Accepting request 760008 from home:namtrac:branches:Archiving

- Revert back to autoconf, cmake introduces a cycle. Leave cmake patches in since they are basically correct and might be useful in the future. - Update to version 3.4.1 New features: * Unicode filename support for reading lha/lzh archives * New pax write option "xattrhdr" Important bugfixes: * security fixes in wide string processing (#1276 #1298) * security fixes in RAR5 reader (#1212 #1217 #1296) CVE-2019-19221 * security fixes and optimizations to write filter logic (#351) * security fix related to use of readlink(2) (1dae5a5) * sparse file handling fixes (#1218 #1260) - Drop CVE-2019-19221.patch and fix-zstd-test.patch, fixed upstream CVE-2019-19221.patch out-of-bounds read in libarchive OBS-URL: https://build.opensuse.org/request/show/760008 OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=91
2019-12-31 08:23:29 +00:00 · 2019-12-31 08:23:29 +00:00 · 8d8d3afe6b
commit 8d8d3afe6b
parent 9d7341ca2a
9 changed files with 122 additions and 223 deletions
--- a/CVE-2019-19221.patch
+++ b/CVE-2019-19221.patch
@ -1,97 +0,0 @@
-From 22b1db9d46654afc6f0c28f90af8cdc84a199f41 Mon Sep 17 00:00:00 2001
-From: Martin Matuska <martin@matuska.org>
-Date: Thu, 21 Nov 2019 03:08:40 +0100
-Subject: [PATCH] Bugfix and optimize archive_wstring_append_from_mbs()
-
-The cal to mbrtowc() or mbtowc() should read up to mbs_length
-bytes and not wcs_length. This avoids out-of-bounds reads.
-
-mbrtowc() and mbtowc() return (size_t)-1 wit errno EILSEQ when
-they encounter an invalid multibyte character and (size_t)-2 when
-they they encounter an incomplete multibyte character. As we return
-failure and all our callers error out it makes no sense to continue
-parsing mbs.
-
-As we allocate `len` wchars at the beginning and each wchar has
-at least one byte, there will never be need to grow the buffer,
-so the code can be left out. On the other hand, we are always
-allocatng more memory than we need.
-
-As long as wcs_length == mbs_length == len we can omit wcs_length.
-We keep the old code commented if we decide to save memory and
-use autoexpanding wcs_length in the future.
-
-Fixes #1276
---
- libarchive/archive_string.c | 28 +++++++++++++++++-----------
- 1 file changed, 17 insertions(+), 11 deletions(-)
-
-diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c
-index 979a418b6..bd39c96f1 100644
--- a/libarchive/archive_string.c
-+++ b/libarchive/archive_string.c
-@@ -591,7 +591,7 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
- 	 * No single byte will be more than one wide character,
- 	 * so this length estimate will always be big enough.
- 	 */
-	size_t wcs_length = len;
-+	// size_t wcs_length = len;
- 	size_t mbs_length = len;
- 	const char *mbs = p;
- 	wchar_t *wcs;
-@@ -600,7 +600,11 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
- 
- 	memset(&shift_state, 0, sizeof(shift_state));
- #endif
-	if (NULL == archive_wstring_ensure(dest, dest->length + wcs_length + 1))
-+	/*
-+	 * As we decided to have wcs_length == mbs_length == len
-+	 * we can use len here instead of wcs_length
-+	 */
-+	if (NULL == archive_wstring_ensure(dest, dest->length + len + 1))
- 		return (-1);
- 	wcs = dest->s + dest->length;
- 	/*
-@@ -609,6 +613,12 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
- 	 * multi bytes.
- 	 */
- 	while (*mbs && mbs_length > 0) {
-+		/*
-+		 * The buffer we allocated is always big enough.
