#1037093 libarchive: CVE-2023-30571

Package:
src:libarchive
Source:
src:libarchive
Submitter:
Salvatore Bonaccorso
Date:
2026-01-08 13:27:03 UTC
Severity:
normal
Tags:
#1037093#5
Date:
2023-06-04 13:04:47 UTC
Hi,

The following vulnerability was published for libarchive.

CVE-2023-30571[0]:
| Libarchive through 3.6.2 can cause directories to have world-writable
| permissions. The umask() call inside archive_write_disk_posix.c
| changes the umask of the whole process for a very short period of
| time; a race condition with another thread can lead to a permanent
| umask 0 setting. Such a race condition could lead to implicit
| directory creation with permissions 0777 (without the sticky bit),
| which means that any low-privileged local user can delete and rename
| files inside those directories.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30571
https://www.cve.org/CVERecord?id=CVE-2023-30571
[1] https://github.com/libarchive/libarchive/issues/1876

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

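The interleaving the CVE text describes, as an added illustration written for this report (it is not libarchive's code and not the upstream fix): the process-wide umask is modelled as a plain variable so the two callers' steps can be scripted, and `read_umask_linux` is an assumed Linux-only way to read the mask from /proc/self/status without modifying it.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Stand-in for the process-wide umask, so the interleaving can be scripted
 * (the real umask() syscall has the same set-and-return-old semantics). */
static mode_t process_umask;
static mode_t model_umask(mode_t new_mask)
{
    mode_t old = process_umask;
    process_umask = new_mask;
    return old;
}

/* Two callers run the "clear, then restore" read concurrently.
 * Interleaving: A clears, B clears (and sees 0 as the old value),
 * A restores the real mask, then B overwrites it with 0 for good. */
mode_t simulate_race(mode_t initial)
{
    process_umask = initial;
    mode_t a_saved = model_umask(0);
    mode_t b_saved = model_umask(0);
    model_umask(a_saved);
    model_umask(b_saved);
    return process_umask;  /* 0, whatever initial was */
}

/* The same two reads run one after the other: the mask survives. */
mode_t simulate_sequential(mode_t initial)
{
    process_umask = initial;
    model_umask(model_umask(0));
    model_umask(model_umask(0));
    return process_umask;
}

/* Assumed Linux-only alternative: read the umask from /proc/self/status
 * ("Umask:\t0022", available since Linux 4.7) without changing it.
 * Returns -1 when the file or the field is unavailable. */
long read_umask_linux(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned int mask;
    long result = -1;
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL)
        if (sscanf(line, "Umask: %o", &mask) == 1) { result = mask; break; }
    fclose(f);
    return result;
}
```

A directory created with mkdir(path, 0777) under the leaked mask of 0 ends up 0777, which is the outcome the CVE text warns about.
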
#1037093#10
Date:
2026-01-08 02:20:16 UTC
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Le Gonidec <vv221@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 08 Jan 2026 02:46:50 +0100
Source: libarchive
Architecture: source
Version: 3.8.4-1
Distribution: unstable
Urgency: medium
Maintainer: Gabriel Barrantes <gabriel.barrantes.dev@outlook.com>
Changed-By: Antoine Le Gonidec <vv221@debian.org>
Closes: 1037093 1122503
Changes:
 libarchive (3.8.4-1) unstable; urgency=medium
 .
   [ Gabriel Barrantes ]
   * New upstream release.
     - CVE-2025-60753 (Closes: #1037093).
   * Update debian/libarchive13t64.symbols.
   * Remove upstream-vcs-tag setting from debian/gbp.conf.
   * Delete debian/README.Debian, as it is no longer applicable.
   * Add debian/.gitignore.
   * Make minor improvements to debian/upstream/metadata.
   * Update debian/copyright file years, fix some typos.
   * Adopt the package (Closes: #1122503).
   * Drop obsolete patches:
     - debian/patches/typos.patch: forwarded upstream
     - debian/patches/test-locale-C.UTF-8.patch: originally added to help
       reprotest CI, but reprotest has since been replaced by debrebuild
       and tests now pass without it
 .
   [ Peter Pentchev ]
   * Run the test suite by default at package build time.
   * Add the year 2025 to my debian/* copyright notice.
   * Update the Salsa CI configuration:
     - use the now-canonical pipeline definition
     - temporarily disable reprotest, it interferes with some of
       the unit tests run at build time
   * Always run the unit test suite at build time:
     - dump the logfiles for failed tests
     - add the unzip-test-env patch to fix a test
     - use the C.UTF-8 locale for testing
     - no longer create the en_US.UTF-8 locale for the tests
     - let dh_auto_test handle parallel running by itself
 .
   [ Antoine Le Gonidec ]
   * Add myself as Uploader.