368708 |
16-Dec-2020 |
mm |
MFC r368207,368607:
MFC r368207: Update libarchive to 3.5.0
Relevant vendor changes:
  Issue #1258: add archive_read_support_filter_by_code()
  PR #1347: mtree digest reader support
  Issue #1381: skip hardlinks pointing to itself on extraction
  PR #1387: fix writing of cpio archives with hardlinks without file type
  PR #1388: fix rdev field in cpio format for device nodes
  PR #1389: completed support for UTF-8 encoding conversion
  PR #1405: more formats in archive_read_support_format_by_code()
  PR #1408: fix uninitialized size in rar5_read_data
  PR #1409: system extended attribute support
  PR #1435: support for decompression of symbolic links in zipx archives
  Issue #1456: memory leak after unsuccessful archive_write_open_filename
MFC r368607: Sync libarchive with vendor.
Vendor changes:
  Issue #1461: Unbreak build without lzma
  Issue #1462: warc reader: Fix build with gcc11
  Issue #1463: Fix code compatibility in test_archive_read_support.c
  Issue #1464: Use built-in strnlen on platforms where not available
  Issue #1465: warc reader: fix undefined behaviour in deconst() function |
362134 |
12-Jun-2020 |
mm |
MFC r361294: Update libarchive to 3.4.3
Relevant vendor changes:
  PR #1352: support negative zstd compression levels
  PR #1359: improve zstd version checking
  PR #1348: support RHT.security.selinux from GNU tar
  PR #1357: support for archives compressed with pzstd
  PR #1367: fix issues in acl tests
  PR #1372: child handling cleanup
  PR #1378: fix memory leak from passphrase callback |
358927 |
13-Mar-2020 |
mm |
MFC r358533: Sync libarchive with vendor.
Relevant vendor changes:
  Issue #1257: Add testcase for ZIPX files with LZMA_STREAM_END marker
  PR #1331: cpio.5: fix hard link description
  Issue #1335: archive_read.c: fix UBSan warning about undefined behavior
  Issue #1338: XAR reader: fix UBSan warning about undefined behavior
  Issue #1339: bsdcpio_test: fix datatype in from_hex()
  Issue #1341: Safe writes: delete temporary file if rename fails.
  Issue #1341: Safe writes: improve error handling |
358090 |
19-Feb-2020 |
mm |
MFC r356212,r356366,r356416,r357785 Update libarchive to version 3.4.2
Relevant vendor changes (r356212):
  Issue #351: Refactor and implement private state logic for write filters
  PR #1252: RAR5 reader - verify window size for solid files (OSS-Fuzz 15482)
  PR #1255: zip writer - don't append unused NUL for directories
  PR #1260: Fix sparse file offset overflow on 32-bit systems
  PR #1263: UNICODE filename support for reading lha/lzh format
  Issue #1276: Bugfix and optimize archive_wstring_append_from_mbs()
  PR #1288: Add the "xattrhdr" option to pax write options
  PR #1295: 7z reader - fix reading archives with digests in PackInfo
  PR #1296: RAR5 reader - verify window size for multivolume archives
  PR #1297: ZIP reader - support LZMA_STREAM_END marker in 'lzma alone' files
  Issue #1298: Fix a heap-buffer-overflow in archive_string_append_from_wcs()
  OSS-Fuzz 19360, 19362: LHA reader - plug two memory leaks on error
  Fix possible off-by-one when dealing with readlink(2)
Relevant vendor changes (r356366): Issue #1302: Plug memory leak on failure of archive_write_client_open()
Relevant vendor changes (r356416): Issue #1302: Re-do fix for archive_write_client_open()
Relevant vendor changes (r357785):
  PR #1289: atomic extraction support (bsdtar -x --safe-writes)
  PR #1308: big endian fix for UTF16 support in LHA reader
  PR #1326: reject RAR5 files that declare invalid header flags
  Issue #987: fix support 7z archive entries with Delta filter
  Issue #1317: fix compression output buffer handling in XAR writer
  Issue #1319: fix uname or gname longer than 32 characters in pax writer
  Issue #1325: fix use after free when archiving hardlinks in ISO9660 or XAR
  Use localtime_r() and gmtime_r() instead of localtime() and gmtime() |
353377 |
09-Oct-2019 |
mm |
MFC r316456,352732: Sync libarchive with vendor.
MFC r316456: Vendor changes (FreeBSD-related): Report which extended attributes could not be restored Update archive_read_disk.3 and archive_write_disk.3 manual pages Plug memory leaks in xattr tests.
MFC r352732: Relevant vendor changes: Issue #1237: Fix integer overflow in archive_read_support_filter_lz4.c PR #1249: Correct some typographical and grammatical errors. PR #1250: Minor corrections to the formatting of manual pages |
349901 |
11-Jul-2019 |
mm |
MFC r349527,349538: Sync libarchive with vendor.
