Accepting request 1284694 from Archiving

OBS-URL: https://build.opensuse.org/request/show/1284694
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libarchive?expand=0&rev=59

fix-bsdunzip-test.patch

@@ -1,19 +0,0 @@
-commit 64e2e88ec326dd37fcb85c9a9d21fa43444a0a59
-Author: Bernhard M. Wiedemann <bwiedemann@suse.de>
-Date:   Wed May 22 10:13:47 2024 +0200
-
-    Fix test failure on openSUSE:Leap:15.5
-
-diff --git a/unzip/test/test_I.c b/unzip/test/test_I.c
-index 5d31ce8d..92e5ce59 100644
---- a/unzip/test/test_I.c
-+++ b/unzip/test/test_I.c
-@@ -45,7 +45,7 @@ DEFINE_TEST(test_I)
- #endif
- 
- 	extract_reference_file(reffile);
--	r = systemf("%s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);
-+	r = systemf("env -uLC_ALL LC_CTYPE=en_US.UTF-8 %s -I UTF-8 %s >test.out 2>test.err", testprog, reffile);
- 	assertEqualInt(0, r);
- 	assertNonEmptyFile("test.out");
- 	assertEmptyFile("test.err");

fix-soversion.patch

@@ -1,13 +0,0 @@
-Index: libarchive-3.4.0/CMakeLists.txt
-===================================================================
---- libarchive-3.4.0.orig/CMakeLists.txt
-+++ libarchive-3.4.0/CMakeLists.txt
-@@ -71,7 +71,7 @@ SET(LIBARCHIVE_VERSION_STRING  "${VERSIO
- # libarchive 2.9 == interface version 11 = 2 + 9
- # libarchive 3.0 == interface version 12
- # libarchive 3.1 == interface version 13
--math(EXPR INTERFACE_VERSION  "13 + ${_minor}")
-+set(INTERFACE_VERSION  "13")
- 
- # Set SOVERSION == Interface version
- # ?? Should there be more here ??

lib-suffix.patch

@@ -1,42 +0,0 @@
-Index: b/libarchive/CMakeLists.txt
-===================================================================
---- a/libarchive/CMakeLists.txt
-+++ b/libarchive/CMakeLists.txt
-@@ -266,13 +266,13 @@ IF(ENABLE_INSTALL)
-   IF(BUILD_SHARED_LIBS)
-     INSTALL(TARGETS archive
-             RUNTIME DESTINATION bin
--            LIBRARY DESTINATION lib
--            ARCHIVE DESTINATION lib)
-+            LIBRARY DESTINATION lib${LIB_SUFFIX}
-+            ARCHIVE DESTINATION lib${LIB_SUFFIX})
-   ENDIF(BUILD_SHARED_LIBS)
-   INSTALL(TARGETS archive_static
-           RUNTIME DESTINATION bin
--          LIBRARY DESTINATION lib
--          ARCHIVE DESTINATION lib)
-+          LIBRARY DESTINATION lib${LIB_SUFFIX}
-+          ARCHIVE DESTINATION lib${LIB_SUFFIX})
-   INSTALL_MAN(${libarchive_MANS})
-   INSTALL(FILES ${include_HEADERS} DESTINATION include)
- ENDIF()
-Index: b/build/cmake/CreatePkgConfigFile.cmake
-===================================================================
---- a/build/cmake/CreatePkgConfigFile.cmake
-+++ b/build/cmake/CreatePkgConfigFile.cmake
-@@ -4,7 +4,7 @@
- # Set the required variables (we use the same input file as autotools)
- SET(prefix ${CMAKE_INSTALL_PREFIX})
- SET(exec_prefix \${prefix})
--SET(libdir \${exec_prefix}/lib)
-+SET(libdir \${exec_prefix}/lib${LIB_SUFFIX})
- SET(includedir \${prefix}/include)
- # Now, this is not particularly pretty, nor is it terribly accurate...
- # Loop over all our additional libs
-@@ -29,5 +29,5 @@ CONFIGURE_FILE(${CMAKE_CURRENT_SOURCE_DI
- # And install it, of course ;).
- IF(ENABLE_INSTALL)
-   INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/build/pkgconfig/libarchive.pc
--          DESTINATION "lib/pkgconfig")
-+          DESTINATION "lib${LIB_SUFFIX}/pkgconfig")
- ENDIF()

