Sync from SUSE:SLFO:Main libarchive revision 7a6a9993ae8151b1ce521ac993b8da35

CVE-2024-57970.patch

@@ -1,31 +0,0 @@
-From ca233156bfecef7fe713fe7bb86decfda728e364 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Wed, 4 Dec 2024 10:41:12 -0800
-Subject: [PATCH] Handle truncation in the middle of a GNU long linkname
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Thanks to gbdngb12 김동건 for reporting this.
-
-Resolves Issue #2415
----
- libarchive/archive_read_support_format_tar.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
-index 4aaf1b90ce..b1344ae57d 100644
---- a/libarchive/archive_read_support_format_tar.c
-+++ b/libarchive/archive_read_support_format_tar.c
-@@ -1146,7 +1146,9 @@ header_gnu_longlink(struct archive_read *a, struct tar *tar,
- 	struct archive_string linkpath;
- 	archive_string_init(&linkpath);
- 	err = read_body_to_string(a, tar, &linkpath, h, unconsumed);
--	archive_entry_set_link(entry, linkpath.s);
-+	if (err == ARCHIVE_OK) {
-+		archive_entry_set_link(entry, linkpath.s);
-+	}
- 	archive_string_free(&linkpath);
- 	return (err);
- }
-

CVE-2025-1632.patch

@@ -1,58 +0,0 @@
-From 0a35ab97fae6fb9acecab46b570c14e3be1646e7 Mon Sep 17 00:00:00 2001
-From: Peter Kaestle <peter@piie.net>
-Date: Wed, 5 Mar 2025 15:34:44 +0100
-Subject: [PATCH] unzip/bsdunzip.c: fix NULL ptr dereference issue inside
- list()
-
-Fix CVE-2025-1632 by detecting NULL return of archive_entry_pathname()
-and replacing it by "INVALID PATH" string.
-
-Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc
-
-Signed-off-by: Peter Kaestle <peter@piie.net>
----
- unzip/bsdunzip.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
-index 7c8cafc3e..4a9028b79 100644
---- a/unzip/bsdunzip.c
-+++ b/unzip/bsdunzip.c
-@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e)
- 	char buf[20];
- 	time_t mtime;
- 	struct tm *tm;
-+	const char *pathname;
- 
- 	mtime = archive_entry_mtime(e);
- 	tm = localtime(&mtime);
-@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e)
- 	else
- 		strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
- 
-+	pathname = archive_entry_pathname(e);
-+	if (!pathname)
-+		pathname = "";
- 	if (!zipinfo_mode) {
- 		if (v_opt == 1) {
- 			printf(" %8ju  %s   %s\n",
- 			    (uintmax_t)archive_entry_size(e),
--			    buf, archive_entry_pathname(e));
-+			    buf, pathname);
- 		} else if (v_opt == 2) {
- 			printf("%8ju  Stored  %7ju   0%%  %s  %08x  %s\n",
- 			    (uintmax_t)archive_entry_size(e),
- 			    (uintmax_t)archive_entry_size(e),
- 			    buf,
- 			    0U,
--			    archive_entry_pathname(e));
-+			    pathname);
- 		}
- 	} else {
- 		if (Z1_opt)
--			printf("%s\n",archive_entry_pathname(e));
-+			printf("%s\n", pathname);
- 	}
- 	ac(archive_read_data_skip(a));
- }
-

CVE-2025-25724.patch

@@ -1,34 +0,0 @@
-From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
-From: Peter Kaestle <peter@piie.net>
-Date: Wed, 5 Mar 2025 15:01:14 +0100
-Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime
-
-Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
-which could happen in case tim is incredible big.
-
-In case this error is triggered, put an "INVALID DATE" string into the
-outbuf.
-
-Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
-
-Signed-off-by: Peter Kaestle <peter@piie.net>
----
- tar/util.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/tar/util.c b/tar/util.c
-index 3b099cb5f..f3cbdf0bb 100644
---- a/tar/util.c
-+++ b/tar/util.c
-@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
- #else
- 	ltime = localtime(&tim);
- #endif
--	strftime(tmp, sizeof(tmp), fmt, ltime);
-+	if (ltime)
-+		strftime(tmp, sizeof(tmp), fmt, ltime);
-+	else
-+		sprintf(tmp, "-- -- ----");
- 	fprintf(out, " %s ", tmp);
- 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
-