Relevant vendor changes: PR #1217: RAR5 reader - fix ARM filter going beyond window buffer boundary (OSS-Fuzz 15431) PR #1218: Fixes to sparse file handling |
349525 |
28-Jun-2019 |
mm |
MFC r348993,349135: Sync libarchive with vendor including security fixes
r348993: - version bumped to 3.4.0 - check_symlinks_fsobj() without chdir() and fchdir() - bsdtar.1 manpage fixes - patches from OpenBSD to libarchive_fe/passphrase.c
r349135: PR #1212: RAR5 reader - window_mask was not updated correctly (OSS-Fuzz 15278) OSS-Fuzz 15120: RAR reader - extend use after free bugfix |
348608 |
04-Jun-2019 |
mm |
MFC r347990: Sync libarchive with vendor.
Relevant vendor changes:
  Issue #795: XAR - do not try to add xattrs without an allocated name
  PR #812: non-recursive option for extract and list
  PR #958: support reading metadata from compressed files
  PR #999: add --exclude-vcs option to bsdtar
  Issue #1062: treat empty archives with a GNU volume header as valid
  PR #1074: Handle ZIP files with trailing 0s in the extra fields (Android APK archives)
  PR #1109: Ignore padding in Zip extra field data (Android APK archives)
  PR #1167: fix problems related to unreadable directories
  Issue #1168: fix handling of strtol() and strtoul()
  PR #1172: RAR5 - fix invalid window buffer read in E8E9 filter
  PR #1174: ZIP reader - fix of MSZIP signature parsing
  PR #1175: gzip filter - fix reading files larger than 4GB from memory
  PR #1177: gzip filter - fix memory leak with repeated header reads
  PR #1180: ZIP reader - add support for Info-ZIP Unicode Path Extra Field
  PR #1181: RAR5 - fix merge_block() recursion (OSS-Fuzz 12999, 13029, 13144, 13478, 13490)
  PR #1183: fix memory leak when decompressing ZIP files with LZMA
  PR #1184: fix RAR5 OSS-Fuzz issues 12466, 14490, 14491, 12817
  OSS-Fuzz 12466: RAR5 - fix buffer overflow when parsing huffman tables
  OSS-Fuzz 14490, 14491: RAR5 - fix bad shift-left operations
  OSS-Fuzz 12817: RAR5 - handle a case with truncated huffman tables
  PR #1186: RAR5 - fix invalid type used for dictionary size mask (OSS-Fuzz 14537)
  PR #1187: RAR5 - fix integer overflow (OSS-Fuzz 14555)
  PR #1190: RAR5 - RAR5 don't try to unpack entries marked as directories (OSS-Fuzz 14574)
  PR #1196: RAR5 - fix a potential SIGSEGV on 32-bit builds
  OSS-Fuzz 2582: RAR - fix use after free if there is an invalid entry
  OSS-Fuzz 14331: RAR5 - fix maximum owner name length
  OSS-Fuzz 13965: RAR5 - use unsigned int for volume number + range check
Additional RAR5 reader changes:
  - support symlinks, hardlinks, file owner, file group, versioned files
  - change ARCHIVE_FORMAT_RAR_V5 to 0x100000
  - set correct mode for readonly directories
  - support readonly, hidden and system Windows file attributes
MFC r347999: Install missing data file for lib.libarchive.functional_test.test_read_format_zip_utf8_paths |
346105 |
10-Apr-2019 |
mm |
MFC r345497: Sync libarchive with vendor.
Relevant vendor changes: PR #1153: fixed 2 bugs in ZIP reader [1] PR #1143: ensure archive_read_disk_entry_from_file() uses ARCHIVE_READ_DISK Changes to file flags code, support more file flags on FreeBSD: UF_OFFLINE, UF_READONLY, UF_SPARSE, UF_REPARSE, UF_SYSTEM UF_ARCHIVE is not supported by intention (yet)
PR: 236300 [1] |
344674 |
28-Feb-2019 |
mm |
MFC r344063,r344088:
MFC r344063: Sync libarchive with vendor.
Relevant vendor changes:
  PR #1085: Fix a null pointer dereference bug in zip writer
  PR #1110: ZIP reader added support for XZ, LZMA, PPMD8 and BZIP2 decompression
  PR #1116: Add support for 64-bit ar format
  PR #1120: Fix a 7zip crash [1] and a ISO9660 infinite loop [2]
  PR #1125: RAR5 reader - fix an invalid read and a memory leak
  PR #1131: POSIX reader - do not fail when tree_current_lstat() fails due to ENOENT [3]
  PR #1134: Delete unnecessary null pointer checks before calls of free()
  OSS-Fuzz 10843: Force intermediate to uint64_t to make UBSAN happy.
