-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 14:52:23 +0700
Source: libarchive
Binary: libarchive-dev libarchive-tools libarchive-tools-dbgsym libarchive13 libarchive13-dbgsym
Architecture: s390x
Version: 3.6.2-1+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: s390x Build Daemon (zandonai)
Changed-By: Arnaud Rebillout
Description:
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
 libarchive13 - Multi-format archive and compression library (shared library)
Closes: 1107624 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.6.2-1+deb12u4) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   [ Bastien Roucariès ]
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This flaw
     can be triggered when file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file. This out-of-bounds read can
     lead to unintended consequences, including unpredictable program behavior,
     memory corruption, or a denial-of-service condition.
 .
   [ Arnaud Rebillout ]
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data() processing
     path. When a specially crafted RAR5 archive is processed, the decompression
     routine may enter a state where internal logic prevents forward progress.
     This condition results in an infinite loop that continuously consumes CPU
     resources. Because the archive passes checksum validation and appears
     structurally valid, affected applications cannot detect the issue before
     processing. This can allow attackers to cause persistent denial-of-service
     conditions in services that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read vulnerability
     exists in the RAR archive processing logic due to improper validation of
     the LZSS sliding window size after transitions between compression methods.
     A remote attacker can exploit this by providing a specially crafted RAR
     archive, leading to the disclosure of sensitive heap memory information
     without requiring authentication or user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability exists
     in the zisofs decompression logic, caused by improper validation of a field
     (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker
     can exploit this by supplying a specially crafted ISO file. This can lead
     to incorrect memory allocation and potential application crashes, resulting
     in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A remote
     attacker can exploit this by providing a specially crafted ISO9660 image,
     which can lead to a heap buffer overflow. This could potentially allow for
     arbitrary code execution on the affected system.
Checksums-Sha1:
 c4e0feefcdf0fb561a56722cb96fd45e09e8bf44 534296 libarchive-dev_3.6.2-1+deb12u4_s390x.deb
 39b25102e85f235dd519bfc4b93b30cc199adb49 90680 libarchive-tools-dbgsym_3.6.2-1+deb12u4_s390x.deb
 f96f342e6051fb18eb118f490046f700abb140e5 72472 libarchive-tools_3.6.2-1+deb12u4_s390x.deb
 4846c507411e804bdadd839cec54deb6987b430a 1019444 libarchive13-dbgsym_3.6.2-1+deb12u4_s390x.deb
 2d30871b9766e298ff5190e182337e70d6b0985d 318416 libarchive13_3.6.2-1+deb12u4_s390x.deb
 36f57e32553c687ba60e000b7f6cef89fc2407c5 7841 libarchive_3.6.2-1+deb12u4_s390x-buildd.buildinfo
Checksums-Sha256:
 8215482ae61857bdfd164c581c4d0deb827b68ec6ff3515a0d09d4751f90687c 534296 libarchive-dev_3.6.2-1+deb12u4_s390x.deb
 f0915e9665e5a36983b7d1b3a61d19a88cff5d1842cb421fc2808ace1c46bc94 90680 libarchive-tools-dbgsym_3.6.2-1+deb12u4_s390x.deb
 8c2adeef55c2efb0a77ca80d3aaaf22056316e3e6bcba24e585708cfb13577c6 72472 libarchive-tools_3.6.2-1+deb12u4_s390x.deb
 742c7a2a080ada272cbe35febd8d3edbb83ee27ef2cf309b7fe72f2e53c643e4 1019444 libarchive13-dbgsym_3.6.2-1+deb12u4_s390x.deb
 7984fa31fabc8e162def0660ca96e3f8c87169a7b6306222a529419c55fe2017 318416 libarchive13_3.6.2-1+deb12u4_s390x.deb
 fbe82bf1c2027677b99cec749fb96d25eb6901cd134b384de897d0c9ac91185b 7841 libarchive_3.6.2-1+deb12u4_s390x-buildd.buildinfo
Files:
 1690be307e88835b330a9b8328860b78 534296 libdevel optional libarchive-dev_3.6.2-1+deb12u4_s390x.deb
 d6b4187218d7f5319376aede79c37da2 90680 debug optional libarchive-tools-dbgsym_3.6.2-1+deb12u4_s390x.deb
 09384a1e0ce17ce303d6257c2d434c32 72472 utils optional libarchive-tools_3.6.2-1+deb12u4_s390x.deb
 f4c6fa92d6b7235863488b4125b53495 1019444 debug optional libarchive13-dbgsym_3.6.2-1+deb12u4_s390x.deb
 4ce0cd4b7df38775b10b9a119f35beb7 318416 libs optional libarchive13_3.6.2-1+deb12u4_s390x.deb
 c0e06b89e63f70361d9d9d1dc975ba4c 7841 libs optional libarchive_3.6.2-1+deb12u4_s390x-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEENly2ANlpa4eeqnluvVOPI7pYNpgFAmn7jWYACgkQvVOPI7pY
NpiF6xAAnoLtBtim8q/k0v2uuvcfJyu4Kr9uX8YE6zx6qtR8EMzE/dPyJboeoiCN
Vgph6/0Wk1we9con2Gni8RXZCsdx13Ao/xIaikWPyY6PABHRl7RSpwNbVd4ZEjAT
/GwDzm+qXXCGGG7pOEycjpgl+8me7l2M71w3/gvSsmajgu2MxY8IuLBMgvCI4lz9
3v/yRlMbMmSa0WQgW63Ka97HKXbqbT6MNOplSy+bvHRM7cfDGiqcFlL5gdnC3c59
VaLhV1F2Ockd88+qdJj0X3Gpw0KBfg18tfJuaCht9l20mB2edDJA2sJrR4ToelNF
QXlG/jnsiKG24qIhMhy9bdf0Hmh86sIfg2jV/g8BQRmLcW4dYrTVLuvLTLx3HVk1
rpxUqnQpiaz7Qs+8TP2r9Pe5L80V8mP82sAwKkiQDYrmbkOOOxlFLBauchdJdrNK
Nqd1FxSQ7ESnaeSJir3vq57MdAfeonLhg2qQ9WTBtgN0hq8+2IAWD/qailTn6qUx
HUP2z6irhWc33/P5y20XV1PO/kQToz+92XyXoA4sfccQmeh8Z5ppbQ4iriEnf48n
5j1AeqHiQxfTVDn/skXjIWmX78WCZ0eVpASCulBVCqoGAGvSIdEqmgqKpBuzpgl/
nTmw7ym2WSHlN9wBA4NVO1M5BgTz09mGL3gneJeu/p6agf1vSks=
=sHQh
-----END PGP SIGNATURE-----