Dominique Leuenberger
7b43fa7295
- Update to 3.8.7: * CAB: fix NULL pointer dereference during skip (#2900) * CAB: Fix Heap OOB Write in CAB LZX decoder (#2919) * cpio: various fixes and improvements (#2899, #2908, #2910, #2939) * contrib/untar: fix out-of-bounds read (#2903) * iso9660: fix undefined behavior (#2897) * iso9660: fix posibble heap buffer overflow on 32-bit systems (#2934) * libarchive: fix handling of option failures (#2871) * libarchive: do not continue with truncated numbers (#2911) * libarchive: lzop and grzip filter support (#2947) * RAR: fix LZSS window size mismatch after PPMd block (#2898) - Added add-missing-tests.patch: the distributed tarball is missing a test file, add it back - Removed libarchive-3.8.6-add-missing-test.patch - update to 3.8.6: * fix incompatibility with Nettle 4.x (boo#1257934) * fix NULL pointer dereference in archive_acl_from_text_w() (boo#1260998) * bsdunzip: fix ISO week year and Gregorian year confusion * 7zip: fix SEGV in check_7zip_header_in_sfx via ELF offset validation (boo#1260999) * 7zip: fix out-of-bounds access on ELF 64-bit header (boo#1261000) * RAR5 reader: fix infinite loop in rar5 decompression (boo#1261001) * RAR5 reader: fix potential memory leak (boo#1261002) * RAR5: fix SIGSEGV when archive_read_support_format_rar5 is called twice * CAB reader: fix memory leak on repeated calls to archive_read_support_format_cab * mtree reader: Fix file descriptor leak in mtree parser cleanup (boo#1261003) * various small bugfixes in code and documentation - the distributed tarball is missing a test file, add it back add libarchive-3.8.6-add-missing-test.patch - Update to 3.8.5: * bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix (#2809) * various small bugfixes in code and documentation - Remove libarchive-3.8.4-tar-fix-tests.patch to fix tests - Update to 3.8.4: * bsdtar: Fix zero-length pattern issue * lib: Fix regression introduced in libarchive 3.8.2 when walking enterable but unreadable directories - add libarchive-3.8.4-tar-fix-tests.patch to fix tests - Update to 3.8.3: * lib: Create temporary files in the target directory (boo#1254340) * lha: Fix for an out-of-bounds buffer overrun when using p[H_LEVEL_OFFSET] (boo#1254341) * 7-zip: Fix a buffer overrun when reading truncated 7zip headers (boo#1254342) * lz4 and zstd: Support both lz4 and zstd data with leading skippable frames - update upstream signing key - update to 3.8.2: Security fixes: * 7zip: Fix out of boundary access * tar reader: fix checking the result of the strftime (CVE-2025-25724) Notable bugfixes: * bsdtar: Allow filename to have CRLF endings * lib: archive_read_data: handle sparse holes at end of file correctly * lib: improve filter process handling * lib: fix error checking in writing files * lib: handle possible errors from system calls * lib: avoid leaking file descriptors into subprocesses * lib: parse_date: handle dates in 2038 and beyond if time_t is big enough * RAR5 reader: fix multiple issues in extra field parsing function * RAR5 reader: early fail when file declares data for a dir entry * tar writer: fix replacing a regular file with a dir for ARCHIVE_EXTRACT_SAFE_WRITES * tar reader (Windows): check WCS pathname in header_gnutar before overwriting * tar reader: fix an infinite loop when parsing V headers * zip writer: fix a memory leak if write callback error early * zip writer: fix writing with ZSTD compression * zstd write filter: enable Zstandard's checksum feature - update to 3.8.1: * libarchive: fix FILE_skip regression * compress: Prevent call stack overflow * iso9660: always check archive_string_ensure return value * tar: Support negative time values with pax * tar: Reset accumulated header state after reading macOS metadata blob * tar: Keep block alignment after pax error * tar: Handle extra bytes after sparse entries - includes changes from 3.8.0: * bsdtar: support --mtime and --clamp-mtime * 7-zip reader: improve self-extracting archive detection * xar: xmllite support for the XAR reader and writer * zip writer: added XZ, LZMA, ZSTD and BZIP2 support * zip writer: added LZMA + RISCV BCJ filter * rar: do not skip past EOF while reading (boo#1244159) * rar: fix double free with over 4 billion nodes (boo#1244160) * rar: fix heap-buffer-overflow (boo#1244161) * warc: prevent signed integer overflow (boo#1244162) * tar: fix overflow in build_ustar_entry (boo#1244163) * bsdtar: don't hardlink negative inode files together * gz: allow setting the original filename for gzip compressed files * lib: improve lseek handling * lib: support @-prefixed Unix epoch timestamps as date strings * rar: support large headers on 32 bit systems * tar reader: Improve LFS support on 32 bit systems - drop lib-suffix.patch, different implementation upstream - spec file clean-up, removing currently unused -static - Update to 3.7.9: * fix regression regarding GNU sparse entries - Update to 3.7.8: * 7zip reader: add SPARC and POWERPC filter support for non-LZMA compressors * tar reader: Ignore ustar size when pax size is present * tar writer: Fix bug when -s/a/b/ used more than once with b flag * libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter * libarchive: Adding missing seeker function to archive_read_open_FILE() - inludes the previously patched security fixes, dropping: CVE-2025-1632.patch, CVE-2025-25724.patch, CVE-2024-57970.patch - Fix CVE-2025-1632, null pointer dereference in bsdunzip.c (CVE-2025-1632, bsc#1237606) * CVE-2025-1632.patch - Fix CVE-2025-25724, Buffer Overflow vulnerability in libarchive (CVE-2025-25724, bsc#1238610) * CVE-2025-25724.patch - Fix CVE-2024-57970, heap-based buffer over-read in header_gnu_longlink because it mishandles truncation (CVE-2024-57970, bsc#1237233) * CVE-2024-57970.patch - Update to 3.7.7: * gzip: prevent a hang when processing a malformed gzip inside a gzip * tar: don't crash on truncated tar archives * tar: fix two leaks in tar header parsing * 7-zip: read/write symlink paths as UTF-8 * cpio: exit with an error code if an entry could not be extracted * rar5: report encrypted entries * tar: fix truncation of entry pathnames in specific archives - Update to 3.7.6: * tar: clean up linkpath between entries * tar: fix memory leaks when processing symlinks or parsing pax headers * iso: be more cautious about parsing ISO-9660 timestamps - Version 3.7.5 changes: * fix multiple vulnerabilities identified by SAST * cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing * lzop: prevent integer overflow * rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696, bsc#1225971) * rar4: fix CVE-2024-26256 (CVE-2024-26256, bsc#1225972) * rar4: fix OOB in delta and audio filter * rar4: fix out of boundary access with large files * rar4: add boundary checks to rgb filter * rar4: fix OOB access with unicode filenames * rar5: clear 'data ready' cache on window buffer reallocs * rpm: calculate huge header sizes correctly * unzip: unify EOF handling * util: fix out of boundary access in mktemp functions * uu: stop processing if lines are too long * 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes * ar: fix archive entries having no type * lha: do not allow negative file sizes * lha: fix integer truncation on 32-bit systems * shar: check strdup return value * rar5: don't try to read rediculously long names * xar: fix another infinite loop and expat error handling * many Windows fixes, cleanups and improvements - Drop fix-soversion.patch, fix-bsdunzip-test.patch * Fixed upstream - Update lib-suffix.patch * Add LIB_SUFFIX to libdir path in the pkg-config file - Fix bsdunzip test failing due to a locale issue * fix-bsdunzip-test.patch - Update to 3.7.4: * rar: Fix OOB in rar e8 filter (CVE-2024-26256, bsc#1222911) * zip: Fix out of boundary access * 7zip: Limit amount of properties * bsdtar: Fix error handling around strtol() usages * passphrase: Improve newline handling on Windows * passphrase: Never allow empty passwords * rar: Fix "File CRC Error" when extracting specific rar4 archives * xar: Avoid infinite link loop * zip: Update AppleDouble support for directories * zstd: Implement core detection - Update to 3.7.3: * PCRE2 support * add trailing letter b to bsdtar(1) substitute pattern * add support for long options "--group" and "--owner" to tar(1) * Fix possible vulnerability in tar error reporting introduced in f27c173 * ISO9660: preserve the natural order of links * rar5: fix decoding unicode filenames on Windows * rar5: fix infinite loop if during rar5 decompression the last block produced no data * xz filter: fix incorrect eof at the end of an lzip member * zip: fix end-of-data marker processing when decompressing zip archives * multiple bsdunzip(1) fixes * filetime truncation fix on Windows - Fix rpmlint warning about summary being too long - skip write tests on 32bit, they OOM - update to 3.7.2: * Multiple vulnerabilities have been fixed in the PAX writer * bsdunzip(1) now correctly handles arguments following an -x after the zipfile * zstd filter now supports the "long" write option * SEGV and stack buffer overflow in verbose mode of cpio * bsdunzip updated to match latest upstream code * miscellaneous functional bugfixes - update to 3.7.0 * bsdunzip port from FreeBSD * fix 2 year 2038 issues - update to 3.6.2 (bsc#1205629, CVE-2022-36227) * NULL pointer dereference vulnerability in archive_write.c * include ZSTD in Windows builds (#1688) * SSL fixes on Windows (#1714, #1723, #1724) * rar5 reader: fix possible garbled output with bsdtar -O (#1745) * mtree reader: support reading mtree files with tabs (#1783) * various small fixes for issues found by CodeQL - Drop upstream merged CVE-2022-36227.patch - Fix CVE-2022-36227, Handle a calloc returning NULL (CVE-2022-36227, bsc#1205629) * CVE-2022-36227.patch - update to 3.6.1: * 7zip reader: fix PPMD read beyond boundary (#1671) * ZIP reader: fix possible out of bounds read (OSS-Fuzz 38766 #1672) * ISO reader: fix possible heap buffer overflow in read_children() (OSS-Fuzz 38764, #1685) * RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0) * fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50) * fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77) * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715) - Drop upstream merged fix-CVE-2022-26280.patch - Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init (CVE-2022-26280, bsc#1197634) * fix-CVE-2022-26280.patch - Update to 3.6.0 * Fix use-after-free bug (CVE-2021-36976) * tar: new option "--no-read-sparse" * tar: threads support for zstd * RAR reader: filter support * RAR5 reader: self-extracting archive support * ZIP reader: zstd decompression support * tar: respect "--ignore-zeros" in c, r and u modes * reduced size of application binaries * internal code optimizations - Drop upstream merged: * fix-following-symlinks.patch * fix-CVE-2021-36976.patch - Fix CVE-2021-36976 use-after-free in copy_string (CVE-2021-36976, bsc#1188572) * fix-CVE-2021-36976.patch - The following issues have already been fixed in this package but weren't previously mentioned in the changes file: CVE-2017-5601, bsc#1022528, bsc#1189528 - fix permission settings on following symlinks (fix-following-symlinks.patch) this fixes also wrong permissions of /var/tmp in factory systems CVE-2021-31566 - update to 3.5.2: * CPIO: Support for PWB and v7 binary cpio formats * ZIP reader: Support of deflate algorithm in symbolic link decompression * security: fix handling of symbolic link ACLs on Linux (boo#1192425) * security: never follow symlinks when setting file flags on Linux (boo#1192426) * security: do not follow symlinks when processing the fixup list (boo#1192427) * fix extraction of hardlinks to symlinks * 7zip reader and writer fixes * RAR reader fixes * ZIP reader: fix excessive read for padded zip * CAB reader: fix double free * handle short writes from archive_write_callback - Drop upstream mereged: * CVE-2021-23177.patch * CVE-2021-31566.patch * bsc1192427.patch - Fix CVE-2021-31566, modifies file flags of symlink target (CVE-2021-31566, bsc#1192426.patch) CVE-2021-31566.patch - Fix bsc#1192427, processing fixup entries may follow symbolic links bsc1192427.patch - Fix CVE-2021-23177, extracting a symlink with ACLs modifies ACLs of target (CVE-2021-23177, bsc#1192425) * CVE-2021-23177.patch - update to 3.5.1: * various compilation fixes (#1461, #1462, #1463, #1464) * fixed undefined behavior in a function in warc reader (#1465) - Update to version 3.5.0 New features: * mtree digest reader support (#1347) * completed support for UTF-8 encoding conversion (#1389) * minor API enhancements (#1258, #1405) * support for system extended attributes (#1409) * support for decompression of symbolic links in zipx archives (#1435) Important bugfixes * fixed extraction of archives with hard links pointing to itself (#1381) * cpio fixes (#1387, #1388) * fixed uninitialized size in rar5_read_data (#1408) * fixed memory leaks in error case of archive_write_open() functions (#1456) - Drop libarchive-3.4.3-fix_test_write_disk_secure.patch, fixed upstream. - fix build with binutils submitted to Factory, adding upstream libarchive-3.4.3-fix_test_write_disk_secure.patch - Update to version 3.4.3 * support for pzstd compressed files (#1357) * support for RHT.security.selinux tar extended attribute (#1348) * various zstd fixes and improvements (#1342 #1352 #1359) * child process handling fixes (#1372) - Switch back to cmake build now that cmake-mini exists, this will no longer create a build-cycle. - Update to version 3.4.2 New features: * support for atomic file extraction (bsdtar -x --safe-writes) (#1289) * support for mbed TLS (PolarSSL) (#1301) Important bugfixes: * security fixes in RAR5 reader (#1280 #1326) * compression buffer fix in XAR writer (#1317) * fix uname and gname longer than 32 characters in PAX writer (#1319) * fix segfault when archiving hard links in ISO9660 and XAR writers (#1325) * fix support for extracting 7z archive entries with Delta filter (#987) - Revert back to autoconf, cmake introduces a cycle. Leave cmake patches in since they are basically correct and might be useful in the future. - Update to version 3.4.1 New features: * Unicode filename support for reading lha/lzh archives * New pax write option "xattrhdr" Important bugfixes: * security fixes in wide string processing (#1276 #1298) * security fixes in RAR5 reader (#1212 #1217 #1296) CVE-2019-19221 * security fixes and optimizations to write filter logic (#351) * security fix related to use of readlink(2) (1dae5a5) * sparse file handling fixes (#1218 #1260) - Drop CVE-2019-19221.patch and fix-zstd-test.patch, fixed upstream - fix bsc#1157569 CVE-2019-19221.patch out-of-bounds read in libarchive - Switch to cmake build - Add lib-suffix.patch to honor LIB_SUFFIX - Add fix-zstd-test.patch to fix zstd test - Add fix-soversion.patch to fix the soversion to 13 as autotools - Add lz4 and zstd support - Add BuildRequires on liblz4-devel and libzstd-devel - Update to version 3.4.0 * Support for file and directory symlinks on Windows * Read support for RAR 5.0 archives * Read support for ZIPX archives with xz, lzma, ppmd8 and bzip2 compression * Support for non-recursive list and extract * New tar option: --exclude-vcs * Improved file attribute support on Linux and file flags support on FreeBSD * Fix reading Android APK archives (#1055 ) * Fix problems related to unreadable directories (#1167) * A two-digit number of OSS-Fuzz issues was resolved in this release including CVE-2019-18408 - Add libarchive.keyring and validate the tarball signature - Drop all security patches, fixed upstream: * CVE-2018-1000877.patch * CVE-2018-1000878.patch * CVE-2018-1000879.patch * CVE-2018-1000880.patch * CVE-2019-1000019.patch * CVE-2019-1000020.patch - Added patches: * CVE-2019-1000019.patch Fixes 7zip crash (boo#1124341) * CVE-2019-1000020.patch ISO9660 infinite loop fixed (boo#1124342) - Added patches: * CVE-2018-1000877.patch, which fixes a double free vulnerability in RAR decoder (CVE-2018-1000877 bsc#1120653) * CVE-2018-1000878.patch, which fixes a Use-After-Free vulnerability in RAR decoder (CVE-2018-1000878 bsc#1120654) * CVE-2018-1000879.patch, which fixes a NULL Pointer Dereference vulnerability in ACL parser (CVE-2018-1000879 bsc#1120656) * CVE-2018-1000880.patch, which fixes an improper input validation vulnerability in WARC parser (CVE-2018-1000880 bsc#1120659) - Make use of %license macro - Applied spec-cleaner - Fix RPM groups. Remove idempotent %if..