-+		 * Keep this code path in a comment if we decide to choose
-+		 * smaller wcs_length in the future
-+		 */
-+/*
- 		if (wcs_length == 0) {
- 			dest->length = wcs - dest->s;
- 			dest->s[dest->length] = L'\0';
-@@ -618,24 +628,20 @@ archive_wstring_append_from_mbs(struct archive_wstring *dest,
- 				return (-1);
- 			wcs = dest->s + dest->length;
- 		}
-+*/
- #if HAVE_MBRTOWC
-		r = mbrtowc(wcs, mbs, wcs_length, &shift_state);
-+		r = mbrtowc(wcs, mbs, mbs_length, &shift_state);
- #else
-		r = mbtowc(wcs, mbs, wcs_length);
-+		r = mbtowc(wcs, mbs, mbs_length);
- #endif
- 		if (r == (size_t)-1 || r == (size_t)-2) {
- 			ret_val = -1;
-			if (errno == EILSEQ) {
-				++mbs;
-				--mbs_length;
-				continue;
-			} else
-				break;
-+			break;
- 		}
- 		if (r == 0 || r > mbs_length)
- 			break;
- 		wcs++;
-		wcs_length--;
-+		// wcs_length--;
- 		mbs += r;
- 		mbs_length -= r;
- 	}
--- a/fix-zstd-test.patch
+++ b/fix-zstd-test.patch
@ -1,32 +0,0 @@
-From ff1691b0ce507733c9655c9fa5c33bc0ae4d6b5d Mon Sep 17 00:00:00 2001
-From: Martin Matuska <martin@matuska.org>
-Date: Mon, 12 Aug 2019 00:14:00 +0200
-Subject: [PATCH] test_write_filter_zstd: set compression level to 7
-
-Fixes #1226
---
- libarchive/test/test_write_filter_zstd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libarchive/test/test_write_filter_zstd.c b/libarchive/test/test_write_filter_zstd.c
-index da3c80667..9fb01906d 100644
--- a/libarchive/test/test_write_filter_zstd.c
-+++ b/libarchive/test/test_write_filter_zstd.c
-@@ -125,7 +125,7 @@ DEFINE_TEST(test_write_filter_zstd)
- 	assertEqualIntA(a, ARCHIVE_OK,
- 	    archive_write_set_filter_option(a, NULL, "compression-level", "9"));
- 	assertEqualIntA(a, ARCHIVE_OK,
-	    archive_write_set_filter_option(a, NULL, "compression-level", "6"));
-+	    archive_write_set_filter_option(a, NULL, "compression-level", "7"));
- 	assertEqualIntA(a, ARCHIVE_OK, archive_write_open_memory(a, buff, buffsize, &used2));
- 	for (i = 0; i < 100; i++) {
- 		sprintf(path, "file%03d", i);
-@@ -140,7 +140,7 @@ DEFINE_TEST(test_write_filter_zstd)
- 	assertEqualIntA(a, ARCHIVE_OK, archive_write_close(a));
- 	assertEqualInt(ARCHIVE_OK, archive_write_free(a));
- 
-	failure("compression-level=6 wrote %d bytes, default wrote %d bytes",
-+	failure("compression-level=7 wrote %d bytes, default wrote %d bytes",
- 	    (int)used2, (int)used1);
- 	assert(used2 < used1);
- 
--- a/libarchive-3.4.0.tar.gz
