libarchive - Debian Package Tracker

general

source: libarchive (main)
version: 3.7.4-4
maintainer: Peter Pentchev (DMD)
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.4.3-2+deb11u1
o-o-sec: 3.4.3-2+deb11u2
oldstable: 3.6.2-1+deb12u3
old-sec: 3.6.2-1+deb12u2
stable: 3.7.4-4
testing: 3.7.4-4
unstable: 3.7.4-4

versioned links

3.4.3-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.4.3-2+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.2-1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.2-1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.7.4-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libarchive-dev
libarchive-tools (3 bugs: 0, 2, 1, 0)
libarchive13t64 (1 bugs: 0, 0, 1, 0)

action needed

A new upstream version is available: 3.8.0 high

A new upstream version 3.8.0 is available, you should consider packaging it.

Created: 2024-09-16 Last update: 2025-11-11 10:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-5918: A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

Created: 2025-06-09 Last update: 2025-11-09 23:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-5918: A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

Created: 2025-08-09 Last update: 2025-11-09 23:30

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-07-30 Last update: 2025-11-11 11:30

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.8.2-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit bbd3aa2e9e9c821d20fd995e2ca352656dfade6b
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sun Nov 9 18:44:19 2025 +0100

    Refresh patches

commit 6cb95b1f9d801cdc16e16efbea7e1a2ec6fc7547
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sun Nov 9 18:28:45 2025 +0100

    New upstream version

commit 7e223c65e77741e4500689bb5be8d6d25a4ebf54
Merge: a0855723 30e4c277
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sun Nov 9 18:25:10 2025 +0100

    Update upstream source from tag 'upstream/3.8.2'
    
    Update to upstream version '3.8.2'
    with Debian dir 0ac8532c602c6b24dcfffe958246ad5af125e143

commit a0855723c7fe093222b04d72caeecdc3c591f940
Author: Bastien Roucariès <rouca@debian.org>
Date:   Sun Nov 9 18:23:24 2025 +0100

    Improve watch file

commit c71391aebd16d597dea69807e16d0747883e52f5
Author: Peter Pentchev <roam@debian.org>
Date:   Tue Feb 18 15:39:42 2025 +0200

    Update the changelog file

commit 25cfcf1d73b5c4019f223e7fa0e3d993ee1c3aaf
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 14:33:14 2025 +0200

    Let dh_auto_test handle parallel running by itself

commit e0c866f9786e8f208464c7e38a54a926577e99f2
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 14:32:51 2025 +0200

    No longer create the en_US.UTF-8 locale for the tests

commit 95d2b32958bfb87fae2aff655aac3f44f18334e3
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 14:26:24 2025 +0200

    Use the C.UTF-8 locale for testing

commit ea7a06e99985c40d0ae57a86a2c84760a6d9a593
Author: Peter Pentchev <roam@debian.org>
Date:   Tue Feb 18 12:21:05 2025 +0200

    Salsa CI: temporarily disable reprotest

commit a5f985c66875f378c02b7bcb94b00b6e25ac2931
Author: Peter Pentchev <roam@debian.org>
Date:   Tue Feb 18 12:06:08 2025 +0200

    Add the unzip-test-env patch to fix a test

commit 6e2659d47cd4f52bfc30493dee3de3488e3d1e3d
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 15:10:24 2025 +0200

    Dump the logfiles for failed tests

commit 9f707c3de2b4a96f3d9b6270ae851e5577e2b837
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 14:18:16 2025 +0200

    Use the now-canonical Salsa CI pipeline definition

commit 10767f759bf9a67dd862992475f1ece63b5dd8c5
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 14:06:53 2025 +0200

    Add the year 2025 to my debian/* copyright notice

commit 953b1fbbb8b50fb8b872cd5816c87bd1a953597c
Author: Peter Pentchev <roam@debian.org>
Date:   Mon Feb 17 14:03:50 2025 +0200

    Run the test suite by default
    
    To invert the check/nocheck DEB_BUILD_OPTIONS logic, it is enough to
    drop our check altogether, since we use a recent version of
    debhelper that checks for "nocheck" automatically before
    invoking the test target at all.
    
    That sentence was fun to write.
    
