-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: i386
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-csail-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 f6c91ff4487f0a8fbe106386c6b6d2e7f9f53871 612244 libarchive-dev_3.7.4-4+deb13u1_i386.deb
 fdd3d9f583ca6b23a2aae16bf09e14f27516e6c1 110860 libarchive-tools-dbgsym_3.7.4-4+deb13u1_i386.deb
 8043a2086b0786f193e7dd5df9077d1fa703696d 90832 libarchive-tools_3.7.4-4+deb13u1_i386.deb
 d120f193932d6136af608e85afd02aa3c696266b 989464 libarchive13t64-dbgsym_3.7.4-4+deb13u1_i386.deb
 0056e5fdb6ccfca9e5d9f0400b2fab61bd6757a6 391224 libarchive13t64_3.7.4-4+deb13u1_i386.deb
 49026c3c17efba0cce02205cbcf9d65deb0d57cf 7547 libarchive_3.7.4-4+deb13u1_i386-buildd.buildinfo
Checksums-Sha256:
 836f1988709e59a1a086bf90e86f32f1a7c789d55a432e043662db32d9bb95d0 612244 libarchive-dev_3.7.4-4+deb13u1_i386.deb
 0315d51c19b3b3afa60abab052a75d1175e15f18060966b1fa681e2cbede607e 110860 libarchive-tools-dbgsym_3.7.4-4+deb13u1_i386.deb
 5972cacb5b98ff6873ca840d569769b21612c826a02638a87219509761f23a5c 90832 libarchive-tools_3.7.4-4+deb13u1_i386.deb
 310f6c98144325e615062a015dbede77609587ea386d54a550f310c7eebde522 989464 libarchive13t64-dbgsym_3.7.4-4+deb13u1_i386.deb
 5101e88c86f011a29af73f584d133e2896b51dbd643ce74593cbfef9728033d7 391224 libarchive13t64_3.7.4-4+deb13u1_i386.deb
 6805bc0a04021c5b3beb73d1a94b07a9ee6d0e9639258053f775a9d973aa4e8a 7547 libarchive_3.7.4-4+deb13u1_i386-buildd.buildinfo
Files:
 1184ae784d446b809be740b304fa7273 612244 libdevel optional libarchive-dev_3.7.4-4+deb13u1_i386.deb
 9882c926859b0b310903592bb91ba07a 110860 debug optional libarchive-tools-dbgsym_3.7.4-4+deb13u1_i386.deb
 84ce9e99835da03f6b4920a72d422245 90832 utils optional libarchive-tools_3.7.4-4+deb13u1_i386.deb
 2c32e8c237eecf294a31d7a7732a8460 989464 debug optional libarchive13t64-dbgsym_3.7.4-4+deb13u1_i386.deb
 af7e4af8d0a8d92cfde7a343adb95b7f 391224 libs optional libarchive13t64_3.7.4-4+deb13u1_i386.deb
 55a722e34c4c373de62edbb962cc276e 7547 libs optional libarchive_3.7.4-4+deb13u1_i386-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEBDWXQb2umOtH4DRpYg9P9sm2dfEFAmn7kE8ACgkQYg9P9sm2
dfEQWg/9HaSwGXcIRM/3DxyW3Gy8mvsV8f4fexMveDSaI2rU68nhRiKMSD8owmFS
helV4p1XSXhNwiK/7+6HVTcmhKa8LDIAk54qVuUeDptBA+/+TOUUUjadW8IhoAAV
t207IBjzaUUIRBon/cv3SMkxfsS3rgHrRep+jlZwT9tGzSlV33LmkkcK/Y4PJUB4
7vCqXHlzuYhWkzifc25/Ymw2eT+zcN8gOGRbgBioCHvB7dFQDHDoSp9PMfR44Yvx
budoMROebfESEvjpz7l2pvqdHDnKrMdAyjWa3HDgBOx2vUP3YptOFH57G/7yohOP
spPtFE2mRUZ93ZHLdmo32ysG57idOsNLradjYQJutvFUX8wWnqtLLAAdr55y0Rs/
0J7YUL327H7Q6G/cHqBmfl2zzHvBvurFKY4Geo5xYWknO9LBmKm68r9fqfQ8Vbl+
5+InZJKaOz7tAbt+0x0Q7zseCjy9TxnGqiZLGJZh6Rqa3exj5oqME3uZk+dzEE7z
pn74XRU4r26zVFCPT5xOuPHDIINHI9FIJipRCiUH6btTNYyjNGJYwFhrkiB5A+JK
FOYAeeQDtiyEfI+wGZLTjOqxmGeBCTf1wsJCS9aAIz5mMlJgPV39iz2nQqaDgaOV
Fk+GQ97CCdHOCo7t1n0ZtKj2P/IHXcnZ4vkI33jwbX3UbJVpjzk=
=+7Ch
-----END PGP SIGNATURE-----