Your message dated Fri, 03 Jul 2026 15:49:23 +0000
with message-id <[email protected]>
and subject line Bug#1132998: fixed in libarchive 3.8.8-1
has caused the Debian Bug report #1132998,
regarding libarchive: CVE-2026-5745
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libarchive
Version: 3.8.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libarchive/libarchive/issues/2904
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libarchive.
CVE-2026-5745[0]:
| A flaw was found in libarchive. A NULL pointer dereference
| vulnerability exists in the ACL parsing logic, specifically within
| the archive_acl_from_text_nl() function. When processing a malformed
| ACL string (such as a bare "d" or "default" tag without subsequent
| fields), the function fails to perform adequate validation before
| advancing the pointer. An attacker can exploit this by providing a
| maliciously crafted archive, causing an application utilizing the
| libarchive API (such as bsdtar) to crash, resulting in a Denial of
| Service (DoS).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-5745
https://www.cve.org/CVERecord?id=CVE-2026-5745
[1] https://github.com/libarchive/libarchive/issues/2904
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.8.8-1
Done: Gabriel Barrantes <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gabriel Barrantes <[email protected]> (supplier of updated
libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 01:15:33 +0000
Source: libarchive
Architecture: source
Version: 3.8.8-1
Distribution: unstable
Urgency: medium
Maintainer: Gabriel Barrantes <[email protected]>
Changed-By: Gabriel Barrantes <[email protected]>
Closes: 1132998 1141180
Changes:
libarchive (3.8.8-1) unstable; urgency=medium
.
* New upstream release.
- Fix CVE-2026-5745 (Closes: #1132998).
- Fix CVE-2026-14164 (Closes: #1141180).
Checksums-Sha1:
8e9577b3a00817c6bb5ca25352ac7b97cac0fb04 2255 libarchive_3.8.8-1.dsc
b7d1c0cb133f1150cd1aca59e523e1ee0beb0095 6559080 libarchive_3.8.8.orig.tar.xz
3e672c65e4ad24de627730939028d85d89625146 25112 libarchive_3.8.8-1.debian.tar.xz
a1ff36f7075672a150e82b301d6dae0b7e78bd92 6412
libarchive_3.8.8-1_source.buildinfo
Checksums-Sha256:
2916e6bd292a3462432fe30b0bcbcc25a19e6129161942b13bc11c07b5ecce6e 2255
libarchive_3.8.8-1.dsc
3873a88801da067d0528a989af06877710529d50ee8fe6f3970cbb4302efb918 6559080
libarchive_3.8.8.orig.tar.xz
50ff57add316e45fc874162fd081f15470b0dda87f794e3b38fe34fac3923f5a 25112
libarchive_3.8.8-1.debian.tar.xz
d9ee4dc0d3b0dc954e2cc19c01c5b21a568ac15b8aa90eb5f8c428913a695d6d 6412
libarchive_3.8.8-1_source.buildinfo
Files:
2e72cfd92a159d69599ff1da79f4cb99 2255 libs optional libarchive_3.8.8-1.dsc
81a6d70daf20671ea2c5cd4bb1d371ae 6559080 libs optional
libarchive_3.8.8.orig.tar.xz
e92c1ef486adc60ca6b6f2af3d320133 25112 libs optional
libarchive_3.8.8-1.debian.tar.xz
15b711235d8bf20f7fc6fbec87148214 6412 libs optional
libarchive_3.8.8-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmpH0OkQHGJhZ2VAZGVi
aWFuLm9yZwAKCRAfXHqLRVZDFOLzDACuEDKcDpyn3PBs1KkGIGC0xZfhbGN9bB6/
Ket1CpWV0JfdpZNB6qR/pZzotXx4nScbi+XdD9NIRll9mlkI7EQMzSkmYYnM8wxC
dWi+YG0+fGWdqU8lBhAzNd4JE2eOaUFYAqXaH0xNgrBJLlVxRKnxqXt6ZfNjaCkv
UBLHZbkXkRpQUuq4jWPhLX9kaVy/2NMMMU7NBst8sUYEExI4o06Lj9AVCiC5Qnd1
szs/SBVtMQeSNphMGi2yZNDHqaebOpH+8aAAAsJPsN5wBeXp+KE2J/xXIs6L0hwc
R4oXzg/zY/ItYuEt/URRUDWEaNo9x93REGbzVGXDFEewxljWId0La3+NrEV4SNyJ
j+QDp8HFDIEh4IY8oZN/2jR+nGxqS7OaGFrgyplmbJ4fD+NXKOBfzrr8FmkYwrcA
k6xk52t4yOOxiqJT89A5ap6R8Q6QyJz87fHNY9LIi8FHoQQ1Ubel101TAseGUmT0
2L6mbjJhGWT0cEiZq91X3KLKE38sDKw=
=EJfz
-----END PGP SIGNATURE-----
pgpIJLDbDdEB0.pgp
Description: PGP signature
--- End Message ---