+++ b/libarchive-3.4.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8643d50ed40c759f5412a3af4e353cffbce4fdf3b5cf321cb72cacf06b2d825e
-size 6908093
--- a/libarchive-3.4.0.tar.gz.asc
+++ b/libarchive-3.4.0.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEy1V4g2C5kvoIhch48ED3GWupmvQFAl0CEeEACgkQ8ED3GWup
-mvRz/g//dSHxY2sqxTg2K8B5eDLxkCZ9wV7X4bu6xR6Te8tqhUh6F6dGioDWAMHC
-6rSpAdKn+ldOJhuFoaDrOq+Lu8ZUxn4mRnqj9kG4PhhmPl31K+QwXMWHa4NX3n7u
-9d9oU9ebkiOhO8/J+dEljd9HTj9+A8sz97lwRGbckaFjYqRZ2UaYPIXnUwIG+I5I
-7djUHekZEJWri8qF4P797k5YTWXZbFhwTo8t8RVBsTZjupL2HD+V10JK7KzvTavE
-MpG7jrK4hxzxPdtbiWHMuLXKiDYZ7ANO+360CQyG6aGhr+ZwAEgkflNk9AZ71GRM
-vWWCb0b0m041IR6ahdf9R6N0BF0xxc/IpS6PoGq+dEixcteh2Vx/MDx9Jk+54q75
-QstTHFCHa6xmGSJ7Bmv9TIpAJ3s1sZvuTmmVoxDj1k6UEOwtMN+NFd9dDT2eZb2r
-7y+0gNrVxuUgaSPV/odPBnVaYZ29NKCDtLldli2JjBn705MxdIB7MDKs7HpiOBi1
-Zo2yG+1T69ZKe8/uxicTI11XnPIoukZr6kPFWBG5ZqfpwBszVZHUqxe35lnAgjfY
-KMluK6sQcvqE8rH8AFsvBihV60oC6KI/uiHCrbtYpOtPN6GgyO2hoGGHAbd3XCjb
-1JWDV4zwRkaQGdnoIRSapR8gFGd866fOpvsmKfeGVTICuRs2qYE=
-=JopE
-----END PGP SIGNATURE-----
--- a/libarchive-3.4.1.tar.gz
+++ b/libarchive-3.4.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fcf87f3ad8db2e4f74f32526dee62dd1fb9894782b0a503a89c9d7a70a235191
+size 6931920
--- a/libarchive-3.4.1.tar.gz.asc
+++ b/libarchive-3.4.1.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEpaRbEq2S2WS4nu4t7FYMgc7CJ24FAl4JV7oACgkQ7FYMgc7C
+J27LIw/+MNk1Fp+17UE/tC89gu5z0CQ3BbscAsQI/1/EWknECppxuRWQ9YLm8dkt
+YWBzJLy/BTI+ylVvj6tIqSQipHvH/KL4Zq4VSgZPl3Bo3eElSZeX/7/hZSX6uAwv
+mj/nmtecXCfX9Bfo53AxcVAGZl/re7Epg8GA9mX6TBxk2llyhhlgQeHxL1z6E/3K
+1TBGD8/q41wZ0/B/rerOr/p2MfukkbrL1NwDSpNuBJkTsumelxZzIF5yGszXv8Lz
+/KTLWQmW7qvcVPsXKl+omvBhgetgTJqs6nNmu1bz+rt+m3YeA96axFGo+9qdE35v
+DI3pK9071b60ZAKkAs3QU17OCtBSIGNJ191J1/T7cawSBxQLj3/d+vj7fYBGpzg2
+FmkYYvyaFjm+jLHZoxMaGf6TU/1x5Z0bmCKGtDINqto2e1nsqQTF6GunOubKzU6B
+f4nUdiKjkmRIS4Ex4tQe2CIgto7ooVdXHbJD5tlpvzfpQYCdHicWo+QvgeZuiEeA
+BgrI6WxAGL/pF4W4f5Te7y5RgJ+MvgOR5iIIzFkkT3gTf+vTZNwN7C1OcejCRlQh
+LDCKJxar4ATdpthcHun9Vu+/9epaHVgd6DhXY7IxGVFoEEkq81iqv3bGBnRZM8WJ
+5B58ZOv/ZHNc3eWVU5aN1L2gL9klHNORn2sCTKOCReTsRwxe7fY=
+=A8tP
+-----END PGP SIGNATURE-----
--- a/libarchive.changes
+++ b/libarchive.changes
@ -1,8 +1,30 @@
+-------------------------------------------------------------------
+Mon Dec 30 08:40:05 UTC 2019 - Ismail Dönmez <idonmez@suse.com>
+
+- Revert back to autoconf, cmake introduces a cycle. Leave cmake
+  patches in since they are basically correct and might be useful
+  in the future.
