Sync from SUSE:SLFO:Main libarchive revision e768e5a9050a15f673a67aeba0beb6ad

fix-bsdunzip-test.patch

@@ -0,0 +1,19 @@
+commit 64e2e88ec326dd37fcb85c9a9d21fa43444a0a59
+Author: Bernhard M. Wiedemann <bwiedemann@suse.de>
+Date:   Wed May 22 10:13:47 2024 +0200
+
+    Fix test failure on openSUSE:Leap:15.5
+
+diff --git a/unzip/test/test_I.c b/unzip/test/test_I.c
+index 5d31ce8d..92e5ce59 100644
+--- a/unzip/test/test_I.c
++++ b/unzip/test/test_I.c
+@@ -45,7 +45,7 @@ DEFINE_TEST(test_I)
+ #endif
+ 
+ 	extract_reference_file(reffile);
+-	r = systemf("%s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);
++	r = systemf("env -uLC_ALL LC_CTYPE=en_US.UTF-8 %s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);
+ 	assertEqualInt(0, r);
+ 	assertNonEmptyFile("test.out");
+ 	assertEmptyFile("test.err");

lib-suffix.patch

@@ -1,10 +1,17 @@
-Index: libarchive-3.4.3/libarchive/CMakeLists.txt
+Index: libarchive-3.7.0/libarchive/CMakeLists.txt
 ===================================================================
---- libarchive-3.4.3.orig/libarchive/CMakeLists.txt
-+++ libarchive-3.4.3/libarchive/CMakeLists.txt
-@@ -255,8 +255,8 @@ IF(ENABLE_INSTALL)
-   # How to install the libraries
-   INSTALL(TARGETS archive archive_static
+--- libarchive-3.7.0.orig/libarchive/CMakeLists.txt
++++ libarchive-3.7.0/libarchive/CMakeLists.txt
+@@ -265,13 +265,13 @@ IF(ENABLE_INSTALL)
+   IF(BUILD_SHARED_LIBS)
+     INSTALL(TARGETS archive
+             RUNTIME DESTINATION bin
+-            LIBRARY DESTINATION lib
+-            ARCHIVE DESTINATION lib)
++            LIBRARY DESTINATION lib${LIB_SUFFIX}
++            ARCHIVE DESTINATION lib${LIB_SUFFIX})
+   ENDIF(BUILD_SHARED_LIBS)
+   INSTALL(TARGETS archive_static
            RUNTIME DESTINATION bin
 -          LIBRARY DESTINATION lib
 -          ARCHIVE DESTINATION lib)
@@ -13,10 +20,10 @@ Index: libarchive-3.4.3/libarchive/CMakeLists.txt
    INSTALL_MAN(${libarchive_MANS})
    INSTALL(FILES ${include_HEADERS} DESTINATION include)
  ENDIF()
-Index: libarchive-3.4.3/build/cmake/CreatePkgConfigFile.cmake
+Index: libarchive-3.7.0/build/cmake/CreatePkgConfigFile.cmake
 ===================================================================
---- libarchive-3.4.3.orig/build/cmake/CreatePkgConfigFile.cmake
-+++ libarchive-3.4.3/build/cmake/CreatePkgConfigFile.cmake
+--- libarchive-3.7.0.orig/build/cmake/CreatePkgConfigFile.cmake
++++ libarchive-3.7.0/build/cmake/CreatePkgConfigFile.cmake
 @@ -29,5 +29,5 @@ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DI
  # And install it, of course ;).
  IF(ENABLE_INSTALL)

libarchive-3.6.2.tar.xz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmOTTgMACgkQWEihi48U
-GEsIrgv6ApeOuR8LQt9p2PUBHxcQbyXXtjJSP6VpKCE5PfwonjpVt3+vlFKenFko
-BjXvDARtlAX2SU17UYIGlpHfGF7dofke3JykRPKwjQfT8bxu/+QdwaJjjyEyHCGI
-3sdPkrK7TGDc9/R5imsBAq30hDX3Cwpmdv8IBT5G/sjdXmXPGog1E7GjUFHO0ADE
-GqpOhvyxUzjPln1RRpT0KVTgHBN/GJosM/Wwt615s8MqmRgxgi/EwZAc1p2QuIwS
-KjCHIQ6GdONNMPWxxJY0kI8ifXmhGiBseIyECIFah7eUhqmQfWnwgL7p3bb0A2r8
-UMX8IvW79n5Er6U3r0SbS+kIhirq8YH8jUvCgkH5cYjU9vTcCYYnhY3/nz+lFW06
-2CZzKwwTUARPjhPJnqPLmf6IQPLJ25g92zauQE1tQ7s1OWnSMdjE4F+nBeNRlAEr
-wXwOuINhaH/d0ujxb7fgEtzmj9iETGnNfa6MAVw8+u6fIbjBZO/8atp1askbAPPl
-SYPNnQ/2
-=9Ggs
------END PGP SIGNATURE-----

