- Package:
- release.debian.org
- Source:
- release.debian.org
- Submitter:
- Peter Pentchev
- Date:
- 2026-05-06 17:55:01 UTC
- Severity:
- normal
- Tags:
[ Reason ]
Revert a change made by the same person that smuggled the backdoor into xz. See #1068047 for more details.

[ Impact ]
In the discussion in the upstream bugtracker, the consensus is that the reverted change may not really introduce any vulnerability, but still some concerns were expressed regarding some unlikely scenarios. It might be a safer bet to revert it, just in case.

[ Tests ]
None yet.

[ Risks ]
The change reverting the previous one is straightforward, limited to a specific piece of code (specific error logging in the bsdtar(1) command-line tool), and changes the source code back to using the same error reporting functions that are used elsewhere throughout the bsdtar and libarchive source code. Thus, IMHO the risks are negligible, if any.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Introduce a patch that uses libarchive's own error reporting functions instead of unchecked fprintf().
Right, so it seems that I was a bit impatient filing this bug, right after I got the "processing" e-mail from the archive for libarchive-3.7.2-2 in unstable, but before I got the "accepted" one... and before I had noticed the d-d-a e-mail about the paused archive processing. So yeah, this is still a pre-upload approval request, but it will apparently need to wait until 3.7.2-2 makes it into unstable :) Thanks in advance, and sorry for the bother! G'luck, Peter
Hi, Please go ahead. However I wonder if you also want to wait for a patch for https://github.com/libarchive/libarchive/issues/2107 and include that? If so please un-confirm this bug and provide an updated debdiff when ready. Thanks,
Hi, This request was approved for 12.6 but not uploaded in time; is it still relevant for 12.7? Thanks,
hi Peter, Can you rebase your changes post 12.8 to have it included in 12.9? Regards, Salvatore
Hi Peter, There is an upcoming point release for bookworm soon, are you still interested in getting that in? Regards, Salvatore
package release.debian.org
tags 1068106 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: libarchive
Version: 3.6.2-1+deb12u3

Explanation: fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over-read issue [CVE-2025-5915], buffer overflow issue [CVE-2025-5917]
Control: tags -1 +confirmed -pending

It was pointed out that I mixed up two different changes to the same package here. Fixing.

Regards,

Adam
Hi Peter, There is little time yet for the next one, do you have time to rebase those on top of the changes from Moritz, so on top of 3.6.2-1+deb12u3 as 3.6.2-1+deb12u4? Regards, Salvatore
Things have moved on again, so this would now need to be rebased on top of 3.6.2-1+deb12u4 to become 3.6.2-1+deb12u5. Note that the window for the penultimate bookworm point release is closing this coming weekend. Regards, Adam