Control: severity -1 serious
Control: found -1 3.6.0-1

Hi Russ,

On Fri, Mar 29, 2024 at 07:24:13PM -0700, Russ Allbery wrote:
> Package: libarchive13t64
> Version: 3.7.2-1.1
> Severity: important
> X-Debbugs-Cc: r...@debian.org
> 
> So far it looks like no one has been able to figure out an obvious way
> for this to be exploitable, but I wanted to make sure that you were
> aware of this upstream issue:
> 
> https://github.com/libarchive/libarchive/pull/1609
> 
> The author of this commit is the same GitHub account that was used to
> create the xz backdoor. Upstream has merged a revert of this change at:
> 
> https://github.com/libarchive/libarchive/pull/2101
> 
> It may be worth expediting getting this change into Debian in case the
> potential attacker knows something that we don't. However, I don't have
> any reason to currently believe that this is a security vulnerability,
> so I've kept the severity at important and not applied the security tag.

Let's be on the safe side, and at least make it RC.

Regards,
Salvatore
