diff --git a/fix-bsdunzip-test.patch b/fix-bsdunzip-test.patch
new file mode 100644
index 0000000..e93c084
--- /dev/null
+++ b/fix-bsdunzip-test.patch
@@ -0,0 +1,19 @@
+commit 64e2e88ec326dd37fcb85c9a9d21fa43444a0a59
+Author: Bernhard M. Wiedemann
+Date: Wed May 22 10:13:47 2024 +0200
+
+ Fix test failure on openSUSE:Leap:15.5
+
+diff --git a/unzip/test/test_I.c b/unzip/test/test_I.c
+index 5d31ce8d..92e5ce59 100644
+--- a/unzip/test/test_I.c
++++ b/unzip/test/test_I.c
+@@ -45,7 +45,7 @@ DEFINE_TEST(test_I)
+ #endif
+
+ extract_reference_file(reffile);
+- r = systemf("%s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);
++ r = systemf("env -uLC_ALL LC_CTYPE=en_US.UTF-8 %s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);
+ assertEqualInt(0, r);
+ assertNonEmptyFile("test.out");
+ assertEmptyFile("test.err");
diff --git a/lib-suffix.patch b/lib-suffix.patch
index a3eecc5..aed7e43 100644
--- a/lib-suffix.patch
+++ b/lib-suffix.patch
@@ -1,10 +1,17 @@
-Index: libarchive-3.4.3/libarchive/CMakeLists.txt
+Index: libarchive-3.7.0/libarchive/CMakeLists.txt
 ===================================================================
---- libarchive-3.4.3.orig/libarchive/CMakeLists.txt
-+++ libarchive-3.4.3/libarchive/CMakeLists.txt
-@@ -255,8 +255,8 @@ IF(ENABLE_INSTALL)
- # How to install the libraries
- INSTALL(TARGETS archive archive_static
+--- libarchive-3.7.0.orig/libarchive/CMakeLists.txt
++++ libarchive-3.7.0/libarchive/CMakeLists.txt
+@@ -265,13 +265,13 @@ IF(ENABLE_INSTALL)
+ IF(BUILD_SHARED_LIBS)
+ INSTALL(TARGETS archive
+ RUNTIME DESTINATION bin
+- LIBRARY DESTINATION lib
+- ARCHIVE DESTINATION lib)
++ LIBRARY DESTINATION lib${LIB_SUFFIX}
++ ARCHIVE DESTINATION lib${LIB_SUFFIX})
+ ENDIF(BUILD_SHARED_LIBS)
+ INSTALL(TARGETS archive_static
 RUNTIME DESTINATION bin
 - LIBRARY DESTINATION lib
 - ARCHIVE DESTINATION lib)
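Review bot: The new `systemf` line in fix-bsdunzip-test.patch hard-codes `LC_CTYPE=en_US.UTF-8`, so the test still depends on what the build root has installed; if that locale is missing, the locale setup presumably fails quietly and the test goes back to the failure this patch is meant to remove. Where the libc provides it, `C.UTF-8` is the more portable choice, e.g. `r = systemf("env -uLC_ALL LC_CTYPE=C.UTF-8 %s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);`, or the test could skip when no UTF-8 locale can be set. `env -u` is also not in POSIX, which matters on platforms whose env lacks it. The body of DEFINE_TEST(test_I) starts and ends outside the hunk.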
@@ -13,10 +20,10 @@ Index: libarchive-3.4.3/libarchive/CMakeLists.txt
 INSTALL_MAN(${libarchive_MANS})
 INSTALL(FILES ${include_HEADERS} DESTINATION include)
 ENDIF()
-Index: libarchive-3.4.3/build/cmake/CreatePkgConfigFile.cmake
+Index: libarchive-3.7.0/build/cmake/CreatePkgConfigFile.cmake
 ===================================================================
---- libarchive-3.4.3.orig/build/cmake/CreatePkgConfigFile.cmake
-+++ libarchive-3.4.3/build/cmake/CreatePkgConfigFile.cmake
+--- libarchive-3.7.0.orig/build/cmake/CreatePkgConfigFile.cmake
++++ libarchive-3.7.0/build/cmake/CreatePkgConfigFile.cmake
 @@ -29,5 +29,5 @@ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DI
 # And install it, of course ;).
 IF(ENABLE_INSTALL)
diff --git a/libarchive-3.6.2.tar.xz b/libarchive-3.6.2.tar.xz
deleted file mode 100644
index 608063a..0000000
--- a/libarchive-3.6.2.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9e2c1b80d5fbe59b61308fdfab6c79b5021d7ff4ff2489fb12daf0a96a83551d
-size 5213196
diff --git a/libarchive-3.6.2.tar.xz.asc b/libarchive-3.6.2.tar.xz.asc
deleted file mode 100644
index b0b9865..0000000
--- a/libarchive-3.6.2.tar.xz.asc
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmOTTgMACgkQWEihi48U
-GEsIrgv6ApeOuR8LQt9p2PUBHxcQbyXXtjJSP6VpKCE5PfwonjpVt3+vlFKenFko
-BjXvDARtlAX2SU17UYIGlpHfGF7dofke3JykRPKwjQfT8bxu/+QdwaJjjyEyHCGI
-3sdPkrK7TGDc9/R5imsBAq30hDX3Cwpmdv8IBT5G/sjdXmXPGog1E7GjUFHO0ADE
-GqpOhvyxUzjPln1RRpT0KVTgHBN/GJosM/Wwt615s8MqmRgxgi/EwZAc1p2QuIwS
-KjCHIQ6GdONNMPWxxJY0kI8ifXmhGiBseIyECIFah7eUhqmQfWnwgL7p3bb0A2r8
-UMX8IvW79n5Er6U3r0SbS+kIhirq8YH8jUvCgkH5cYjU9vTcCYYnhY3/nz+lFW06
-2CZzKwwTUARPjhPJnqPLmf6IQPLJ25g92zauQE1tQ7s1OWnSMdjE4F+nBeNRlAEr
-wXwOuINhaH/d0ujxb7fgEtzmj9iETGnNfa6MAVw8+u6fIbjBZO/8atp1askbAPPl
-SYPNnQ/2
-=9Ggs
------END PGP SIGNATURE-----
diff --git a/libarchive-3.7.4.tar.xz b/libarchive-3.7.4.tar.xz
new file mode 100644
index 0000000..360ad33
--- /dev/null
+++ b/libarchive-3.7.4.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f887755c434a736a609cbd28d87ddbfbe9d6a3bb5b703c22c02f6af80a802735
+size 5417660
diff --git a/libarchive-3.7.4.tar.xz.asc b/libarchive-3.7.4.tar.xz.asc
new file mode 100644
index 0000000..acfe79b
--- /dev/null
+++ b/libarchive-3.7.4.tar.xz.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmYre4IACgkQWEihi48U
+GEvAuwwAmsnbql7+1CW9RuBHitOvHyIL6sHbjR0Hd3ruI9s3FMevMBzPjpb5MgOU
+/D+o0amv1Tv/QSJAid1siZIumgur2hzqglNMK5FkoajpZ1UjYASHHxFoh5qkRKvW
+Ws/ViXMVGB2DlyydzzjFwa0JAAK/IpD9uKPPr6rgt+cRBibkWXuJILbmzi/DF1XH
+zlp/5FGwzY4/zhqbXgz11ZhX3gacdLd68+xsYbSII2JvZ2yb2zsS+0ia3skUawEj
+QMKzdpErqO+RedsRiJG9fjA65Q1hKWpMoWMuKZWLX+v0iv/OHv57RzLelmPy6Ohw
+0/PwCHFzFmOfu2LZd+mCWsrYaBrezGJq9tm+pAsCXSxcj3LuQwZ6d8/wgtS5CeNE
++LoHCbzAcI5WiyU3wbw1qvulVDewL+j0rQoj23Lj2z9ry2K94NMpYji3JMkWI8dS
+QXitZd29uZ9l5Jf5Kz9BLHOoO1Q8bEOGB33dLpT+UIjFoJ6wqxNXef6OAECoHGH0
+OnEtTuAX
+=kNTk
+-----END PGP SIGNATURE-----
diff --git a/libarchive.changes b/libarchive.changes
index 736b6ea..08de6b8 100644
--- a/libarchive.changes
+++ b/libarchive.changes
@@ -1,13 +1,80 @@ +------------------------------------------------------------------- +Wed May 22 08:32:02 UTC 2024 - Danilo Spinella + +- Fix bsdunzip test failing due to a locale issue + * fix-bsdunzip-test.patch + +------------------------------------------------------------------- +Tue Apr 30 08:05:28 UTC 2024 - Danilo Spinella + +- Update to 3.7.4: + * rar: Fix OOB in rar e8 filter (CVE-2024-26256, bsc#1222911) + * zip: Fix out of boundary access + * 7zip: Limit amount of properties + * bsdtar: Fix error handling around strtol() usages + * passphrase: Improve newline handling on Windows + * passphrase: Never allow empty passwords + * rar: Fix "File CRC Error" when extracting specific rar4 archives + * xar: Avoid infinite link loop + * zip: Update AppleDouble support for directories + * zstd: Implement core detection +- Update to 3.7.3: + * PCRE2 support + * add trailing letter b to bsdtar(1) substitute pattern + * add support for long options "--group" and "--owner" to tar(1) + * Fix possible vulnerability in tar error reporting introduced in f27c173 + * ISO9660: preserve the natural order of links + * rar5: fix decoding unicode filenames on Windows + * rar5: fix infinite loop if during rar5 decompression the last block produced no data + * xz filter: fix incorrect eof at the end of an lzip member + * zip: fix end-of-data marker processing when decompressing zip archives + * multiple bsdunzip(1) fixes + * filetime truncation fix on Windows +- Fix rpmlint warning about summary being too long + +------------------------------------------------------------------- +Fri Dec 29 18:39:00 UTC 2023 - Dirk Müller + +- skip write tests on 32bit, they OOM + +------------------------------------------------------------------- +Sun Sep 17 08:53:58 UTC 2023 - Dirk Müller + +- update to 3.7.2: + * Multiple vulnerabilities have been fixed in the PAX writer + * bsdunzip(1) now correctly handles arguments following an + -x after the zipfile + * zstd filter now supports the 
"long" write option + * SEGV and stack buffer overflow in verbose mode of cpio + * bsdunzip updated to match latest upstream code + * miscellaneous functional bugfixes + + +------------------------------------------------------------------- +Mon Jul 24 06:36:59 UTC 2023 - Bernhard Wiedemann + +- update to 3.7.0 + * bsdunzip port from FreeBSD + * fix 2 year 2038 issues + ------------------------------------------------------------------- Fri Dec 23 07:57:09 UTC 2022 - Dirk Müller - update to 3.6.2 (bsc#1205629, CVE-2022-36227) - * NULL pointer dereference vulnerability in archive_write.c + * NULL pointer dereference vulnerability in archive_write.c * include ZSTD in Windows builds (#1688) * SSL fixes on Windows (#1714, #1723, #1724) * rar5 reader: fix possible garbled output with bsdtar -O (#1745) * mtree reader: support reading mtree files with tabs (#1783) * various small fixes for issues found by CodeQL +- Drop upstream merged CVE-2022-36227.patch + +------------------------------------------------------------------- +Tue Nov 22 14:20:36 UTC 2022 - Danilo Spinella + +- Fix CVE-2022-36227, Handle a calloc returning NULL + (CVE-2022-36227, bsc#1205629) + * CVE-2022-36227.patch ------------------------------------------------------------------- Fri Apr 8 17:01:05 UTC 2022 - Dirk Müller 
@@ -19,7 +86,15 @@ Fri Apr 8 17:01:05 UTC 2022 - Dirk Müller * RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0) * fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50) * fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77) - * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715) + * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715) +- Drop upstream merged fix-CVE-2022-26280.patch + +------------------------------------------------------------------- +Tue Apr 7 16:28:45 UTC 2022 - Danilo Spinella + +- Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init + (CVE-2022-26280, bsc#1197634) + * fix-CVE-2022-26280.patch ------------------------------------------------------------------- Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen @@ -34,7 +109,19 @@ Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen * tar: respect "--ignore-zeros" in c, r and u modes * reduced size of application binaries * internal code optimizations -- Drop upstream merged fix-following-symlinks.patch +- Drop upstream merged: + * fix-following-symlinks.patch + * fix-CVE-2021-36976.patch + +------------------------------------------------------------------- +Mon Feb 23 14:44:21 UTC 2022 - Danilo Spinella + +- Fix CVE-2021-36976 use-after-free in copy_string + (CVE-2021-36976, bsc#1188572) + * fix-CVE-2021-36976.patch +- The following issues have already been fixed in this package but + weren't previously mentioned in the changes file: + CVE-2017-5601, bsc#1022528, bsc#1189528 ------------------------------------------------------------------- Mon Nov 29 09:00:26 UTC 2021 - Adrian Schröter 
@@ -48,7 +135,7 @@ Sun Nov 7 19:13:11 UTC 2021 - Andreas Stieger - update to 3.5.2: * CPIO: Support for PWB and v7 binary cpio formats - * ZIP reader: Support of deflate algorithm in symbolic link decompression + * ZIP reader: Support of deflate algorithm in symbolic link decompression * security: fix handling of symbolic link ACLs on Linux (boo#1192425) * security: never follow symlinks when setting file flags on Linux (boo#1192426) * security: do not follow symlinks when processing the fixup list (boo#1192427) @@ -58,7 +145,27 @@ Sun Nov 7 19:13:11 UTC 2021 - Andreas Stieger * ZIP reader: fix excessive read for padded zip * CAB reader: fix double free * handle short writes from archive_write_callback - +- Drop upstream mereged: + * CVE-2021-23177.patch + * CVE-2021-31566.patch + * bsc1192427.patch + +------------------------------------------------------------------- +Fri Oct 21 14:18:01 UTC 2021 - Danilo Spinella + +- Fix CVE-2021-31566, modifies file flags of symlink target + (CVE-2021-31566, bsc#1192426.patch) + CVE-2021-31566.patch +- Fix bsc#1192427, processing fixup entries may follow symbolic links + bsc1192427.patch + +------------------------------------------------------------------- +Mon Sep 12 14:07:20 UTC 2021 - Danilo Spinella + +- Fix CVE-2021-23177, extracting a symlink with ACLs modifies ACLs of target + (CVE-2021-23177, bsc#1192425) + * CVE-2021-23177.patch + ------------------------------------------------------------------- Wed Jan 6 16:11:01 UTC 2021 - Dirk Müller @@ -149,7 +256,7 @@ Fri Nov 22 13:17:53 UTC 2019 - Adrian Schröter ------------------------------------------------------------------- Sun Aug 18 12:33:05 UTC 2019 - Ismail Dönmez -- Switch to cmake build +- Switch to cmake build - Add lib-suffix.patch to honor LIB_SUFFIX - Add fix-zstd-test.patch to fix zstd test - Add fix-soversion.patch to fix the soversion to 13 as autotools 
@@ -331,7 +438,7 @@ Tue Nov 11 12:07:46 UTC 2014 - jsegitz@novell.com ------------------------------------------------------------------- Wed May 28 17:18:59 UTC 2014 - crrodriguez@opensuse.org -- libarchive-xattr.patch, fix subtle wrong library check +- libarchive-xattr.patch, fix subtle wrong library check that causes this package to depend on libattr when it should be using glibc. @@ -351,15 +458,15 @@ Tue Aug 20 05:34:09 UTC 2013 - crrodriguez@opensuse.org ------------------------------------------------------------------- Mon Aug 19 21:14:38 UTC 2013 - crrodriguez@opensuse.org -- libarchive-openssl.patch: Call OPENSSL_config where needed, - otherwise on systems configured to use openSSL engines such +- libarchive-openssl.patch: Call OPENSSL_config where needed, + otherwise on systems configured to use openSSL engines such as via-padlock wont benefit from hardware acceleration. ------------------------------------------------------------------- Fri Aug 16 20:07:27 UTC 2013 - andreas.stieger@gmx.de - update to 3.1.2 - This is a maintenance update to fix issues with the new RAR + This is a maintenance update to fix issues with the new RAR seeking feature. - libarchive's new website moved to http://www.libarchive.org. 
@@ -428,22 +535,22 @@ Tue Aug 7 18:47:14 UTC 2012 - dimstar@opensuse.org ------------------------------------------------------------------- Mon May 7 08:35:39 UTC 2012 - werner@suse.de -- Enforce usage of reentrant versions of libc functions +- Enforce usage of reentrant versions of libc functions ------------------------------------------------------------------- Mon Feb 13 18:19:49 UTC 2012 - dvaleev@suse.com -- fix failed tests on ppc +- fix failed tests on ppc ------------------------------------------------------------------- Wed Feb 8 10:57:45 UTC 2012 - idonmez@suse.com -- Use %makeinstall to be SLES compatible +- Use %makeinstall to be SLES compatible ------------------------------------------------------------------- Thu Dec 22 11:27:05 UTC 2011 - werner@suse.de -- For SLES11 work around missing rpm macro +- For SLES11 work around missing rpm macro ------------------------------------------------------------------- Tue Dec 6 16:00:48 UTC 2011 - coolo@suse.com @@ -468,8 +575,8 @@ Fri Sep 30 08:15:50 UTC 2011 - coolo@suse.com ------------------------------------------------------------------- Tue Apr 19 13:23:09 UTC 2011 - idoenmez@novell.com -- Add suport for xz and xar archives -- Add libarchive-2.8.4-iso9660-data-types.patch: +- Add suport for xz and xar archives +- Add libarchive-2.8.4-iso9660-data-types.patch: fix ISO9660 reader data type mismatches ------------------------------------------------------------------- @@ -516,7 +623,7 @@ Sat Sep 6 17:54:11 CEST 2008 - mrueckert@suse.de ------------------------------------------------------------------- Wed Aug 15 12:58:06 CEST 2007 - ro@suse.de -- fix dependency of devel package +- fix dependency of devel package ------------------------------------------------------------------- Tue Aug 7 16:47:22 CEST 2007 - mrueckert@suse.de 
@@ -542,7 +649,7 @@ Mon Jul 30 14:31:32 CEST 2007 - mrueckert@suse.de Fri Jun 8 01:35:37 CEST 2007 - ro@suse.de - added ldconfig to post scripts -- remove minitar objects (leave binary there for now) +- remove minitar objects (leave binary there for now) ------------------------------------------------------------------- Sun Apr 8 20:53:59 CEST 2007 - mrueckert@suse.de diff --git a/libarchive.spec b/libarchive.spec index 6fcf434..01c1b10 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,7 +1,7 @@ # # spec file for package libarchive # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,9 +30,9 @@ %bcond_without ext2fs %endif Name: libarchive -Version: 3.6.2 +Version: 3.7.4 Release: 0 -Summary: Utility and C library to create and read several different streaming archive formats +Summary: Utility and C library to create and read several streaming archive formats License: BSD-2-Clause Group: Productivity/Archiving/Compression URL: https://www.libarchive.org/ @@ -42,6 +42,10 @@ Source2: libarchive.keyring Source1000: baselibs.conf Patch1: lib-suffix.patch Patch2: fix-soversion.patch +# PATCH-FIX-SUSE danilo.spinella@suse.com +# bsdunzip test fails because of a locale issue, set locale properly to fix it +# It will be fixed in the next release +Patch3: fix-bsdunzip-test.patch BuildRequires: cmake BuildRequires: libacl-devel BuildRequires: libbz2-devel @@ -171,7 +175,11 @@ Static library for libarchive %cmake_build %check -%ctest +exclude="" +%ifarch %arm %ix86 ppc s390 +exclude="-E test_write_filter" +%endif +%ctest $exclude %install %cmake_install @@ -188,6 +196,7 @@ sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc %{_bindir}/bsdcat %{_bindir}/bsdcpio %{_bindir}/bsdtar +%{_bindir}/bsdunzip %{_mandir}/man1/* %{_mandir}/man5/*
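Review bot: The `PATCH-FIX-SUSE` tag on Patch3 in libarchive.spec does not match what fix-bsdunzip-test.patch appears to be: the patch file carries a commit header (`commit 64e2e88ec326dd37fcb85c9a9d21fa43444a0a59`) and the comment itself says the fix will be in the next release, which reads like an upstream backport. If that is so, tag it as such and name the origin, e.g. `# PATCH-FIX-UPSTREAM fix-bsdunzip-test.patch danilo.spinella@suse.com -- set a UTF-8 locale for the bsdunzip -I test (upstream commit 64e2e88e)`. A recorded origin lets the next version bump confirm the patch is merged before dropping it.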
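Review bot: The `-E test_write_filter` exclusion added to %check in libarchive.spec skips every test whose name matches that regex on %arm, %ix86, ppc and s390, and nothing in the spec says why. The reason is only in the changelog (the write tests run out of memory on 32-bit), so it belongs next to the code: `# test_write_filter* run out of memory on 32-bit builders, skip them there`. These tests cover the compression write paths, and 32-bit is where size and offset truncation tends to show up, so it would be better to narrow the pattern to the tests that actually exhaust memory than to drop the whole group. `$exclude` is left unquoted so that it splits into two arguments; a short comment saying so would keep someone from quoting it later.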