libarchive: Fix CVE-2026-5121 integer overflow in zisofs block pointer allocation #9

Merged
Zeno-sole merged 1 commit into master from fix/CVE-2026-5121
May 8, 2026

@deepin-ci-robot
Contributor

Security Update

  • Fix CVE-2026-5121: integer overflow in zisofs block pointer allocation
  • Package: libarchive

Vulnerability Details

On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow and potentially arbitrary code execution.

Changes

  • Added patch to validate pz_log2_bs in parse_rockridge_ZF1()
  • Updated debian/changelog

Upstream Fix

libarchive/libarchive@c3cb1c5

Testing

  • Build verification recommended
  • Patch applied successfully with quilt
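
A simplified model of the arithmetic behind the "Vulnerability Details" and "Changes" items above, as an added example that is not code from this PR or from libarchive. `uint32_t` stands in for `size_t` on a 32-bit target; the function names, the table layout (4-byte pointers plus one end entry) and the 15..17 bounds on the log2 block size are assumptions of this sketch, not taken from the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bounds: zisofs block sizes of 32 KiB to 128 KiB (log2 15..17). */
#define ZF_LOG2_BS_MIN 15
#define ZF_LOG2_BS_MAX 17

/* Unchecked sizing of the block pointer table: one 4-byte pointer per block
 * plus one end entry. uint32_t models size_t on a 32-bit target.
 * Caller must pass log2_bs < 32 (larger shifts are undefined in C). */
static uint32_t table_bytes_unchecked(uint32_t uncompressed_size, unsigned log2_bs)
{
    uint32_t block_size = (uint32_t)1 << log2_bs;
    uint32_t blocks = (uncompressed_size + block_size - 1) >> log2_bs; /* may wrap */
    return (blocks + 1) * 4;                                           /* may wrap */
}

/* Hardened sizing: reject an out-of-range log2_bs before any arithmetic, then
 * compute in 64 bits and refuse a result that does not fit the 32-bit size.
 * With log2_bs >= 15 the block count is at most 2^17, so the range check
 * already bounds the table; the width check is defense in depth.
 * Returns the size in bytes, or 0 if rejected (a valid table is >= 4 bytes). */
static uint32_t table_bytes_checked(uint32_t uncompressed_size, unsigned log2_bs)
{
    if (log2_bs < ZF_LOG2_BS_MIN || log2_bs > ZF_LOG2_BS_MAX)
        return 0;
    uint64_t block_size = (uint64_t)1 << log2_bs;
    uint64_t blocks = ((uint64_t)uncompressed_size + block_size - 1) >> log2_bs;
    uint64_t bytes = (blocks + 1) * 4;
    return bytes > UINT32_MAX ? 0 : (uint32_t)bytes;
}

int main(void)
{
    /* Constructed header values, not taken from any real image. */
    printf("unchecked, log2_bs=0:  %u bytes\n",
           (unsigned)table_bytes_unchecked(0x40000000u, 0));
    printf("checked,   log2_bs=0:  %u (0 = rejected)\n",
           (unsigned)table_bytes_checked(0x40000000u, 0));
    printf("checked,   log2_bs=15: %u bytes\n",
           (unsigned)table_bytes_checked(0x40000000u, 15));
    return 0;
}
```

In the unchecked path the computed size wraps to a few bytes while the block count stays large, which is the mismatch that makes an undersized heap allocation possible; validating the field at parse time removes that input before it reaches the allocation.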

…r allocation

On 32-bit systems, an integer overflow vulnerability exists in the zisofs
block pointer allocation logic. A remote attacker can exploit this by
providing a specially crafted ISO9660 image, which can lead to a heap
buffer overflow and potentially arbitrary code execution.

Upstream: libarchive/libarchive@c3cb1c5
@deepin-ci-robot
Contributor Author

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tsic404 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

TAG Bot

TAG: 3.7.2-1deepin2
EXISTED: no
DISTRIBUTION: unstable

@Zeno-sole

/integrate

@github-actions

github-actions Bot commented May 8, 2026

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#3950
PrNumber: 3950
PrBranch: auto-integration-25532427038