+
+-------------------------------------------------------------------
+Mon Dec 30 08:14:13 UTC 2019 - Ismail Dönmez <idonmez@suse.com>
+
+- Update to version 3.4.1
+  New features:
+  * Unicode filename support for reading lha/lzh archives
+  * New pax write option "xattrhdr"
+  Important bugfixes:
+  * security fixes in wide string processing (#1276 #1298)
+  * security fixes in RAR5 reader (#1212 #1217 #1296) CVE-2019-19221
+  * security fixes and optimizations to write filter logic (#351)
+  * security fix related to use of readlink(2) (1dae5a5)
+  * sparse file handling fixes (#1218 #1260)
+- Drop CVE-2019-19221.patch and fix-zstd-test.patch, fixed upstream
+
 -------------------------------------------------------------------
 Fri Nov 22 13:17:53 UTC 2019 - Adrian Schröter <adrian@suse.de>

 - fix bsc#1157569
-  CVE-2019-19221 out-of-bounds read in libarchive
+  CVE-2019-19221.patch out-of-bounds read in libarchive

 -------------------------------------------------------------------
 Sun Aug 18 12:33:05 UTC 2019 - Ismail Dönmez <idonmez@suse.com>
--- a/libarchive.keyring
+++ b/libarchive.keyring
@ -1,63 +1,65 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-mQINBFhUn/MBEACxbpg9G9KKuROKDLgugNKr6c4lrp3lTvx4XwuA+EGLCC/tBwOE
-8ak5f21g/QogUnYkhpuI3XLqKGsuWCDFQHB3Wk1dUYE/7wk4Um4DyHrMncyUmAHY
-fy9OZ+ZVYDBcodxlBDtVHKG0lzNhTs/HNO4Ep6Ja/37GsbEJRqz0XRgqM6l7GYwC
-iltTaU3nJuGDeWtRsaZO5Xqm36NoXNTlR4MYy1m+ddAZZexgonNX33MNaATlkcJg
-o1HIr7fUt2JcLjrM0LVd5BAbLEcaXSlE0Dl6MjnOYsJLL/zjMQ8esfRzVNYYZiZv
-qHCCDLii3rOzdCiuaJ0D2BfZKZNF4ETi+tvtL4YkmiDUb9+jc7p/CbYRpk0eV/9O
-4JERtwI7TVvObksY4N88Oc882dNvbw8y3R9WLuIoRx69lBwTmiYYlDt6kCd/7Wgp
-rqq2Spmvyp5KOVm7qFi0F2SsMqsNWngdKbiMTXD2Rg0rZqpcnLdWcYysrAnnyuQH
-vR6WUmDaeJdAnSf3VBsavdK2sjjjqcqW8+0NGWBg2UaHgUGc1gh01hfkp5tjAyR2
-G3jNSfzP0PtJIuxvOOwDZsdja/BW5bnuzjZUNGOoZQ8OcYR6By8uugfcmd4H6GK9
-+Yj+xUDnook3WKksy80ekDT8KdC/XTdmRYYZRbtb8gjBGxdlzciC5l262wARAQAB
-tB9NYXJ0aW4gTWF0dXNrYSA8bW1ARnJlZUJTRC5vcmc+iQI9BBMBCAAnAhsDBQsJ
-CAcCBhUICQoLAgQWAgMBAh4BAheABQJYVKWNBQkFo6AaAAoJEPBA9xlrqZr05uoP
-/0JduegGf9eD69vXJvDORE+eGhqHhEP3v6mbfJ6ErmyaypKfbyWfLw2rdEaY14Wt
-8IEPQi8ULpTaJPZOjlk77BAZ/efPIBAvGNs0D1z424bn3uZM+pZhh6jY7nPkyajh