  OSS-Fuzz 11011: Avoid buffer overflow in rar5 reader
MFC r344088: archive_read_disk_posix.c: initialize delayed_errno
PR: 233006 [3] Security: CVE-2019-1000019 [1], CVE-2019-1000020 [2] |
342361 |
21-Dec-2018 |
mm |
MFC r339746,339751,339794,340866,340939,342042: Sync libarchive with vendor.
Relevant vendor changes:
  PR #1013: Add missing h_base offset when performing absolute seeks in xar decompression
  PR #1023: Support extracting extattrs as non-root on non-user-writeable files
  PR #1061: Add support for extraction of RAR v5 archives
  PR #1066: Fix out of bounds read on empty string filename for gnutar, pax and v7tar
  PR #1067: Fix temporary file path buffer overflow in tests
  IS #1068: Correctly process and verify integer arguments passed to bsdcpio and bsdtar
  PR #1070: Don't default XAR entry atime/mtime to the current time
  PR #1080: Spelling fixes
  PR #1084: RAR5 reader bugfixes
  PR #1091: fix use-after-free in delayed newc link processing
  PR #1092: Fix a few obvious resource leaks and strcpy() misuses
  IS #1096: Support extracting ACLs with in-entry comments (GNU tar)
  PR #1102: RAR5 reader - fix big-endian problems
  PR #1105: Fix various crash, memory corruption and infinite loop conditions
RAR5 reader: FreeBSD build platform fixes for powerpc(64), mips(64), sparc64 and riscv64 RAR5 reader: more maybe-uninitialized size_t fixes for riscv64 FreeBSD build |
339006 |
28-Sep-2018 |
mm |
MFC r338827: Sync libarchive with vendor.
Relevant vendor changes: PR #1019: Add allocation check for the zip_entry struct Oss-Fuzz #10192: Handle whitespace-only ACL fields correctly |
338796 |
19-Sep-2018 |
mm |
MFC r338600: Update libarchive to 3.3.3
As all important changes have already been merged from libarchive git this is just a version number bump, documentation update and some polishing for cpio tests. Other source code changes are not relevant to FreeBSD.
Relnotes: yes |
338034 |
18-Aug-2018 |
mm |
MFH r337745: Sync libarchive with vendor.
Vendor changes: PR #1042: validate iso9660 directory record length
MFC after: 3 days Security: CVE-2017-14501 |
337352 |
05-Aug-2018 |
mm |
MFH r336801,r336854:
MFH r336801 (cem): Cherry-pick upstream 2c8c83b9
Relevant vendor changes: Fix issue #948: out-of-bounds read in lha_read_data_none()
MFH r336854: Sync libarchive with vendor.
Important vendor changes: PR #993: Chdir to -C directory for metalog processing OSS-Fuzz #4969: Check size of the extended time field in zip archives PR #973: Record informational compression level in gzip header
amdbugs: 877 Security: CVE-2017-14503 |
328828 |
03-Feb-2018 |
mm |
MFH r328332: Sync libarchive with vendor.
Relevant vendor changes:
  PR #893: delete dead ppmd7 alloc callbacks
  PR #904: Fix archive freeing bug in bsdcat
  PR #961: Fix ZIP format names
  PR #962: Don't modify attributes for existing directories when ARCHIVE_EXTRACT_NO_OVERWRITE is set
  PR #964: Fix -Werror=implicit-fallthrough= for GCC 7
  PR #970: zip: Allow backslash as path separator |
324418 |
08-Oct-2017 |
mm |
MFH r324148: Sync libarchive with vendor.
Relevant vendor changes:
  PR #905: Support for Zstandard read and write filters
  PR #922: Avoid overflow when reading corrupt cpio archive
  Issue #935: heap-based buffer overflow in xml_data (CVE-2017-14166)
  OSS-Fuzz 2936: Place a limit on the mtree line length
  OSS-Fuzz 2394: Ensure that the ZIP AES extension header is large enough
  OSS-Fuzz 573: Read off-by-one error in RAR archives (CVE-2017-14502)
Security: CVE-2017-14166, CVE-2017-14502 |
322072 |
04-Aug-2017 |
mm |
MFH r321674: Sync libarchive with vendor.