libarchive-3.7.4.tar.xz.asc

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmYre4IACgkQWEihi48U
-GEvAuwwAmsnbql7+1CW9RuBHitOvHyIL6sHbjR0Hd3ruI9s3FMevMBzPjpb5MgOU
-/D+o0amv1Tv/QSJAid1siZIumgur2hzqglNMK5FkoajpZ1UjYASHHxFoh5qkRKvW
-Ws/ViXMVGB2DlyydzzjFwa0JAAK/IpD9uKPPr6rgt+cRBibkWXuJILbmzi/DF1XH
-zlp/5FGwzY4/zhqbXgz11ZhX3gacdLd68+xsYbSII2JvZ2yb2zsS+0ia3skUawEj
-QMKzdpErqO+RedsRiJG9fjA65Q1hKWpMoWMuKZWLX+v0iv/OHv57RzLelmPy6Ohw
-0/PwCHFzFmOfu2LZd+mCWsrYaBrezGJq9tm+pAsCXSxcj3LuQwZ6d8/wgtS5CeNE
-+LoHCbzAcI5WiyU3wbw1qvulVDewL+j0rQoj23Lj2z9ry2K94NMpYji3JMkWI8dS
-QXitZd29uZ9l5Jf5Kz9BLHOoO1Q8bEOGB33dLpT+UIjFoJ6wqxNXef6OAECoHGH0
-OnEtTuAX
-=kNTk
------END PGP SIGNATURE-----

libarchive-3.8.1.tar.xz.asc

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEE2yx88bTCZfrvVuP8WEihi48UGEsFAmg8rVcACgkQWEihi48U
+GEsW5wv/aI/LDzxpFqr9JU1RY3PAn9uRngxVx+SRX1tdCKpeSwfjhq4gyTHjhQt+
+nP0F1z3Lo+w7AHSOVm3/DNfv906qXQEVG5AoSiztFJqNKFA2cWs+2ZgnlHFGgsu/
+IQugr7duGIm+zuPukQwPtI6P7EFwNTH3mAkU+J+Kb5nKxR4bLtgt/FL9Hl7rQR6y
+5uq5ykPBeSLAHyugWi2Ie0uki8efCLO9ha1eIlGqIaavsvYfFvleCRgsghW9bQ+8
+NGsVKjO2RWfQsSlzszJQRZaIPdV4EIP4boqfIMS1GCxhXjMVkdeDC3x1Dql9iqV3
+0xAafErxHQiXB54vgrRkgeeLUoCxNkSLFYWQt1fwufZobGCmF+BwNnIUJe77uTRF
+Gg3Eqk7Fcs77whoSClA4HYs/LL+PH9uU7XHDenUzeQMpmzrXD8qiMsFnPUa0yyQa
+XCBp+f5bUI/LhDCkCkWf+Tzky2RQIqlSgqiFUoVVby7WiUHQLTVol6E2GGROusYN
+5s1paMN8
+=YxiC
+-----END PGP SIGNATURE-----

