-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 11:36:34 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13t64 libarchive13t64-dbgsym
Architecture: s390x
Version: 3.7.4-4+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: s390x Build Daemon (zani)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13t64 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.7.4-4+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucaries ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.