Source: libarchive Version: 3.8.5-1 Severity: important Tags: security upstream Forwarded: https://github.com/libarchive/libarchive/issues/2904 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for libarchive. CVE-2026-5745[0]: | A flaw was found in libarchive. A NULL pointer dereference | vulnerability exists in the ACL parsing logic, specifically within | the archive_acl_from_text_nl() function. When processing a malformed | ACL string (such as a bare "d" or "default" tag without subsequent | fields), the function fails to perform adequate validation before | advancing the pointer. An attacker can exploit this by providing a | maliciously crafted archive, causing an application utilizing the | libarchive API (such as bsdtar) to crash, resulting in a Denial of | Service (DoS). If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-5745 https://www.cve.org/CVERecord?id=CVE-2026-5745 [1] https://github.com/libarchive/libarchive/issues/2904 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