libarchive.changes

@@ -1,3 +1,115 @@
+-------------------------------------------------------------------
+Thu Jun  5 21:05:40 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 3.8.1:
+  * libarchive: fix FILE_skip regression
+  * compress: Prevent call stack overflow
+  * iso9660: always check archive_string_ensure return value
+  * tar: Support negative time values with pax
+  * tar: Reset accumulated header state after reading macOS metadata blob
+  * tar: Keep block alignment after pax error
+  * tar: Handle extra bytes after sparse entries
+- includes changes from 3.8.0:
+  * bsdtar: support --mtime and --clamp-mtime
+  * 7-zip reader: improve self-extracting archive detection
+  * xar: xmllite support for the XAR reader and writer
+  * zip writer: added XZ, LZMA, ZSTD and BZIP2 support
+  * zip writer: added LZMA + RISCV BCJ filter
+  * rar: do not skip past EOF while reading (boo#1244159)
+  * rar: fix double free with over 4 billion nodes (boo#1244160)
+  * rar: fix heap-buffer-overflow (boo#1244161)
+  * warc: prevent signed integer overflow (boo#1244162)
+  * tar: fix overflow in build_ustar_entry (boo#1244163)
+  * bsdtar: don't hardlink negative inode files together
+  * gz: allow setting the original filename for gzip compressed files
+  * lib: improve lseek handling
+  * lib: support @-prefixed Unix epoch timestamps as date strings
+  * rar: support large headers on 32 bit systems
+  * tar reader: Improve LFS support on 32 bit systems
+- drop lib-suffix.patch, different implementation upstream
+- spec file clean-up, removing currently unused -static
+
+-------------------------------------------------------------------
+Sat Apr  5 08:28:47 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Update to 3.7.9:
+  * fix regression regarding GNU sparse entries
+
+-------------------------------------------------------------------
+Sun Mar 23 18:15:43 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Update to 3.7.8:
+  * 7zip reader: add SPARC and POWERPC filter support for non-LZMA compressors
+  * tar reader: Ignore ustar size when pax size is present
+  * tar writer: Fix bug when -s/a/b/ used more than once with b flag
+  * libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
+  * libarchive: Adding missing seeker function to archive_read_open_FILE()
+- inludes the previously patched security fixes, dropping:
+  CVE-2025-1632.patch, CVE-2025-25724.patch, CVE-2024-57970.patch
+
+-------------------------------------------------------------------
+Tue Mar 11 15:54:34 UTC 2025 - Marius Grossu <marius.grossu@suse.com>
+
+- Fix CVE-2025-1632, null pointer dereference in bsdunzip.c
+  (CVE-2025-1632, bsc#1237606)
+  * CVE-2025-1632.patch
+- Fix CVE-2025-25724, Buffer Overflow vulnerability in libarchive
+  (CVE-2025-25724, bsc#1238610)
+  * CVE-2025-25724.patch 
+
+-------------------------------------------------------------------
+Tue Feb 25 15:14:11 UTC 2025 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Fix CVE-2024-57970, heap-based buffer over-read in header_gnu_longlink
+  because it mishandles truncation (CVE-2024-57970, bsc#1237233)
+  * CVE-2024-57970.patch
+
+-------------------------------------------------------------------
+Thu Oct 17 08:41:56 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Update to 3.7.7:
+  * gzip: prevent a hang when processing a malformed gzip inside a gzip
+  * tar: don't crash on truncated tar archives
+  * tar: fix two leaks in tar header parsing
+  * 7-zip: read/write symlink paths as UTF-8
+  * cpio: exit with an error code if an entry could not be extracted
+  * rar5: report encrypted entries
+  * tar: fix truncation of entry pathnames in specific archives
+
+-------------------------------------------------------------------
+Fri Sep 27 19:15:54 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Update to 3.7.6:
+  * tar: clean up linkpath between entries
+  * tar: fix memory leaks when processing symlinks or parsing pax headers
+  * iso: be more cautious about parsing ISO-9660 timestamps
+- Version 3.7.5 changes:
+  * fix multiple vulnerabilities identified by SAST
+  * cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
+  * lzop: prevent integer overflow
+  * rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696, bsc#1225971)
+  * rar4: fix CVE-2024-26256 (CVE-2024-26256, bsc#1225972)
+  * rar4: fix OOB in delta and audio filter
+  * rar4: fix out of boundary access with large files
+  * rar4: add boundary checks to rgb filter
+  * rar4: fix OOB access with unicode filenames
+  * rar5: clear 'data ready' cache on window buffer reallocs
+  * rpm: calculate huge header sizes correctly
+  * unzip: unify EOF handling
+  * util: fix out of boundary access in mktemp functions
+  * uu: stop processing if lines are too long
+  * 7zip: fix issue when skipping first file in 7zip archive that is a multiple
+    of 65536 bytes
+  * ar: fix archive entries having no type
+  * lha: do not allow negative file sizes
+  * lha: fix integer truncation on 32-bit systems
+  * shar: check strdup return value
+  * rar5: don't try to read rediculously long names
+  * xar: fix another infinite loop and expat error handling
+  * many Windows fixes, cleanups and improvements
+- Drop fix-soversion.patch, fix-bsdunzip-test.patch
+  * Fixed upstream
+
 -------------------------------------------------------------------
 Thu Jun 20 14:56:58 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
 

libarchive.spec

@@ -1,7 +1,8 @@
 #
 # spec file for package libarchive
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,19 +19,8 @@
 
