-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 May 2026 16:30:19 +0700
Source: libarchive
Architecture: source
Version: 3.4.3-2+deb11u4
Distribution: bullseye-security
Urgency: medium
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Arnaud Rebillout <arnaudr@debian.org>
Closes: 1130753 1131444 1131446 1133002
Changes:
 libarchive (3.4.3-2+deb11u4) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2026-4111 (Closes: #1130753)
     A flaw was identified in the RAR5 archive decompression logic of the
     libarchive library, specifically within the archive_read_data()
     processing path. When a specially crafted RAR5 archive is processed,
     the decompression routine may enter a state where internal logic
     prevents forward progress. This condition results in an infinite loop
     that continuously consumes CPU resources. Because the archive passes
     checksum validation and appears structurally valid, affected
     applications cannot detect the issue before processing. This can allow
     attackers to cause persistent denial-of-service conditions in services
     that automatically process archives.
   * Fix CVE-2026-4424 (Closes: #1131446)
     A flaw was found in libarchive. This heap out-of-bounds read
     vulnerability exists in the RAR archive processing logic due to
     improper validation of the LZSS sliding window size after transitions
     between compression methods. A remote attacker can exploit this by
     providing a specially crafted RAR archive, leading to the disclosure of
     sensitive heap memory information without requiring authentication or
     user interaction.
   * Fix CVE-2026-4426 (Closes: #1131444)
     A flaw was found in libarchive. An Undefined Behavior vulnerability
     exists in the zisofs decompression logic, caused by improper validation
     of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A
     remote attacker can exploit this by supplying a specially crafted ISO
     file. This can lead to incorrect memory allocation and potential
     application crashes, resulting in a denial-of-service (DoS) condition.
   * Fix CVE-2026-5121 (Closes: #1133002)
     A flaw was found in libarchive. On 32-bit systems, an integer overflow
     vulnerability exists in the zisofs block pointer allocation logic. A
     remote attacker can exploit this by providing a specially crafted
     ISO9660 image, which can lead to a heap buffer overflow. This could
     potentially allow for arbitrary code execution on the affected system.
Checksums-Sha1:
 f2d1c17b4f9064b752e62a9b93c47799b3975bd7 2572 libarchive_3.4.3-2+deb11u4.dsc
 53f1400ac71778d14615a66f89e04403548fae76 4811508 libarchive_3.4.3.orig.tar.xz
 b56d21a38824b2997fe0cb600df4c802b608377a 833 libarchive_3.4.3.orig.tar.xz.asc
 ddf2a7ebd3f9c9e2c25cca01c51bdd7a1df72301 44852 libarchive_3.4.3-2+deb11u4.debian.tar.xz
 5f022238bb80af86bd8b0c7e99354036244d35f5 5792 libarchive_3.4.3-2+deb11u4_source.buildinfo
Checksums-Sha256:
 06497f051be9eae8924d62c3aba5837741f0ed8b2a3bc36e5c98fd4e9ef81278 2572 libarchive_3.4.3-2+deb11u4.dsc
 0bfc3fd40491768a88af8d9b86bf04a9e95b6d41a94f9292dbc0ec342288c05f 4811508 libarchive_3.4.3.orig.tar.xz
 e43bdc701140383c9e4d90070a684026c05407c95b8fa26a71b20f19a704df89 833 libarchive_3.4.3.orig.tar.xz.asc
 3a495053c96fa56274ad967255b0e5e63b2fb5af3e6f86eb687206dfae007ab8 44852 libarchive_3.4.3-2+deb11u4.debian.tar.xz
 b2bd74783184e79fdd38c35d0ee3b5b73861e4bf3971d6da619c066c87843bf5 5792 libarchive_3.4.3-2+deb11u4_source.buildinfo
Files:
 4f6e8082b2336b427e21e2af2a524af8 2572 libs optional libarchive_3.4.3-2+deb11u4.dsc
 4b216ea3015ecf8ae555a2026f9a6b73 4811508 libs optional libarchive_3.4.3.orig.tar.xz
 74a851a5f2d12379fcd0205526805919 833 libs optional libarchive_3.4.3.orig.tar.xz.asc
 3f3852a989013225980823215f2a32ff 44852 libs optional libarchive_3.4.3-2+deb11u4.debian.tar.xz
 be48c8812fefb4efe4d55afd324cb29c 5792 libs optional libarchive_3.4.3-2+deb11u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEE0Kl7ndbut+9n4bYs5yXoeRRgAhYFAmn5aIQTHGFybmF1ZHJA
ZGViaWFuLm9yZwAKCRDnJeh5FGACFnOWD/42XR33ev6MnQ/gZekTls6jZr4gSF1S
dkRBXVp+xFp5B3G4/2+Qld2yDfhjXIvWbh49DcNj2SRI5Aa3Dd1dMDObamEtJXD8
avxhaklsqJY2S+38AMQUwneua3AR0wT5qxfzKoCMzCxeXe8EoO843J5iBIkxY3fO
7MA8zWW4Usm94ohHqEAFaL9x/z/6n2litmy/fE3oQboVkafrUiMk861SEyrJX+Je
ro9v4uLuvgtWrVLLeYo8geu5kVrReAd+czHQ+NGTbvYR1cYXbqexBPdJtpjw7tlZ
PUKOiNefGlvNhOmbssAWS4xExRCjUM6iyo1pBm94aOuBHXae/BoKtZHLy+fVKd+d
Ha51+xEmNpSauCJWS+8WCC/9dMrdGY74AHidZ2Fhwt2YJf4fAO5oGt/DvFErtSNG
PmEu1BP8KRCuYsHYMzFMR3EtysZzi5fyykvm1Y+hZQ6NNWB4VpZTTmwIkuW1z4PL
sVxuVKUAbLB9q/zusETc4eoHw0pXsbWAC7mmHpwQA2GH+lVebMUwuvvgE+3mv5aP
YCQSepvCEuZw/xXneIupaH3XX5N8MUqDUw54BfgBvKGtoBbFT5F2WASh6Or4D6Nm
So6QJQE3Mwshb2wXFUfl5dgtkX0v+uaYHQK8rjWt6Ppep8AqLXi/mCk/mQNMApzs
LwWSzKohSAaxVg==
=0lmf
-----END PGP SIGNATURE-----