    Addresses: !7

commit 50d556603c7dad3a648fdc7f2dda9cb82d91c2b9
Merge: 11e86ba6 446a727a
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Mon Nov 4 04:51:17 2024 +0000

    Merge branch 'sid-CVE-2024-20696' into 'master'
    
    rar4 reader: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
    
    See merge request debian/libarchive!7

commit 446a727a8b1f9a9eca48bfc1461bddb623509976
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Fri Nov 1 21:30:45 2024 +0100

    Prepare to release libarchive (3.7.4-1.1).

commit 3638f00009d62400816be52ca51a165ba991929e
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Fri Nov 1 21:29:28 2024 +0100

    rar4 reader: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
    
    Closes: #1086155

commit 11e86ba640412fa057d6181497589be5e71a1982
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 14:36:32 2024 +0300

    Prepare to upload libarchive/3.7.4-1 to unstable

commit ac1daaee12ae898155f49044a54fe0e8c0fe2e33
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 14:35:45 2024 +0300

    Update the changelog file

commit 26f67de58cd1de10d2445a13a26259ba49392e50
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 14:32:04 2024 +0300

    Use debputy's X-Style: black

commit 486dd6b76c61d6ebbd2d096a5f8bd4c98b4dd763
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 14:30:06 2024 +0300

    Update the Debian packaging for libarchive 3.7.4

commit 9b9c9f1996dc960d0b0757244536d788bec50626
Merge: bb7186e9 dc7fcdc3
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 14:17:15 2024 +0300

    Merge libarchive 3.7.4 into the Debian branch

commit bb7186e94a71c85eef09c5e13008449e2a4a7a53
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 14:09:44 2024 +0300

    Update the Debian packaging for libarchive 3.7.3

commit 066a9bd07a54f57cc2e7f56ff37567c4f7ea47e5
Merge: 9d081d15 511546ee
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 12:25:52 2024 +0300

    New upstream version 3.7.3

commit 9d081d15e999e749555222bf79a0853ae964dabf
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 11:36:28 2024 +0300

    Update the changelog file

commit 9a797cd22c3d97009a8059719bc56d7333f84444
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 11:23:52 2024 +0300

    Let debhelper take care of some default dependencies

commit eb72c1f08fab62ddbc6eee3f30f390674163ff91
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 11:18:07 2024 +0300

    Use debhelper compat level 14, use X-DH-Compat

commit 7e14d85d691ec01186a2b0dbbc639f4519883fe3
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 11:07:37 2024 +0300

    Declare compliance with Policy 4.7.0 with no changes

commit c2624323159b75b1b41062af0cea26d84703f56e
Author: Peter Pentchev <roam@debian.org>
Date:   Wed Aug 7 11:06:41 2024 +0300

    Drop a t64-related Lintian override
    
    Lintian was fixed to recognize the t64 package suffix.

commit dfa2cdd2aa2ca38be2b52f660b26964a70ec20a0
Merge: 570bf5b3 63cf3ab9
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Mon Jun 3 17:17:44 2024 +0000

    Merge branch 'CVE-2024-26256-fix' into 'master'
    
    fix: OOB in rar e8 filter (CVE-2024-26256) and other rar processing code issues
    
    See merge request debian/libarchive!6

commit 63cf3ab9a3d18a1bf6fa621db7ae9b14fcfc0aa6
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Sat Jun 1 15:50:57 2024 +0200

    Prepare to release libarchive (3.7.2-2.1).

commit 53e257d77ccfbc4eb1f1b35d72e231fdfdfe39bf
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Sat Jun 1 15:50:21 2024 +0200

    fix: OOB in rar audio filter

commit 1fb04b93922f2af9e2496070b3b57ec40d0ee098
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Sat Jun 1 15:49:30 2024 +0200

    fix: OOB in rar delta filter

commit fc5ac18bb47d0d83005447fe3f472ab6d3a7f40a
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Sat Jun 1 09:42:40 2024 +0200

    fix: OOB in rar e8 filter (CVE-2024-26256)
    
    Closes: #1072107

commit 570bf5b3b8c18880b47d3f86d1cbfccecc21b012
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 20:11:13 2024 +0200