lib-suffix.patch

@@ -1,42 +0,0 @@
-Index: b/libarchive/CMakeLists.txt
-===================================================================
---- a/libarchive/CMakeLists.txt
-+++ b/libarchive/CMakeLists.txt
-@@ -266,13 +266,13 @@ IF(ENABLE_INSTALL)
-   IF(BUILD_SHARED_LIBS)
-     INSTALL(TARGETS archive
-             RUNTIME DESTINATION bin
--            LIBRARY DESTINATION lib
--            ARCHIVE DESTINATION lib)
-+            LIBRARY DESTINATION lib${LIB_SUFFIX}
-+            ARCHIVE DESTINATION lib${LIB_SUFFIX})
-   ENDIF(BUILD_SHARED_LIBS)
-   INSTALL(TARGETS archive_static
-           RUNTIME DESTINATION bin
--          LIBRARY DESTINATION lib
--          ARCHIVE DESTINATION lib)
-+          LIBRARY DESTINATION lib${LIB_SUFFIX}
-+          ARCHIVE DESTINATION lib${LIB_SUFFIX})
-   INSTALL_MAN(${libarchive_MANS})
-   INSTALL(FILES ${include_HEADERS} DESTINATION include)
- ENDIF()
-Index: b/build/cmake/CreatePkgConfigFile.cmake
-===================================================================
---- a/build/cmake/CreatePkgConfigFile.cmake
-+++ b/build/cmake/CreatePkgConfigFile.cmake
-@@ -4,7 +4,7 @@
- # Set the required variables (we use the same input file as autotools)
- SET(prefix ${CMAKE_INSTALL_PREFIX})
- SET(exec_prefix \${prefix})
--SET(libdir \${exec_prefix}/lib)
-+SET(libdir \${exec_prefix}/lib${LIB_SUFFIX})
- SET(includedir \${prefix}/include)
- # Now, this is not particularly pretty, nor is it terribly accurate...
- # Loop over all our additional libs
-@@ -29,5 +29,5 @@ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DI
- # And install it, of course ;).
- IF(ENABLE_INSTALL)
-   INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/build/pkgconfig/libarchive.pc
--          DESTINATION "lib/pkgconfig")
-+          DESTINATION "lib${LIB_SUFFIX}/pkgconfig")
- ENDIF()

libarchive-3.7.7.tar.xz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmcLhAYACgkQWEihi48U
-GEvyiwv7B3V7pViPWDiSzWVz4ZDf2ooCr9T71z9VwMn/fJD9roMI8bxzgmCbsVcq
-tFWsoQcFfB3pj2hfD/VL6yYclL8Wj+qYFap7iVqHW55yqL6EIiQcgrwbQp8VecL/
-oRZaFngsNApR3DpaCespkga9JazyT6J9vUZkBZpYAWgk1hpUcGmFGquOM+6raadU
-b7I6be+a1rSbg10cwFTzk0rdg3tenDSB+GfOVI0ifBmtTlfMxLgBBz45UBFg26Bi
-FzIsRrbGXz7aM+Kq5Y9PHnbsxCQXhXdeNXanYtfdnf44nmHv+3DfM2d6KQGRr7Q9
-M5g/OWvJxWyOYcNC14HGLMzAbY7nvQauOoFV4+QoXesSRnxmw/H8T6UNhsRv5kbr
-okqmlofJmhn/xLgOzwsgHCwwRINh0iaEfxpXKyKGqAEcF8pUCFm40NDaNc+s19uo
-W9oPYIVLEdQMZfUKdgRSjVYHVOmd/cBaQtqFlU9+WJeABVlq35u2fYb5ZmMUJ/Fh
-43mpllMc
-=9DT8
------END PGP SIGNATURE-----

libarchive-3.8.1.tar.xz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmg8rVcACgkQWEihi48U
+GEsW5wv/aI/LDzxpFqr9JU1RY3PAn9uRngxVx+SRX1tdCKpeSwfjhq4gyTHjhQt+
+nP0F1z3Lo+w7AHSOVm3/DNfv906qXQEVG5AoSiztFJqNKFA2cWs+2ZgnlHFGgsu/
+IQugr7duGIm+zuPukQwPtI6P7EFwNTH3mAkU+J+Kb5nKxR4bLtgt/FL9Hl7rQR6y
+5uq5ykPBeSLAHyugWi2Ie0uki8efCLO9ha1eIlGqIaavsvYfFvleCRgsghW9bQ+8
+NGsVKjO2RWfQsSlzszJQRZaIPdV4EIP4boqfIMS1GCxhXjMVkdeDC3x1Dql9iqV3
+0xAafErxHQiXB54vgrRkgeeLUoCxNkSLFYWQt1fwufZobGCmF+BwNnIUJe77uTRF
+Gg3Eqk7Fcs77whoSClA4HYs/LL+PH9uU7XHDenUzeQMpmzrXD8qiMsFnPUa0yyQa
+XCBp+f5bUI/LhDCkCkWf+Tzky2RQIqlSgqiFUoVVby7WiUHQLTVol6E2GGROusYN
+5s1paMN8
+=YxiC
+-----END PGP SIGNATURE-----