-8tDeMtixLiaK6re2/TRuIUPy7Y91P94uPgLVxx88qtI62gh5Sc8oGY+OMQybtZ8S
-6kEuio3ZhQF4fXM92NUf1XY9BYZ330yiv/CQTz+Bz/nOHU7QqDG8OKVrUA0lNKfE
-crF7dsrrBeLoC73FB+gqcHcTZ/A+ZlO+IWunWfs6plB7F92v4d3dzsHIuPt6Ldf2
-tP+hmsMa0mGmL6zriG1vo3hxpRmRqlr5KTpa1yrjs/8PULfuae8qcGuUcytaZVhY
-zu2hIijwWJ0OxIF6EhV4maG/9bEINqNUaHzthrHbSVeYTR7i4EIGOXgK3jMZ9zhj
-Uz70IzAcshNdypVO6QeMB9Cv5ei975MKG0khRukdmg43Q4OijSmh6F4+Ikp5yTT3
-BfVUiK0Jy+ceGE+hU/fRFhPWp3+oyVXO9Xhng7LNvp+gT32UN9FLOVmAhPj0mYVS
-aHKs1MwCV2xZv1nJjVE9TbmwR1G27fyQfXZ/m3+Gzl+mT+oD9FnsiFAO67FEm/O1
-GPPl4LSHWD5QP3L+RXXJ0sxTmDUew6XgbnVFNnuaypFatCNNYXJ0aW4gTWF0dXNr
-YSA8bWFydGluQG1hdHVza2Eub3JnPokCPQQTAQgAJwIbAwULCQgHAgYVCAkKCwIE
-FgIDAQIeAQIXgAUCWFSljQUJBaOgGgAKCRDwQPcZa6ma9H8rEACEjIuI1hNpsCRF
-CFdtrS5bUrMBrS29LEmiyPIAS2uSYf5A/iSek0oe2MG9NZ8zGNpjJ9o2ZSw2LlFp
-dJlJ5fNjF+MQu09LbmuZKSYArFwnS8Vc2bjpzUQuBsQRcItD3kWAI1HbgjnrF5Ey
-gj6ps5m8H6PM8+sxLhtVfTPN8Ad2vARJFr/OEfJtZGvJgaBvoivQw2GfTBbCvtGG
-du1f9mrraC/pPSIkgx97Zrv1z841gAIjfmChpjgP+kAYosunBNAwJtbqQctrpnP+
-SoNceUxrKf2hI8qRBDAE2CyB2KwLC3Qdr2TOzsZ2XG3OqNh7k4GoikfQr8V278QW
-SAImpzUmJQqA0vCKnAjIHEVRNGSiVNlbNIDLdzYj0f6SDyW+YTm3PKNOGvDcZT5m
-ZAogGnXQn23on0c1mWqe9LKWQjgch+7CXdA4ovSVI12poGVhhQ0b92WFsozBUIYa
-W/7OVfDhlJDRehHT8MmR7eQS1AeBujUxyg0mfapdDMCepr8xrpuMpfrT0s4Yw1Mk
-Nnne0DAMFKF9bA7JQ+2L971IpikITKnY17wua+XggfcCB970VM1XiPvRLPIxZr+a
-BLvKFLhM2dYDbdetFDKRxypbz2ePaAjAVlOk96Om5LavKhqC/jbJeUk2CVtauYLz
-itB5D6WMHTlyQLvU2G2T4clYFNyfw7kCDQRYVJ/zARAA1zIB+5uoKEGwPClb+INb
-/6JNaj6wBQ/RVYDR+dpN1Sdp19WnoAErz5hKX+qficy2aq2tI/xzA7E4hwS+qWA9
-vne1ALzBaWIfk699lOBnDwFCcwgJe6UeYBEQtuFC4pyJvLlT/Tr6uGuImEMl5BZn
-BNnJZHFvkQYEGkX2MX85xd9opgugNoKIZVOUJ5nh86WsLlsTHiVmlORgA4TfEuFk
-b4SDdJsfhV11Dt44Vyvz5tA6ha4uOQ5/6CQl4X5i345wAYyeUYK9asXXfsVXR67b
-/rB7v8htSX/3fQ04vzD5+UGeRdc/7FiczR5+PXg5/hVBagnUg1kVScopB2v34UXa
-Z6Wod/hHPgIQsTEdhtCKf6qcSmHqYL4vrSl19JY33U+EI67cvm2H2MzgnVdja0l7
-O3N7KUNjYhWb8d6lvknaM5WX/snBlDJhJyiE2eK9hfZCfFB9s/W+k5HVXvBtm6Sp
-VGA6hCljLN4WhXoNtXxXNySvJX9XlNP2+VeNsGGGNgqcmN9PGey+93pioa/tyOEm
-hKJhz+rtypRdkcfvo5axzFVdYr7EIHQgWep7rAxj/TtOu8NghWC8hl3h52HAVT+w
-dVOuP3CgE8tNnSULYcCIW7AJGG+K90E5KFenrvM/ndhQAct8o0J+ySpsd7rXpviZ
-pnfy4903ZFcNJu+9cM+IgPcAEQEAAYkCHwQYAQgACQUCWFSf8wIbDAAKCRDwQPcZ
-a6ma9EGDEACbe5pzfhvR0Da7owUJCdGErVg+NWpdrGINMXk0Q18Q7RkMegfOpCI3
