• Bug#1068047: Suspicious commit merged in 2021 from account responsible

    From Russ Allbery@21:1/5 to All on Sat Mar 30 03:30:01 2024
    Package: libarchive13t64
    Version: 3.7.2-1.1
    Severity: important
    X-Debbugs-Cc: rra@debian.org

    So far it looks like no one has been able to figure out an obvious way
    for this to be exploitable, but I wanted to make sure that you were
    aware of this upstream issue:

    https://github.com/libarchive/libarchive/pull/1609

    The author of this commit is the same GitHub account that was used to
    create the xz backdoor. Upstream has merged a revert of this change at:

    https://github.com/libarchive/libarchive/pull/2101

    It may be worth expediting getting this change into Debian in case the
    potential attacker knows something that we don't. However, I don't have
    any reason to currently believe that this is a security vulnerability,
    so I've kept the severity at important and not applied the security tag.


    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (990, 'unstable'), (500, 'unstable-debug'), (1, 'experimental')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.7.9-amd64 (SMP w/8 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages libarchive13t64 depends on:
    ii libacl1 2.3.2-1
    ii libbz2-1.0 1.0.8-5.1
    ii libc6 2.37-15.1
    ii liblz4-1 1.9.4-1+b2
    ii liblzma5 5.6.1+really5.4.5-1
    ii libnettle8t64 3.9.1-2.2
    ii libxml2 2.9.14+dfsg-1.3+b2
    ii libzstd1 1.5.5+dfsg2-2
    ii zlib1g 1:1.3.dfsg-3.1

    libarchive13t64 recommends no packages.

    Versions of packages libarchive13t64 suggests:
    pn lrzip <none>

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Wesley Schwengle@21:1/5 to Russ Allbery on Sat Mar 30 05:00:01 2024
    On Fri, Mar 29, 2024 at 07:24:13PM -0700, Russ Allbery wrote:

    > So far it looks like no one has been able to figure out an obvious way
    > for this to be exploitable, but I wanted to make sure that you were
    > aware of this upstream issue:
    >
    > https://github.com/libarchive/libarchive/pull/1609
    >
    > The author of this commit is the same GitHub account that was used to
    > create the xz backdoor. Upstream has merged a revert of this change at:
    >
    > https://github.com/libarchive/libarchive/pull/2101
    >
    > It may be worth expediting getting this change into Debian in case the
    > potential attacker knows something that we don't. However, I don't have
    > any reason to currently believe that this is a security vulnerability,
    > so I've kept the severity at important and not applied the security tag.

    I also noticed this and sent an e-mail to security@debian.org about it
    (921847da-a715-42c4-b87d-e8a1f0fb541e@schwengle.net). FWIW, this also
    impacts Debian stable. The commit can be found in tags v3.7.2, v3.7.1,
    v3.7.0, v3.6.2, v3.6.1 and v3.6.0. Debian stable ships 3.6.2-1.

    Cheers,
    Wesley

  • From Salvatore Bonaccorso@21:1/5 to Russ Allbery on Sat Mar 30 18:20:01 2024
    Control: severity -1 serious
    Control: found -1 3.6.0-1

    Hi Russ,

    On Fri, Mar 29, 2024 at 07:24:13PM -0700, Russ Allbery wrote:
    > Package: libarchive13t64
    > Version: 3.7.2-1.1
    > Severity: important
    > X-Debbugs-Cc: rra@debian.org
    >
    > So far it looks like no one has been able to figure out an obvious way
    > for this to be exploitable, but I wanted to make sure that you were
    > aware of this upstream issue:
    >
    > https://github.com/libarchive/libarchive/pull/1609
    >
    > The author of this commit is the same GitHub account that was used to
    > create the xz backdoor. Upstream has merged a revert of this change at:
    >
    > https://github.com/libarchive/libarchive/pull/2101
    >
    > It may be worth expediting getting this change into Debian in case the
    > potential attacker knows something that we don't. However, I don't have
    > any reason to currently believe that this is a security vulnerability,
    > so I've kept the severity at important and not applied the security tag.

    Let's be on the safe side, and at least make it RC.

    Regards,
    Salvatore
