-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: armhf
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: armhf Build Daemon (arm-ubc-03)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 d45fddac0fb0ab6ec9b4a6852d895a8aa51902c4 520728 libarchive-dev_3.6.2-1+deb12u4_armhf.deb
 0ae4ce966b94008ba9baf2737fa6406b7707ade7 92596 libarchive-tools-dbgsym_3.6.2-1+deb12u4_armhf.deb
 313e01ed386e322973686098cb109de9bfb5f8d2 71028 libarchive-tools_3.6.2-1+deb12u4_armhf.deb
 b804628b4dd3efd5304dcd906a1767e5968c56c7 1030320 libarchive13-dbgsym_3.6.2-1+deb12u4_armhf.deb
 1eeecf0dc90b65cb4c390da913f5cfad33aa4dbe 300980 libarchive13_3.6.2-1+deb12u4_armhf.deb
 94963eb45a6f5c788c305b5fa1b222880cd36a4c 7829 libarchive_3.6.2-1+deb12u4_armhf-buildd.buildinfo
Checksums-Sha256:
 67baf4bceea06b6fde841acbbfb887b3a75e06b99def884bbb1eeb1d396ed057 520728 libarchive-dev_3.6.2-1+deb12u4_armhf.deb
 2e58c6b714ab5dc16dfead2b9ef2614e43e99be46d9f3437a11c5cb624852201 92596 libarchive-tools-dbgsym_3.6.2-1+deb12u4_armhf.deb
 c4f95b3c028cefcb9b44a313f988de35b41bfde49e6e726d89d21a2a1be738d3 71028 libarchive-tools_3.6.2-1+deb12u4_armhf.deb
 8e1598316d1834cc62a4aea24f627bdb133211e0b1c3f40726f8529231429951 1030320 libarchive13-dbgsym_3.6.2-1+deb12u4_armhf.deb
 639b5b35a8583cbfaa38b54f49ff7f502713865eb9b8224873d63c2c8b7039f7 300980 libarchive13_3.6.2-1+deb12u4_armhf.deb
 d098a060fa3ab5d229f2253cd83230633c578b180a09008160f2cb256cda4368 7829 libarchive_3.6.2-1+deb12u4_armhf-buildd.buildinfo
Files:
 4bdeeb9c25ca0df48f124ef2ed7ab417 520728 libdevel optional libarchive-dev_3.6.2-1+deb12u4_armhf.deb
 3c23c86444d5606dfc2d7439b83b6c1f 92596 debug optional libarchive-tools-dbgsym_3.6.2-1+deb12u4_armhf.deb
 f21f8aa57eeb2bed0bb752497ccdf32c 71028 utils optional libarchive-tools_3.6.2-1+deb12u4_armhf.deb
 bb38326a4f3f60565eae238bf628899f 1030320 debug optional libarchive13-dbgsym_3.6.2-1+deb12u4_armhf.deb
 971c7e238e7cc067698bb87ce58d3e2b 300980 libs optional libarchive13_3.6.2-1+deb12u4_armhf.deb
 56a121a1173d89eea7da6a2a016b8dd7 7829 libs optional libarchive_3.6.2-1+deb12u4_armhf-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE2kd8oHy+LXk/nybqvzDqKQSGl8UFAmn7jUUACgkQvzDqKQSG
l8WGqBAAs8qBIkqLZmC9dft5tUgbO2nbKALDOk9DGQMSGRSuF8zSUxT7npeBzJ3+
KJ4iNSzpPQCCsqMlHKd2a2f6xfgnh6hTM1V54S0sKla22VnXD/n9IMTnLEmvCwMY
9qKIrX9JztYGmLW8xFA9iJtpqbXD4LQgdxglyZBlvBuY7iFAf9TezOyq6L3DB4fv
ELHvj56kB5U0S5bmhkTXMWa+xVE3upvQGgTL5ByzbhYctgvBN+QuGrNpWmrtoJcY
/y72M5UcJK2kNjAv7zQOzI4KlVlGC5Rl6BzYJYo5+bdNqS2RQR8+74ixG9yXuqOf
p0te+lC7ty1iydIQt2eyCbCe9SGPyjq3OK2exeFQjxv0vSihn5tlgCBPdDuSi9BO
Qg7/uGKX12yvqSfWcrAfwSqy2B8D1jkGA/50GKiTYVpUJInWDT4iUtooj4GUi8Rj
f4aubbUXpibzXTv9lRuUiAElFaJHDSWsjhW3keW/HN2moviOjvufsWb5I7F2MYEV
K30gclsTJzct5yhmaevwM1AlYCVbrogXf7B4ig3hIPd5SGeKWJTP51ORoYdMi2X/
gdQd5tx1TIkB6vZ2fU5Q8VbZHbVN2f5hoSdieRdtEQNC6vH8MyLDAiZQtBmOv+e/
uYj9Q1Ez36wlY9M17PFOHPVFNdrtAqwUTvj4+55XI7rmYKNS74E=
=snTr
-----END PGP SIGNATURE-----
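The Checksums-Sha256 stanza above is what a consumer of this upload should check the downloaded .deb files against before installing them by hand (the MD5 digests in the Files stanza and the Checksums-Sha1 stanza are not collision-resistant). The script below is an added example, not part of Debian's dpkg or apt tooling: it parses only the Checksums-Sha256 stanza of a .changes file, compares size and SHA-256 of each listed file in a directory, and reports the four outcomes a practitioner cares about (intact, missing, truncated, altered). It assumes the clearsigned .changes file has already been signature-checked with `gpg --verify` against the Debian keyring; without that step the stanza only proves the files match whatever an unverified .changes file claims. The package file names reused from this upload are real; the payload bytes and the resulting stanza in `demo()` are constructed and are not the archive's actual contents.

```python
"""Verify downloaded .deb files against the Checksums-Sha256 stanza of a
Debian .changes file. Added example, not part of the Debian tooling.

Assumes the clearsigned .changes file was already verified, e.g.
`gpg --verify libarchive_3.6.2-1+deb12u4_armhf.changes`; this script
only checks that the files on disk match what the stanza claims.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# One continuation line of the stanza: " <sha256 hex> <size> <filename>"
SHA256_LINE = re.compile(r"^\s+([0-9a-f]{64})\s+(\d+)\s+(\S+)\s*$")


def parse_checksums_sha256(text: str) -> dict[str, tuple[str, int]]:
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    Only the indented continuation lines directly under 'Checksums-Sha256:'
    are read; the next top-level field (e.g. 'Files:') ends the stanza, so
    the MD5 entries in 'Files:' and the Checksums-Sha1 stanza are ignored.
    """
    entries: dict[str, tuple[str, int]] = {}
    in_stanza = False
    for line in text.splitlines():
        if not in_stanza:
            in_stanza = line.rstrip() == "Checksums-Sha256:"
            continue
        m = SHA256_LINE.match(line)
        if m is None:
            break  # a non-continuation line closes the stanza
        digest, size, name = m.groups()
        entries[name] = (digest, int(size))
    return entries


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large .deb files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(changes_text: str, directory: Path) -> dict[str, str]:
    """Return {filename: status}, status being one of
    'ok', 'missing', 'size-mismatch' or 'sha256-mismatch'.

    Size is checked first: it is free and catches truncated downloads,
    and the hash is only computed when the size agrees.
    """
    results: dict[str, str] = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        elif path.stat().st_size != size:
            results[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> dict[str, str]:
    """Constructed end-to-end run (fake payloads, not the real .deb contents):
    a stanza is generated from three files, then two of them are damaged and a
    fourth listed file is never written at all."""
    workdir = Path(tempfile.mkdtemp())
    payloads = {
        "libarchive13_3.6.2-1+deb12u4_armhf.deb": b"intact shared library\n",
        "libarchive-dev_3.6.2-1+deb12u4_armhf.deb": b"header files payload\n",
        "libarchive-tools_3.6.2-1+deb12u4_armhf.deb": b"bsdtar and friends\n",
    }
    lines = ["Format: 1.8", "Checksums-Sha256:"]
    for name, data in payloads.items():
        (workdir / name).write_bytes(data)
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    # Listed in the stanza but never downloaded (digest is a placeholder).
    lines.append(f" {'0' * 64} 7829 libarchive_3.6.2-1+deb12u4_armhf-buildd.buildinfo")
    # The MD5-based 'Files:' stanza must not be parsed as SHA-256 entries.
    lines.append("Files:")
    lines.append(" 00000000000000000000000000000000 22 libs optional ignored.deb")
    changes_text = "\n".join(lines) + "\n"

    # Same-size content change: only the hash can catch it ...
    (workdir / "libarchive-dev_3.6.2-1+deb12u4_armhf.deb").write_bytes(b"header files payloaX\n")
    # ... and a truncated download, caught by the size check alone.
    (workdir / "libarchive-tools_3.6.2-1+deb12u4_armhf.deb").write_bytes(b"bsdtar")
    return verify_downloads(changes_text, workdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

For real use, pass the text of the verified .changes file and the download directory to `verify_downloads` and refuse to `dpkg -i` anything whose status is not `ok`; anything other than `ok` for a file fetched from a mirror is worth treating as a supply-chain incident rather than a retry.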