Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: armel
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: armel Build Daemon (arm-ubc-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.