-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: mips64el
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-03)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.