libarchive.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Thu Jun  5 21:05:40 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 3.8.1:
+  * libarchive: fix FILE_skip regression
+  * compress: Prevent call stack overflow
+  * iso9660: always check archive_string_ensure return value
+  * tar: Support negative time values with pax
+  * tar: Reset accumulated header state after reading macOS metadata blob
+  * tar: Keep block alignment after pax error
+  * tar: Handle extra bytes after sparse entries
+- includes changes from 3.8.0:
+  * bsdtar: support --mtime and --clamp-mtime
+  * 7-zip reader: improve self-extracting archive detection
+  * xar: xmllite support for the XAR reader and writer
+  * zip writer: added XZ, LZMA, ZSTD and BZIP2 support
+  * zip writer: added LZMA + RISCV BCJ filter
+  * rar: do not skip past EOF while reading (boo#1244159)
+  * rar: fix double free with over 4 billion nodes (boo#1244160)
+  * rar: fix heap-buffer-overflow (boo#1244161)
+  * warc: prevent signed integer overflow (boo#1244162)
+  * tar: fix overflow in build_ustar_entry (boo#1244163)
+  * bsdtar: don't hardlink negative inode files together
+  * gz: allow setting the original filename for gzip compressed files
+  * lib: improve lseek handling
+  * lib: support @-prefixed Unix epoch timestamps as date strings
+  * rar: support large headers on 32 bit systems
+  * tar reader: Improve LFS support on 32 bit systems
+- drop lib-suffix.patch, different implementation upstream
+- spec file clean-up, removing currently unused -static
+
+-------------------------------------------------------------------
+Sat Apr  5 08:28:47 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Update to 3.7.9:
+  * fix regression regarding GNU sparse entries
+
+-------------------------------------------------------------------
+Sun Mar 23 18:15:43 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Update to 3.7.8:
+  * 7zip reader: add SPARC and POWERPC filter support for non-LZMA compressors
+  * tar reader: Ignore ustar size when pax size is present
+  * tar writer: Fix bug when -s/a/b/ used more than once with b flag
+  * libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
+  * libarchive: Adding missing seeker function to archive_read_open_FILE()
+- inludes the previously patched security fixes, dropping:
+  CVE-2025-1632.patch, CVE-2025-25724.patch, CVE-2024-57970.patch
+
 -------------------------------------------------------------------
 Tue Mar 11 15:54:34 UTC 2025 - Marius Grossu <marius.grossu@suse.com>
 

libarchive.spec

@@ -2,6 +2,7 @@
 # spec file for package libarchive
 #
 # Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,19 +19,8 @@
 
