-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: riscv64
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: riscv64 Build Daemon (rv-osuosl-04)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 934370b5679fa9d4a4aff399b1cd339245e8e814 1161188 libarchive-dev_3.7.4-4+deb13u1_riscv64.deb
 9bcc699042f494db06bef4c37f8d369a20c55a61 116296 libarchive-tools-dbgsym_3.7.4-4+deb13u1_riscv64.deb
 9e83a31cb67ab7ce8c84176652f2ad3c77712cd8 86600 libarchive-tools_3.7.4-4+deb13u1_riscv64.deb
 f8be18fbcd2d9c1f27754de8f26634aa0a45ca06 1021868 libarchive13t64-dbgsym_3.7.4-4+deb13u1_riscv64.deb
 05eec8239472ef1f1a855756ae8907820db44974 367280 libarchive13t64_3.7.4-4+deb13u1_riscv64.deb
 8ecb091f26e41a10812feb663cb0bd2eb9271625 7623 libarchive_3.7.4-4+deb13u1_riscv64-buildd.buildinfo
Checksums-Sha256:
 f36dae08698f0004a1edb124622e56e9b5d9742c41a82c327ef62ee8ffa07276 1161188 libarchive-dev_3.7.4-4+deb13u1_riscv64.deb
 a648ff86a9f701a4e80b29d40f80641385935e1fc1c9614ec0c7fb41af84aa9f 116296 libarchive-tools-dbgsym_3.7.4-4+deb13u1_riscv64.deb
 a429d1e1658646a7d1e8eeb0fd417065e6116e25c32b0d1f61271152e18c1609 86600 libarchive-tools_3.7.4-4+deb13u1_riscv64.deb
 285841e19973bfedaf28b611d3e4542f6164e7178dab61a6133540037d5200e3 1021868 libarchive13t64-dbgsym_3.7.4-4+deb13u1_riscv64.deb
 1d39781c6bf0232365ece22e59745430d9e842ce347c355f860d924c5830f33a 367280 libarchive13t64_3.7.4-4+deb13u1_riscv64.deb
 2e40ebfe8e7cbade84d2811d89831c1bd4a6829dd58fffd86fc42f29211fa845 7623 libarchive_3.7.4-4+deb13u1_riscv64-buildd.buildinfo
Files:
 6a0e252c987f212679bc8af18e0ebab9 1161188 libdevel optional libarchive-dev_3.7.4-4+deb13u1_riscv64.deb
 f6841863d2da6a39bd88ef2e9662fa02 116296 debug optional libarchive-tools-dbgsym_3.7.4-4+deb13u1_riscv64.deb
 a9f1c989ad832cb14f3e0b855f84d281 86600 utils optional libarchive-tools_3.7.4-4+deb13u1_riscv64.deb
 7fd18f312aac6c081c9ecc0a49c9e13f 1021868 debug optional libarchive13t64-dbgsym_3.7.4-4+deb13u1_riscv64.deb
 16b1c7d1a283200e9cfda049ad8deb49 367280 libs optional libarchive13t64_3.7.4-4+deb13u1_riscv64.deb
 b621fdab5009b0df3f45f0085190db94 7623 libs optional libarchive_3.7.4-4+deb13u1_riscv64-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEgLDDByWcR07HDSHyNVgvumj7+mMFAmn7uhQACgkQNVgvumj7
+mPIpxAAh8OpxvG3aAJztZXukLy5HwTyFSTZmtg8UKxciFFpTtOnWcrXqPRS9xB9
6wspR36GmP127OBYVLxKtVEQUQRigMOy9FqXCQDTW19YU8oni5jkl1OP6tUhC3JO
cht5Ekv+0FOLwujk8da1wiAbSwVKYSkzLRqdv79aIoAS0YSojtHS298u+4ok+bjW
Iiv5Pq6T8SXd5+HokDZ5CR0NesilYTzQdRblhZ1lOhd07IzbWljbkhIkvYWiKOue
tcdf+FkHZXiPimy871gBa2F6E9EdH0SC2PymnfbtaMZ0J31aznifyVYYyT+xX5Si
V3DXW10RYgp0Reop7p4U8UfgLIJmlRQ+C2gsIse3PdJpKDioRwncSd1HWT0M9dDl
Vqz9xS1ke+dEbMYiBzQ4F2d4hsXMaikVm+V1C1C5Wyf8/gcfZI3GYQFrDEwKNyCS
poV5rrjLEwyKExLE9flFlD5IAISHyyOjU5CNagLd9nSEKDEeRdbY5ZaFzeg6cyM3
99wgYLCRevUOjR6+AU8ZQk2Dsykrh/U9QQMHRJ3tol+pj3+sG8CuG7kmuA/J1uSD
ek3/dPeseEKzusqkEM/SbqfDdoktTveEgYcbtrkK65KSQTjAXHJvk/SpHFsaNioB
WLkC4YBBoK6y7AgzrK9lSSoGdr/HRuh62rTkABJxvJAAa0ioZGg=
=m14W
-----END PGP SIGNATURE-----