-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Nov 2025 20:14:45 +0100
Source: libarchive
Architecture: source
Version: 3.4.3-2+deb11u3
Distribution: bullseye-security
Urgency: medium
Maintainer: Peter Pentchev <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1107621 1107623 1107624 1107626
Changes:
 libarchive (3.4.3-2+deb11u3) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2025-5914 (Closes: #1107621)
     A vulnerability has been identified in the
     libarchive library, specifically within the
     archive_read_format_rar_seek_data() function.
     This flaw involves an integer overflow that can
     ultimately lead to a double-free condition.
     Exploiting a double-free vulnerability can result
     in memory corruption, enabling an attacker
     to execute arbitrary code or cause a denial-of-service condition.
   * Fix CVE-2025-5916 (Closes: #1107623)
     A vulnerability has been identified in the libarchive library. This
     flaw involves an integer overflow that can be triggered when
     processing a Web Archive (WARC) file that claims to have more than
     INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC
     archive to induce this overflow, potentially leading to unpredictable
     program behavior, memory corruption, or a denial-of-service condition
     within applications that process such archives using libarchive.
   * Fix CVE-2025-5917 (Closes: #1107626)
     A vulnerability has been identified in the libarchive library. This
     flaw involves an 'off-by-one' miscalculation when handling prefixes
     and suffixes for file names. This can lead to a 1-byte write
     overflow. While seemingly small, such an overflow can corrupt adjacent
     memory, leading to unpredictable program behavior, crashes, or in
     specific circumstances, could be leveraged as a building block for
     more sophisticated exploitation.
   * Fix CVE-2025-5918 (Closes: #1107624)
     A vulnerability has been identified in the
     libarchive library. This flaw can be triggered when
     file streams are piped into bsdtar, potentially
     allowing for reading past the end of the file.
     This out-of-bounds read can lead to unintended
     consequences, including unpredictable program behavior,
     memory corruption, or a denial-of-service condition.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
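
The CVE-2025-5916 entry above turns on a length field that may exceed INT64_MAX - 4. The following is an added example, not libarchive's code or the Debian patch, showing an overflow-safe way to parse a claimed WARC Content-Length and add the trailing bytes. The function names are hypothetical, and reading the 4 as the "\r\n\r\n" record trailer is an assumption based on the WARC record layout.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a decimal Content-Length value without overflowing int64_t.
 * Returns 0 on success, -1 on empty, non-numeric or too-large input. */
static int parse_content_length(const char *s, int64_t *out)
{
    int64_t v = 0;

    if (*s < '0' || *s > '9')
        return -1;
    for (; *s >= '0' && *s <= '9'; s++) {
        int d = *s - '0';
        if (v > (INT64_MAX - d) / 10)   /* v * 10 + d would overflow */
            return -1;
        v = v * 10 + d;
    }
    if (*s != '\0' && *s != '\r' && *s != '\n')
        return -1;                      /* trailing garbage after digits */
    *out = v;
    return 0;
}

/* Bytes a reader must consume for one record body: the content plus the
 * assumed 4-byte "\r\n\r\n" trailer. Computing cntlen + 4 unchecked is a
 * signed overflow (undefined behaviour) once cntlen > INT64_MAX - 4, so
 * the bound is tested before the addition. Hypothetical helper. */
int warc_body_span(const char *content_length, int64_t *span)
{
    int64_t cntlen;

    if (parse_content_length(content_length, &cntlen) != 0)
        return -1;
    if (cntlen > INT64_MAX - 4)
        return -1;                      /* reject instead of wrapping */
    *span = cntlen + 4;
    return 0;
}

int main(void)
{
    int64_t span = 0;
    /* Constructed inputs: an ordinary length, then INT64_MAX - 3. */
    printf("%d\n", warc_body_span("1024", &span));
    printf("%d\n", warc_body_span("9223372036854775804", &span));
    return 0;
}
```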
