On Fri, Mar 29, 2024 at 07:24:13PM -0700, Russ Allbery wrote:
> So far it looks like no one has been able to figure out an obvious way
> for this to be exploitable, but I wanted to make sure that you were
> aware of this upstream issue:
>
> https://github.com/libarchive/libarchive/pull/1609
>
> The author of this commit is the same GitHub account that was used to
> create the xz backdoor. Upstream has merged a revert of this change at:
>
> https://github.com/libarchive/libarchive/pull/2101
>
> It may be worth expediting getting this change into Debian in case the
> potential attacker knows something that we don't. However, I don't have
> any reason to currently believe that this is a security vulnerability,
> so I've kept the severity at important and not applied the security tag.
I also noticed this; I sent an e-mail to secur...@debian.org about it,
921847da-a715-42c4-b87d-e8a1f0fb5...@schwengle.net.

FWIW, this also impacts Debian stable. The commit can be found in tags:
v3.7.2 v3.7.1 v3.7.0 v3.6.2 v3.6.1 v3.6.0. Debian stable ships 3.6.2-1.

Cheers,
Wesley
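The check behind "the commit can be found in tags: ..." is git's own ancestry query, which also answers the follow-up question of whether the revert has reached any tagged release yet. The script below is an added example written for this page, not something posted in the bug thread or taken from libarchive or Debian: it builds a throwaway repository with a constructed history (base commit, a suspect commit, two hypothetical release tags, and an untagged revert) so it runs offline, and then lists the tags whose history includes a given commit.

```shell
#!/bin/sh
# Added example, not from the bug report: which release tags contain a commit?
# Requires git. All commits, tags and file contents below are constructed.
set -eu

# Build a constructed repository in a temp dir and print its path.
# History: base -> suspect change (tagged v3.6.0) -> unrelated (tagged v3.6.1)
#          -> revert of the suspect change (not in any tag).
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email "editor@example.invalid"
  git -C "$repo" config user.name "Editor"
  git -C "$repo" config commit.gpgsign false

  printf 'int main(void) { return 0; }\n' > "$repo/main.c"
  git -C "$repo" add main.c
  git -C "$repo" commit -q -m "base"

  # The commit a security reviewer would be tracing (hypothetical content).
  printf '/* suspect change */\n' > "$repo/suspect.c"
  git -C "$repo" add suspect.c
  git -C "$repo" commit -q -m "suspect change"
  git -C "$repo" tag v3.6.0

  printf '/* unrelated */\n' > "$repo/other.c"
  git -C "$repo" add other.c
  git -C "$repo" commit -q -m "unrelated change"
  git -C "$repo" tag v3.6.1

  # Upstream merges a revert, but no release has been tagged since.
  git -C "$repo" revert --no-edit HEAD~1 >/dev/null

  echo "$repo"
}

# Print, one per line and sorted, every tag in repo $1 whose history
# contains commit $2 (any ref or sha that git can resolve).
tags_containing() {
  git -C "$1" tag --contains "$2" | sort
}

# Resolve the commit by subject line so the caller does not need a sha.
commit_by_subject() {
  git -C "$1" log --all --format=%H --grep="^$2\$" | head -n 1
}

if [ "${1:-}" = "demo" ]; then
  r=$(make_repo)
  s=$(commit_by_subject "$r" "suspect change")
  echo "suspect commit $s is in tags:"; tags_containing "$r" "$s"
  echo "revert (HEAD) is in tags:";     tags_containing "$r" HEAD
fi
```

Run with `sh script.sh demo`. The suspect commit is reported in both constructed tags while the revert is in none, which is the situation the thread describes: the affected tags are known, and the fix still has to be backported or wait for the next release. Against a real checkout the same two functions work unchanged with the real commit sha and the repository path.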