-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4563-1 [email protected]
https://www.debian.org/lts/security/ Arnaud Rebillout
May 05, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : libarchive
Version : 3.4.3-2+deb11u4
CVE ID : CVE-2026-4111 CVE-2026-4424 CVE-2026-4426 CVE-2026-5121
Debian Bug : 1130753 1131444 1131446 1133002
Multiple vulnerabilities have been discovered in libarchive, a
multi-format archive and compression C library, which also provides the
following command-line tools: bsdcat, bsdcpio, bsdtar and bsdunzip.
CVE-2026-4111
A flaw was identified in the RAR5 archive decompression logic of the
libarchive library, specifically within the archive_read_data()
processing path. When a specially crafted RAR5 archive is processed,
the decompression routine may enter a state where internal logic
prevents forward progress. This condition results in an infinite loop
that continuously consumes CPU resources. Because the archive passes
checksum validation and appears structurally valid, affected
applications cannot detect the issue before processing. This can allow
attackers to cause persistent denial-of-service conditions in services
that automatically process archives.
CVE-2026-4424
A flaw was found in libarchive. This heap out-of-bounds read
vulnerability exists in the RAR archive processing logic due to
improper validation of the LZSS sliding window size after transitions
between compression methods. A remote attacker can exploit this by
providing a specially crafted RAR archive, leading to the disclosure
of sensitive heap memory information without requiring authentication
or user interaction.
CVE-2026-4426
A flaw was found in libarchive. An Undefined Behavior vulnerability
exists in the zisofs decompression logic, caused by improper
validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge
extensions. A remote attacker can exploit this by supplying a
specially crafted ISO file. This can lead to incorrect memory
allocation and potential application crashes, resulting in a
denial-of-service (DoS) condition.
CVE-2026-5121
A flaw was found in libarchive. On 32-bit systems, an integer overflow
vulnerability exists in the zisofs block pointer allocation logic. A
remote attacker can exploit this by providing a specially crafted
ISO9660 image, which can lead to a heap buffer overflow. This could
potentially allow for arbitrary code execution on the affected system.
For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u4.
We recommend that you upgrade your libarchive packages.
For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE0Kl7ndbut+9n4bYs5yXoeRRgAhYFAmn5bYkACgkQ5yXoeRRg
AhaiWg/8CFYOQe4T1Edd5pZHGiw6uzN7x50ljsnfks5lp8EtKSdRJZsateCPduiK
Yk9vGt3YHljyCWYERJzw+ZgmuXD7bLQnPVgjard44qDJL5NHuXQ7OUMKfvhLd6HH
b2iCigi5LzRJeXQBxIMXu7vsM/V0Gn60VtxgCP2g6y2ve1NYIC2bdQmqJ3NsS3+t
tMCRzyu3GxpyAxX8w/SUYQC+yZYnC1RthY6iDMWuDZj1yQmE+zrPMtxKvWn2Rkl3
gImrmZc8qHnJE9Li+TtIh5yt/UzNYjuhFD8I16Y65beeBZhbgxegPJxbb+OOauAQ
4tvcJzux8U5GYHMDU3mlttICP6IMWm2UpO4Uv2jueV0le0BnWc1yp7aG45w0K5ou
NLvaaMM+AaSpOPFpwobwBW3sj7Yvkkckyw06v8v22JyRx0fYW6oWdLtusdFPcaHR
AWt+D8TJ03IVs9skH04eJHWBZAkovILw1+1PMRmVDmN4QV93gYQTvmrXodx3oT8+
BnwO9Z6AqS2Lp5PwbgpGRvDn2ni8e3v4FU0PBZkWpFqoCKbJeUprF920oHqwmUo3
zO46fQvHwuW6eg1ScCazn7C/FA74fQtKzoWB1NLBN8O1CPnUto9JLE+q1Y1Au6rh
/+EPe8oBJogoP4hnc/sthfn9wdjEx60dILs3Xf6LTuh9VPLltsU=
=8l8N
-----END PGP SIGNATURE-----