%endif guards. Diversify summaries. Set CFLAGS instead of re-defining optflags with itself. - update to version 3.3.3 * Avoid super-linear slowdown on malformed mtree files * Many fixes for building with Visual Studio * NO_OVERWRITE doesn't change existing directory attributes * New support for Zstandard read and write filters - Fixes CVE-2017-14501, CVE-2017-14502, CVE-2017-14503 - fix-CVE-2017-14166.patch is obsolete - update to version 3.3.2 * NFSv4 ACL support for Linux (librichacl) - fix-CVE-2017-14166.patch (boo#1057514) - update to version 3.3.1 * Security & Feature release Details are not documented from upstream yet fix-extract-over-links.patch and libarchive-openssl.patch obsoleted - fix extracting over symlinks: fix-extract-over-links.patch the problem is solved upstream different, but git master is too different atm. - update to version 3.2.2 Unspecified security fixes, but at least: * CVE-2016-8687 * CVE-2016-8689 * CVE-2016-8688 * CVE-2016-5844 * CVE-2016-6250 * CVE-2016-5418 - obsoletes fix-build.patch - make bsdtar require a matching libarchive version to avoid missing symbol errors - update to version 3.2.1 Fixes a number of security issues: CVE-2015-8934, CVE-2015-8933, CVE-2015-8917, CVE-2016-4301, CVE-2016-4300 - and fixing the build (fix-build.patch) - limit size of symlinks in cpio archives (CVE-2016-4809, boo#984990) CVE-2016-4809.patch - 4GB _constraints for ppc64le only, it would break other archs - update to version 3.2.0 * Fixes CVE-2016-1541 * Fixes CVE-2015-8928 * changes are only documented in git history * updated openssl patch * new bsdcat utility - removed obsolete patches for: * CVE-2013-0211.patch * directory-traversal-fix.patch * libarchive-xattr.patch - add _constraints memory 4096MB to avoid ppc64le build failure - build static lib on RHEL 7 - RHEL/CentOS build fix, skipping autoreconf - add CVE for previous change - fix a directory traversal in cpio tool (bnc#920870) directory-traversal-fix.patch CVE-2015-2304 - Added CVE-2013-0211.patch to fix CVE-2013-0211 (bnc#800024) - libarchive-xattr.patch, fix subtle wrong library check that causes this package to depend on libattr when it should be using glibc. - add optional -static-devel library package, intended to publish pixz for CentOS / RHEL, default off - skip some dependencies not required for pixz on CentOS / RHEL - remove artificial dependencies on libacl-devel, libbz2-devel, zlib-devel from libarchive-devel. - libarchive-openssl.patch: Call OPENSSL_config where needed, otherwise on systems configured to use openSSL engines such as via-padlock wont benefit from hardware acceleration. - update to 3.1.2 This is a maintenance update to fix issues with the new RAR seeking feature. - libarchive's new website moved to http://www.libarchive.org. - Explicitly list libattr-devel as BuildRequires (and sort those) - Use %libname macro to be consistent throughout the spec file - Update to version 3.1.1: + Fix an issue with the soname versioning in builds of libarchive using cmake - Removed patchs; fixed and merged on upstream release: * libarchive-fix-checks.patch * libarchive-ppc64.patch - The soname has changed and pass to 13. - libarchive-ppc64.patch: fix http://code.google.com/p/libarchive/issues/detail?id=277 test_option_b and test_option_nodump are failing on ppc64 - license update: BSD-2-Clause The COPYING file shows that the package is predominantly