 %define somajor 13
 %define libname libarchive%{somajor}
-%if 0%{?centos_version} || 0%{?rhel_version}
-%if 0%{?centos_version} <= 600 || 0%{?rhel_version <= 700}
-%bcond_without	static_libs
-%bcond_with	openssl
-%bcond_with	ext2fs
-%endif
-%else
-%bcond_with	static_libs
-%bcond_without	openssl
-%bcond_without	ext2fs
-%endif
 Name:           libarchive
-Version:        3.7.4
+Version:        3.8.1
 Release:        0
 Summary:        Utility and C library to create and read several streaming archive formats
 License:        BSD-2-Clause
@@ -40,29 +30,19 @@ Source0:        https://github.com/libarchive/libarchive/releases/download/v%{ve
 Source1:        https://github.com/libarchive/libarchive/releases/download/v%{version}/libarchive-%{version}.tar.xz.asc
 Source2:        libarchive.keyring
 Source1000:     baselibs.conf
-Patch1:         lib-suffix.patch
-Patch2:         fix-soversion.patch
-# PATCH-FIX-SUSE danilo.spinella@suse.com
-# bsdunzip test fails because of a locale issue, set locale properly to fix it
-# It will be fixed in the next release
-Patch3:         fix-bsdunzip-test.patch
 BuildRequires:  cmake
-BuildRequires:  libacl-devel
-BuildRequires:  libbz2-devel
-BuildRequires:  liblz4-devel
-BuildRequires:  libtool
-BuildRequires:  libxml2-devel
-BuildRequires:  libzstd-devel
 BuildRequires:  ninja
 BuildRequires:  pkgconfig
-BuildRequires:  xz-devel
-BuildRequires:  zlib-devel
-%if %{with ext2fs}
-BuildRequires:  libext2fs-devel
-%endif
-%if %{with openssl}
-BuildRequires:  libopenssl-devel
-%endif
+BuildRequires:  pkgconfig(bzip2)
+BuildRequires:  pkgconfig(expat)
+BuildRequires:  pkgconfig(ext2fs)
+BuildRequires:  pkgconfig(libacl)
+BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(liblz4)
+BuildRequires:  pkgconfig(liblzma)
+BuildRequires:  pkgconfig(libxml-2.0)
+BuildRequires:  pkgconfig(libzstd)
+BuildRequires:  pkgconfig(zlib) >= 1.2.1
 
 %description
 Libarchive is a programming library that can create and read several
@@ -140,13 +120,12 @@ compression, archive format detection and decoding, and archive data
 I/O. It should be very easy to add new formats, new compression
 methods, or new ways of reading/writing archives.
 
-%package -n libarchive-devel
+%package devel
 Summary:        Development files for libarchive
 Group:          Development/Libraries/C and C++
 Requires:       %{libname} = %{version}
-Requires:       glibc-devel
 
-%description -n libarchive-devel
+%description devel
 Libarchive is a programming library that can create and read several
 different streaming archive formats, including most popular tar
 variants and several cpio formats. It can also write shar archives and
@@ -157,64 +136,48 @@ and 6.
 
 This package contains the development files.
 
-%package static-devel
-Summary:        Static library for libarchive
-Group:          Development/Libraries/C and C++
-Requires:       %{name}-devel = %{version}
-
-%description static-devel
-Static library for libarchive
-
 %prep
-%setup -q
-%autopatch -p1
+%autosetup -p1
 
 %build
 %define __builder ninja
 %cmake
 %cmake_build
 
+%install
+%cmake_install
+rm "%{buildroot}%{_mandir}/man5/"{tar,cpio,mtree}.5*
+rm "%{buildroot}%{_libdir}/libarchive.a"
+
 %check
 exclude=""
-%ifarch %arm %ix86 ppc s390
+%ifarch %{arm} %{ix86} ppc s390
 exclude="-E test_write_filter"
 %endif
 %ctest $exclude
 
-%install
-%cmake_install
-
-find %{buildroot} -type f -name "*.la" -delete -print
-rm "%{buildroot}%{_libdir}/libarchive.a"
-rm "%{buildroot}%{_mandir}/man5/"{tar,cpio,mtree}.5*
-sed -i -e '/Libs.private/d' %{buildroot}%{_libdir}/pkgconfig/libarchive.pc
-
-%post   -n %{libname} -p /sbin/ldconfig
-%postun -n %{libname} -p /sbin/ldconfig
+%ldconfig_scriptlets -n %{libname}
 
 %files -n bsdtar
+%license COPYING
 %{_bindir}/bsdcat
 %{_bindir}/bsdcpio
 %{_bindir}/bsdtar
 %{_bindir}/bsdunzip
-%{_mandir}/man1/*
-%{_mandir}/man5/*
+%{_mandir}/man1/*.1%{?ext_man}
+%{_mandir}/man5/*.5%{?ext_man}
 
 %files -n %{libname}
 %license COPYING
 %doc NEWS
-%{_libdir}/libarchive.so.*
+%{_libdir}/libarchive.so.%{somajor}{,.*}
 
-%files -n libarchive-devel
+%files devel
+%license COPYING
 %doc examples/
-%{_mandir}/man3/*
+%{_mandir}/man3/*.3%{?ext_man}
 %{_libdir}/libarchive.so
 %{_includedir}/archive*
 %{_libdir}/pkgconfig/libarchive.pc
 
-%if %{with static_libs}
-%files static-devel
-%{_libdir}/%{name}.a
-%endif
-
 %changelog