-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Architecture: source
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Peter Pentchev
Changed-By: Arnaud Rebillout
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This
     flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file. This
     out-of-bounds read can lead to unintended consequences, including
     unpredictable program behavior, memory corruption, or a
     denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can allow
     attackers to cause persistent denial-of-service conditions in services
     that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure of
     sensitive heap memory information without requiring authentication or
     user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 f4e73729afd1782c681214e257e77aa9d1ebd3d0 2634 libarchive_3.7.4-4+deb13u1.dsc
 9abaf161e4ee81e70072a3ebda99593ce66d9fdd 5417660 libarchive_3.7.4.orig.tar.xz
 27bcb1b2d4ec7d3d00080d5be81aa308c10b192a 659 libarchive_3.7.4.orig.tar.xz.asc
 f42bb7eb4629ae7c260f31509b461fa01bb2bfbf 40084 libarchive_3.7.4-4+deb13u1.debian.tar.xz
 fbb462195f4e5443557c0d4ea9c1ea1144a141eb 5792 libarchive_3.7.4-4+deb13u1_source.buildinfo
Checksums-Sha256:
 0579aa62c9b547a520fd3af48382b1b071c75dde75643c5063fc5f5dcb80545b 2634 libarchive_3.7.4-4+deb13u1.dsc
 f887755c434a736a609cbd28d87ddbfbe9d6a3bb5b703c22c02f6af80a802735 5417660 libarchive_3.7.4.orig.tar.xz
 400b72233b64fae8d93a180f7330d0015a48fe93cdfb56329190b4d1a099d816 659 libarchive_3.7.4.orig.tar.xz.asc
 72da9703b642c6c9bc0432704f1ad14919c57f743336396b5f8aefaf9bf79874 40084 libarchive_3.7.4-4+deb13u1.debian.tar.xz
 ff12d5e0b47243f9d436a3859bb576299d6f50c345e9b34bd05c6a9ac865a029 5792 libarchive_3.7.4-4+deb13u1_source.buildinfo
Files:
 7f9f79b29dba7a5d9f71b1636ebdf22f 2634 libs optional libarchive_3.7.4-4+deb13u1.dsc
 1bab4c1b443ecf4f23ff9881665e680a 5417660 libs optional libarchive_3.7.4.orig.tar.xz
 bb62fc1dacf10c65c72484fb9ca49d6a 659 libs optional libarchive_3.7.4.orig.tar.xz.asc
 17a631918e938a9994054f29bd8768e6 40084 libs optional libarchive_3.7.4-4+deb13u1.debian.tar.xz
 dcc71b05879f4781d283f6d5247e766f 5792 libs optional libarchive_3.7.4-4+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEE0Kl7ndbut+9n4bYs5yXoeRRgAhYFAmn5cZQTHGFybmF1ZHJA
ZGViaWFuLm9yZwAKCRDnJeh5FGACFpBXD/4yVdHpdFdhbFEVJx3v4DZEdDbmu34b
fQQN9Uz/1b0hJXLqN8Ht4tdYhga09jRyoEEFyBLZHfZS7kS9RgPcvd2p38AJWj62
51Ay0lNNtbhZq1GxXXUv1v/V0wkL9KVLXmZ2sJDsd98GhjlV3fggPkk8tDBSI+XF
aP0vMUVj1xc4cn/M+4VUYSCGDg0WEXkq1N1zFx6UyHEiZX1JYKKJPLpdnqtV34D/
6PTlhesXTg2SzAZ2E9OOJD/NvHvVNpz1xJu3LQ09VTFrb0O/C0IzjOw2YL11xTeu
PKOgjirjLLj8uOiC/UgMo3TJbUamhDHCL6Tro52ndzxbxxo8cFbVbNUQc3oN4cvD
ISvwVZ44dz9JWqsjQ680plxzobLHjm0AT5pjjUMVUZfQDB4Gk5Q1FxpfLMdbl0Wc
Zn6uRSUWCkAWhSWHcbI2NsGTZpix3kyt2PdlbQcF6RVi6KyJCZqjQE3herwPeJCu
n4Z2+XBi8tS0Fqz5YG3mf4odu14WGS64s3w/n5nlZ5mv2Zqxww/925Wu/8HSQydw
NLqsVovLBfmhRkYoPAXtlXRau2vnFGcsfKhu6+pQ66oZyKhSUB0hr3DHqVVIl+D1
LReIOV+J0PTur7rmOFeV/qNjk9sxTRxHAlXGWgh2FmlLZKFRFgzdYG54p/LppSlc
uOzWdzFFVTuFrQ==
=oyy3
-----END PGP SIGNATURE-----