Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: ppc64el
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-02)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library.
     This flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file.
     This out-of-bounds read can lead to unintended consequences,
     including unpredictable program behavior, memory corruption,
     or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can allow
     attackers to cause persistent denial-of-service conditions in services
     that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure
     of sensitive heap memory information without requiring authentication
     or user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper
     validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge
     extensions. A remote attacker can exploit this by supplying a
     specially crafted ISO file. This can lead to incorrect memory
     allocation and potential application crashes, resulting in a
     denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic.
     A remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.