-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: ppc64el
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: ppc64el Build Daemon (ppc64el-osuosl-01)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read
     can lead to unintended consequences, including unpredictable program
     behavior, memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed, the
     decompression routine may enter a state where internal logic prevents
     forward progress. This condition results in an infinite loop that
     continuously consumes CPU resources. Because the archive passes checksum
     validation and appears structurally valid, affected applications cannot
     detect the issue before processing. This can allow attackers to cause
     persistent denial-of-service conditions in services that automatically
     process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to improper
     validation of the LZSS sliding window size after transitions between
     compression methods. A remote attacker can exploit this by providing a
     specially crafted RAR archive, leading to the disclosure of sensitive
     heap memory information without requiring authentication or user
     interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----