-+RUHmrU0OmU3abUEiSVnvyrx5GhtkTPI+eVvCc0pwpUFhH5nORtRa6ptW9C90/EF
-xP5T10vIrIQSKgeiJMOxULpa3f2eF62t48RI4950W+le+Jd2QyC6QavabXtjxk8e
-YSjjT4Vn7uqKuAfVSuFrhTHqA+/o5VTzbYmrkJ012SXxwE+URjc+jMHNuKCrJmMS
-38JCVXa060I0Ci3EisRtBIj9O1Gy0at8txEFTwkt86nQd0Cjgh/YXN9Ontil3JjI
-2DBl/pOei96dQ26CC4LxbPEc5sj9D2wDeMw7KrXbXRPskkJ6eSUpRtc0Cq7f86uV
-bLQZwkYU2WXcaqQG3ql1RvoRV7m+OchZJ/27f5gFLRR3eTuy99Se/mxknwvpxDTd
-XV9MqhXUkXkkWfhpij8bsGp0O9FRSXh00iJG5n9+EygD+jJe6Jrt+i4DCDctILGQ
-22rnKEJ0sOfcPtObxB+yqbsRab6ws6dpGCnLfbyyxkVp0Uaax0+JUyQZkwfZ00/f
-uLL6J9Q3BNNQnqeFNvA+D5TjM7uFL7Sg9BwAsuOwTodhd2WJpeYknnWZZ+LqJ9Bl
-Heo9XgfmVI+nhV7kXqil0pKc1D2SguOTqtRiBRJznEuAsaaCmQclkA==
-=H6gz
+mQINBF3+nDABEADygj7s5lCb/s8gTcCFgh6xJ8qZRmR4KVZMgkELNDF3zVhML8um
+vLxNyd04n0SDBnpBxSqe5TGCgCRPLYL1OeytE9XxJ6Vf6LFu+vLSXaesL0IqrZDy
+wpr2mpf8Vw3KNFUcIbKnW+E86TdN5EkYJ9WaE3sm9WnYgtV2Jtz6ZoLA4Go3Kbwf
+TIMysmZDSPstIT2rGfUy1KNIgmwvOZhUjkROaX3qk0XWfTZJDozYaKH0jqrLutPX
+O3KNj7SxIVjZOo51ls+w30XhRGlJjIFktry+bWviYy/AfbAjRqLAha/l3Oj3FmvX
+y7+MyAMGcdDAIwQRzmWjmu5BQE1ZK1zONIUrlb6eEaO4dze7/5uxkMDt9SvRav8M
+ehpZpAlrKf+Ac36Z2DkTzkzmO+OhmlM6jlhUlfUq8fBhBgP6maOcr5DzQQOAQfOm
+YJBiYcXmbxwgTxdE0TeQdHqkmatdHof/gJ9A1wLTNbwZJibv3Clk4kuFoQNwKWJs
+FdXFbWwdOCDxFC0+oMM3X+cHryfnarqu1ltcfNacjaFR6DaoPMON3J8AdQutv7Ew
+nH0E8pTdMBT9gQv8emWKKD5I4s+GsL3Acjy1ALZMKFozYV8fnewgDU5Zy95zSNLe
+/n9IlirsoTFiiXC4J82RYkhLCBS02qNp2T1zgBHRdMVoslbrxmEAw5shYwARAQAB
+tCNNYXJ0aW4gTWF0dXNrYSA8bWFydGluQG1hdHVza2Eub3JnPokCVAQTAQgAPhYh
+BKWkWxKtktlkuJ7uLexWDIHOwiduBQJd/pwwAhsDBQkFo5qABQsJCAcCBhUKCQgL
+AgQWAgMBAh4BAheAAAoJEOxWDIHOwiduj88QAI+AIPwOI9CDE/+XMMLg/ncY3Ecg
+OD3GDtH3NWT6ykJ/BOmSEx78DN9c/YR1ICxgvLJoj0Cz91/rquCAvIohGEXRhIg9
+Bg+ZsaW6x9fyTRvgv6Ew8GVWd1daK2iw3FssbLwldDNmqdbvN/q/pn8I06X9Ry5f
+DfXXHFCyv+fFZp5XXCeBQbOTa8GldIUUXNnaFKAzIwX5ngi2t7fgNtp/HwqxROFq
+0RXHnJdGR9z6Igf9vE9H3CQzf5aCXlxl9bpUHZCkjPruU0RLiYkvt++qF+TkCtxv
+PqjmSyeQUoqxi8NcHaZoeXo5PlwcXqY9PDAtCvZl/zBwQP0EplR5ILvTzhkcsYUY
+4g01JDsiXNX24X+RguQiXf7EDUM+0c/qk2C3gKOcWMWClKM47dEw4Qc96uMdnRjO
+0kDL1Ue49RFV4+RMlCWCoYlOE9jQO09W6IeLTl7kfLo268PvC3Xg3YSDR+9Pvdho
+f5IAKHrdwW+yMvC2kMPDYJP2NMeZz5y+eujONR0RZDDI4vHbE2wnjrpw1Cvvf7QG
+RROJBEGTZni90wta5ZlwzsXa9imduZyTKIs/6jD86+wsTVBg2wJU65i7cOQGs08M
