Package: libarchive13t64 Version: 3.7.2-1.1 Severity: important X-Debbugs-Cc: r...@debian.org
So far it looks like no one has been able to figure out an obvious way for this to be exploitable, but I wanted to make sure that you were aware of this upstream issue: https://github.com/libarchive/libarchive/pull/1609 The author of this commit is the same GitHub account that was used to create the xz backdoor. Upstream has merged a revert of this change at: https://github.com/libarchive/libarchive/pull/2101 It may be worth expediting getting this change into Debian in case the potential attacker knows something that we don't. However, I don't have any reason to currently believe that this is a security vulnerability, so I've kept the severity at important and not applied the security tag. -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (990, 'unstable'), (500, 'unstable-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.7.9-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages libarchive13t64 depends on: ii libacl1 2.3.2-1 ii libbz2-1.0 1.0.8-5.1 ii libc6 2.37-15.1 ii liblz4-1 1.9.4-1+b2 ii liblzma5 5.6.1+really5.4.5-1 ii libnettle8t64 3.9.1-2.2 ii libxml2 2.9.14+dfsg-1.3+b2 ii libzstd1 1.5.5+dfsg2-2 ii zlib1g 1:1.3.dfsg-3.1 libarchive13t64 recommends no packages. Versions of packages libarchive13t64 suggests: pn lrzip <none> -- no debconf information