libarchive-3.7.4.tar.xz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmYre4IACgkQWEihi48U
+GEvAuwwAmsnbql7+1CW9RuBHitOvHyIL6sHbjR0Hd3ruI9s3FMevMBzPjpb5MgOU
+/D+o0amv1Tv/QSJAid1siZIumgur2hzqglNMK5FkoajpZ1UjYASHHxFoh5qkRKvW
+Ws/ViXMVGB2DlyydzzjFwa0JAAK/IpD9uKPPr6rgt+cRBibkWXuJILbmzi/DF1XH
+zlp/5FGwzY4/zhqbXgz11ZhX3gacdLd68+xsYbSII2JvZ2yb2zsS+0ia3skUawEj
+QMKzdpErqO+RedsRiJG9fjA65Q1hKWpMoWMuKZWLX+v0iv/OHv57RzLelmPy6Ohw
+0/PwCHFzFmOfu2LZd+mCWsrYaBrezGJq9tm+pAsCXSxcj3LuQwZ6d8/wgtS5CeNE
++LoHCbzAcI5WiyU3wbw1qvulVDewL+j0rQoj23Lj2z9ry2K94NMpYji3JMkWI8dS
+QXitZd29uZ9l5Jf5Kz9BLHOoO1Q8bEOGB33dLpT+UIjFoJ6wqxNXef6OAECoHGH0
+OnEtTuAX
+=kNTk
+-----END PGP SIGNATURE-----

libarchive.changes

@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Wed May 22 08:32:02 UTC 2024 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix bsdunzip test failing due to a locale issue
+  * fix-bsdunzip-test.patch
+
+-------------------------------------------------------------------
+Tue Apr 30 08:05:28 UTC 2024 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Update to 3.7.4:
+    * rar: Fix OOB in rar e8 filter (CVE-2024-26256, bsc#1222911)
+    * zip: Fix out of boundary access
+    * 7zip: Limit amount of properties
+    * bsdtar: Fix error handling around strtol() usages
+    * passphrase: Improve newline handling on Windows
+    * passphrase: Never allow empty passwords
+    * rar: Fix "File CRC Error" when extracting specific rar4 archives
+    * xar: Avoid infinite link loop
+    * zip: Update AppleDouble support for directories
+    * zstd: Implement core detection
+- Update to 3.7.3:
+    * PCRE2 support
+    * add trailing letter b to bsdtar(1) substitute pattern
+    * add support for long options "--group" and "--owner" to tar(1)
+    * Fix possible vulnerability in tar error reporting introduced in f27c173
+    * ISO9660: preserve the natural order of links
+    * rar5: fix decoding unicode filenames on Windows
+    * rar5: fix infinite loop if during rar5 decompression the last block produced no data
+    * xz filter: fix incorrect eof at the end of an lzip member
+    * zip: fix end-of-data marker processing when decompressing zip archives
+    * multiple bsdunzip(1) fixes
+    * filetime truncation fix on Windows
+- Fix rpmlint warning about summary being too long
+
+-------------------------------------------------------------------
+Fri Dec 29 18:39:00 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- skip write tests on 32bit, they OOM
+
+-------------------------------------------------------------------
+Sun Sep 17 08:53:58 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 3.7.2:
+  * Multiple vulnerabilities have been fixed in the PAX writer
+  * bsdunzip(1) now correctly handles arguments following an
+    -x after the zipfile
+  * zstd filter now supports the "long" write option
+  * SEGV and stack buffer overflow in verbose mode of cpio
+  * bsdunzip updated to match latest upstream code
+  * miscellaneous functional bugfixes
+
+
+-------------------------------------------------------------------
+Mon Jul 24 06:36:59 UTC 2023 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- update to 3.7.0
+  * bsdunzip port from FreeBSD
+  * fix 2 year 2038 issues
+
 -------------------------------------------------------------------
 Fri Dec 23 07:57:09 UTC 2022 - Dirk Müller <dmueller@suse.com>
 