+XzMWIOUdzqPSGj1OU9TG1bGFhmkob69zCUSWdfHPQ7Dq3mGnMBICv6YQHk1ICmq8
+KPv3gtRfTUhE6j/ttB9NYXJ0aW4gTWF0dXNrYSA8bW1ARnJlZUJTRC5vcmc+iQJU
+BBMBCAA+FiEEpaRbEq2S2WS4nu4t7FYMgc7CJ24FAl3+nGQCGwMFCQWjmoAFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7FYMgc7CJ27fNRAA1BIVGfsogIbOVKmc
+FC3912mEXbsfAvl6vShhdWU28hn4Iei2lIc6nt2VmatBAp490Lkhm2oAvCj/HUDK
+YFBH45HjHzg2NAgD/BQdSqZ91jSUnYAZfylmqjNT1HhKLt79N/LfNMN2VamapsSJ
+gB/ckQc4VfibNRQCSyOeMzxR7Fipu5iUG2RAtRKfmT/DXJFMb9qSfDZ6jaObMg7a
+lB8I5ARbpsoDi5ykFgud6BC4wVFQHs7ZjSed9J0f6shwyvxUmaqocefKNVrBptE4
+KQYaog1TH1tACzbs4u+ieVgTrRTIQvwapKqV/vBmktQTF2ZS54ul11eq7idSIT4B
+1C6pb8KSiPUYilbaxFMSJU0Us/8Yj0efbLzYPLUTrqyb9wn0EFLCspKaV6jChLdn
+9JjCqmw2yCNJelMnSvCub1fSbqdOfKS1Xg9fV6b3/vxIbWEh8GVLhGA900XySL4G
+ce1VXIQctn6kQv+1sayTu/pb5nhLYqZ0aHtM4KdgooZikofGQPa7yGcmEgnLg6jE
+Lo25y586NcJzkbwI10U+FsOnOpZww0A+LY5xdBom2VvdKdd+ZFKqTI1qah2A9X6J
+I/3rn10OgD/Xs1F9Xsj4Q0qWk0OQ042LqPG5lMYd4kqwRsAsNhcvYaP0137HgCBo
+5BVDVFZtdGVJFMa9ppCWqOF6L++5Ag0EXf6cMAEQAK0PaOYdWhRlwcFq6wmlLFU0
+f22LbkqBoOxy9+xsWyXmKbJtQ64c8N0OYcvD6nx+aeFUh4kL9ht4vcYHJVVYqFvV
+xa7v3a3IXamMfjm3TOoF727FwI6Yee5CnaNYj2B2a0UQMeEEB+WysFY/gx7qo/WZ
+Ap2u5vlfqdQ1Z00MO/aYJWqGbwDJdYpfF6KlcePQChm367CjKcUInVpue0enaEXw
+urx6JhxfMI9VqnLBNmZGSRjOlLTxkE3wIFnply/6HencMbWZYuhPEBYC4gcWNitm
+ckMmt+zfdBYEu1YjN0GKMVB0EQsGwqyKyDYTjXUnvBhO6SY+ap+wkMH7q2T166+i
+OWK7/Dp/VN03fMtk8UROW1rD4lGoaUKrFfNXiu3VP9LOv4ikzb+DNVGTUYTl1+NR
+PnSC+72YdaAM3EpIAH9xnJB2IrTdpu4ODYmx7YeMRs3j+BZak+knRhyirt5CPQ53
+T6+xaubHf+q+KP3j6Bk6BkeWf1RkfMZsXUDRpoXlkq1uTz9HQAxgC7MkV4casjYi
+wYHIYLKP5bT/p+urSt2+jfBw2uyGe3fcNW5woEp69wgindGmofxTXwuLLwy3TC5s
+8P3Q1U0ti23hfQG/nXGinGj2OiwD/ELCHnDSf6VkvhNRq1T7yPqUWx7tSSl2t5+j
+8LgSZ/ElYubrrVTRAZ7fABEBAAGJAjwEGAEIACYWIQSlpFsSrZLZZLie7i3sVgyB
+zsInbgUCXf6cMAIbDAUJBaOagAAKCRDsVgyBzsInbsIqEADdNfDxTcd/dKx2/S2L
+qfHsWHaHlJpVHy8ywxJ8JaEa7vs/tFNCAYVNs3NL8nfjerzW3ah+MmktiJNb37xR
+/D58IfCw95ulOW/sV8H7HTlVVpshmD6boUwPx0m7S2a5pqhUnYSfrMNXmajZK6Ni
+dcdSwXNBJz0jPRWDEj8MacRRPITPIjc+5mYAML56hgSg2A+0as308ZitxEEtlQ7A
+PajG0svPDqcWlIn6HkVNcozJCrFqT8RwomC/sP3B1bsObeKzJLLxGm4ifTdlqhEE
+1iwG6NWFr18BIyDj2taSOUKqV5kywC00oWF4UvGPxxzd2GDosvodOHHSgaCFXSGp
+X8iBoHT1Gi7S4Ernnt/sEIZM8tnHiqC+42yqOI/3yJM2SKNabF0vuSN4OvdIXWIn
