-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: armel
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: armel Build Daemon (arm-ubc-04)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This
     flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file. This
     out-of-bounds read can lead to unintended consequences, including
     unpredictable program behavior, memory corruption, or a
     denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite
     loop that continuously consumes CPU resources. Because the archive
     passes checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can
     allow attackers to cause persistent denial-of-service conditions in
     services that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after
     transitions between compression methods. A remote attacker can
     exploit this by providing a specially crafted RAR archive, leading
     to the disclosure of sensitive heap memory information without
     requiring authentication or user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper
     validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge
     extensions. A remote attacker can exploit this by supplying a
     specially crafted ISO file. This can lead to incorrect memory
     allocation and potential application crashes, resulting in a
     denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer
     overflow vulnerability exists in the zisofs block pointer allocation
     logic. A remote attacker can exploit this by providing a specially
     crafted ISO9660 image, which can lead to a heap buffer overflow.
     This could potentially allow for arbitrary code execution on the
     affected system.
Checksums-Sha1:
 5d77b07a987c3ae5313a7943ec1491ead11ca0f3 528972 libarchive-dev_3.7.4-4+deb13u1_armel.deb
 35dee866c42895e1d6f14758afa29cc956a248c9 117408 libarchive-tools-dbgsym_3.7.4-4+deb13u1_armel.deb
 dfecadecb875c8c2a15bee768ac1220a29f2b8c3 82176 libarchive-tools_3.7.4-4+deb13u1_armel.deb
 c64cdccac79316361e2c07d55a0c8f82782bfc09 1043472 libarchive13t64-dbgsym_3.7.4-4+deb13u1_armel.deb
 cbf8f9b7ffa84be2d4929e84f221c2d93d114a3d 304056 libarchive13t64_3.7.4-4+deb13u1_armel.deb
 c8f9f6738371bd78ada632a538848dfed2be2433 7510 libarchive_3.7.4-4+deb13u1_armel-buildd.buildinfo
Checksums-Sha256:
 8f4796b9b567dd9baf5a9b8cb630f6bd5f40ea62e53c1238e16fe01d5dc046f3 528972 libarchive-dev_3.7.4-4+deb13u1_armel.deb
 5f1e6cb76d4bc7e000f0c29adc91a38a4c5e7907dd798b9e5fa25d07c4c49862 117408 libarchive-tools-dbgsym_3.7.4-4+deb13u1_armel.deb
 aaef5f68651d098692bc6c0cbe8818bdc97dc446659241cbcf2a00808444ad19 82176 libarchive-tools_3.7.4-4+deb13u1_armel.deb
 e85e5c51127bf2bc0e9e137bbfa3b4d226356434e8f86bcf1440e5c229611140 1043472 libarchive13t64-dbgsym_3.7.4-4+deb13u1_armel.deb
 532327b68fd501ec8685a5aa1d9fa6fd74e0baad4d85c06a361ef7bc23f189ea 304056 libarchive13t64_3.7.4-4+deb13u1_armel.deb
 5ecf3c7fa1625aca523dd3ddc8a72c847f0ea722cf8db00cc8026fe8ee8d7fca 7510 libarchive_3.7.4-4+deb13u1_armel-buildd.buildinfo
Files:
 8acd18303f0e5e237399c46efb930dc6 528972 libdevel optional libarchive-dev_3.7.4-4+deb13u1_armel.deb
 62d29f7094c75904bd121e00e6cfe81f 117408 debug optional libarchive-tools-dbgsym_3.7.4-4+deb13u1_armel.deb
 e09f0b2d990d41d7da4dcd61affc3eee 82176 utils optional libarchive-tools_3.7.4-4+deb13u1_armel.deb
 ce131cb28e9a77d282c9d5f2f5605913 1043472 debug optional libarchive13t64-dbgsym_3.7.4-4+deb13u1_armel.deb
 f8842b909e272fad3ec45820eeb8a32e 304056 libs optional libarchive13t64_3.7.4-4+deb13u1_armel.deb
 4b5095a7393adaf9d4f449cf00b954f3 7510 libs optional libarchive_3.7.4-4+deb13u1_armel-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEECx5fXZYVNP9tMtwlK1PZBedPspoFAmn7j48ACgkQK1PZBedP
sprPhhAAmY9v9PPfRKqPtYJD/TibQfLDlcjuCAsnF8QZkAIfpguRqle7toecO87o
6u3/uvx0aWYfct73h2Nt1Cd55fmJl12aRFZYZtZ+VZpbYF+fShJeg/83DQil670w
0L1/IJv3VL0nSeUHnulNjA16Qay4RJHCRgUNcY2cTuljtBQk/HYrLDu1n6mfymKm
8Vv5Bwt7GsfT0q7o9HYL+Cdqf6EU+vZFjC2EnLIgQp0+iNAkVpEZkhVC0oCI8ms9
3DKYhMc//txk2d2nuhi5obL1W1ND0PrQUisVFt8/jq6hrT2g+7tFW41s5h0KlChk
8D1aj1cd++DAneeHV0bYk9TE0cKp/2f4VWHBbNiaf8QdyrWQ+YfPjTjApwF3x/d0
XThqwnEUo48DB0V+iFL7Kw9iWoxcIAbDKoZ94ZrMFN8mgF7rpTd++c2Q75IynfEc
twgrRtQgaBxw0+amLJpkPHkKZ9+OO06vmqyBLFcVNL/1+Fdkwn0NUCNnkzdr1tbO
IFHB/Nv9lBBidQtq450urbjWgyAHlSoYFkzc0wOdkp56UbY1eB5X58WfdWj71eC0
6MjAdV23YpXpsu+xE2t7hnoB0/jjBlJAriLvLQ+SiueRMJRtIbIxT3PcOY7Q9gAt
/hHlcG/B2vZn9hyAzK9yzHjsoVXl+TKECmHWEmstxHCqdmQOQ6A=
=LIeG
-----END PGP SIGNATURE-----