    Prepare to upload libarchive/3.7.2-2 to unstable

commit 32a1d0761ad222ccb724e5d449c3076d97a063a3
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 20:10:38 2024 +0200

    Make it clear that static builds are not fine yet

commit 78ee040c9a5d810758a430a7f59f68a03657ded2
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 20:10:12 2024 +0200

    Update the changelog file

commit 31fcf28c3be82824c34dd115c7465748adb2b787
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 20:03:13 2024 +0200

    Add the robust-error-reporting upstream patch
    
    Closes: #1068047

commit a5c0608da44a15e2df72e848a0297dc914a7c90b
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 19:18:04 2024 +0200

    Switch the pkg-config dependency over to pkgconf

commit c7b3c420bb5c27902fda85dd37afa59aed249171
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 19:14:52 2024 +0200

    Update the changelog file

commit b688794f1961faf81c7a86c9c9c2c63bbbe8a160
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 19:14:04 2024 +0200

    Re-sort the dependencies lists in debian/control

commit ce26139fe9a04891f8787a614a8b8de21ea4a8be
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 19:11:48 2024 +0200

    Add the year 2024 to my debian/* copyright notice

commit c3c3334e261e95b6e0a8339af36ff791243d0e84
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 19:09:25 2024 +0200

    Revert "Add a (failing for the present) static minitar autopkgtest"
    
    The added -dev package dependences are not enough; libarchive's own
    configure mechanism needs to be adjusted.

commit 0dac1c6d61227efd9bf177e2396658bed5fcde99
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Mar 30 12:17:33 2024 +0200

    Import Lukas Märdian's 64-bit time_t NMU. Thanks!

commit ceab59f3c267168619ee85a8fd413c45ae621dd0
Merge: 9b80cc31 fa2288b9
Author: Peter Pentchev <roam@debian.org>
Date:   Tue Nov 21 07:30:52 2023 +0000

    Merge branch 'pc_deps' into 'master'
    
    libarchive-dev: depend on -dev packages to fix pkg-config --static --libs
    
    See merge request debian/libarchive!5

commit 9b80cc31366f8aba5621ab0651ea588681bdfa89
Author: Peter Pentchev <roam@debian.org>
Date:   Tue Nov 21 09:29:10 2023 +0200

    Add a (failing for the present) static minitar autopkgtest
    
    Add an autopkgtest that tries to build the minitar program with
    static linking. As noted in #1056317, this will currently fail due to
    insufficient dependencies for the libarchive-dev package.

commit fa2288b9fbd0c0f38281801c83726f53ef75e884
Author: Luca Boccassi <bluca@debian.org>
Date:   Mon Nov 20 15:18:01 2023 +0000

    libarchive-dev: depend on -dev packages to fix pkg-config --static --libs
    
    libarchive.pc lists:
    
    Libs.private: -lnettle -lacl -llzma -lzstd -llz4 -lbz2 -lz  -lxml2
    
    Those using 'pkg-config --static --libs archive' till now had to install
    all these dependencies by hand. List them explicitly, as it is commonly
    done due to the lack of automated toolings in the Debian build process.
    
    Closes: #1056317

commit 2836b280c1617840f28b4c431feec9ae065e5eab
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 18:29:02 2023 +0300

    Prepare to upload libarchive/3.7.2-1 to unstable

commit 615d9201fd4482234171ce478662556fd8d1aca3
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 18:17:44 2023 +0300

    Update the changelog file

commit 794aca391d412f0f4dbfe0f12d24e89b97b8957e
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 18:07:05 2023 +0300

    Add the test-zstd-32bit upstream patch

commit 71bee3a35cd64cb3c6ade9998edb166abedde6fc
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 18:04:20 2023 +0300

    Correct the Last-Update date in a patch I added today

commit 76975d1a75dd46e0b709534777c88c07480ef8d5
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 18:01:54 2023 +0300

    Update the Debian packaging for libarchive 3.7.2

commit ba231c3c44b3dd6d70319a0bb6568fb112519d08
Merge: 6fc0196a f462bbeb
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 17:50:05 2023 +0300

    Update upstream source from tag 'upstream/3.7.2'
    