@@ -8,6 +67,14 @@ Fri Dec 23 07:57:09 UTC 2022 - Dirk Müller <dmueller@suse.com>
   * rar5 reader: fix possible garbled output with bsdtar -O (#1745)
   * mtree reader: support reading mtree files with tabs (#1783)
   * various small fixes for issues found by CodeQL
+- Drop upstream merged CVE-2022-36227.patch
+
+-------------------------------------------------------------------
+Tue Nov 22 14:20:36 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2022-36227, Handle a calloc returning NULL
+  (CVE-2022-36227, bsc#1205629)
+  * CVE-2022-36227.patch
 
 -------------------------------------------------------------------
 Fri Apr  8 17:01:05 UTC 2022 - Dirk Müller <dmueller@suse.com>
@@ -20,6 +87,14 @@ Fri Apr  8 17:01:05 UTC 2022 - Dirk Müller <dmueller@suse.com>
   * fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50)
   * fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77)
   * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
+- Drop upstream merged fix-CVE-2022-26280.patch
+
+-------------------------------------------------------------------
+Tue Apr  7 16:28:45 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init
+  (CVE-2022-26280, bsc#1197634)
+  * fix-CVE-2022-26280.patch
 
 -------------------------------------------------------------------
 Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
@@ -34,7 +109,19 @@ Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
   * tar: respect "--ignore-zeros" in c, r and u modes
   * reduced size of application binaries
   * internal code optimizations
-- Drop upstream merged fix-following-symlinks.patch
+- Drop upstream merged:
+  * fix-following-symlinks.patch
+  * fix-CVE-2021-36976.patch
+
+-------------------------------------------------------------------
+Mon Feb 23 14:44:21 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2021-36976 use-after-free in copy_string
+  (CVE-2021-36976, bsc#1188572)
+  * fix-CVE-2021-36976.patch
+- The following issues have already been fixed in this package but
+  weren't previously mentioned in the changes file:
+  CVE-2017-5601, bsc#1022528, bsc#1189528
 
 -------------------------------------------------------------------
 Mon Nov 29 09:00:26 UTC 2021 - Adrian Schröter <adrian@suse.de>
@@ -58,6 +145,26 @@ Sun Nov  7 19:13:11 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
   * ZIP reader: fix excessive read for padded zip
   * CAB reader: fix double free
   * handle short writes from archive_write_callback
+- Drop upstream mereged:
+  * CVE-2021-23177.patch
+  * CVE-2021-31566.patch
+  * bsc1192427.patch
+
+-------------------------------------------------------------------
+Fri Oct 21 14:18:01 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2021-31566, modifies file flags of symlink target
+  (CVE-2021-31566, bsc#1192426.patch)
+  CVE-2021-31566.patch
+- Fix bsc#1192427, processing fixup entries may follow symbolic links
+  bsc1192427.patch
+
+-------------------------------------------------------------------
+Mon Sep 12 14:07:20 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2021-23177, extracting a symlink with ACLs modifies ACLs of target
+  (CVE-2021-23177, bsc#1192425)
+  * CVE-2021-23177.patch
 
 -------------------------------------------------------------------
 Wed Jan  6 16:11:01 UTC 2021 - Dirk Müller <dmueller@suse.com>

libarchive.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libarchive
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,9 +30,9 @@
 %bcond_without	ext2fs
 %endif
 Name:           libarchive
-Version:        3.6.2
+Version:        3.7.4
 Release:        0
-Summary:        Utility and C library to create and read several different streaming archive formats
+Summary:        Utility and C library to create and read several streaming archive formats
 License:        BSD-2-Clause
 Group:          Productivity/Archiving/Compression
 URL:            https://www.libarchive.org/
@@ -42,6 +42,10 @@ Source2:        libarchive.keyring
 Source1000:     baselibs.conf
 Patch1:         lib-suffix.patch
 Patch2:         fix-soversion.patch
+# PATCH-FIX-SUSE danilo.spinella@suse.com
+# bsdunzip test fails because of a locale issue, set locale properly to fix it
+# It will be fixed in the next release
+Patch3:         fix-bsdunzip-test.patch
 BuildRequires:  cmake
 BuildRequires:  libacl-devel
 BuildRequires:  libbz2-devel
@@ -171,7 +175,11 @@ Static library for libarchive
 %cmake_build
 
 %check
-%ctest
+exclude=""
+%ifarch %arm %ix86 ppc s390
+exclude="-E test_write_filter"
+%endif
+%ctest $exclude
 
 %install
 %cmake_install
@@ -188,6 +196,7 @@ sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc
 %{_bindir}/bsdcat
 %{_bindir}/bsdcpio
 %{_bindir}/bsdtar
+%{_bindir}/bsdunzip
 %{_mandir}/man1/*
 %{_mandir}/man5/*