Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libarchive
User: [email protected]
Usertags: pu

[ Reason ]
Fix no-dsa issues:
CVE-2025-5918 CVE-2026-4111 CVE-2026-4424 CVE-2026-4426 CVE-2026-5121

All of those were just fixed in Debian LTS bullseye, and I'm now proposing those fixes for trixie and bookworm. I reached out to the maintainers of libarchive and got an ack from Syed (CCed to this bug report).

[ Impact ]
Users are vulnerable to those CVEs.

[ Tests ]
CVE-2025-5918, CVE-2026-4111, CVE-2026-4426 and CVE-2026-5121 come with a test case. Note that CVE-2026-4426 and CVE-2026-5121 are in fact fixed by the same patch, although there were two separate pull requests upstream, and only the second one came with a test case.

CVE-2026-4424 doesn't have any test case, but the fix is very small and applies cleanly.

[ Risks ]
All of the patches are targeted fixes and apply cleanly. Except for CVE-2025-5918 (applied by Rouca): it is not trivial; however, it comes with a test case, and it was released in Debian LTS back in November 2025 (in version 3.4.3-2+deb11u3); no issues were reported.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2025-5918 (Closes: #1107624)
* Fix CVE-2026-4111 (Closes: #1130753)
* Fix CVE-2026-4424 (Closes: #1131446)
* Fix CVE-2026-4426 (Closes: #1131444)
* Fix CVE-2026-5121 (Closes: #1133002)
* Move debian/gitlab-ci.yml -> debian/salsa-ci.yml

[ Other info ]
Debusine results: https://debusine.debian.net/debian/developers/work-request/627284/
Commits at: https://salsa.debian.org/arnaudr/libarchive/-/tree/debian/trixie?ref_type=heads

Thanks,
Arnaud

diff -Nru libarchive-3.7.4/debian/changelog libarchive-3.7.4/debian/changelog --- libarchive-3.7.4/debian/changelog 2025-07-24 21:40:32.000000000 +0700 +++ libarchive-3.7.4/debian/changelog 2026-04-24 11:36:34.000000000 +0700 
@@ -1,3 +1,50 @@ +libarchive (3.7.4-4+deb13u1) trixie; urgency=medium + + * Non-maintainer upload by the LTS team. + + [ Bastien Roucaries ] + * Fix CVE-2025-5918 (Closes: #1107624) + A vulnerability has been identified in the libarchive library. This flaw + can be triggered when file streams are piped into bsdtar, potentially + allowing for reading past the end of the file. This out-of-bounds read + can lead to unintended consequences, including unpredictable program + behavior, memory corruption, or a denial-of-service condition. + + [ Arnaud Rebillout ] + * Fix CVE-2026-4111 (Closes: #1130753) + A flaw was identified in the RAR5 archive decompression logic of the + libarchive library, specifically within the archive_read_data() processing + path. When a specially crafted RAR5 archive is processed, the + decompression routine may enter a state where internal logic prevents + forward progress. This condition results in an infinite loop that + continuously consumes CPU resources. Because the archive passes checksum + validation and appears structurally valid, affected applications cannot + detect the issue before processing. This can allow attackers to cause + persistent denial-of-service conditions in services that automatically + process archives. + * Fix CVE-2026-4424 (Closes: #1131446) + A flaw was found in libarchive. This heap out-of-bounds read vulnerability + exists in the RAR archive processing logic due to improper validation of + the LZSS sliding window size after transitions between compression + methods. A remote attacker can exploit this by providing a specially + crafted RAR archive, leading to the disclosure of sensitive heap memory + information without requiring authentication or user interaction. + * Fix CVE-2026-4426 (Closes: #1131444) + A flaw was found in libarchive. An Undefined Behavior vulnerability exists + in the zisofs decompression logic, caused by improper validation of a + field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. 
A remote + attacker can exploit this by supplying a specially crafted ISO file. This + can lead to incorrect memory allocation and potential application crashes, + resulting in a denial-of-service (DoS) condition. + * Fix CVE-2026-5121 (Closes: #1133002) + A flaw was found in libarchive. On 32-bit systems, an integer overflow + vulnerability exists in the zisofs block pointer allocation logic. A + remote attacker can exploit this by providing a specially crafted ISO9660 + image, which can lead to a heap buffer overflow. This could potentially + allow for arbitrary code execution on the affected system. + + -- Arnaud Rebillout <[email protected]> Fri, 24 Apr 2026 11:36:34 +0700 + libarchive (3.7.4-4) unstable; urgency=medium * Add the CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and diff -Nru libarchive-3.7.4/debian/gitlab-ci.yml libarchive-3.7.4/debian/gitlab-ci.yml --- libarchive-3.7.4/debian/gitlab-ci.yml 2025-07-24 21:40:32.000000000 +0700 +++ libarchive-3.7.4/debian/gitlab-ci.yml 1970-01-01 08:00:00.000000000 +0800 @@ -1,3 +0,0 @@ -include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff -Nru libarchive-3.7.4/debian/patches/CVE-2025-5918_1.patch libarchive-3.7.4/debian/patches/CVE-2025-5918_1.patch --- libarchive-3.7.4/debian/patches/CVE-2025-5918_1.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2025-5918_1.patch 2026-04-24 11:36:34.000000000 +0700 
@@ -0,0 +1,214 @@ +From: Tobias Stoeckmann <[email protected]> +Date: Tue, 15 Apr 2025 06:02:17 +0200 +Subject: Do not skip past EOF while reading (#2584) + +Make sure to not skip past end of file for better error messages. One +such example is now visible with rar testsuite. You can see the +difference already by an actually not useless use of cat: + +``` +$ cat .../test_read_format_rar_ppmd_use_after_free.rar | bsdtar -t +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Truncated input file (needed 119 bytes, only 0 available) +bsdtar: Error exit delayed from previous errors. +``` + +compared to + +``` +$ bsdtar -tf .../test_read_format_rar_ppmd_use_after_free.rar +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Archive entry has empty or unreadable filename ... skipping. +bsdtar: Error exit delayed from previous errors. +``` + +Since the former cannot lseek, the error is a different one +(ARCHIVE_FATAL vs ARCHIVE_EOF). The piped version states explicitly that +truncation occurred, while the latter states EOF because the skip past +the end of file was successful. 
+ +Signed-off-by: Tobias Stoeckmann <[email protected]> +(cherry picked from commit dcbf1e0ededa95849f098d154a25876ed5754bcf) +origin: https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf +--- + libarchive/archive_read_open_fd.c | 13 ++++++++++--- + libarchive/archive_read_open_file.c | 33 +++++++++++++++++++++++++-------- + libarchive/archive_read_open_filename.c | 16 ++++++++++++---- + libarchive/test/test_read_format_rar.c | 6 +++--- + 4 files changed, 50 insertions(+), 18 deletions(-) + +diff --git a/libarchive/archive_read_open_fd.c b/libarchive/archive_read_open_fd.c +index 739fa37..3f975ab 100644 +--- a/libarchive/archive_read_open_fd.c ++++ b/libarchive/archive_read_open_fd.c +@@ -52,6 +52,7 @@ + struct read_fd_data { + int fd; + size_t block_size; ++ int64_t size; + char use_lseek; + void *buffer; + }; +@@ -95,6 +96,7 @@ archive_read_open_fd(struct archive *a, int fd, size_t block_size) + if (S_ISREG(st.st_mode)) { + archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino); + mine->use_lseek = 1; ++ mine->size = st.st_size; + } + #if defined(__CYGWIN__) || defined(_WIN32) + setmode(mine->fd, O_BINARY); +@@ -151,9 +153,14 @@ file_skip(struct archive *a, void *client_data, int64_t request) + if (skip == 0) + return (0); + +- if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) && +- ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)) +- return (new_offset - old_offset); ++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) { ++ if (old_offset >= mine->size || ++ skip > mine->size - old_offset) { ++ /* Do not seek past end of file. */ ++ errno = ESPIPE; ++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) ++ return (new_offset - old_offset); ++ } + + /* If seek failed once, it will probably fail again. 
*/ + mine->use_lseek = 0; +diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c +index 10f872b..c7c1090 100644 +--- a/libarchive/archive_read_open_file.c ++++ b/libarchive/archive_read_open_file.c +@@ -52,6 +52,7 @@ + struct read_FILE_data { + FILE *f; + size_t block_size; ++ int64_t size; + void *buffer; + char can_skip; + }; +@@ -90,6 +91,7 @@ archive_read_open_FILE(struct archive *a, FILE *f) + archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino); + /* Enable the seek optimization only for regular files. */ + mine->can_skip = 1; ++ mine->size = st.st_size; + } else + mine->can_skip = 0; + +@@ -129,6 +131,7 @@ file_skip(struct archive *a, void *client_data, int64_t request) + #else + long skip = (long)request; + #endif ++ int64_t old_offset, new_offset; + int skip_bits = sizeof(skip) * 8 - 1; + + (void)a; /* UNUSED */ +@@ -152,19 +155,33 @@ file_skip(struct archive *a, void *client_data, int64_t request) + + #ifdef __ANDROID__ + /* fileno() isn't safe on all platforms ... see above. 
*/ +- if (lseek(fileno(mine->f), skip, SEEK_CUR) < 0) ++ old_offset = lseek(fileno(mine->f), 0, SEEK_CUR); + #elif HAVE__FSEEKI64 +- if (_fseeki64(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = _ftelli64(mine->f); + #elif HAVE_FSEEKO +- if (fseeko(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = ftello(mine->f); + #else +- if (fseek(mine->f, skip, SEEK_CUR) != 0) ++ old_offset = ftell(mine->f); + #endif +- { +- mine->can_skip = 0; +- return (0); ++ if (old_offset >= 0) { ++ if (old_offset < mine->size && ++ skip <= mine->size - old_offset) { ++#ifdef __ANDROID__ ++ new_offset = lseek(fileno(mine->f), skip, SEEK_CUR); ++#elif HAVE__FSEEKI64 ++ new_offset = _fseeki64(mine->f, skip, SEEK_CUR); ++#elif HAVE_FSEEKO ++ new_offset = fseeko(mine->f, skip, SEEK_CUR); ++#else ++ new_offset = fseek(mine->f, skip, SEEK_CUR); ++#endif ++ if (new_offset >= 0) ++ return (new_offset - old_offset); ++ } + } +- return (request); ++ ++ mine->can_skip = 0; ++ return (0); + } + + +diff --git a/libarchive/archive_read_open_filename.c b/libarchive/archive_read_open_filename.c +index d5856d9..c405471 100644 +--- a/libarchive/archive_read_open_filename.c ++++ b/libarchive/archive_read_open_filename.c +@@ -74,6 +74,7 @@ struct read_file_data { + size_t block_size; + void *buffer; + mode_t st_mode; /* Mode bits for opened file. */ ++ int64_t size; + char use_lseek; + enum fnt_e { FNT_STDIN, FNT_MBS, FNT_WCS } filename_type; + union { +@@ -400,8 +401,10 @@ file_open(struct archive *a, void *client_data) + mine->st_mode = st.st_mode; + + /* Disk-like inputs can use lseek(). 
*/ +- if (is_disk_like) ++ if (is_disk_like) { + mine->use_lseek = 1; ++ mine->size = st.st_size; ++ } + + return (ARCHIVE_OK); + fail: +@@ -495,9 +498,14 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request) + skip = max_skip; + } + +- if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 && +- (new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) +- return (new_offset - old_offset); ++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) { ++ if (old_offset >= mine->size || ++ skip > mine->size - old_offset) { ++ /* Do not seek past end of file. */ ++ errno = ESPIPE; ++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) ++ return (new_offset - old_offset); ++ } + + /* If lseek() fails, don't bother trying again. */ + mine->use_lseek = 0; +diff --git a/libarchive/test/test_read_format_rar.c b/libarchive/test/test_read_format_rar.c +index dce567a..fce44a9 100644 +--- a/libarchive/test/test_read_format_rar.c ++++ b/libarchive/test/test_read_format_rar.c +@@ -3829,8 +3829,8 @@ DEFINE_TEST(test_read_format_rar_ppmd_use_after_free) + assertA(ARCHIVE_OK == archive_read_next_header(a, &ae)); + assertA(archive_read_data(a, buf, sizeof(buf)) <= 0); + +- /* Test EOF */ +- assertA(1 == archive_read_next_header(a, &ae)); ++ /* Test for truncation */ ++ assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae)); + + assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); +@@ -3856,7 +3856,7 @@ DEFINE_TEST(test_read_format_rar_ppmd_use_after_free2) + assertA(archive_read_data(a, buf, sizeof(buf)) <= 0); + + /* Test EOF */ +- assertA(1 == archive_read_next_header(a, &ae)); ++ assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae)); + + assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); diff -Nru libarchive-3.7.4/debian/patches/CVE-2025-5918_2.patch libarchive-3.7.4/debian/patches/CVE-2025-5918_2.patch --- 
libarchive-3.7.4/debian/patches/CVE-2025-5918_2.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2025-5918_2.patch 2026-04-24 11:36:34.000000000 +0700 
@@ -0,0 +1,47 @@ +From: Tobias Stoeckmann <[email protected]> +Date: Tue, 27 May 2025 17:09:12 +0200 +Subject: Fix FILE_skip regression + +The fseek* family of functions return 0 on success, not the new offset. +This is only true for lseek. + +Fixes https://github.com/libarchive/libarchive/issues/2641 +Fixes dcbf1e0ededa95849f098d154a25876ed5754bcf + +Signed-off-by: Tobias Stoeckmann <[email protected]> +origin: https://github.com/libarchive/libarchive/commit/51b4c35bb38b7df4af24de7f103863dd79129b01 +--- + libarchive/archive_read_open_file.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c +index c7c1090..538e65d 100644 +--- a/libarchive/archive_read_open_file.c ++++ b/libarchive/archive_read_open_file.c +@@ -131,7 +131,7 @@ file_skip(struct archive *a, void *client_data, int64_t request) + #else + long skip = (long)request; + #endif +- int64_t old_offset, new_offset; ++ int64_t old_offset, new_offset = -1; + int skip_bits = sizeof(skip) * 8 - 1; + + (void)a; /* UNUSED */ +@@ -169,11 +169,14 @@ file_skip(struct archive *a, void *client_data, int64_t request) + #ifdef __ANDROID__ + new_offset = lseek(fileno(mine->f), skip, SEEK_CUR); + #elif HAVE__FSEEKI64 +- new_offset = _fseeki64(mine->f, skip, SEEK_CUR); ++ if (_fseeki64(mine->f, skip, SEEK_CUR) == 0) ++ new_offset = _ftelli64(mine->f); + #elif HAVE_FSEEKO +- new_offset = fseeko(mine->f, skip, SEEK_CUR); ++ if (fseeko(mine->f, skip, SEEK_CUR) == 0) ++ new_offset = ftello(mine->f); + #else +- new_offset = fseek(mine->f, skip, SEEK_CUR); ++ if (fseek(mine->f, skip, SEEK_CUR) == 0) ++ new_offset = ftell(mine->f); + #endif + if (new_offset >= 0) + return (new_offset - old_offset); diff -Nru libarchive-3.7.4/debian/patches/CVE-2025-5918-pre1.patch libarchive-3.7.4/debian/patches/CVE-2025-5918-pre1.patch --- libarchive-3.7.4/debian/patches/CVE-2025-5918-pre1.patch 1970-01-01 08:00:00.000000000 +0800 +++ 
libarchive-3.7.4/debian/patches/CVE-2025-5918-pre1.patch 2026-04-24 11:36:34.000000000 +0700 
@@ -0,0 +1,315 @@ +From: Tobias Stoeckmann <[email protected]> +Date: Sun, 6 Apr 2025 22:34:37 +0200 +Subject: Improve lseek handling (#2564) + +The skip functions are limited to 1 GB for cases in which libarchive +runs on a system with an off_t or long with 32 bits. This has negative +impact on 64 bit systems. + +Instead, make sure that _all_ subsequent functions truncate properly. +Some of them already did and some had regressions for over 10 years. + +Tests pass on Debian 12 i686 configured with --disable-largefile, i.e. +running with an off_t with 32 bits. + +Casts added where needed to still pass MSVC builds. + +--------- + +Signed-off-by: Tobias Stoeckmann <[email protected]> +(cherry picked from commit 89b8c35ff4b5addc08a85bf5df02b407f8af1f6c) +origin: backport, https://github.com/libarchive/libarchive/commit/89b8c35ff4b5addc08a85bf5df02b407f8af1f6c +--- + libarchive/archive_read.c | 6 ---- + libarchive/archive_read_disk_posix.c | 3 +- + libarchive/archive_read_open_fd.c | 29 ++++++++++++----- + libarchive/archive_read_open_file.c | 56 ++++++++++++++++++++++++++++++++- + libarchive/archive_read_open_filename.c | 37 ++++++++++++++++------ + libarchive/test/read_open_memory.c | 2 +- + libarchive/test/test_sparse_basic.c | 6 ++-- + libarchive/test/test_tar_large.c | 2 +- + 8 files changed, 111 insertions(+), 30 deletions(-) + +diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c +index d71fc2b..78f01bf 100644 +--- a/libarchive/archive_read.c ++++ b/libarchive/archive_read.c +@@ -176,15 +176,9 @@ client_skip_proxy(struct archive_read_filter *self, int64_t request) + return 0; + + if (self->archive->client.skipper != NULL) { +- /* Seek requests over 1GiB are broken down into +- * multiple seeks. This avoids overflows when the +- * requests get passed through 32-bit arguments. 
*/ +- int64_t skip_limit = (int64_t)1 << 30; + int64_t total = 0; + for (;;) { + int64_t get, ask = request; +- if (ask > skip_limit) +- ask = skip_limit; + get = (self->archive->client.skipper) + (&self->archive->archive, self->data, ask); + total += get; +diff --git a/libarchive/archive_read_disk_posix.c b/libarchive/archive_read_disk_posix.c +index 76a4fa4..99db2e3 100644 +--- a/libarchive/archive_read_disk_posix.c ++++ b/libarchive/archive_read_disk_posix.c +@@ -778,7 +778,8 @@ _archive_read_data_block(struct archive *_a, const void **buff, + */ + if (t->current_sparse->offset > t->entry_total) { + if (lseek(t->entry_fd, +- (off_t)t->current_sparse->offset, SEEK_SET) < 0) { ++ (off_t)t->current_sparse->offset, SEEK_SET) != ++ t->current_sparse->offset) { + archive_set_error(&a->archive, errno, "Seek error"); + r = ARCHIVE_FATAL; + a->archive.state = ARCHIVE_STATE_FATAL; +diff --git a/libarchive/archive_read_open_fd.c b/libarchive/archive_read_open_fd.c +index 3ee2423..739fa37 100644 +--- a/libarchive/archive_read_open_fd.c ++++ b/libarchive/archive_read_open_fd.c +@@ -131,7 +131,7 @@ static int64_t + file_skip(struct archive *a, void *client_data, int64_t request) + { + struct read_fd_data *mine = (struct read_fd_data *)client_data; +- int64_t skip = request; ++ off_t skip = (off_t)request; + int64_t old_offset, new_offset; + int skip_bits = sizeof(skip) * 8 - 1; /* off_t is a signed type. */ + +@@ -140,15 +140,15 @@ file_skip(struct archive *a, void *client_data, int64_t request) + + /* Reduce a request that would overflow the 'skip' variable. 
*/ + if (sizeof(request) > sizeof(skip)) { +- int64_t max_skip = ++ const int64_t max_skip = + (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; + if (request > max_skip) +- skip = max_skip; ++ skip = (off_t)max_skip; + } + +- /* Reduce request to the next smallest multiple of block_size */ +- request = (request / mine->block_size) * mine->block_size; +- if (request == 0) ++ /* Reduce 'skip' to the next smallest multiple of block_size */ ++ skip = (off_t)(((int64_t)skip / mine->block_size) * mine->block_size); ++ if (skip == 0) + return (0); + + if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) && +@@ -178,11 +178,24 @@ static int64_t + file_seek(struct archive *a, void *client_data, int64_t request, int whence) + { + struct read_fd_data *mine = (struct read_fd_data *)client_data; ++ off_t seek = (off_t)request; + int64_t r; ++ int seek_bits = sizeof(seek) * 8 - 1; /* off_t is a signed type. */ + + /* We use off_t here because lseek() is declared that way. */ +- /* See above for notes about when off_t is less than 64 bits. */ +- r = lseek(mine->fd, request, whence); ++ ++ /* Reduce a request that would overflow the 'seek' variable. */ ++ if (sizeof(request) > sizeof(seek)) { ++ const int64_t max_seek = ++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1; ++ const int64_t min_seek = ~max_seek; ++ if (request > max_seek) ++ seek = (off_t)max_seek; ++ else if (request < min_seek) ++ seek = (off_t)min_seek; ++ } ++ ++ r = lseek(mine->fd, seek, whence); + if (r >= 0) + return r; + +diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c +index dcf1d46..10f872b 100644 +--- a/libarchive/archive_read_open_file.c ++++ b/libarchive/archive_read_open_file.c +@@ -144,7 +144,7 @@ file_skip(struct archive *a, void *client_data, int64_t request) + + /* If request is too big for a long or an off_t, reduce it. 
*/ + if (sizeof(request) > sizeof(skip)) { +- int64_t max_skip = ++ const int64_t max_skip = + (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; + if (request > max_skip) + skip = max_skip; +@@ -167,6 +167,60 @@ file_skip(struct archive *a, void *client_data, int64_t request) + return (request); + } + ++ ++/* ++ * TODO: Store the offset and use it in the read callback. ++ */ ++static int64_t ++FILE_seek(struct archive *a, void *client_data, int64_t request, int whence) ++{ ++ struct read_FILE_data *mine = (struct read_FILE_data *)client_data; ++#if HAVE__FSEEKI64 ++ int64_t seek = request; ++#elif HAVE_FSEEKO ++ off_t seek = (off_t)request; ++#else ++ long seek = (long)request; ++#endif ++ int seek_bits = sizeof(seek) * 8 - 1; ++ (void)a; /* UNUSED */ ++ ++ /* Reduce a request that would overflow the 'seek' variable. */ ++ if (sizeof(request) > sizeof(seek)) { ++ const int64_t max_seek = ++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1; ++ const int64_t min_seek = ~max_seek; ++ if (request > max_seek) ++ seek = max_seek; ++ else if (request < min_seek) ++ seek = min_seek; ++ } ++ ++#ifdef __ANDROID__ ++ /* Newer Android versions have fseeko...to meditate. */ ++ int64_t ret = lseek(fileno(mine->f), seek, whence); ++ if (ret >= 0) { ++ return ret; ++ } ++#elif HAVE__FSEEKI64 ++ if (_fseeki64(mine->f, seek, whence) == 0) { ++ return _ftelli64(mine->f); ++ } ++#elif HAVE_FSEEKO ++ if (fseeko(mine->f, seek, whence) == 0) { ++ return ftello(mine->f); ++ } ++#else ++ if (fseek(mine->f, seek, whence) == 0) { ++ return ftell(mine->f); ++ } ++#endif ++ /* If we arrive here, the input is corrupted or truncated so fail. 
*/ ++ archive_set_error(a, errno, "Error seeking in FILE* pointer"); ++ return (ARCHIVE_FATAL); ++} ++ ++ + static int + file_close(struct archive *a, void *client_data) + { +diff --git a/libarchive/archive_read_open_filename.c b/libarchive/archive_read_open_filename.c +index dd2e160..d5856d9 100644 +--- a/libarchive/archive_read_open_filename.c ++++ b/libarchive/archive_read_open_filename.c +@@ -479,20 +479,24 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request) + struct read_file_data *mine = (struct read_file_data *)client_data; + #if defined(_WIN32) && !defined(__CYGWIN__) + /* We use _lseeki64() on Windows. */ +- int64_t old_offset, new_offset; ++ int64_t old_offset, new_offset, skip = request; + #else +- off_t old_offset, new_offset; ++ off_t old_offset, new_offset, skip = (off_t)request; + #endif ++ int skip_bits = sizeof(skip) * 8 - 1; + + /* We use off_t here because lseek() is declared that way. */ + +- /* TODO: Deal with case where off_t isn't 64 bits. +- * This shouldn't be a problem on Linux or other POSIX +- * systems, since the configuration logic for libarchive +- * tries to obtain a 64-bit off_t. +- */ ++ /* Reduce a request that would overflow the 'skip' variable. */ ++ if (sizeof(request) > sizeof(skip)) { ++ const int64_t max_skip = ++ (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1; ++ if (request > max_skip) ++ skip = max_skip; ++ } ++ + if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 && +- (new_offset = lseek(mine->fd, request, SEEK_CUR)) >= 0) ++ (new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0) + return (new_offset - old_offset); + + /* If lseek() fails, don't bother trying again. 
*/ +@@ -540,11 +544,24 @@ static int64_t + file_seek(struct archive *a, void *client_data, int64_t request, int whence) + { + struct read_file_data *mine = (struct read_file_data *)client_data; ++ off_t seek = (off_t)request; + int64_t r; ++ int seek_bits = sizeof(seek) * 8 - 1; + + /* We use off_t here because lseek() is declared that way. */ +- /* See above for notes about when off_t is less than 64 bits. */ +- r = lseek(mine->fd, request, whence); ++ ++ /* Reduce a request that would overflow the 'seek' variable. */ ++ if (sizeof(request) > sizeof(seek)) { ++ const int64_t max_seek = ++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1; ++ const int64_t min_seek = ~max_seek; ++ if (request > max_seek) ++ seek = (off_t)max_seek; ++ else if (request < min_seek) ++ seek = (off_t)min_seek; ++ } ++ ++ r = lseek(mine->fd, seek, whence); + if (r >= 0) + return r; + +diff --git a/libarchive/test/read_open_memory.c b/libarchive/test/read_open_memory.c +index 6d2468c..9262ab9 100644 +--- a/libarchive/test/read_open_memory.c ++++ b/libarchive/test/read_open_memory.c +@@ -167,7 +167,7 @@ memory_read_skip(struct archive *a, void *client_data, int64_t skip) + + (void)a; /* UNUSED */ + /* We can't skip by more than is available. */ +- if ((off_t)skip > (off_t)(mine->end - mine->p)) ++ if (skip > mine->end - mine->p) + skip = mine->end - mine->p; + /* Always do small skips by prime amounts. */ + if (skip > 71) +diff --git a/libarchive/test/test_sparse_basic.c b/libarchive/test/test_sparse_basic.c +index 0350df1..192570a 100644 +--- a/libarchive/test/test_sparse_basic.c ++++ b/libarchive/test/test_sparse_basic.c +@@ -605,7 +605,8 @@ DEFINE_TEST(test_sparse_basic) + verify_sparse_file(a, "file2", sparse_file2, 20); + /* Encoded non sparse; expect a data block but no sparse entries. 
*/ + verify_sparse_file(a, "file3", sparse_file3, 0); +- verify_sparse_file(a, "file4", sparse_file4, 2); ++ if (sizeof(off_t) > 4) ++ verify_sparse_file(a, "file4", sparse_file4, 2); + + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); + +@@ -632,7 +633,8 @@ DEFINE_TEST(test_sparse_basic) + verify_sparse_file(a, "file1", sparse_file1, 0); + verify_sparse_file(a, "file2", sparse_file2, 0); + verify_sparse_file(a, "file3", sparse_file3, 0); +- verify_sparse_file(a, "file4", sparse_file4, 0); ++ if (sizeof(off_t) > 4) ++ verify_sparse_file(a, "file4", sparse_file4, 0); + + assertEqualInt(ARCHIVE_OK, archive_read_free(a)); + +diff --git a/libarchive/test/test_tar_large.c b/libarchive/test/test_tar_large.c +index 7ff3fee..bf20a9d 100644 +--- a/libarchive/test/test_tar_large.c ++++ b/libarchive/test/test_tar_large.c +@@ -175,7 +175,7 @@ memory_read_skip(struct archive *a, void *_private, int64_t skip) + } + if (private->filebytes > 0) { + if (private->filebytes < skip) +- skip = (off_t)private->filebytes; ++ skip = private->filebytes; + private->filebytes -= skip; + } else { + skip = 0; diff -Nru libarchive-3.7.4/debian/patches/CVE-2026-4111-1.patch libarchive-3.7.4/debian/patches/CVE-2026-4111-1.patch --- libarchive-3.7.4/debian/patches/CVE-2026-4111-1.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2026-4111-1.patch 2026-04-24 11:36:34.000000000 +0700 
@@ -0,0 +1,302 @@ +From: Tim Kientzle <[email protected]> +Date: Sun, 1 Mar 2026 10:04:01 -0800 +Subject: Infinite loop in Rar5 decompression + +Found by: Elhanan Haenel + +Origin: backport, https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4 +--- + Makefile.am | 2 + + libarchive/test/CMakeLists.txt | 1 + + libarchive/test/test_read_format_rar5_loop_bug.c | 53 ++++++ + .../test/test_read_format_rar5_loop_bug.rar.uu | 189 +++++++++++++++++++++ + 4 files changed, 245 insertions(+) + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.c + create mode 100644 libarchive/test/test_read_format_rar5_loop_bug.rar.uu + +diff --git a/Makefile.am b/Makefile.am +index ae596b7..afe456f 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -513,6 +513,7 @@ libarchive_test_SOURCES= \ + libarchive/test/test_read_format_rar_invalid1.c \ + libarchive/test/test_read_format_rar_overflow.c \ + libarchive/test/test_read_format_rar5.c \ ++ libarchive/test/test_read_format_rar5_loop_bug.c \ + libarchive/test/test_read_format_raw.c \ + libarchive/test/test_read_format_tar.c \ + libarchive/test/test_read_format_tar_concatenated.c \ +@@ -891,6 +892,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \ + libarchive/test/test_read_format_rar5_leftshift1.rar.uu \ + libarchive/test/test_read_format_rar5_leftshift2.rar.uu \ ++ libarchive/test/test_read_format_rar5_loop_bug.rar.uu \ + libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \ + libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \ + libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \ +diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt +index 0baf2de..a683109 100644 +--- a/libarchive/test/CMakeLists.txt ++++ b/libarchive/test/CMakeLists.txt +@@ -157,6 +157,7 @@ IF(ENABLE_TEST) + test_read_format_rar_filter.c + test_read_format_rar_overflow.c + test_read_format_rar5.c ++ 
test_read_format_rar5_loop_bug.c + test_read_format_raw.c + test_read_format_tar.c + test_read_format_tar_concatenated.c +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.c b/libarchive/test/test_read_format_rar5_loop_bug.c +new file mode 100644 +index 0000000..77dd78c +--- /dev/null ++++ b/libarchive/test/test_read_format_rar5_loop_bug.c +@@ -0,0 +1,53 @@ ++/*- ++ * Copyright (c) 2026 Tim Kientzle ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
++ */ ++#include "test.h" ++ ++DEFINE_TEST(test_read_format_rar5_loop_bug) ++{ ++ const char *reffile = "test_read_format_rar5_loop_bug.rar"; ++ struct archive_entry *ae; ++ struct archive *a; ++ const void *buf; ++ size_t size; ++ la_int64_t offset; ++ ++ extract_reference_file(reffile); ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 10240)); ++ ++ // This has just one entry ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae)); ++ ++ // Read blocks until the end of the entry ++ while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) { ++ } ++ ++ assertEqualIntA(a, ARCHIVE_EOF, archive_read_next_header(a, &ae)); ++ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_free(a)); ++} +diff --git a/libarchive/test/test_read_format_rar5_loop_bug.rar.uu b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu +new file mode 100644 +index 0000000..3e47004 +--- /dev/null ++++ b/libarchive/test/test_read_format_rar5_loop_bug.rar.uu +@@ -0,0 +1,189 @@ ++begin 644 test_read_format_rar5_loop_bug.rar
++end diff -Nru libarchive-3.7.4/debian/patches/CVE-2026-4111-2.patch libarchive-3.7.4/debian/patches/CVE-2026-4111-2.patch --- libarchive-3.7.4/debian/patches/CVE-2026-4111-2.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2026-4111-2.patch 2026-04-24 11:36:34.000000000 +0700 
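Review bot: In test_read_format_rar5_loop_bug.c the empty `while (ARCHIVE_OK == archive_read_data_block(a, &buf, &size, &offset)) { }` loop discards the status that ended it, so the test never states how reading the entry is expected to finish; the only check is the indirect `ARCHIVE_EOF` from the following `archive_read_next_header()`. Store the return value and assert the status the fixed reader should produce. A short comment saying what the reference file exercises would also help, since the name says "loop bug" but the body does not say what used to loop. Minor: this test frees with `archive_free(a)` while the zisofs test added in the same upload uses `archive_read_free(a)`; pick one.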
@@ -0,0 +1,26 @@ +From: Tim Kientzle <[email protected]> +Date: Sun, 1 Mar 2026 20:24:56 -0800 +Subject: Reject filters when the block length is nonsensical + +Credit: Grzegorz Antoniak @antekone + +Origin: upstream, https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168 +--- + libarchive/archive_read_support_format_rar5.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c +index e8846a5..1a8a156 100644 +--- a/libarchive/archive_read_support_format_rar5.c ++++ b/libarchive/archive_read_support_format_rar5.c +@@ -2919,7 +2919,9 @@ static int parse_filter(struct archive_read* ar, const uint8_t* p) { + if(block_length < 4 || + block_length > 0x400000 || + filter_type > FILTER_ARM || +- !is_valid_filter_block_start(rar, block_start)) ++ !is_valid_filter_block_start(rar, block_start) || ++ (rar->cstate.window_size > 0 && ++ (ssize_t)block_length > rar->cstate.window_size >> 1)) + { + archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Invalid filter encountered"); diff -Nru libarchive-3.7.4/debian/patches/CVE-2026-4424-1.patch libarchive-3.7.4/debian/patches/CVE-2026-4424-1.patch --- libarchive-3.7.4/debian/patches/CVE-2026-4424-1.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2026-4424-1.patch 2026-04-24 11:36:34.000000000 +0700 
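Review bot: The new bound in rar5 `parse_filter()` is skipped whenever `rar->cstate.window_size` is 0, because of the `rar->cstate.window_size > 0 &&` guard, so in that state a filter with `block_length` up to 0x400000 is still accepted. Please confirm a filter cannot be parsed before the window size is set, or reject in that case too. The expression `(ssize_t)block_length > rar->cstate.window_size >> 1` parses as intended because the shift binds tighter than the comparison, but parentheses around `window_size >> 1` and a one-line comment on why half the window is the limit would make the check reviewable without the upstream discussion.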
@@ -0,0 +1,55 @@ +From: elhananhaenel <[email protected]> +Date: Sat, 7 Mar 2026 22:32:09 +0200 +Subject: rar: fix LZSS window size mismatch after PPMd block + +When a PPMd-compressed block updates dictionary_size, the LZSS window +from a prior block is not reallocated. The allocation guard only checks +if dictionary_size is zero or the window pointer is NULL, not whether +the existing window is large enough. This allows copy_from_lzss_window() +to read past the allocated buffer. + +Fix the guard to also check whether the current window is undersized. +Add bounds checks in copy_from_lzss_window() and parse_filter() as +defense in depth. + +Origin: upstream, https://github.com/libarchive/libarchive/commit/d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375 +--- + libarchive/archive_read_support_format_rar.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 85b738a..0240af7 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -2474,7 +2474,8 @@ parse_codes(struct archive_read *a) + return (r); + } + +- if (!rar->dictionary_size || !rar->lzss.window) ++ if (!rar->dictionary_size || !rar->lzss.window || ++ (rar->lzss.mask + 1) < rar->dictionary_size) + { + /* Seems as though dictionary sizes are not used. Even so, minimize + * memory usage as much as possible. 
+@@ -3078,6 +3079,11 @@ copy_from_lzss_window(struct archive_read *a, uint8_t *buffer, + + windowoffs = lzss_offset_for_position(&rar->lzss, startpos); + firstpart = lzss_size(&rar->lzss) - windowoffs; ++ if (length > lzss_size(&rar->lzss)) { ++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, ++ "Bad RAR file data"); ++ return (ARCHIVE_FATAL); ++ } + if (firstpart < 0) { + archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, + "Bad RAR file data"); +@@ -3240,7 +3246,8 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint + else + blocklength = prog ? prog->oldfilterlength : 0; + +- if (blocklength > rar->dictionary_size) ++ if (blocklength > rar->dictionary_size || ++ blocklength > (uint32_t)(rar->lzss.mask + 1)) + return 0; + + registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS; diff -Nru libarchive-3.7.4/debian/patches/CVE-2026-4424-2.patch libarchive-3.7.4/debian/patches/CVE-2026-4424-2.patch --- libarchive-3.7.4/debian/patches/CVE-2026-4424-2.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2026-4424-2.patch 2026-04-24 11:36:34.000000000 +0700 
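Review bot: In the `parse_codes()` hunk the branch is now also taken when the existing window is too small, but the context comment directly below still reads "Seems as though dictionary sizes are not used. Even so, minimize memory usage as much as possible.", which no longer describes why the code reallocates. Update the comment to mention the undersized-window case described in the commit message. The added comparison `(rar->lzss.mask + 1) < rar->dictionary_size` is also the one that needed the -Wsign-compare follow-up, so the two patches should always be applied together.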
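Review bot: In the `copy_from_lzss_window()` hunk the new `length > lzss_size(&rar->lzss)` check sits after `windowoffs` and `firstpart` have already been computed; moving it to the top of the function would make it clear that nothing is derived from an out-of-range `length`. It also reuses the exact message "Bad RAR file data" of the `firstpart < 0` check right below it, so the two failures cannot be told apart in a report; a distinct message would help triage. Please also check that `length` and the return type of `lzss_size()` have the same signedness, given that the sibling comparison in `parse_codes()` needed a cast.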
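Review bot: In the rar `parse_filter()` hunk the extra condition `blocklength > (uint32_t)(rar->lzss.mask + 1)` falls into the existing bare `return 0;` without calling `archive_set_error()`, unlike the new check in `copy_from_lzss_window()`, which sets ARCHIVE_ERRNO_FILE_FORMAT. Confirm that the caller turns this 0 into a reported error, so an archive rejected here does not fail without a message. The patch changes only archive_read_support_format_rar.c, so none of the three new checks is covered by a test in this series.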
@@ -0,0 +1,22 @@ +From: elhananhaenel <[email protected]> +Date: Sun, 8 Mar 2026 15:29:46 +0200 +Subject: Fix -Wsign-compare: cast mask+1 to unsigned int + +Origin: upstream, https://github.com/libarchive/libarchive/commit/e1907c5832b6489c7b4198b0825f857c93a03c10 +--- + libarchive/archive_read_support_format_rar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 0240af7..5be42c7 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -2475,7 +2475,7 @@ parse_codes(struct archive_read *a) + } + + if (!rar->dictionary_size || !rar->lzss.window || +- (rar->lzss.mask + 1) < rar->dictionary_size) ++ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size) + { + /* Seems as though dictionary sizes are not used. Even so, minimize + * memory usage as much as possible. diff -Nru libarchive-3.7.4/debian/patches/CVE-2026-4426_CVE-2026-5121.patch libarchive-3.7.4/debian/patches/CVE-2026-4426_CVE-2026-5121.patch --- libarchive-3.7.4/debian/patches/CVE-2026-4426_CVE-2026-5121.patch 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/patches/CVE-2026-4426_CVE-2026-5121.patch 2026-04-24 11:36:34.000000000 +0700 
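Review bot: The cast added in `parse_codes()` is `(unsigned int)(rar->lzss.mask + 1)`, while the previous patch wrote the same quantity in `parse_filter()` as `(uint32_t)(rar->lzss.mask + 1)`; use one type for both. Better still, `copy_from_lzss_window()` already calls `lzss_size(&rar->lzss)`; if that helper returns the same window size, use it in all three places instead of open-coding `mask + 1` with a cast at each site.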
@@ -0,0 +1,1286 @@ +From: elhananhaenel <[email protected]> +Date: Thu, 19 Mar 2026 16:43:29 +0200 +Subject: [PATCH] Add regression test for zisofs 32-bit heap overflow + +A crafted ISO with pz_log2_bs=2 and pz_uncompressed_size=0xFFFFFFF9 +causes an integer overflow in the block pointer allocation in +zisofs_read_data(). On 32-bit, (ceil+1)*4 wraps size_t to 0, malloc(0) +returns a tiny buffer, and the code writes ~4GB past it. + +The pz_log2_bs validation fix prevents this. Add a regression test with +a crafted 48KB ISO that triggers the overflow on unfixed 32-bit builds. + +Origin: upstream, https://github.com/libarchive/libarchive/commit/a2a73a8f14b3208c7f6acbbc93265254a7c1efd0 +--- + Makefile.am | 2 + + libarchive/archive_read_support_format_iso9660.c | 8 + + libarchive/test/CMakeLists.txt | 1 + + .../test/test_read_format_iso_zisofs_overflow.c | 104 ++++++ + ...=> test_read_format_iso_zisofs_overflow.iso.uu} | 401 ++++----------------- + 5 files changed, 179 insertions(+), 337 deletions(-) + create mode 100644 libarchive/test/test_read_format_iso_zisofs_overflow.c + create mode 100644 libarchive/test/test_read_format_iso_zisofs_overflow.iso.uu + +diff --git a/Makefile.am b/Makefile.am +index afe456f..de3c2f2 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -498,6 +498,7 @@ libarchive_test_SOURCES= \ + libarchive/test/test_read_format_isorr_new_bz2.c \ + libarchive/test/test_read_format_isorr_rr_moved.c \ + libarchive/test/test_read_format_isozisofs_bz2.c \ ++ libarchive/test/test_read_format_iso_zisofs_overflow.c \ + libarchive/test/test_read_format_lha.c \ + libarchive/test/test_read_format_lha_bugfix_0.c \ + libarchive/test/test_read_format_lha_filename.c \ +@@ -842,6 +843,7 @@ libarchive_test_EXTRA_DIST=\ + libarchive/test/test_read_format_iso_rockridge_rr_moved.iso.Z.uu \ + libarchive/test/test_read_format_iso_xorriso.iso.Z.uu \ + libarchive/test/test_read_format_iso_zisofs.iso.Z.uu \ ++ libarchive/test/test_read_format_iso_zisofs_overflow.iso.uu \ + 
libarchive/test/test_read_format_lha_bugfix_0.lzh.uu \ + libarchive/test/test_read_format_lha_filename_cp932.lzh.uu \ + libarchive/test/test_read_format_lha_filename_utf16.lzh.uu \ +diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c +index db5cdb6..2a65ebf 100644 +--- a/libarchive/archive_read_support_format_iso9660.c ++++ b/libarchive/archive_read_support_format_iso9660.c +@@ -2645,6 +2645,14 @@ parse_rockridge_ZF1(struct file_info *file, const unsigned char *data, + /* paged zlib */ + file->pz = 1; + file->pz_log2_bs = data[3]; ++ if (file->pz_log2_bs < 15 || file->pz_log2_bs > 17) { ++ /* TODO: Return an error here instead of silently ++ * disabling zisofs. That requires propagating an ++ * error return through parse_rockridge() and its ++ * callers. */ ++ file->pz = 0; ++ return; ++ } + file->pz_uncompressed_size = archive_le32dec(&data[4]); + } + } +diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt +index a683109..4c056fa 100644 +--- a/libarchive/test/CMakeLists.txt ++++ b/libarchive/test/CMakeLists.txt +@@ -142,6 +142,7 @@ IF(ENABLE_TEST) + test_read_format_isorr_new_bz2.c + test_read_format_isorr_rr_moved.c + test_read_format_isozisofs_bz2.c ++ test_read_format_iso_zisofs_overflow.c + test_read_format_lha.c + test_read_format_lha_bugfix_0.c + test_read_format_lha_filename.c +diff --git a/libarchive/test/test_read_format_iso_zisofs_overflow.c b/libarchive/test/test_read_format_iso_zisofs_overflow.c +new file mode 100644 +index 0000000..bad52b1 +--- /dev/null ++++ b/libarchive/test/test_read_format_iso_zisofs_overflow.c +@@ -0,0 +1,104 @@ ++/*- ++ * Copyright (c) 2025 ++ * All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. 
Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++#include "test.h" ++ ++/* ++ * Verify that a crafted ISO9660 image with an invalid zisofs block-size ++ * exponent (pz_log2_bs) is handled gracefully. ++ * ++ * The ZF extension in the Rock Ridge entry stores pz_log2_bs as a raw ++ * byte from the image. The zisofs spec only permits values 15-17. ++ * Values outside that range can cause: ++ * - Undefined behavior via oversized bit shifts (any platform) ++ * - Integer overflow in block pointer allocation on 32-bit platforms, ++ * leading to a heap buffer overflow write ++ * ++ * The test image has pz_log2_bs=2 (out of spec) combined with ++ * pz_uncompressed_size=0xFFFFFFF9. On 32-bit, (ceil+1)*4 overflows ++ * size_t to 0, malloc(0) returns a tiny buffer, and the code attempts ++ * to write ~4GB into it. On 64-bit the allocation is huge and safely ++ * fails. 
++ * ++ * We verify the fix by checking archive_entry_size() after reading the ++ * header. When pz_log2_bs validation rejects the bad value (pz=0), ++ * the entry keeps its raw on-disk size (small). Without the fix, ++ * the reader sets the entry size to pz_uncompressed_size (0xFFFFFFF9). ++ * ++ * We intentionally do NOT call archive_read_data() here. Without the ++ * fix, the data-read path triggers a heap buffer overflow on 32-bit ++ * that silently corrupts the process heap, causing later tests to ++ * crash rather than this one. ++ */ ++DEFINE_TEST(test_read_format_iso_zisofs_overflow) ++{ ++ const char reffile[] = "test_read_format_iso_zisofs_overflow.iso"; ++ struct archive *a; ++ struct archive_entry *ae; ++ int r = ARCHIVE_OK; ++ int found_regular_file = 0; ++ ++ extract_reference_file(reffile); ++ assert((a = archive_read_new()) != NULL); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a)); ++ assertEqualIntA(a, ARCHIVE_OK, ++ archive_read_open_filename(a, reffile, 10240)); ++ ++ while ((r = archive_read_next_header(a, &ae)) == ARCHIVE_OK || ++ r == ARCHIVE_WARN) { ++ /* ++ * With the fix, pz_log2_bs=2 is rejected and pz is set ++ * to 0, so the entry keeps its small raw size from the ++ * ISO directory record. Without the fix, zisofs sets ++ * the entry size to pz_uncompressed_size (0xFFFFFFF9). ++ * ++ * We intentionally do NOT call archive_read_data(). ++ * Without the fix, the data-read path triggers a heap ++ * buffer overflow on 32-bit that silently corrupts the ++ * process heap, causing later tests to crash rather ++ * than this one. 
++ */ ++ if (archive_entry_filetype(ae) == AE_IFREG) { ++ la_int64_t sz = archive_entry_size(ae); ++ failure("entry \"%s\" has size %jd" ++ "; expected < 1 MiB" ++ " (if size is 4294966265 = 0xFFFFFFF9, the" ++ " pz_log2_bs validation is missing)", ++ archive_entry_pathname(ae), (intmax_t)sz); ++ assert(sz < 1024 * 1024); ++ found_regular_file = 1; ++ } ++ } ++ ++ /* Iteration must have completed normally. */ ++ assertEqualInt(ARCHIVE_EOF, r); ++ ++ /* The PoC image contains a regular file; if we never saw one, ++ * something is wrong with the test image. */ ++ assert(found_regular_file); ++ ++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a)); ++ assertEqualInt(ARCHIVE_OK, archive_read_free(a)); ++} +diff --git a/libarchive/test/test_read_format_iso_zisofs_overflow.iso.uu b/libarchive/test/test_read_format_iso_zisofs_overflow.iso.uu +new file mode 100644 +index 0000000000..5e7dcc3750 +--- /dev/null ++++ b/libarchive/test/test_read_format_iso_zisofs_overflow.iso.uu +@@ -0,0 +1,1096 @@ ++begin 664 test_read_format_iso_zisofs_overflow.iso
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` ++M```````````````````````````````````````````````````````````` 
diff -Nru libarchive-3.7.4/debian/patches/series libarchive-3.7.4/debian/patches/series --- libarchive-3.7.4/debian/patches/series 2025-07-24 21:40:32.000000000 +0700 +++ libarchive-3.7.4/debian/patches/series 2026-04-24 11:36:34.000000000 +0700 @@ -7,3 +7,11 @@ CVE-2025-5915.patch CVE-2025-5916.patch CVE-2025-5917.patch +CVE-2025-5918-pre1.patch +CVE-2025-5918_1.patch +CVE-2025-5918_2.patch +CVE-2026-4111-1.patch +CVE-2026-4111-2.patch +CVE-2026-4424-1.patch +CVE-2026-4424-2.patch +CVE-2026-4426_CVE-2026-5121.patch diff -Nru libarchive-3.7.4/debian/salsa-ci.yml libarchive-3.7.4/debian/salsa-ci.yml --- libarchive-3.7.4/debian/salsa-ci.yml 1970-01-01 08:00:00.000000000 +0800 +++ libarchive-3.7.4/debian/salsa-ci.yml 2026-04-24 11:36:34.000000000 +0700 @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'trixie'
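Review bot: In the debian/patches/series hunk the eight new entries mix two naming schemes: `CVE-2025-5918_1.patch` and `CVE-2025-5918_2.patch` use an underscore before the sequence number, while `CVE-2026-4111-1.patch` and `CVE-2026-4424-1.patch` use a hyphen. Pick one so the entries sort and grep consistently. `CVE-2025-5918-pre1.patch` is a prerequisite rather than a fix, and the series file gives no hint of that, so its patch header should name the upstream commit it backports and say why the two CVE-2025-5918 patches depend on it. The order (pre1 ahead of _1 and _2) is right; keep it that way if the files are renamed.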
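Review bot: Both `include:` entries in the new debian/salsa-ci.yml pull the pipeline definition from `raw/master`, so CI on this stable branch runs whatever the salsa-ci-team master branch holds at the time, and a pipeline result cannot be reproduced from this diff alone. That is the usual Salsa CI arrangement and `RELEASE: 'trixie'` matches the upload target, so no change is required, but it is worth stating in the changelog entry that this file is CI-only and does not affect the built packages. Because the file is new at this path, also confirm that the repository's CI configuration path setting points at debian/salsa-ci.yml, otherwise the pipeline will not pick it up.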

