From 03543ced187bf33fefffa802dcedc9b7a2563c163767f8bb2fddfc539adb0a0f Mon Sep 17 00:00:00 2001 
From: Martin Pluskal
Date: Tue, 3 Oct 2023 08:18:10 +0000
Subject: [PATCH 1/3] Accepting request 1111737 from home:dirkmueller:Factory

- update to 3.7.2:
  * Multiple vulnerabilities have been fixed in the PAX writer
  * bsdunzip(1) now correctly handles arguments following an -x after the zipfile
  * zstd filter now supports the "long" write option
  * SEGV and stack buffer overflow in verbose mode of cpio
  * bsdunzip updated to match latest upstream code
  * miscellaneous functional bugfixes
  * NULL pointer dereference vulnerability in archive_write.c
  * fix heap use after free in run_filters() (OSS-Fuzz 46279, #1715)
  * ZIP reader: Support of deflate algorithm in symbolic link decompression
- Switch to cmake build
- libarchive-xattr.patch, fix subtle wrong library check
- libarchive-openssl.patch: Call OPENSSL_config where needed,
  otherwise on systems configured to use openSSL engines such
  This is a maintenance update to fix issues with the new RAR
- Enforce usage of reentrant versions of libc functions
- fix failed tests on ppc
- Use %makeinstall to be SLES compatible
- For SLES11 work around missing rpm macro
- Add support for xz and xar archives
- Add libarchive-2.8.4-iso9660-data-types.patch:
- fix dependency of devel package
- remove minitar objects (leave binary there for now)

OBS-URL: https://build.opensuse.org/request/show/1111737
OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=118
---
 libarchive-3.7.0.tar.xz     |  3 ---
 libarchive-3.7.0.tar.xz.asc | 14 ----------
 libarchive-3.7.2.tar.xz     |  3 +++
 libarchive-3.7.2.tar.xz.asc | 14 +++++++++++
 libarchive.changes          | 47 +++++++++++++++++++++++--------------
 libarchive.spec             |  4 ++--
 6 files changed, 49 insertions(+), 36 deletions(-)
 delete mode 100644 libarchive-3.7.0.tar.xz
 delete mode 100644 libarchive-3.7.0.tar.xz.asc
 create mode 100644 libarchive-3.7.2.tar.xz
 create mode 100644 libarchive-3.7.2.tar.xz.asc
diff --git a/libarchive-3.7.0.tar.xz b/libarchive-3.7.0.tar.xz deleted file mode 100644 index 7023df0..0000000 --- a/libarchive-3.7.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:44729a0cc3b0b0be6742a9873d25e85e240c9318f5f5ebf2cca6bc84d7b91b07 -size 5243356 diff --git a/libarchive-3.7.0.tar.xz.asc b/libarchive-3.7.0.tar.xz.asc deleted file mode 100644 index a040078..0000000 --- a/libarchive-3.7.0.tar.xz.asc +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmS2Pm8ACgkQWEihi48U -GEtM+Av/a42UPkVL5hw6TpXr6h5mct7aoltKoP/XrJp74SdXRnTZuDtz4RCPqbkg -vduB9L0udtwYHT6LVeZg2wv81cI3Vq+zcq5W3GJhE99aVa9ZL44JmKvdlBsWjPHc -38Q+juvQ1W+hShpUQb0Y1WvYHMaYM8U7GW33Cq9YgzpgCjl9hsAAQgowWouhR0iY -MEdgU7E1rcNSrSDr9oVWdJ3DfOmqZQHHKM3P+W9XSdl/OWGc4u2HFfSq8YZE5I94 -9wlVWnWoUN4oGxKDeCxeqEdOfTNqcwfOB4v+nroVrOHfHG5TA3+JvCBXElRMTkAY -9lTHkBoDlcOoxdT1yKqf6b09SRNV1YdFaIb4H5sGPX4mjzQ01tQOYwqPn+PgZEJT -CdLF52IvLtf3E550KZqQvA4JyC/4GcYrHEnFidRsrOTgEPMTXcDzxztNljtTLQVy -WCcGDdlqFFBhhedtichRLPB7nRDoPPFS3R2gPEhkjOILWD3z0sloAF+dDOush5Kc -icEahCNV -=W7Hb ------END PGP SIGNATURE----- diff --git a/libarchive-3.7.2.tar.xz b/libarchive-3.7.2.tar.xz new file mode 100644 index 0000000..706e493 --- /dev/null +++ b/libarchive-3.7.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:04357661e6717b6941682cde02ad741ae4819c67a260593dfb2431861b251acb +size 5237056 diff --git a/libarchive-3.7.2.tar.xz.asc b/libarchive-3.7.2.tar.xz.asc new file mode 100644 index 0000000..7d4d9c1 --- /dev/null +++ b/libarchive-3.7.2.tar.xz.asc 
@@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- + +iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmT/ktkACgkQWEihi48U +GEuaGQwAys30icl3gHL4W1EBf63n2EtlEWUMy3pVab2ZO7eTYGO7slWygXYmfjTe +WwkuIsBpfrH5fBsfMRq12WxXNKBQiTY0mwTH881H1kOXsLEbeFxlUZ5JRajTLa55 +UBy/u2MJZZHjvdUUJMJG8qTHUdbjquZkZUfMWJyd7jRz9UTez6SolayUzFx6Os/V +MI0djMCQ+7FZecvA0+3AHiTsiAmK3+6upsJz2+KgczABlmFzQhcQ4y7ZdBzbSDTG +AJ6yqivLC+6Kfe6Kph8Ci5VJ/EWkc9vdei0JxQDNT/ramrGuk+9XwEC8rdCLWr6x +q8spjOHRPYf9wPeQXSEPuSkvFJIN6Y9EQ1KWHn2cYmBcr99C0iDVile0ztPO5SqX +IAgLxnZo0WuVytR2gy+xMS7gLPOIMB6Zu6+ViWlhp0Uqlk0ypndFnTXnycVWbtz2 +iCSlAH7qikHt1MhbnbPILPhNS/8IScq6aiF2TPN+p9COnzy7Gnzi/IstlG8VM/cu +njTFixjD +=aLKb +-----END PGP SIGNATURE----- diff --git a/libarchive.changes b/libarchive.changes index adc6ca1..78276ed 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sun Sep 17 08:53:58 UTC 2023 - Dirk Müller + +- update to 3.7.2: + * Multiple vulnerabilities have been fixed in the PAX writer + * bsdunzip(1) now correctly handles arguments following an + -x after the zipfile + * zstd filter now supports the "long" write option + * SEGV and stack buffer overflow in verbose mode of cpio + * bsdunzip updated to match latest upstream code + * miscellaneous functional bugfixes + + ------------------------------------------------------------------- Mon Jul 24 06:36:59 UTC 2023 - Bernhard Wiedemann @@ -9,7 +22,7 @@ Mon Jul 24 06:36:59 UTC 2023 - Bernhard Wiedemann Fri Dec 23 07:57:09 UTC 2022 - Dirk Müller - update to 3.6.2 (bsc#1205629, CVE-2022-36227) - * NULL pointer dereference vulnerability in archive_write.c + * NULL pointer dereference vulnerability in archive_write.c * include ZSTD in Windows builds (#1688) * SSL fixes on Windows (#1714, #1723, #1724) * rar5 reader: fix possible garbled output with bsdtar -O (#1745) 
@@ -26,7 +39,7 @@ Fri Apr 8 17:01:05 UTC 2022 - Dirk Müller * RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0) * fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50) * fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77) - * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715) + * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715) ------------------------------------------------------------------- Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen @@ -55,7 +68,7 @@ Sun Nov 7 19:13:11 UTC 2021 - Andreas Stieger - update to 3.5.2: * CPIO: Support for PWB and v7 binary cpio formats - * ZIP reader: Support of deflate algorithm in symbolic link decompression + * ZIP reader: Support of deflate algorithm in symbolic link decompression * security: fix handling of symbolic link ACLs on Linux (boo#1192425) * security: never follow symlinks when setting file flags on Linux (boo#1192426) * security: do not follow symlinks when processing the fixup list (boo#1192427) @@ -65,7 +78,7 @@ Sun Nov 7 19:13:11 UTC 2021 - Andreas Stieger * ZIP reader: fix excessive read for padded zip * CAB reader: fix double free * handle short writes from archive_write_callback - + ------------------------------------------------------------------- Wed Jan 6 16:11:01 UTC 2021 - Dirk Müller @@ -156,7 +169,7 @@ Fri Nov 22 13:17:53 UTC 2019 - Adrian Schröter ------------------------------------------------------------------- Sun Aug 18 12:33:05 UTC 2019 - Ismail Dönmez -- Switch to cmake build +- Switch to cmake build - Add lib-suffix.patch to honor LIB_SUFFIX - Add fix-zstd-test.patch to fix zstd test - Add fix-soversion.patch to fix the soversion to 13 as autotools 
@@ -338,7 +351,7 @@ Tue Nov 11 12:07:46 UTC 2014 - jsegitz@novell.com ------------------------------------------------------------------- Wed May 28 17:18:59 UTC 2014 - crrodriguez@opensuse.org -- libarchive-xattr.patch, fix subtle wrong library check +- libarchive-xattr.patch, fix subtle wrong library check that causes this package to depend on libattr when it should be using glibc. @@ -358,15 +371,15 @@ Tue Aug 20 05:34:09 UTC 2013 - crrodriguez@opensuse.org ------------------------------------------------------------------- Mon Aug 19 21:14:38 UTC 2013 - crrodriguez@opensuse.org -- libarchive-openssl.patch: Call OPENSSL_config where needed, - otherwise on systems configured to use openSSL engines such +- libarchive-openssl.patch: Call OPENSSL_config where needed, + otherwise on systems configured to use openSSL engines such as via-padlock wont benefit from hardware acceleration. ------------------------------------------------------------------- Fri Aug 16 20:07:27 UTC 2013 - andreas.stieger@gmx.de - update to 3.1.2 - This is a maintenance update to fix issues with the new RAR + This is a maintenance update to fix issues with the new RAR seeking feature. - libarchive's new website moved to http://www.libarchive.org. 
@@ -435,22 +448,22 @@ Tue Aug 7 18:47:14 UTC 2012 - dimstar@opensuse.org ------------------------------------------------------------------- Mon May 7 08:35:39 UTC 2012 - werner@suse.de -- Enforce usage of reentrant versions of libc functions +- Enforce usage of reentrant versions of libc functions ------------------------------------------------------------------- Mon Feb 13 18:19:49 UTC 2012 - dvaleev@suse.com -- fix failed tests on ppc +- fix failed tests on ppc ------------------------------------------------------------------- Wed Feb 8 10:57:45 UTC 2012 - idonmez@suse.com -- Use %makeinstall to be SLES compatible +- Use %makeinstall to be SLES compatible ------------------------------------------------------------------- Thu Dec 22 11:27:05 UTC 2011 - werner@suse.de -- For SLES11 work around missing rpm macro +- For SLES11 work around missing rpm macro ------------------------------------------------------------------- Tue Dec 6 16:00:48 UTC 2011 - coolo@suse.com @@ -475,8 +488,8 @@ Fri Sep 30 08:15:50 UTC 2011 - coolo@suse.com ------------------------------------------------------------------- Tue Apr 19 13:23:09 UTC 2011 - idoenmez@novell.com -- Add suport for xz and xar archives -- Add libarchive-2.8.4-iso9660-data-types.patch: +- Add suport for xz and xar archives +- Add libarchive-2.8.4-iso9660-data-types.patch: fix ISO9660 reader data type mismatches ------------------------------------------------------------------- @@ -523,7 +536,7 @@ Sat Sep 6 17:54:11 CEST 2008 - mrueckert@suse.de ------------------------------------------------------------------- Wed Aug 15 12:58:06 CEST 2007 - ro@suse.de -- fix dependency of devel package +- fix dependency of devel package ------------------------------------------------------------------- Tue Aug 7 16:47:22 CEST 2007 - mrueckert@suse.de 
@@ -549,7 +562,7 @@ Mon Jul 30 14:31:32 CEST 2007 - mrueckert@suse.de Fri Jun 8 01:35:37 CEST 2007 - ro@suse.de - added ldconfig to post scripts -- remove minitar objects (leave binary there for now) +- remove minitar objects (leave binary there for now) ------------------------------------------------------------------- Sun Apr 8 20:53:59 CEST 2007 - mrueckert@suse.de diff --git a/libarchive.spec b/libarchive.spec index 09e4fac..99354f8 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -1,7 +1,7 @@ # # spec file for package libarchive # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,7 +30,7 @@ %bcond_without ext2fs %endif Name: libarchive -Version: 3.7.0 +Version: 3.7.2 Release: 0 Summary: Utility and C library to create and read several different streaming archive formats License: BSD-2-Clause From a98beefcf3633a9a4b137188b71f83529a7b4150f4be9ca293b7263cddcf97dc Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Tue, 12 Dec 2023 10:02:48 +0000 Subject: [PATCH 2/3] Accepting request 1132047 from home:yfjiang:branches:Archiving Sync changelog with Leap/SLE. OBS-URL: https://build.opensuse.org/request/show/1132047 OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=119 --- libarchive.changes | 50 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/libarchive.changes b/libarchive.changes index 78276ed..9900211 100644 --- a/libarchive.changes +++ b/libarchive.changes 
@@ -28,6 +28,14 @@ Fri Dec 23 07:57:09 UTC 2022 - Dirk Müller * rar5 reader: fix possible garbled output with bsdtar -O (#1745) * mtree reader: support reading mtree files with tabs (#1783) * various small fixes for issues found by CodeQL +- Drop upstream merged CVE-2022-36227.patch + +------------------------------------------------------------------- +Tue Nov 22 14:20:36 UTC 2022 - Danilo Spinella + +- Fix CVE-2022-36227, Handle a calloc returning NULL + (CVE-2022-36227, bsc#1205629) + * CVE-2022-36227.patch ------------------------------------------------------------------- Fri Apr 8 17:01:05 UTC 2022 - Dirk Müller @@ -40,6 +48,14 @@ Fri Apr 8 17:01:05 UTC 2022 - Dirk Müller * fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50) * fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77) * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715) +- Drop upstream merged fix-CVE-2022-26280.patch + +------------------------------------------------------------------- +Tue Apr 7 16:28:45 UTC 2022 - Danilo Spinella + +- Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init + (CVE-2022-26280, bsc#1197634) + * fix-CVE-2022-26280.patch ------------------------------------------------------------------- Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen 
@@ -54,7 +70,19 @@ Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen * tar: respect "--ignore-zeros" in c, r and u modes * reduced size of application binaries * internal code optimizations -- Drop upstream merged fix-following-symlinks.patch +- Drop upstream merged: + * fix-following-symlinks.patch + * fix-CVE-2021-36976.patch + +------------------------------------------------------------------- +Mon Feb 23 14:44:21 UTC 2022 - Danilo Spinella + +- Fix CVE-2021-36976 use-after-free in copy_string + (CVE-2021-36976, bsc#1188572) + * fix-CVE-2021-36976.patch +- The following issues have already been fixed in this package but + weren't previously mentioned in the changes file: + CVE-2017-5601, bsc#1022528, bsc#1189528 ------------------------------------------------------------------- Mon Nov 29 09:00:26 UTC 2021 - Adrian Schröter @@ -78,6 +106,26 @@ Sun Nov 7 19:13:11 UTC 2021 - Andreas Stieger * ZIP reader: fix excessive read for padded zip * CAB reader: fix double free * handle short writes from archive_write_callback +- Drop upstream mereged: + * CVE-2021-23177.patch + * CVE-2021-31566.patch + * bsc1192427.patch + +------------------------------------------------------------------- +Fri Oct 21 14:18:01 UTC 2021 - Danilo Spinella + +- Fix CVE-2021-31566, modifies file flags of symlink target + (CVE-2021-31566, bsc#1192426.patch) + CVE-2021-31566.patch +- Fix bsc#1192427, processing fixup entries may follow symbolic links + bsc1192427.patch + +------------------------------------------------------------------- +Mon Sep 12 14:07:20 UTC 2021 - Danilo Spinella + +- Fix CVE-2021-23177, extracting a symlink with ACLs modifies ACLs of target + (CVE-2021-23177, bsc#1192425) + * CVE-2021-23177.patch ------------------------------------------------------------------- Wed Jan 6 16:11:01 UTC 2021 - Dirk Müller From c9e103d848c09d4796f7171615aed1e5e0305bc0955860ed92f2305708d9a7ef Mon Sep 17 00:00:00 2001 
From: Martin Pluskal Date: Sat, 30 Dec 2023 07:16:07 +0000 Subject: [PATCH 3/3] Accepting request 1135701 from home:dirkmueller:Factory - skip write tests on 32bit, they OOM OBS-URL: https://build.opensuse.org/request/show/1135701 OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=120 --- libarchive.changes | 5 +++++ libarchive.spec | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/libarchive.changes b/libarchive.changes index 9900211..e7754de 100644 --- a/libarchive.changes +++ b/libarchive.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Dec 29 18:39:00 UTC 2023 - Dirk Müller + +- skip write tests on 32bit, they OOM + ------------------------------------------------------------------- Sun Sep 17 08:53:58 UTC 2023 - Dirk Müller diff --git a/libarchive.spec b/libarchive.spec index 99354f8..6db9bcb 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -171,7 +171,11 @@ Static library for libarchive %cmake_build %check -%ctest +exclude="" +%ifarch %arm %ix86 ppc s390 +exclude="-E test_write_filter" +%endif +%ctest $exclude %install %cmake_install
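Review bot: the Version bump (3.7.0 -> 3.7.2) is the only change in the libarchive.spec hunk of the first patch, so verification of the replaced tarball rests on a keyring this diff does not show. The new libarchive-3.7.2.tar.xz.asc block opens with the same issuer header as the 3.7.0 one ("iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEs"), i.e. the same signing key, so the packaged key should still verify it; before accepting, confirm that a fresh download of the upstream tarball hashes to the LFS pointer's sha256 04357661e6717b6941682cde02ad741ae4819c67a260593dfb2431861b251acb (size 5237056) and that the .asc verifies against that key, because the LFS pointers pin whatever was uploaded to OBS, not what upstream published.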
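Review bot: the new 3.7.2 entry in the first libarchive.changes hunk (@@ -1,3 +1,16 @@) records security fixes ("Multiple vulnerabilities have been fixed in the PAX writer", "SEGV and stack buffer overflow in verbose mode of cpio") without any bsc# or CVE reference, while the 3.6.2 entry a few lines below cites bsc#1205629 and CVE-2022-36227; add the tracker IDs, or state that none were assigned, so the update can be matched to advisories. The entry also ends with two added blank lines before the separator where every other entry has one.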
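Review bot: every other libarchive.changes hunk in the first patch (from @@ -9,7 +22,7 @@ down to @@ -549,7 +562,7 @@) is a trailing-whitespace strip, with each -/+ pair carrying identical text, e.g. "- * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)" / "+ * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)". The .changes file is append-only by convention; rewriting 2007-2022 entries inflates the diff, pollutes blame, and is what made the OBS-generated commit message list "Switch to cmake build" and "Add suport for xz and xar archives" as if they belonged to this update. Drop these hunks or submit them as a separate request, and if they stay, at least fix the typos on the lines being rewritten ("user after free", "suport").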
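Review bot: the "Tue Apr 7 16:28:45 UTC 2022" header added in the second hunk of the changelog sync (@@ -40,6 +48,14 @@) does not match the calendar; 7 April 2022 was a Thursday. Since this request copies entries from Leap/SLE, take the timestamps verbatim from that file rather than hand-editing them.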
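Review bot: the "Mon Feb 23 14:44:21 UTC 2022" header in the third hunk of the changelog sync (@@ -54,7 +70,19 @@) is wrong; 23 February 2022 was a Wednesday. The rest of the entry is fine, and listing the previously undocumented CVE-2017-5601 / bsc#1022528 / bsc#1189528 fixes is the right call.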
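Review bot: the last hunk of the changelog sync (@@ -78,6 +106,26 @@) has four defects. "- Drop upstream mereged:" should read "merged"; "(CVE-2021-31566, bsc#1192426.patch)" should be "(CVE-2021-31566, bsc#1192426)" with the patch name on its own "* CVE-2021-31566.patch" bullet, and "bsc1192427.patch" likewise lacks the "* " bullet every sibling entry uses; and both date headers are off, since 21 October 2021 was a Thursday (not "Fri Oct 21") and 12 September 2021 was a Sunday (not "Mon Sep 12"). Copy the entries verbatim from the Leap/SLE file.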
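Review bot: in the %check hunk of the third patch, `exclude="-E test_write_filter"` hands ctest a regex, so on %arm, %ix86, ppc and s390 it drops every test whose name contains test_write_filter, not only the ones that exhaust memory, and the changelog line "skip write tests on 32bit, they OOM" is broader still. List the exact test names that OOM in the pattern, add a comment in the spec saying why they are excluded (otherwise the exclusion outlives the problem), and align the changelog wording with what the spec does. Note that the excluded set covers the zstd write filter whose "long" option this same package update introduced, so those arches now get no coverage of it.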