Commit Graph

9 Commits

Author SHA1 Message Date
Martin Matuska b0ea71a855 Update vendor/libarchive to 3.8.0
New features:
 #2088 7-zip reader: improve self-extracting archive detection
 #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
 #2403 zip writer: added LZMA + RISCV BCJ filter
 #2601 bsdtar: support --mtime and --clamp-mtime
 #2602 libarchive: mbedtls 3.x compatibility

Security fixes:
 #2422 tar reader: Handle truncation in the middle of a GNU long linkname
       CVE-2024-57970
 #2532 tar reader: fix unchecked return value in list_item_verbose()
       CVE-2025-25724
 #2532 unzip: fix null pointer dereference
       CVE-2025-1632
 #2568 warc: prevent signed integer overflow
 #2584 rar: do not skip past EOF while reading
 #2588 tar: fix overflow in build_ustar_entry
 #2598 rar: fix double free with over 4 billion nodes
 #2599 rar: fix heap-buffer-overflow

Important bugfixes:
  #2399 7-zip reader: add SPARC filter support for non-LZMA compressors
  #2405 tar reader: ignore ustar size when pax size is present
  #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
  #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
  #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
  #2539 libarchive: add missing seeker function to archive_read_open_FILE()
  #2544 gzip: allow setting the original filename for gzip compressed files
  #2564 libarchive: improve lseek handling
  #2582 rar: support large headers on 32 bit systems
  #2587 bsdtar: don't hardlink negative inode files together
  #2596 rar: support large headers on 32 bit systems
  #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings

Obtained from:	libarchive
Vendor commit:	70ff28fcf04ec129a1d064f96e49aa57fcc90e37
CVE:		CVE-2024-57970, CVE-2025-1632, CVE-2025-25724
2025-05-20 12:47:29 +02:00
Martin Matuska 2022efa030 Update vendor/libarchive to 3.7.5
Security fixes:
 #2158 rpm: calculate huge header sizes correctly
 #2160 util: fix out of boundary access in mktemp functions
 #2168 uu: stop processing if lines are too long
 #2174 lzop: prevent integer overflow
 #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
 #2175 unzip: unify EOF handling
 #2179 rar4: fix out of boundary access with large files
 #2203 rar4: fix OOB access with unicode filenames
 #2210 rar4: add boundary checks to rgb filter
 #2248 rar4: fix OOB in delta filter
 #2249 rar4: fix OOB in audio filter
 #2256 fix multiple vulnerabilities identified by SAST
 #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
 #2265 rar5: clear 'data ready' cache on window buffer reallocs
 #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256)

Important bugfixes:
 #2150 xar: fix another infinite loop and expat error handling
 #2173 shar: check strdup return value
 #2161 lha: fix integer truncation on 32-bit systems
 #2245 7zip: fix issue when skipping first file in 7zip archive that
       is a multiple of 65536 bytes
 #2259 rar5: don't try to read ridiculously long names
 #2290 ar: fix archive entries having no type

Obtained from:	libarchive
Vendor commit: 	12ecf8418ab3595d66cdea1abadcea8b6a9d288b
CVE:		CVE-2024-20696, CVE-2024-26256
2024-09-14 11:48:57 +02:00
Martin Matuska a509d68f27 Update vendor/libarchive to 3.7.3
New features:
  #1941 uudecode filter: support file name and file mode in raw mode
  #1943 7-zip reader: translate Windows permissions into UNIX
        permissions
  #1962 zstd filter now supports the "long" write option
  #2012 add trailing letter b to bsdtar(1) substitute pattern
  #2031 PCRE2 support
  #2054 add support for long options "--group" and "--owner" to tar(1)

Security fixes:
  #2101 Fix possible vulnerability in tar error reporting introduced
        in f27c173

Important bugfixes:
  #1974 ISO9660: preserve the natural order of links
  #2105 rar5: fix infinite loop if during rar5 decompression the last
        block produced no data
  #2027 xz filter: fix incorrect eof at the end of an lzip member
  #2043 zip: fix end-of-data marker processing when decompressing zip
        archives

Obtained from:		libarchive
Libarchive commit:	4fcc02d906cca4b9e21a78a833f1142a2689ec52
2024-04-11 15:48:20 +02:00
Martin Matuska d5f2a5ff11 Update vendor/libarchive/dist to git 833821f55b1807cac22a63a58b759a7802df2fb7
Libarchive 3.5.0

