libarchive (3.4.3-2ubuntu0.2) impish-security; urgency=medium
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
      read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
    - CVE-2022-26280
 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 05 Apr 2022 11:21:47 -0300
-
libarchive (3.4.3-2ubuntu0.1) impish-security; urgency=medium
  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
      ACLs in libarchive/archive_disk_acl_freebsd.c,
      libarchive/archive_disk_acl_linux.c,
      libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
      processing the fixup list in Makefile.am,
      libarchive/archive_write_disk_posix.c,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
      setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
      processing the fixup list in libarchive/archive_write_disk_posix.c,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
      8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976
 -- Marc Deslauriers <email address hidden> Wed, 16 Feb 2022 08:27:55 -0500
-
libarchive (3.4.3-2build1) impish; urgency=medium
  * No-change rebuild to build packages with zstd compression.
 -- Matthias Klose <email address hidden> Thu, 07 Oct 2021 12:14:04 +0200
-
libarchive (3.4.3-2) unstable; urgency=medium
  * Add some more upstream patches:
    - upstream-isint-w
    - upstream-unneeded-strlen
    - upstream-hardlink-to-self
    - upstream-set-format-error (with a typo corrected)
    - upstream-rar-read-format
    - upstream-memory-stdlib
    - upstream-max-comp-level
  * Drop the unused liblzo2 build dependency. According to upstream,
    distributing libarchive binaries linked against liblzo2 violates
    the liblzo2 GPL license, so libarchive does not even use it unless
    explicitly requested, which we do not do anyway.
  * Fix two problems related to cross-building libarchive.
    Closes: #966637
    - drop the gcc B-D that I added as a reminder that dropping --as-needed
      was because it is handled automatically
    - annotate the test dependencies with <!nocheck>; since we never run
      the upstream test suite automatically, but only if the non-standard
      "check" build option is specified, this has no effect on normal builds,
      but it will fix cross-builds
 -- Peter Pentchev <email address hidden> Sat, 01 Aug 2020 21:46:12 +0300