Accepting request 1132047 from home:yfjiang:branches:Archiving

Sync changelog with Leap/SLE.

OBS-URL: https://build.opensuse.org/request/show/1132047
OBS-URL: https://build.opensuse.org/package/show/Archiving/libarchive?expand=0&rev=119

libarchive.changes

@@ -28,6 +28,14 @@ Fri Dec 23 07:57:09 UTC 2022 - Dirk Müller <dmueller@suse.com>
   * rar5 reader: fix possible garbled output with bsdtar -O (#1745)
   * mtree reader: support reading mtree files with tabs (#1783)
   * various small fixes for issues found by CodeQL
+- Drop upstream merged CVE-2022-36227.patch
+
+-------------------------------------------------------------------
+Tue Nov 22 14:20:36 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2022-36227, Handle a calloc returning NULL
+  (CVE-2022-36227, bsc#1205629)
+  * CVE-2022-36227.patch
 
 -------------------------------------------------------------------
 Fri Apr  8 17:01:05 UTC 2022 - Dirk Müller <dmueller@suse.com>
@@ -40,6 +48,14 @@ Fri Apr  8 17:01:05 UTC 2022 - Dirk Müller <dmueller@suse.com>
   * fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50)
   * fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77)
   * fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
+- Drop upstream merged fix-CVE-2022-26280.patch
+
+-------------------------------------------------------------------
+Tue Apr  7 16:28:45 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2022-26280 out-of-bounds read via the component zipx_lzma_alone_init
+  (CVE-2022-26280, bsc#1197634)
+  * fix-CVE-2022-26280.patch
 
 -------------------------------------------------------------------
 Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
@@ -54,7 +70,19 @@ Thu Feb 24 19:18:32 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
   * tar: respect "--ignore-zeros" in c, r and u modes
   * reduced size of application binaries
   * internal code optimizations
-- Drop upstream merged fix-following-symlinks.patch
+- Drop upstream merged:
+  * fix-following-symlinks.patch
+  * fix-CVE-2021-36976.patch
+
+-------------------------------------------------------------------
+Mon Feb 23 14:44:21 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2021-36976 use-after-free in copy_string
+  (CVE-2021-36976, bsc#1188572)
+  * fix-CVE-2021-36976.patch
+- The following issues have already been fixed in this package but
+  weren't previously mentioned in the changes file:
+  CVE-2017-5601, bsc#1022528, bsc#1189528
 
 -------------------------------------------------------------------
 Mon Nov 29 09:00:26 UTC 2021 - Adrian Schröter <adrian@suse.de>
@@ -78,6 +106,26 @@ Sun Nov  7 19:13:11 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
   * ZIP reader: fix excessive read for padded zip
   * CAB reader: fix double free
   * handle short writes from archive_write_callback
+- Drop upstream mereged:
+  * CVE-2021-23177.patch
+  * CVE-2021-31566.patch
+  * bsc1192427.patch
+
+-------------------------------------------------------------------
+Fri Oct 21 14:18:01 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2021-31566, modifies file flags of symlink target
+  (CVE-2021-31566, bsc#1192426.patch)
+  CVE-2021-31566.patch
+- Fix bsc#1192427, processing fixup entries may follow symbolic links
+  bsc1192427.patch
+
+-------------------------------------------------------------------
+Mon Sep 12 14:07:20 UTC 2021 - Danilo Spinella <danilo.spinella@suse.com>
+
+- Fix CVE-2021-23177, extracting a symlink with ACLs modifies ACLs of target
+  (CVE-2021-23177, bsc#1192425)
+  * CVE-2021-23177.patch
 
 -------------------------------------------------------------------
 Wed Jan  6 16:11:01 UTC 2021 - Dirk Müller <dmueller@suse.com>