+nHfYIzdvMgBdY6oELMfML5j6hRvvVba9ekZLDjiMwfliSNl1OtKJjsxCnt2tUtrZ
+oq956yJdDMtOj/x4NT3HwaK9gJ1g4Ti7IAa2anONLTsFiZQHfwFLUOqH1F0ul7OZ
+IwKm6lr4SCCdqYdMympq7BuMhs6ufo5bq9v8IjiMnjkXFu9V00fhO84YoOY77Lbn
+sVe1qMxq8LxcTqKHqBveFzmgDRe9Bd4gQC/lhHtRtWS4m7Q981GaU9h7O07ckap2
+SnhsHUNk+W65LKZ22ZjsJek8cQ==
+=BSXs
 -----END PGP PUBLIC KEY BLOCK-----
--- a/libarchive.spec
+++ b/libarchive.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libarchive
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -30,7 +30,7 @@
 %bcond_without	ext2fs
 %endif
 Name:           libarchive
-Version:        3.4.0
+Version:        3.4.1
 Release:        0
 Summary:        Utility and C library to create and read several different streaming archive formats
 License:        BSD-2-Clause
@ -41,18 +41,13 @@ Source1:        https://github.com/libarchive/libarchive/releases/download/v%{ve
 Source2:        libarchive.keyring
 Source1000:     baselibs.conf
 Patch1:         lib-suffix.patch
-Patch2:         fix-zstd-test.patch
-Patch3:         fix-soversion.patch
-# PATCH-FIX-UPSTREAM bsc#1157569
-Patch10:        CVE-2019-19221.patch
-BuildRequires:  cmake
+Patch2:         fix-soversion.patch
 BuildRequires:  libacl-devel
 BuildRequires:  libbz2-devel
 BuildRequires:  liblz4-devel
 BuildRequires:  libtool
 BuildRequires:  libxml2-devel
 BuildRequires:  libzstd-devel
-BuildRequires:  ninja
 BuildRequires:  pkgconfig
 BuildRequires:  xz-devel
 BuildRequires:  zlib-devel
@ -169,18 +164,27 @@ Static library for libarchive
 %autopatch -p1

 %build
-%define __builder ninja
-%cmake
-%cmake_build
+export CFLAGS="%{optflags} -D_REENTRANT -pipe"
+export CXXFLAGS="$CFLAGS"
+%configure \
+	--disable-silent-rules \
+%if %{without static_libs}
+	--disable-static \
+%endif
+	--enable-bsdcpio
+
+# lzma mt detection is broken
+sed -i -e "/HAVE_LZMA_STREAM_ENCODER_MT/d" config.h
+
+make %{?_smp_mflags}

 %check
-ninja test -C build
+make %{?_smp_mflags} check

 %install
-%cmake_install
+%make_install

 find %{buildroot} -type f -name "*.la" -delete -print
-rm "%{buildroot}%{_libdir}/libarchive.a"
 rm "%{buildroot}%{_mandir}/man5/"{tar,cpio,mtree}.5*
 sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc