-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: armhf
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: armhf Build Daemon (arm-conova-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can allow
     attackers to cause persistent denial-of-service conditions in services
     that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure of
     sensitive heap memory information without requiring authentication or
     user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.