• Bug#1109830: unblock: libarchive/3.7.4-4

    From Peter Pentchev@21:1/5 to All on Thu Jul 24 17:10:01 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], [email protected]
    Control: affects -1 + src:libarchive
    User: [email protected]
    Usertags: unblock

    Please unblock package libarchive; this is a pre-approval request
    before I upload the package to unstable.

    [ Reason ]
    Apply four patches taken from later upstream releases for security
    issues tracked by the security team as CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and CVE-2025-5917.

    [ Impact ]
    Programs using libarchive may be tricked into mishandling specific
    types of archives, with effects ranging from undefined behavior to
    data disclosure.

    [ Tests ]
    Some of the patches also add tests to libarchive's unit test suite.

    [ Risks ]
    IMHO low; the fixes have been approved by the upstream authors and
    included in later libarchive releases.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    unblock libarchive/3.7.4-4


    Attachment: libarchive_3.7.4-4.debdiff

    diff -Nru libarchive-3.7.4/debian/changelog libarchive-3.7.4/debian/changelog --- libarchive-3.7.4/debian/changelog 2025-04-27 23:19:29.000000000 +0300
    +++ libarchive-3.7.4/debian/changelog 2025-07-24 17:40:32.000000000 +0300
    @@ -1,3 +1,11 @@
    +libarchive (3.7.4-4) unstable; urgency=medium
    +
    + * Add the CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and
    + CVE-2025-5917 patches.
    + Closes: #1107621, #1107622, #1107623, #1107626
    +
    + -- Peter Pentchev <[email protected]> Thu, 24 Jul 2025 17:40:32 +0300
    +
    libarchive (3.7.4-3) unstable; urgency=medium

    * Rename the CVE-2025-1632 patch to CVE-2025-1632-25724, use the exact
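    Review bot: the new changelog entry (`+ * Add the CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and` / `+ CVE-2025-5917 patches.`) names the four CVEs and the four bugs closed, but since the request says these patches are backports from later upstream releases, it would help reviewers to record which upstream release or commit each patch was taken from, either here or in each patch's DEP-3 Origin: field. Pairing each Closes: number with its CVE would also make the mapping unambiguous instead of leaving it to be inferred from the order of the two lists.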
    diff -Nru libarchive-3.7.4/debian/patches/CVE-2025-5914.patch libarchive-3.7.4/debian/patches/CVE-2025-5914.patch
    --- libarchive-3.7.4/debian/patches/CVE-2025-5914.patch 1970-01-01 02:00:00.000000000 +0200
    +++ libarchive-3.7.4/debian/patches/CVE-2025-5914.patch 2025-07-24 16:53:30.000000000 +0300
    @@ -0,0 +1,32 @@
    +Description: rar: Fix double free with over 4 billion nodes (#2598)
    + If a system is capable of handling 4 billion nodes in memory, a d
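    Review bot: this hunk is cut off after its second line in this copy of the debdiff (the header announces 32 added lines), so the patch body cannot be reviewed here; what is visible is the DEP-3 Description for CVE-2025-5914, referencing upstream #2598 (rar: double free with over 4 billion nodes). Please make sure the full header also carries the Origin: (upstream commit URL) and Bug-Debian: fields, which is worth double-checking given the later note in this thread that the DEP-3 header of CVE-2025-5916.patch needed fixing before upload.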
  • From Ivo De Decker@21:1/5 to Peter Pentchev on Sat Jul 26 14:10:03 2025
    XPost: linux.debian.devel.release

    Control: tags -1 confirmed moreinfo

    Hi,

    On Thu, Jul 24, 2025 at 05:56:23PM +0300, Peter Pentchev wrote:
    > Please unblock package libarchive; this is a pre-approval request
    > before I upload the package to unstable.

    Please go ahead with the upload and remove the moreinfo tag from this unblock request once the new upload has been in unstable for a few days, and you think it's ready to migrate.

    Thanks,

    Ivo

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Peter Pentchev@21:1/5 to Ivo De Decker on Sat Jul 26 16:40:01 2025
    XPost: linux.debian.devel.release

    On Sat, Jul 26, 2025 at 12:03:26PM +0000, Ivo De Decker wrote:
    > Control: tags -1 confirmed moreinfo
    >
    > Hi,
    >
    > On Thu, Jul 24, 2025 at 05:56:23PM +0300, Peter Pentchev wrote:
    > > Please unblock package libarchive; this is a pre-approval request
    > > before I upload the package to unstable.
    >
    > Please go ahead with the upload and remove the moreinfo tag from this unblock request once the new upload has been in unstable for a few days, and you think
    > it's ready to migrate.

    Thanks! I just uploaded it with a very, very minor change: a fixed DEP-3
    header for the new CVE-2025-5916.patch file.

    I will follow its progress through the buildd and autopkgtest infrastructure.

    G'luck,
    Peter

    --
    Peter Pentchev [email protected] [email protected] [email protected]
    PGP key: https://www.ringlet.net/roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