Relevant vendor changes:
  Issue #1258: add archive_read_support_filter_by_code()
  PR #1347: mtree digest reader support
  Issue #1381: skip hardlinks pointing to itself on extraction
  PR #1387: fix writing of cpio archives with hardlinks without file type
  PR #1388: fix rdev field in cpio format for device nodes
  PR #1389: completed support for UTF-8 encoding conversion
  PR #1405: more formats in archive_read_support_format_by_code()
  PR #1408: fix uninitialized size in rar5_read_data
  PR #1409: system extended attribute support
  PR #1435: support for decompression of symbolic links in zipx archives
  Issue #1456: memory leak after unsuccessful archive_write_open_filename
2020-12-01 10:36:46 +00:00
Martin Matuska 8185c4ae24 Update vendor/libarchive/dist to git 3288ebb0353beb51dfb09d444dedbe9235ead53d
Libarchive 3.4.2

Relevant vendor changes:
  PR #1289: atomic extraction support (bsdtar -x --safe-writes)
  PR #1308: big endian fix for UTF16 support in LHA reader
  PR #1326: reject RAR5 files that declare invalid header flags
  Issue #987: fix support 7z archive entries with Delta filter
  Issue #1317: fix compression output buffer handling in XAR writer
  Issue #1319: fix uname or gname longer than 32 characters in pax writer
  Issue #1325: fix use after free when archiving hardlinks in ISO9660 or XAR
  Use localtime_r() and gmtime_r() instead of localtime() and gmtime()
2020-02-11 23:48:03 +00:00
Martin Matuska 8e97bbedae Update vendor/libarchive/dist to git b5818e39e128eca4951e2ab10467d4d850a2ba57
Relevant vendor changes:
Issue #795: XAR - do not try to add xattrs without an allocated name
PR #812: non-recursive option for extract and list
PR #958: support reading metadata from compressed files
PR #999: add --exclude-vcs option to bsdtar
Issue #1062: treat empty archives with a GNU volume header as valid
PR #1074: Handle ZIP files with trailing 0s in the extra fields
          (Android APK archives)
PR #1109: Ignore padding in Zip extra field data (Android APK archives)
PR #1167: fix problems related to unreadable directories
Issue #1168: fix handling of strtol() and strtoul()
PR #1172: RAR5 - fix invalid window buffer read in E8E9 filter
PR #1174: ZIP reader - fix of MSZIP signature parsing
PR #1175: gzip filter - fix reading files larger than 4GB from memory
PR #1177: gzip filter - fix memory leak with repeated header reads
PR #1180: ZIP reader - add support for Info-ZIP Unicode Path Extra Field
PR #1181: RAR5 - fix merge_block() recursion
          (OSS-Fuzz 12999, 13029, 13144, 13478, 13490)
PR #1183: fix memory leak when decompressing ZIP files with LZMA
PR #1184: fix RAR5 OSS-Fuzz issues 12466, 14490, 14491, 12817
  OSS-Fuzz 12466: RAR5 - fix buffer overflow when parsing huffman tables
  OSS-Fuzz 14490, 14491: RAR5 - fix bad shift-left operations
  OSS-Fuzz 12817: RAR5 - handle a case with truncated huffman tables
PR #1186: RAR5 - fix invalid type used for dictionary size mask
          (OSS-Fuzz 14537)
PR #1187: RAR5 - fix integer overflow (OSS-Fuzz 14555)
PR #1190: RAR5 - don't try to unpack entries marked as directories
          (OSS-Fuzz 14574)
PR #1196: RAR5 - fix a potential SIGSEGV on 32-bit builds
OSS-Fuzz 2582: RAR - fix use after free if there is an invalid entry
OSS-Fuzz 14331: RAR5 - fix maximum owner name length
OSS-Fuzz 13965: RAR5 - use unsigned int for volume number + range check

Additional RAR5 reader changes:
  - support symlinks, hardlinks, file owner, file group, versioned files
  - change ARCHIVE_FORMAT_RAR_V5 to 0x100000
  - set correct mode for readonly directories
  - support readonly, hidden and system Windows file attributes

NOTE: a version bump of libarchive will happen in the following days
2019-05-20 12:32:00 +00:00
Martin Matuska 4e579f6c94 Update vendor/libarchive/dist to git commit 61c56e5 (post 3.2.0)
2016-05-11 10:19:44 +00:00
Martin Matuska 17993d47e9 Update vendor libarchive dist to new "release" branch (post 3.0.3)
Git branch:	release
Git commit:	9af87742342aa4f37a22ec12c4cc1c82e00ffa2f

Obtained from:	https://github.com/libarchive/libarchive.git
2012-02-08 12:53:14 +00:00
Martin Matuska 35fa5e2f58 Vendor import of libarchive (release/2.8, r3824)
Obtained from:	http://libarchive.googlecode.com/svn/release/2.8
2011-12-20 22:47:56 +00:00