm64-buildd.buildinfo
Files:
 7ae4362ac83f870bb2fd9d712936d908 550840 libdevel optional libarchive-dev_3.7.4-4+deb13u1_arm64.deb
 f84014c219936b6eab1cfa9da35b3930 120480 debug optional libarchive-tools-dbgsym_3.7.4-4+deb13u1_arm64.deb
 c1117611ece9a3b480cad667b5b72ded 85244 utils optional libarchive-tools_3.7.4-4+deb13u1_arm64.deb
 eaaa5feffff50815f24312a81c21fe36 1043788 debug optional libarchive13t64-dbgsym_3.7.4-4+deb13u1_arm64.deb
 8f783e240ef6b6868ebd7608c4773282 324064 libs optional libarchive13t64_3.7.4-4+deb13u1_arm64.deb
 5379becac73d9f078a366e5bfd54aa7d 7645 libs optional libarchive_3.7.4-4+deb13u1_arm64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----