Relevant vendor changes: PR #926: ensure ar strtab is null terminated
PR: 220462 |
321304 |
20-Jul-2017 |
mm |
MFC r320927,320931,320932: Bump libarchive to 3.3.2
Vendor changes: PR #901: don't depend on stdin in a testcase
Relnotes: yes |
318483 |
18-May-2017 |
mm |
MFC r317782,318181:
MFC r317782 (mm): Sync libarchive with vendor
Vendor changes (FreeBSD-related):
  PR 897: add test for ZIP archives with invalid EOCD headers
  PR 901: fix invalid renaming of sparse files
  OSS-Fuzz issue 497: remove fallback tree in LZX decoder
  OSS-Fuzz issue 527: rewrite expressions in lz4 filter
  OSS-Fuzz issue 577: fix integer overflow in cpio reader
  OSS-Fuzz issue 862: fix numeric parsing in mtree reader
  OSS-Fuzz issue 1097: fix undefined shift in rar reader
  cpio: various optimizations and memory leak fixes
MFC r318181 (ngie) (2): cpio/tests/test_option_lz4: fix a use after free in the failure case
Reported by: Coverity (2) Sponsored by: Dell EMC Isilon (2) |
316338 |
31-Mar-2017 |
mm |
MFC r315636,315876,316095: Sync libarchive with vendor
Vendor changes/bugfixes (FreeBSD-related):
r315636:
  PR 867 (bsdcpio): show numeric uid/gid when names are not found
  PR 870 (seekable zip): accept files with valid ZIP64 EOCD headers
  PR 880 (pax): Fix handling of "size" pax header keyword
  PR 887 (crypto): Discard 3072 bytes instead of 1024 of first keystream
  OSS-Fuzz issue 806 (mtree): rework mtree_atol10 integer parser
  Break ACL read/write code into platform-specific source files
r315876: Store extended attributes with extattr_set_link() if no fd is provided Add extended attribute tests to libarchive and bsdtar Fix tar's test_option_acls Support the UF_HIDDEN file flag
r316095: Constify variables in several places Unify platform ACL code in a single source file Fix unused variable if compiling on FreeBSD without NFSv4 ACL support |
315433 |
16-Mar-2017 |
mm |
MFC r314571: Update libarchive to version 3.3.1 (and sync with latest vendor dist)
Notable vendor changes: PR #501: improvements in ACL path handling PR #724: fix hang when reading malformed cpio files PR #864: fix out of bounds read with malformed GNU tar archives Documentation, style, test suite improvements and typo fixes.
New options to bsdtar that enable or disable reading and/or writing of: Access Control Lists (--acls, --no-acls) Extended file flags (--fflags, --no-fflags) Extended attributes (--xattrs, --no-xattrs) Mac OS X metadata (Mac OS X only) (--mac-metadata, --no-mac-metadata) |
313929 |
18-Feb-2017 |
mm |
Fix incomplete merge in r313927:
MFC r313572: Vendor bugfixes: cpio reader sanity fix (OSS-Fuzz 504) WARC reader sanity fixes (OSS-Fuzz 511, 526, 532, 552) mtree reader time parsing fix (OSS-Fuzz 538) XAR reader memleak fix (OSS-Fuzz 551) |
313927 |
18-Feb-2017 |
mm |
MFC r313572,313782 Sync libarchive with vendor.
MFC r313572: Vendor bugfixes: cpio reader sanity fix (OSS-Fuzz 504) WARC reader sanity fixes (OSS-Fuzz 511, 526, 532, 552) mtree reader time parsing fix (OSS-Fuzz 538) XAR reader memleak fix (OSS-Fuzz 551)
MFC r313782: Vendor changes: Make SCHILY.acl.ace header more compact (NFSv4 ACLs)
Vendor bugfixes: zip reader integer parsing fix (OSS-Fuzz 556) spelling fixes (issue #863) |
313571 |
11-Feb-2017 |
mm |
MFC r310866,310868,310870,311903,313074: Sync libarchive with vendor.
MFC r310866: PR #771: Add NFSv4 ACL support to pax and restricted pax
NFSv4 ACL information may now be stored to and restored from tar archives. ACL must be non-trivial and supported by the underlying filesystem, e.g. natively by ZFS or by UFS with the NFSv4 ACL enable flag set.
MFC r310868:
  PR #843: Fix memory leak of struct archive_entry in cpio/cpio.c
  PR #851: Spelling fixes
  Fix two prototypes in manual page archive_read_disk.3
MFC r310870: Use __LA_DEPRECATED macro with functions deprecated in 379867e
MFC r311903: #691: Support for SCHILY.xattr extended attributes #854: Spelling fixes
Multiple fixes in ACL code:
  - prefer acl_set_fd_np() to acl_set_fd()
  - if acl_set_fd_np() fails, do not fall back to acl_set_file()
  - do not warn if trying to write ACLs to a filesystem without ACL support
  - fix id handling in archive_acl_(from_to)_text*() for NFSv4 ACLs
MFC r313074: - support extracting NFSv4 ACLs from Solaris tar archives - bugfixes and optimizations in the ACL code - multiple fixes in the test suite - typo and other small bugfixes
Security fixes:
  - cab reader: endless loop when parsing MSZIP signature (OSS-Fuzz 335)
  - LHA reader: heap-buffer-overflow in lha_read_file_header_1() (CVE-2017-5601)
  - LZ4 reader: null-pointer dereference in lz4_filter_read_legacy_stream() (OSS-Fuzz 453)
  - mtree reader: heap-buffer-overflow in detect_form() (OSS-Fuzz 421, 443)
  - WARC reader: heap-buffer-overflow in xstrpisotime() (OSS-Fuzz 382, 458)
Memory leak fixes:
  - ACL support: free memory allocated by acl_get_qualifier()
  - disk writer: missing free in create_filesystem_object()
  - file reader: fd leak (Coverity 1016755)
  - gnutar writer: fix free in archive_write_gnutar_header() (Coverity 101675)
  - iso 9660 reader: missing free in parse_file_info() (partial Coverity 1016754)
  - program reader: missing free in __archive_read_program()
  - program writer: missing free in __archive_write_program_free()
  - xar reader: missing free in xar_cleanup()
  - xar reader: missing frees in expat_xmlattr_setup() (Coverity 1229979-1229981)
  - xar writer: missing free in file_free()
  - zip reader: missing free in zip_read_local_file_header()
List of all libarchive issues at OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=libarchive
Security: CVE-2017-5601 |
311042 |
02-Jan-2017 |
mm |
MFC r309300,r309363,r309405,r309523,r309590,r310185,r310623:
Sync libarchive with vendor.
Fixed vendor issues (relevant to FreeBSD):
  #825, #832: Add sanity check of tar "uid", "gid" and "mtime" fields
  #830, #831, #833, #846: Spelling fixes
  #850: Fix issues with reading certain jar files
Fixed issues found by Google OSS-Fuzz:
  OSS-Fuzz #15: Fix heap-buffer-overflow in archive_le16dec()
  OSS-Fuzz #16: Fix possible hang in uudecode_filter_read()
  OSS-Fuzz #139, #145, #152: Fix heap-buffer-overflow in uudecode_bidder_bid()
  OSS-Fuzz #220: Reject an 'ar' filename table larger than 1GB or a filename larger than 1MB
  OSS-Fuzz #227, #230, #239: Fix possible memory leak in archive_read_free()
  OSS-Fuzz #237: Fix heap buffer overflow when reading invalid ar archives
  OSS-Fuzz #286: Bugfix in archive_strncat_l()
More information: https://github.com/libarchive/libarchive/issues/[libarchive_issue_number] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=[oss_fuzz_issue_number] |
310570 |
26-Dec-2016 |
ngie |
MFstable/11 r310569:
MFC r309869:
Merge changes from vendor to address several Coverity issues with contrib/libarchive's tests
Obtained from: libarchive (ebe29c, fd0ea2, f9e3de) |
309702 |
08-Dec-2016 |
mm |
Partial MFC r309300:
Apply fix for libarchive issue #821: "tar -P" cannot extract hardlinks through symlinks
PR: 213255 Reported by: Tijl Coosemans <tilj@FreeBSD.org> |
308152 |
31-Oct-2016 |
mm |
MFC r307861: Update libarchive to 3.2.2
Most of the post-3.2.1 fixes have already been merged. This update contains just the version bump and some fixes to the test framework. |
307798 |
22-Oct-2016 |
mm |
MFC r307215: Sync libarchive with vendor. Style and tests fixes.
Important vendor bugfixes (relevant to FreeBSD): #801: FreeBSD Coverity report: resource leak in libarchive/tar/test/main.c |
307139 |
12-Oct-2016 |
mm |
MFC r306670: Sync libarchive with vendor including security fixes.
Important vendor bugfixes (relevant to FreeBSD): #747: Out of bounds read in mtree parser #761: heap-based buffer overflow in read_Header (7-zip) #794: Invalid file on bsdtar command line results in internal errors (1)
PR: 213092 (1) |
306322 |
25-Sep-2016 |
mm |
MFC r305819: Sync libarchive with vendor including important security fixes.
Issues fixed (FreeBSD): PR #778: ACL error handling Issue #745: Symlink check prefix optimization is too aggressive Issue #746: Hard links with data can evade sandboxing restrictions
This update fixes the vulnerability #3 and vulnerability #4 as reported in "non-cryptanalytic attacks against FreeBSD update components". https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f
Fix for vulnerability #2 has already been merged in r305192.
Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f |
305755 |
12-Sep-2016 |
mm |
MFC r305422: Sync libarchive with vendor
Vendor issues fixed: PR #777: Multiple bugfixes for setup_acls()
This includes a bugfix for a bug that caused ACLs not to be read properly for files and directories inside subdirectories and as a result not being stored or being incorrectly stored in tar archives. |
305192 |
01-Sep-2016 |
mm |
MFC r304075,r304989: Sync libarchive with vendor including security fixes
Vendor issues fixed:
  Issue #731: Reject tar entries >= INT64_MAX
  Issue #744: Very long pathnames evade symlink checks
  Issue #748: libarchive can compress, but cannot decompress zip some files
  PR #750: ustar: fix out of bounds read on empty string ("") filename
  PR #755: fix use of acl_get_flagset_np() on FreeBSD
  Issue #767: Buffer overflow printing a filename
  Issue #770: Zip read: be more careful about extra_length
MFC r304874: Temporarily disable two libarchive tests that have not yet been fixed by vendor. Tests will be re-enabled after a fix has been merged. |
302425 |
08-Jul-2016 |
mm |
MFC r302294:
Sync libarchive with vendor, bugfixes for tests: - fix tests on filesystems without birthtime support, e.g. UFS1 (1) - vendor issue #729: avoid use of C99 for-scope declarations in test_write_format_gnutar_filenames.c
PR: 204157 (1) |
302295 |
30-Jun-2016 |
mm |
MFC r302075:
Update libarchive to 3.2.1 (bugfix and security fix release)
List of vendor fixes:
  - fix exploitable heap overflow vulnerability in Rar decompression (vendor issue 719, CVE-2016-4302, TALOS-2016-0154)
  - fix exploitable stack based buffer overflow vulnerability in mtree parse_device functionality (vendor PR 715, CVE-2016-4301, TALOS-2016-0153)
  - fix exploitable heap overflow vulnerability in 7-zip read_SubStreamsInfo (vendor issue 718, CVE-2016-4300, TALOS-2016-152)
  - fix integer overflow when computing location of volume descriptor (vendor issue 717)
  - fix buffer overflow when reading a crafted rar archive (vendor issue 521)
  - fix possible buffer overflow when reading ISO9660 archives on machines where sizeof(int) < sizeof(size_t) (vendor issue 711)
  - tar and cpio should fail if an input file named on the command line is missing (vendor issue 708)
  - fix incorrect writing of gnutar filenames that are exactly 512 bytes long (vendor issue 682)
  - allow tests to be run from paths that are equal or longer than 128 characters (vendor issue 657)
  - add memory allocation errors in archive_entry_xattr.c (vendor PR 603)
  - remove dead code in archive_entry_xattr_add_entry() (vendor PR 716)
  - fix broken decryption of ZIP files (vendor issue 553)
  - manpage style, typo and description fixes
Post-3.2.1 vendor fixes:
  - fix typo in cpio version reporting (Vendor PR 725, 726)
  - fix argument range of ctype functions in libarchive_fe/passphrase.c
  - fix ctype use and avoid empty loop bodies in WARC reader
Security: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302 |
302001 |
17-Jun-2016 |
mm |
MFC r299529,r299540,r299576,r299896:
r299529,r299540: Update libarchive to 3.2.0
New features:
  - new bsdcat command-line utility
  - LZ4 compression (in src only via external utility from ports)
  - Warc format support
  - 'Raw' format writer
  - Zip: Support archives >4GB, entries >4GB
  - Zip: Support encrypting and decrypting entries
  - Zip: Support experimental streaming extension
  - Identify encrypted entries in several formats
  - New --clear-nochange-flags option to bsdtar tries to remove noschg and similar flags before deleting files
  - New --ignore-zeros option to bsdtar to handle concatenated tar archives
  - Use multi-threaded LZMA decompression if liblzma supports it
  - Expose version info for libraries used by libarchive
r299576,r299896: Fix broken cpio behavior.
Relnotes: yes |
300361 |
21-May-2016 |
mm |
Backport security fix for absolute path traversal vulnerability in bsdcpio.
This is a direct commit to stable/10.
Security: CVE-2015-2304 |
295961 |
24-Feb-2016 |
delphij |
MFC r295914: MFV r295913:
Partially apply upstream changeset 6e06b1c8 (kientzle).
Limit filter recursion level to 25 (instead of infinite). This fixes a potential crash issue discovered by Alexander Cherepanov.
PR: 207362 Reported by: Robert Clausecker Obtained from: libarchive github project Approved by: re (marius) |
286082 |
30-Jul-2015 |
bdrewery |
MFC r285972:
MFV r285970:
Apply upstream changeset bf4f6ec64e:
Fix issue 356: properly skip a sparse file entry in a tar file.
PR: 201506 Relnotes: yes |
283259 |
21-May-2015 |
delphij |
MFC r282932: MFV r282927,r282928,r282930 (kientzle):
Don't segfault when reading malformed cpio archives. |
281044 |
03-Apr-2015 |
bdrewery |
MFC r280870:
Fix --one-file-system to include the directory encountered rather than excluding it. This was broken in 3.0.4 (r238856).
Relnotes: yes |
275031 |
25-Nov-2014 |
dim |
MFC r274846:
Fix the following -Werror warning from clang 3.5.0, while building usr.bin/cpio on amd64 (or any arch with 64-bit time_t):
contrib/libarchive/cpio/cpio.c:1143:6: error: absolute value function 'abs' given an argument of type 'long' but has parameter of type 'int' which may cause truncation of value [-Werror,-Wabsolute-value]
        if (abs(mtime - now) > (365/2)*86400)
            ^
contrib/libarchive/cpio/cpio.c:1143:6: note: use function 'labs' instead
        if (abs(mtime - now) > (365/2)*86400)
            ^~~
            labs
1 error generated.
This is because time_t is a long on amd64. To avoid the warning, just copy the equivalent test from a few lines before, which is used in the Windows case, and which is type safe.
Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D1198 |
271004 |
03-Sep-2014 |
ae |
MFC r270661: Remove leading '/' from hardlink name when removing them from the regular file name. This fixes the problem, when bsdtar can not create hardlinks to extracted files. |
259073 |
07-Dec-2013 |
peter |
Hoist all the mergeinfo up to the root in preparation for enforcing merges to the root only. All MFC's were rerecorded to the root.
Going forward, if an MFC includes mergeinfo, it will need to be made to the root and committed from the root. Merges with --ignore-ancestry or diff | patch can go anywhere.
The mergeinfo in HEAD is in a bad state from years of neglect and manual tampering and this was branched into 10.x. This confuses the coalescing code and prevents it from doing its job.
Approved by: re (gjb, implicit) |
256281 |
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
248995 |
02-Apr-2013 |
mdf |
Fix return type of extattr_set_* and fix rmextattr(8) utility.
extattr_set_{fd,file,link} is logically a write(2)-like operation and should return ssize_t, just like extattr_get_*. Also, the user-space utility was using an int for the return value of extattr_get_* and extattr_list_*, both of which return an ssize_t.
MFC after: 1 week
|
248664 |
23-Mar-2013 |
mm |
Merge bugfix from vendor master branch:
Limit write requests to at most INT_MAX. This prevents a certain common programming error (passing -1 to write) from leading to other problems deeper in the library.
References: https://github.com/libarchive/libarchive/commit/22531545514043e0
Reported by: Xin Li <delphij@FreeBSD.org> Obtained from: libarchive (master branch)
|
248616 |
22-Mar-2013 |
mm |
MFV r248590,248594: Update libarchive to 3.1.2
Some of new features:
  - support for lrzip and grzip compression
  - support for writing tar v7 format
  - b64encode and uuencode filters
  - support for __MACOSX directory in Zip archives
  - support for lzop compression (external utility)
|
246229 |
02-Feb-2013 |
kientzle |
Fix an obvious typo that broke time specifications of the form "2 hours ago".
|
239622 |
23-Aug-2012 |
mm |
Apply fix for vendor pull request #17: Support appending to empty archives
References: https://github.com/libarchive/libarchive/pull/17
Submitted by: myself Obtained from: libarchive master branch on github
|
238909 |
30-Jul-2012 |
mm |
Backport NFSv4 ACL fix from libarchive master branch.
Source: https://github.com/libarchive/libarchive/commit/f67370d5
Obtained from: libarchive (master branch)
|
238882 |
29-Jul-2012 |
mm |
Fix endless loop if reading unsupported ACL type. Apply fix from vendor's master branch.
References: https://github.com/libarchive/libarchive/commit/d8b9dbd
Reported on: freebsd-current@ Obtained from: libarchive
|
238856 |
28-Jul-2012 |
mm |
Update libarchive to 3.0.4
|
238827 |
27-Jul-2012 |
mm |
Update information on obtaining libarchive sources and FreeBSD-Xlist
|
232153 |
25-Feb-2012 |
mm |
Update libarchive to 3.0.3
Some of new features:
  - New readers: RAR, LHA/LZH, CAB reader, 7-Zip
  - New writers: ISO9660, XAR
  - Improvements to many formats, especially including ISO9660 and Zip
  - Stackable write filters to write, e.g., tar.gz.uu in a single pass
  - Exploit seekable input; new "seekable" Zip reader can exploit the Zip Central Directory when it's available; the old "streamable" Zip reader is still fully supported for cases where seeking is not possible.
Full release notes available at: https://github.com/libarchive/libarchive/wiki/ReleaseNotes
|
230759 |
29-Jan-2012 |
mm |
Update code to vendor rev. 4183 (release/2.8)
Fixes vendor issue 224: "Mishandling CD9660 images with RockRidge extensions from FreeBSD makefs"
References: http://code.google.com/p/libarchive/issues/detail?id=224
MFC after: 1 week
|
228911 |
27-Dec-2011 |
mm |
Update to vendor revision 4016.
Vendor has integrated most of our local changes in revisions 3976-3979 so future updates are going to be easier. Thanks to Tim Kientzle <kientzle@FreeBSD.org>.
