Re: [ptxdist] [APPLIED] libarchive: Version bump. 3.7.4 -> 3.8.1

Sat, 12 Jul 2025 08:49:29 -0700 

Thanks, applied as 900ae2a6436b3d66ea536cbd48429f3e1cd4d951.

Michael

[sent from post-receive hook]

On Sat, 12 Jul 2025 17:48:25 +0200, Christian Melki 
<[email protected]> wrote:
> Bunch of fixes and a bunch security updates, including CVEs.
> Probably still in the wake of the xz fallout.
> https://github.com/libarchive/libarchive/releases/tag/v3.7.5
> https://github.com/libarchive/libarchive/releases/tag/v3.7.6
> https://github.com/libarchive/libarchive/releases/tag/v3.7.7
> https://github.com/libarchive/libarchive/releases/tag/v3.7.8
> https://github.com/libarchive/libarchive/releases/tag/v3.7.9
> https://github.com/libarchive/libarchive/releases/tag/v3.8.0
> https://github.com/libarchive/libarchive/releases/tag/v3.8.1
> 
> Plugs CVEs:
> CVE-2025-5918: RAR. Do not skip past EOF while reading.
> CVE-2025-5914: RAR. Fix double free with over 4 billion nodes.
> CVE-2025-5915: RAR. Fix heap-buffer-overflow.
> CVE-2025-5916: WARC. Prevent signed integer overflow.
> CVE-2025-5917: TAR. Fix overflow in build_ustar_entry.
> CVE-2024-57970: TAR. Handle truncation in the middle of a GNU long linkname.
> CVE-2025-1632: UNZIP. Fix null pointer dereference.
> CVE-2025-25724: TAR. Fix unchecked return value in list_item_verbose.
> CVE-2024-20696: RAR. Protect copy_from_lzss_window_to_unp.
> CVS-2024-26256. RAR: Fix OOB in rar e8 filter.
> 
> * License hash changed, minor source inclusion row change.
> 
> Signed-off-by: Christian Melki <[email protected]>
> Message-Id: <[email protected]>
> Signed-off-by: Michael Olbrich <[email protected]>
> 
> diff --git a/rules/libarchive.make b/rules/libarchive.make
> index 5fbe4b0fe112..c506b644d306 100644
> --- a/rules/libarchive.make
> +++ b/rules/libarchive.make
> @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBARCHIVE) += libarchive
>  #
>  # Paths and names
>  #
> -LIBARCHIVE_VERSION   := 3.7.4
> -LIBARCHIVE_MD5               := 5649f858cd87dc969b6901152bd6614d
> +LIBARCHIVE_VERSION   := 3.8.1
> +LIBARCHIVE_MD5               := 29353cd50c2146601b708a80307a5a76
>  LIBARCHIVE           := libarchive-$(LIBARCHIVE_VERSION)
>  LIBARCHIVE_SUFFIX    := tar.gz
>  LIBARCHIVE_URL               := 
> https://www.libarchive.org/downloads/$(LIBARCHIVE).$(LIBARCHIVE_SUFFIX)
> @@ -23,7 +23,7 @@ LIBARCHIVE_SOURCE   := 
> $(SRCDIR)/$(LIBARCHIVE).$(LIBARCHIVE_SUFFIX)
>  LIBARCHIVE_DIR               := $(BUILDDIR)/$(LIBARCHIVE)
>  LIBARCHIVE_LICENSE   := BSD-2-Clause AND BSD-3-Clause AND public_domain AND \
>                          (CC-0-1.0 OR OpenSSL OR Apache-2.0)
> -LIBARCHIVE_LICENSE_FILES     := 
> file://COPYING;md5=d499814247adaee08d88080841cb5665
> +LIBARCHIVE_LICENSE_FILES     := 
> file://COPYING;md5=7ce08437ff7f5e24d72e666313ae4084
>  
>  # 
> ----------------------------------------------------------------------------
>  # Prepare

Reply via email to