-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Nov 2025 20:14:45 +0100
Source: libarchive
Architecture: source
Version: 3.4.3-2+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1107621 1107623 1107624 1107626
Changes:
 libarchive (3.4.3-2+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2025-5914 (Closes: #1107621)
     A vulnerability has been identified in the libarchive library,
     specifically within the archive_read_format_rar_seek_data() function.
     This flaw involves an integer overflow that can ultimately lead to a
     double-free condition. Exploiting a double-free vulnerability can
     result in memory corruption, enabling an attacker to execute arbitrary
     code or cause a denial-of-service condition.
   * Fix CVE-2025-5916 (Closes: #1107623)
     A vulnerability has been identified in the libarchive library. This
     flaw involves an integer overflow that can be triggered when processing
     a Web Archive (WARC) file that claims to have more than INT64_MAX - 4
     content bytes. An attacker could craft a malicious WARC archive to
     induce this overflow, potentially leading to unpredictable program
     behavior, memory corruption, or a denial-of-service condition within
     applications that process such archives using libarchive.
   * Fix CVE-2025-5917 (Closes: #1107626)
     A vulnerability has been identified in the libarchive library. This
     flaw involves an 'off-by-one' miscalculation when handling prefixes and
     suffixes for file names. This can lead to a 1-byte write overflow.
     While seemingly small, such an overflow can corrupt adjacent memory,
     leading to unpredictable program behavior, crashes, or in specific
     circumstances, could be leveraged as a building block for more
     sophisticated exploitation.
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the libarchive library. This
     flaw can be triggered when file streams are piped into bsdtar,
     potentially allowing for reading past the end of the file. This
     out-of-bounds read can lead to unintended consequences, including
     unpredictable program behavior, memory corruption, or a
     denial-of-service condition.
Checksums-Sha1:
 55e170220f9c8936323b42655d35bbb9bf223fc5 2543 libarchive_3.4.3-2+deb11u3.dsc
 53f1400ac71778d14615a66f89e04403548fae76 4811508 libarchive_3.4.3.orig.tar.xz
 b56d21a38824b2997fe0cb600df4c802b608377a 833 libarchive_3.4.3.orig.tar.xz.asc
 9788f473b34aa7bc8922c2c5e80239150ae7c2dc 40632 libarchive_3.4.3-2+deb11u3.debian.tar.xz
 40afd7e3c19bf03d92a4cf570073ff910d74c0d1 5664 libarchive_3.4.3-2+deb11u3_source.buildinfo
Checksums-Sha256:
 b0d05f440f8944a668850de28891ec686ed7b69ffb511a515ba4c2bf8b219e44 2543 libarchive_3.4.3-2+deb11u3.dsc
 0bfc3fd40491768a88af8d9b86bf04a9e95b6d41a94f9292dbc0ec342288c05f 4811508 libarchive_3.4.3.orig.tar.xz
 e43bdc701140383c9e4d90070a684026c05407c95b8fa26a71b20f19a704df89 833 libarchive_3.4.3.orig.tar.xz.asc
 ffc19257c88c9820a28c49f1a156ee73a26eddd2750c9104a70a1408ace8b995 40632 libarchive_3.4.3-2+deb11u3.debian.tar.xz
 f2f971a56fdc89810fa2b9f7ef67a5277d63b1f5ef223f2c377e4999029b0b6a 5664 libarchive_3.4.3-2+deb11u3_source.buildinfo
Files:
 8d9b628ad27165e2151cbf01f39c28e5 2543 libs optional libarchive_3.4.3-2+deb11u3.dsc
 4b216ea3015ecf8ae555a2026f9a6b73 4811508 libs optional libarchive_3.4.3.orig.tar.xz
 74a851a5f2d12379fcd0205526805919 833 libs optional libarchive_3.4.3.orig.tar.xz.asc
 f3969a3e873494cf75ae2fada5922905 40632 libs optional libarchive_3.4.3-2+deb11u3.debian.tar.xz
 507ca039976dcbba8fd314c95bc2e27c 5664 libs optional libarchive_3.4.3-2+deb11u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmkTeYkACgkQADoaLapB
CF+yMBAAsWzRGE3Sx+zCp93e9+vptVtcOizkAsyWIuNEruaTNPk7DSofwfdCe0Z5
P4t7SpuwoNtc0SVeIdlm3mJmepK841U1oWbHqHjz7C42z0ekCNHmkPj6EJY74zm3
Ez/eSqI4wIwV7O6IpW34FQAZMRYhHYvSQiKlTQNyv+DnmM6iOjl85+3OS7i3yGhr
zTGjFK84Yw4CGjtGs7CED+tY4mX7zh0vOZbpybfFNExO4DSb1A6ElJEBMZpGnR7U
MJxvQNlaLRHLYG2jMJ6GGmoT0IXKHB7gwQG60RfyEhodN+QQtxCCwZtv/PnjOQdi
AvNf0majfffrZHovs7hLWW4lIlBLX8rS4VfIbyn4WZ59UbWnijyYnpIM4iurtbxK
wpWqjbjL8kt2XjwPyVmElCL9sv27xN6Vg48FEO9NGLQ4yYErzJsK4n7zRnx+zpg4
IyLjpe2Fs/56jv0hRQKdlA8ZjYpPifPdg+r1ArTmn6QmBWAIzgXYTWt2DSmV+kXI
Vl9AFF0Q3Fv2mvERPoak1Zj2DmTrSUG3kMXxo2T/Qx6rvvzoc+DulqCsmtSBNgS1
oDfToDPlEQ8zMpORJZnoyVR6EAm4rSY99ieE2ZEAE1Y51uwhotnxth2PiRQ9ZLfc
RtiKi9vib+PlgSBXZ5a78f4AzN/d0SSZ3Dr5jb/fS2RzpKXaoc4=
=nSs7
-----END PGP SIGNATURE-----
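The Checksums-Sha1, Checksums-Sha256 and Files stanzas above are what a consumer of this upload should check a downloaded .dsc, .orig.tar.xz or .debian.tar.xz against. The following is an added example, not Debian tooling or anything from the libarchive project: it parses those stanzas (assuming the Format 1.8 layout of "digest size [section priority] name" per indented line, which is what the stanzas above use), cross-checks that every file is listed with the same size in the Sha256 and Files stanzas, and verifies a local file's size and SHA-256 digest. The embedded sample text is copied verbatim from the Checksums-Sha256 and Files stanzas of this .changes file.

```python
"""Verify downloaded Debian source artefacts against a .changes file.

Added example (not Debian's or libarchive's own code). Assumes the
Checksums-*/Files stanza layout used above: one indented line per file,
first token = digest, second token = size in bytes, last token = file name.
"""
import hashlib
import hmac
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Copied from the Checksums-Sha256 and Files stanzas of the
# libarchive 3.4.3-2+deb11u3 .changes file shown above.
CHANGES_TEXT = """\
Checksums-Sha256:
 b0d05f440f8944a668850de28891ec686ed7b69ffb511a515ba4c2bf8b219e44 2543 libarchive_3.4.3-2+deb11u3.dsc
 0bfc3fd40491768a88af8d9b86bf04a9e95b6d41a94f9292dbc0ec342288c05f 4811508 libarchive_3.4.3.orig.tar.xz
 e43bdc701140383c9e4d90070a684026c05407c95b8fa26a71b20f19a704df89 833 libarchive_3.4.3.orig.tar.xz.asc
 ffc19257c88c9820a28c49f1a156ee73a26eddd2750c9104a70a1408ace8b995 40632 libarchive_3.4.3-2+deb11u3.debian.tar.xz
 f2f971a56fdc89810fa2b9f7ef67a5277d63b1f5ef223f2c377e4999029b0b6a 5664 libarchive_3.4.3-2+deb11u3_source.buildinfo
Files:
 8d9b628ad27165e2151cbf01f39c28e5 2543 libs optional libarchive_3.4.3-2+deb11u3.dsc
 4b216ea3015ecf8ae555a2026f9a6b73 4811508 libs optional libarchive_3.4.3.orig.tar.xz
 74a851a5f2d12379fcd0205526805919 833 libs optional libarchive_3.4.3.orig.tar.xz.asc
 f3969a3e873494cf75ae2fada5922905 40632 libs optional libarchive_3.4.3-2+deb11u3.debian.tar.xz
 507ca039976dcbba8fd314c95bc2e27c 5664 libs optional libarchive_3.4.3-2+deb11u3_source.buildinfo
"""


@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    digest: str  # lowercase hex


def _stanza_lines(text: str, field: str) -> List[str]:
    """Return the space-indented continuation lines of a multi-line field.

    Works on a clearsigned .changes file too: the PGP armour lines and the
    other fields are not indented, so they simply end the current stanza.
    """
    out, inside = [], False
    for line in text.splitlines():
        if not line.startswith(" "):
            inside = line.rstrip() == field + ":"
            continue
        if inside and line.strip():
            out.append(line.strip())
    return out


def parse_checksums(text: str, field: str = "Checksums-Sha256") -> Dict[str, Entry]:
    """Map file name -> Entry for one stanza (Checksums-Sha1/Sha256 or Files)."""
    entries: Dict[str, Entry] = {}
    for line in _stanza_lines(text, field):
        tokens = line.split()
        if len(tokens) < 3:
            raise ValueError(f"malformed {field} line: {line!r}")
        digest, size, name = tokens[0], tokens[1], tokens[-1]
        entries[name] = Entry(name=name, size=int(size), digest=digest.lower())
    return entries


def size_mismatches(text: str) -> List[str]:
    """Names missing from either stanza, or listed with different sizes.

    The Files stanza carries only MD5, which is not collision resistant, so
    it is used here for the size cross-check only; digests come from SHA-256.
    """
    sha = parse_checksums(text, "Checksums-Sha256")
    files = parse_checksums(text, "Files")
    return sorted(
        n for n in set(sha) | set(files)
        if n not in sha or n not in files or sha[n].size != files[n].size
    )


def verify_bytes(entry: Entry, data: bytes) -> bool:
    """True iff data has the listed length and SHA-256 digest."""
    if len(data) != entry.size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, entry.digest)


def verify_file(path: Path, entries: Dict[str, Entry]) -> bool:
    """Verify a downloaded artefact by its base name; unknown names fail closed."""
    entry = entries.get(path.name)
    return entry is not None and verify_bytes(entry, path.read_bytes())


if __name__ == "__main__":
    table = parse_checksums(CHANGES_TEXT)
    print("size mismatches:", size_mismatches(CHANGES_TEXT) or "none")
    for p in Path(".").glob("libarchive_3.4.3*"):
        print(p.name, "OK" if verify_file(p, table) else "FAILED")
```

Run it in the directory holding the downloaded files. The digests only mean something once the .changes file itself has been checked against the uploader's key (for example with `gpg --verify` on the clearsigned text above); this parser deliberately does not perform that step, and an unsigned or tampered .changes file would verify any file its attacker chose to list.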