BSD-2-Clause licensed - Update to version 3.0.4: + libarchive development moved to http://libarchive.github.com/ - Changes from version 3.0.2: + Various fixes merged from FreeBSD + Symlink support in Zip reader and writer + Robustness fixes to 7Zip reader - Changes from version 3.0.1b: + 7Zip reader + Small fixes to ISO and Zip to improve robustness with corrupted input + Improve streaming Zip reader's support for uncompressed entries + New seeking Zip reader supports SFX Zip archives + Build fixes on Windows - For more changes since 2.8.5, please see NEWS file - Update URL Tag to represent new home of the project. - Rename libarchive2 to libarchive12, following upstreams soname bumps. - Add libarchive-fix-checks.patch: Fix gcc 4.7 side effects. - Drop libarchive-test-fuzz.patch: fixed upstream. - Drop libarchive-ignore-sigpipe-in-test-suite.patch: fixed upstream. - Drop libarchive-2.5.5_handle_ENOSYS_from_lutimes.patch: upstream rejected the patch. Seems to be too theoretical problem. - Enforce usage of reentrant versions of libc functions - fix failed tests on ppc - Use %makeinstall to be SLES compatible - For SLES11 work around missing rpm macro - rename main package to libarchive - Update to libarchive 2.8.5 (from werner) * Fix issue 134: Improve handling of open failures * Fix issue 119: Relax ISO verification * Fix issue 121: mtree parsing * Fix extraction of GNU tar 'D' directory entries * Be less demanding in LZMA/XZ compression tests - add baselibs.conf for PackageKit to use - Add suport for xz and xar archives - Add libarchive-2.8.4-iso9660-data-types.patch: fix ISO9660 reader data type mismatches - udpate to libarchive-2.8.4 - see /usr/share/doc/packages/libarchive2/NEWS for changes - drop libarchive-2.5.5_fix_testsuite.patch (upstream) - update libarchive-2.5.5_handle_ENOSYS_from_lutimes.patch - clean up specfile - disable make check for now - enable parallel building - added libarchive-2.5.5_handle_ENOSYS_from_lutimes.patch: it can happen that your system at build times supports lutimes but later at runtime the needed syscall is missing. - fix rm calls in %install - update to 2.5.5 This is a major version bump again: it incorporates lots of bugfixes and improvements. For all the details please see /usr/share/doc/packages/libarchive2/NEWS - drop the .la file - dropped patch libarchive-2.2.5_rpath.patch: no longer needed - added libarchive-2.5.5_fix_testsuite.patch: added missing mode to open() with O_CREAT - fix dependency of devel package - restructured package: bsdtar is now the main package and libarchive2 and libarchive-devel the subpackages. This saves us a rename on soversion bumps. - update to 2.2.5 (#291358) This is a major version bump. For a full list of all changes see /usr/share/doc/packages/libarchive/NEWS. Mostly notable this up- date includes the fixes for the following security bugs: Errors handling corrupt tar files in libarchive (CVE-2007-3641, CVE-2007-3644, CVE-2007-3645) - added libarchive-2.2.5_rpath.patch: dont set a rpath on the builddir. - no longer building the static lib - added ldconfig to post scripts - remove minitar objects (leave binary there for now) - updated to 2.0.28 - removed all patches: included upstream - require libbz2-devel on >= 10.3 - Change requires for libbz2 split. - updated bsdtar-1.2.53_ext2_include.patch: the old fix was not complete and on newer glibc/kernel-headers it seems you need to include linux/fs.h explicitly new name: bsdtar-1.3.1_linux_fs_includes.patch - build with -fno-strict-aliasing - added SA-06-24_libarchive.patch: fix DOS in libarchive (CVE-2006-5680) http://security.freebsd.org/advisories/FreeBSD-SA-06:24.libarchive.asc - update to version 1.3.1 - updated to 1.2.53: Upstream merged the source tarball. Splitted of a bsdtar package - fixed building of debuginfo package - libarchive 1.2.38 OBS-URL: https://build.opensuse.org/request/show/1346471 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libarchive?expand=0&rev=64