diff -pruN 3.6.0-1/debian/changelog 3.6.0-1ubuntu1/debian/changelog
--- 3.6.0-1/debian/changelog	2022-03-30 10:04:33.000000000 +0000
+++ 3.6.0-1ubuntu1/debian/changelog	2022-04-06 20:33:16.000000000 +0000
@@ -1,3 +1,14 @@
+libarchive (3.6.0-1ubuntu1) jammy; urgency=medium
+
+  * Sync with Debian. (LP: #1967127)
+    - Includes upstream fixes for CVE-2021-36976
+  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
+  * SECURITY UPDATE: possible out-of-bounds read
+    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
+    - CVE-2022-26280
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Wed, 06 Apr 2022 16:33:16 -0400
+
 libarchive (3.6.0-1) unstable; urgency=medium
 
   * New upstream version (Closes: #1007120):
diff -pruN 3.6.0-1/debian/control 3.6.0-1ubuntu1/debian/control
--- 3.6.0-1/debian/control	2022-03-30 10:04:33.000000000 +0000
+++ 3.6.0-1ubuntu1/debian/control	2022-03-30 12:34:41.000000000 +0000
@@ -1,6 +1,7 @@
 Source: libarchive
 Priority: optional
-Maintainer: Peter Pentchev <roam@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Peter Pentchev <roam@debian.org>
 Build-Depends: debhelper-compat (= 13),
                pkg-config,
                libbz2-dev,
diff -pruN 3.6.0-1/debian/patches/CVE-2022-26280.patch 3.6.0-1ubuntu1/debian/patches/CVE-2022-26280.patch
--- 3.6.0-1/debian/patches/CVE-2022-26280.patch	1970-01-01 00:00:00.000000000 +0000
+++ 3.6.0-1ubuntu1/debian/patches/CVE-2022-26280.patch	2022-03-30 12:34:41.000000000 +0000
@@ -0,0 +1,27 @@
+From: Tim Kientzle <kientzle@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+
+https://security-tracker.debian.org/tracker/CVE-2022-26280
+
+(cherry picked from commit cfaa28168a07ea4a53276b63068f94fce37d6aff)
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70..9d6c900 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+ 	 */
+ 
+ 	/* Read magic1,magic2,lzma_params from the ZIPX stream. */
+-	if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++	if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ 		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ 		    "Truncated lzma data");
+ 		return (ARCHIVE_FATAL);
diff -pruN 3.6.0-1/debian/patches/series 3.6.0-1ubuntu1/debian/patches/series
--- 3.6.0-1/debian/patches/series	2022-03-30 10:04:33.000000000 +0000
+++ 3.6.0-1ubuntu1/debian/patches/series	2022-03-30 12:34:41.000000000 +0000
@@ -1 +1,2 @@
 typos.patch
+CVE-2022-26280.patch
diff -pruN 3.6.0-1/debian/rules 3.6.0-1ubuntu1/debian/rules
--- 3.6.0-1/debian/rules	2022-03-30 10:04:33.000000000 +0000
+++ 3.6.0-1ubuntu1/debian/rules	2022-03-30 12:34:41.000000000 +0000
@@ -22,7 +22,7 @@ execute_before_dh_install:
 	find debian -name '*.la' -delete
 
 override_dh_auto_test:
-ifneq (,$(filter check,$(DEB_BUILD_OPTIONS)))
+ifeq (,$(findstring nocheck, $(DEB_BUILD_OPTIONS)))
 ifneq (,$(shell locale -a | grep en_US.utf8))
 	_VERBOSITY_LEVEL=1 dh_auto_test --parallel
 else