Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: mipsel
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-05)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library.
     This flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file.
     This out-of-bounds read can lead to unintended consequences,
     including unpredictable program behavior, memory corruption,
     or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can allow
     attackers to cause persistent denial-of-service conditions in services
     that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure of
     sensitive heap memory information without requiring authentication or
     user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.