    Update to upstream version '3.7.2'
    with Debian dir c0d3a770a95f2b67d53db9255cf4a6f511204ce4

commit 6fc0196abb142944a8e369be74f2659614853ec4
Author: Peter Pentchev <roam@debian.org>
Date:   Sat Oct 14 17:48:47 2023 +0300

    Update the changelog file

Created: 2025-02-17 Last update: 2025-11-10 22:30

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-09-21 Last update: 2025-09-21 16:04

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-08-15 Last update: 2025-08-27 05:00

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-5918: (needs triaging) A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-06-09 Last update: 2025-11-09 23:30

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-5918: (needs triaging) A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-06-09 Last update: 2025-11-09 23:30

debian/patches: 7 patches to forward upstream low

Among the 9 debian patches available in version 3.7.4-4 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-10-15 Last update: 2025-07-27 12:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-08-07 17:31

news

[rss feed]

[2025-08-27] Accepted libarchive 3.6.2-1+deb12u3 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
[2025-07-30] libarchive 3.7.4-4 MIGRATED to testing (Debian testing watch)
[2025-07-26] Accepted libarchive 3.7.4-4 (source) into unstable (Peter Pentchev)
[2025-05-08] libarchive 3.7.4-3 MIGRATED to testing (Debian testing watch)
[2025-04-27] Accepted libarchive 3.7.4-3 (source) into unstable (Peter Pentchev)
[2025-04-26] Accepted libarchive 3.7.4-2 (source) into unstable (Peter Pentchev)
[2024-11-11] Accepted libarchive 3.4.3-2+deb11u2 (source) into oldstable-security (Adrian Bunk)
[2024-11-11] Accepted libarchive 3.6.2-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-11-10] libarchive 3.7.4-1.1 MIGRATED to testing (Debian testing watch)
[2024-11-09] Accepted libarchive 3.6.2-1+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-11-03] Accepted libarchive 3.7.4-1.1 (source) into unstable (Salvatore Bonaccorso)
[2024-08-09] libarchive 3.7.4-1 MIGRATED to testing (Debian testing watch)
[2024-08-07] Accepted libarchive 3.7.4-1 (source) into unstable (Peter Pentchev)
[2024-06-09] Accepted libarchive 3.6.2-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-06-06] libarchive 3.7.2-2.1 MIGRATED to testing (Debian testing watch)
[2024-06-05] Accepted libarchive 3.6.2-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
[2024-06-03] Accepted libarchive 3.7.2-2.1 (source) into unstable (Salvatore Bonaccorso)
[2024-04-25] libarchive 3.7.2-2 MIGRATED to testing (Debian testing watch)
[2024-03-31] Accepted libarchive 3.7.2-2 (source) into unstable (Peter Pentchev)
[2024-02-29] Accepted libarchive 3.7.2-1.1 (source) into unstable (Lukas Märdian)
[2024-01-31] Accepted libarchive 3.7.2-1.1~exp1 (source) into experimental (Steve Langasek)
[2023-10-18] libarchive 3.7.2-1 MIGRATED to testing (Debian testing watch)
[2023-10-14] Accepted libarchive 3.7.2-1 (source) into unstable (Peter Pentchev)
[2023-01-30] Accepted libarchive 3.3.3-4+deb10u3 (source) into oldstable (Thorsten Alteholz)
[2022-12-27] libarchive 3.6.2-1 MIGRATED to testing (Debian testing watch)
[2022-12-27] libarchive 3.6.2-1 MIGRATED to testing (Debian testing watch)
[2022-12-24] Accepted libarchive 3.6.2-1 (source) into unstable (Peter Pentchev)
[2022-11-22] Accepted libarchive 3.3.3-4+deb10u2 (source) into oldstable (Sylvain Beucler)
[2022-04-30] Accepted libarchive 3.2.2-2+deb9u3 (source all amd64) into oldoldstable (Thorsten Alteholz)
[2022-04-02] libarchive 3.6.0-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 10
RC: 0
I&N: 7
M&W: 2
F&P: 1
patch: 1

links

homepage
lintian (0, 2)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.7.7-0ubuntu3
3 bugs
patches for 3.7.7-0ubuntu3