Debian Patches
Status for libarchive/3.7.4-4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| typos.patch | Correct some typographical errors. | Peter Pentchev <roam@ringlet.net> | yes | 2022-03-29 | ||
| fix-OOB-in-rar-delta-filter-2148.patch | fix: OOB in rar delta filter (#2148) Ensure that `src` won't move ahead of `dst`, so `src` will not OOB. Since `dst` won't move in this function, and we are only increasing `src` position, this check should be enough. It should be safe to early return because this function does not allocate resources. |
Wei-Cheng Pan <legnaleurc@gmail.com> | no | https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 | 2024-04-29 | |
| fix-OOB-in-rar-audio-filter-2149.patch | fix: OOB in rar audio filter (#2149) This patch ensures that `src` won't move ahead of `dst`, so `src` will not OOB. Similar situation like in a1cb648. |
Wei-Cheng Pan <legnaleurc@gmail.com> | no | https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b | 2024-04-29 | |
| rar4-reader-protect-copy_from_lzss_window_to_unp-217.patch | rar4 reader: protect copy_from_lzss_window_to_unp() (#2172) copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where both of its callers were holding a `size_t`. A lzss opcode chain could be constructed that resulted in a negative copy length, which when passed into memcpy would result in a very, very large positive number. Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to properly bounds-check length. In addition, this patch also ensures that `length` is not itself larger than the destination buffer. |
"Dustin L. Howett" <dustin@howett.net> | yes | debian upstream | https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1 | 2024-05-09 |
| CVE-2025-1632-25724.patch | fix CVE-2025-1632 and CVE-2025-25724 | Peter Kästle <peter@piie.net> | no | upstream, https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532 | 2025-04-27 | |
| CVE-2025-5914.patch | rar: Fix double free with over 4 billion nodes (#2598) If a system is capable of handling 4 billion nodes in memory, a double free could occur because of an unsigned integer overflow leading to a realloc call with size argument of 0. Eventually, the client will release that memory again, triggering a double free. |
Tobias Stoeckmann <tobias@stoeckmann.org> | no | debian | upstream, https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209 | 2025-07-24 |
| CVE-2025-5915.patch | rar: Fix heap-buffer-overflow (#2599) A filter block size must not be larger than the lzss window, which is defined by dictionary size, which in turn can be derived from unpacked file size. . While at it, improve error messages and fix lzss window wrap around logic. . Fixes https://github.com/libarchive/libarchive/issues/2565 |
Tobias Stoeckmann <tobias@stoeckmann.org> | no | debian | upstream, https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c | 2025-07-24 |
| CVE-2025-5916.patch | warc: Prevent signed integer overflow (#2568) If a warc archive claims to have more than INT64_MAX - 4 content bytes, the inevitable failure to skip all these bytes could lead to parsing data which should be ignored instead. . The test case contains a conversation entry with that many bytes and if the entry is not properly skipped, the warc implementation would read the conversation data as a new file entry. |
Tobias Stoeckmann <tobias@stoeckmann.org> | no | debian | upstream, https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403 | 2025-07-24 |
| CVE-2025-5917.patch | Fix overflow in build_ustar_entry (#2588) The calculations for the suffix and prefix can increment the endpoint for a trailing slash. Hence the limits used should be one lower than the maximum number of bytes. . Without this patch, when this happens for both the prefix and the suffix, we end up with 156 + 100 bytes, and the write of the null at the end will overflow the 256 byte buffer. This can be reproduced by running ``` mkdir -p foo/bar bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar ``` when bsdtar is compiled with Address Sanitiser, although I originally noticed this by accident with a genuine filename on a CHERI capability system, which faults immediately on the buffer overflow. |
Brian Campbell <Brian.Campbell@ed.ac.uk> | no | debian | upstream, https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85 | 2025-07-24 |
All known versions for source package 'libarchive'
- 3.7.4-4 (trixie, sid, forky)
- 3.6.2-1+deb12u3 (bookworm)
- 3.6.2-1+deb12u2 (bookworm-security)