 %define somajor 13
 %define libname libarchive%{somajor}
-%if 0%{?centos_version} || 0%{?rhel_version}
-%if 0%{?centos_version} <= 600 || 0%{?rhel_version <= 700}
-%bcond_without	static_libs
-%bcond_with	openssl
-%bcond_with	ext2fs
-%endif
-%else
-%bcond_with	static_libs
-%bcond_without	openssl
-%bcond_without	ext2fs
-%endif
 Name:           libarchive
-Version:        3.7.7
+Version:        3.8.1
 Release:        0
 Summary:        Utility and C library to create and read several streaming archive formats
 License:        BSD-2-Clause
@@ -40,30 +30,19 @@ Source0:        https://github.com/libarchive/libarchive/releases/download/v%{ve
 Source1:        https://github.com/libarchive/libarchive/releases/download/v%{version}/libarchive-%{version}.tar.xz.asc
 Source2:        libarchive.keyring
 Source1000:     baselibs.conf
-Patch1:         lib-suffix.patch
-# PATCH-FIX-UPSTREAM CVE-2024-57970.patch bsc#1237233 antonio.teixeira@suse.com
-Patch2:         CVE-2024-57970.patch
-# PATCH-FIX-UPSTREAM bsc#1238610 marius.grossu@suse.com CVE-2025-25724
-Patch3:         CVE-2025-25724.patch
-# PATCH-FIX-UPSTREAM bsc#1237606 marius.grossu@suse.com CVE-2025-1632
-Patch4:         CVE-2025-1632.patch
 BuildRequires:  cmake
-BuildRequires:  libacl-devel
-BuildRequires:  libbz2-devel
-BuildRequires:  liblz4-devel
-BuildRequires:  libtool
-BuildRequires:  libxml2-devel
-BuildRequires:  libzstd-devel
 BuildRequires:  ninja
 BuildRequires:  pkgconfig
-BuildRequires:  xz-devel
-BuildRequires:  zlib-devel
-%if %{with ext2fs}
-BuildRequires:  libext2fs-devel
-%endif
-%if %{with openssl}
-BuildRequires:  libopenssl-devel
-%endif
+BuildRequires:  pkgconfig(bzip2)
+BuildRequires:  pkgconfig(expat)
+BuildRequires:  pkgconfig(ext2fs)
+BuildRequires:  pkgconfig(libacl)
+BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(liblz4)
+BuildRequires:  pkgconfig(liblzma)
+BuildRequires:  pkgconfig(libxml-2.0)
+BuildRequires:  pkgconfig(libzstd)
+BuildRequires:  pkgconfig(zlib) >= 1.2.1
 
 %description
 Libarchive is a programming library that can create and read several
@@ -141,13 +120,12 @@ compression, archive format detection and decoding, and archive data
 I/O. It should be very easy to add new formats, new compression
 methods, or new ways of reading/writing archives.
 
-%package -n libarchive-devel
+%package devel
 Summary:        Development files for libarchive
 Group:          Development/Libraries/C and C++
 Requires:       %{libname} = %{version}
-Requires:       glibc-devel
 
-%description -n libarchive-devel
+%description devel
 Libarchive is a programming library that can create and read several
 different streaming archive formats, including most popular tar
 variants and several cpio formats. It can also write shar archives and
@@ -158,64 +136,48 @@ and 6.
 
 This package contains the development files.
 
-%package static-devel
-Summary:        Static library for libarchive
-Group:          Development/Libraries/C and C++
-Requires:       %{name}-devel = %{version}
-
-%description static-devel
-Static library for libarchive
-
 %prep
-%setup -q
-%autopatch -p1
+%autosetup -p1
 
 %build
 %define __builder ninja
 %cmake
 %cmake_build
 
+%install
+%cmake_install
+rm "%{buildroot}%{_mandir}/man5/"{tar,cpio,mtree}.5*
+rm "%{buildroot}%{_libdir}/libarchive.a"
+
 %check
 exclude=""
-%ifarch %arm %ix86 ppc s390
+%ifarch %{arm} %{ix86} ppc s390
 exclude="-E test_write_filter"
 %endif
 %ctest $exclude
 
-%install
-%cmake_install
-
-find %{buildroot} -type f -name "*.la" -delete -print
-rm "%{buildroot}%{_libdir}/libarchive.a"
-rm "%{buildroot}%{_mandir}/man5/"{tar,cpio,mtree}.5*
-sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc
-
-%post   -n %{libname} -p /sbin/ldconfig
-%postun -n %{libname} -p /sbin/ldconfig
+%ldconfig_scriptlets -n %{libname}
 
 %files -n bsdtar
+%license COPYING
 %{_bindir}/bsdcat
 %{_bindir}/bsdcpio
 %{_bindir}/bsdtar
 %{_bindir}/bsdunzip
-%{_mandir}/man1/*
-%{_mandir}/man5/*
+%{_mandir}/man1/*.1%{?ext_man}
+%{_mandir}/man5/*.5%{?ext_man}
 
 %files -n %{libname}
 %license COPYING
 %doc NEWS
-%{_libdir}/libarchive.so.*
+%{_libdir}/libarchive.so.%{somajor}{,.*}
 
-%files -n libarchive-devel
+%files devel
+%license COPYING
 %doc examples/
-%{_mandir}/man3/*
+%{_mandir}/man3/*.3%{?ext_man}
 %{_libdir}/libarchive.so
 %{_includedir}/archive*
 %{_libdir}/pkgconfig/libarchive.pc
 
-%if %{with static_libs}
-%files static-devel
-%{_libdir}/%{name}.a
-%endif
-
 %changelog