MFC after: 8 days
|
228835 |
23-Dec-2011 |
mm |
Fix typo s/xz/libarchive/
Reported by: Emil Mikulic (private e-mail) MFC after: 12 days
|
228777 |
21-Dec-2011 |
mm |
Merge FreeBSD changes from usr.bin/cpio to contrib/libarchive/cpio:
r204111 (uqs): Fix common misspelling of hierarchy
r211054 (kientzle): Fix -R when used with -p. Previously, the uname and gname weren't overwritten, so the disk restore would use those to lookup the original uid/gid again. Clearing the uname and gname prevents this.
r212263 (gjb): Fix typo in bsdcpio manual: s/libarchive_formats/libarchive-formats
MFC after: 2 weeks
|
228776 |
21-Dec-2011 |
mm |
Merge FreeBSD changes from usr.bin/tar to contrib/libarchive/tar:
r204111 (uqs): Fix common misspelling of hierarchy
r207786 (kientzle): Various manpage updates, including many long-option synonyms that were previously undocumented.
r208028 (uqs): mdoc: move remaining sections into consistent order
This pertains mostly to FILES, HISTORY, EXIT STATUS and AUTHORS sections.
r209152 (kientzle): If the compressed data is larger than the uncompressed, report the compression ratio as 0% instead of displaying nonsense triggered by numeric overflow. This is common when dealing with uncompressed files when the I/O blocking causes there to be small transient differences in the accounting.
r210720 (joel): Fix typos.
r223541 (kientzle): If there is a read error reading Y/N confirmation from the keyboard, exit immediately with an error.
If there is an error opening or reading a file to put into the archive, set the return value for a deferred error exit.
r223573 (kientzle): The --newer-than test should descend into old directories to look for new files.
r226636 (kientzle): Typo from previous commit. Urgh.
r224153 (mm, partial): Update bsdtar.1 manpage
MFC after: 2 weeks
|
228775 |
21-Dec-2011 |
mm |
Merge FreeBSD changes from usr.bin/tar to contrib/libarchive/libarchive_fe:
r213469: Recognize both ! and ^ as markers for negated character classes.
MFC after: 2 weeks
|
228774 |
21-Dec-2011 |
mm |
Add $FreeBSD$ to libarchive_fe headers where missing.
MFC after: 2 weeks
|
228773 |
21-Dec-2011 |
mm |
Merge FreeBSD changes from lib/libarchive to contrib/libarchive:
r204111 (uqs): Fix common misspelling of hierarchy
r208027 (uqs): mdoc: move CAVEATS, BUGS and SECURITY CONSIDERATIONS sections to the bottom of the manpages and order them consistently.
GNU groff doesn't care about the ordering, and doesn't even mention CAVEATS and SECURITY CONSIDERATIONS as common sections and where to put them.
r208291 (uqs): mdoc: consistently spell our email addresses <foo@FreeBSD.org>
r209031 (uqs): mdoc nitpicking: the title argument shall be uppercase
r214822 (kientzle): Clarify the naming: Methods that free an object should be called "free". Retain the old "finish" names to preserve source compatibility for now.
r214905 (kientzle): If the Zip reader doesn't see a PK signature block because there's inter-entry garbage, just scan forward to find the next one. This allows us to handle a lot of Zip archives that have been modified in-place.
Thanks to: Gleb Kurtsou for sending me a sample archive
r216258 (kientzle): Don't write data into an empty "file."
In particular, this check avoids a warning when extracting directory entries from certain GNU tar archives that store directory contents.
r225525 (kientzle): Fix cpio on ARM.
MFC after: 2 weeks
|
228772 |
21-Dec-2011 |
mm |
Add missing integer casts to comparisons in libarchive read.
MFC after: 2 weeks
|
228771 |
21-Dec-2011 |
mm |
Partial merge of r224691 from lib/libarchive:
Add compatibility for ISO images created with unfixed makefs that violated ECMA-119 (ISO9660): allow reserved4 to be 0x20 in PVD. This allows tar to read FreeBSD distribution ISO images created with makefs prior to NetBSD bin/45217 bugfix (up to 9.0-BETA1).
MFC after: 2 weeks
|
228770 |
21-Dec-2011 |
mm |
Remove libarchive/archive_entry_copy_bhfi.c and libarchive/mtree.5 Add these files to FREEBSD-Xlist
MFC after: 2 weeks
|
228769 |
21-Dec-2011 |
mm |
Remove config_freebsd.h and add to FREEBSD-Xlist This file is common for libarchive, cpio and tar and is going to be located outside of contrib (lib/libarchive)
|
228764 |
21-Dec-2011 |
mm |
Strip unnecessary files and directories from contrib/libarchive according to FREEBSD-Xlist
MFC after: 2 weeks
|
228763 |
21-Dec-2011 |
mm |
Set svn:keywords to FreeBSD=%H for contrib/libarchive
MFC after: 2 weeks
|
228762 |
21-Dec-2011 |
mm |
Add FREEBSD-Xlist and FREEBSD-upgrade to contrib/libarchive
MFC after: 2 weeks
|
228761 |
21-Dec-2011 |
mm |
Copy libarchive from vendor branch to contrib
MFC after: 2 weeks
|
228759 |
21-Dec-2011 |
mm |
Set svn:eol-style property to native for all text files in vendor/libarchive
|
228753 |
20-Dec-2011 |
mm |
Vendor import of libarchive (release/2.8, r3824)
Obtained from: http://libarchive.googlecode.com/svn/release/2.8
|