#
368708 |
|
16-Dec-2020 |
mm |
MFC r368207,368607:
MFC r368207: Update libarchive to 3.5.0
Relevant vendor changes: Issue #1258: add archive_read_support_filter_by_code() PR #1347: mtree digest reader support Issue #1381: skip hardlinks pointing to itself on extraction PR #1387: fix writing of cpio archives with hardlinks without file type PR #1388: fix rdev field in cpio format for device nodes PR #1389: completed support for UTF-8 encoding conversion PR #1405: more formats in archive_read_support_format_by_code() PR #1408: fix uninitialized size in rar5_read_data PR #1409: system extended attribute support PR #1435: support for decompression of symbolic links in zipx archives Issue #1456: memory leak after unsuccessful archive_write_open_filename
MFC r368607: Sync libarchive with vendor.
Vendor changes: Issue #1461: Unbreak build without lzma Issue #1462: warc reader: Fix build with gcc11 Issue #1463: Fix code compatibility in test_archive_read_support.c Issue #1464: Use built-in strnlen on platforms where not available Issue #1465: warc reader: fix undefined behaviour in deconst() function
|
#
358090 |
|
19-Feb-2020 |
mm |
MFC r356212,r356366,r356416,r357785 Update libarchive to version 3.4.2
Relevant vendor changes (r356212): Issue #351: Refactor and implement private state logic for write filters PR #1252: RAR5 reader - verify window size for solid files (OSS-Fuzz 15482) PR #1255: zip writer - don't append unused NUL for directories PR #1260: Fix sparse file offset overflow on 32-bit systems PR #1263: UNICODE filename support for reading lha/lzh format Issue #1276: Bugfix and optimize archive_wstring_append_from_mbs() PR #1288: Add the "xattrhdr" option to pax write options PR #1295: 7z reader - fix reading archives with digests in PackInfo PR #1296: RAR5 reader - verify window size for multivolume archives PR #1297: ZIP reader - support LZMA_STREAM_END marker in 'lzma alone' files Issue #1298: Fix a heap-buffer-overflow in archive_string_append_from_wcs() OSS-Fuzz 19360, 19362: LHA reader - plug two memory leaks on error Fix possible off-by-one when dealing with readlink(2)
Relevant vendor changes (r356366): Issue #1302: Plug memory leak on failure of archive_write_client_open()
Relevant vendor changes (r356416): Issue #1302: Re-do fix for archive_write_client_open()
Relevant vendor changes (r357785): PR #1289: atomic extraction support (bsdtar -x --safe-writes) PR #1308: big endian fix for UTF16 support in LHA reader PR #1326: reject RAR5 files that declare invalid header flags Issue #987: fix support 7z archive entries with Delta filter Issue #1317: fix compression output buffer handling in XAR writer Issue #1319: fix uname or gname longer than 32 characters in pax writer Issue #1325: fix use after free when archiving hardlinks in ISO9660 or XAR Use localtime_r() and gmtime_r() instead of localtime() and gmtime()
|
#
353377 |
|
09-Oct-2019 |
mm |
MFC r316456,352732: Sync libarchive with vendor.
MFC r316456: Vendor changes (FreeBSD-related): Report which extended attributes could not be restored Update archive_read_disk.3 and archive_write_disk.3 manual pages Plug memory leaks in xattr tests.
MFC r352732: Relevant vendor changes: Issue #1237: Fix integer overflow in archive_read_support_filter_lz4.c PR #1249: Correct some typographical and grammatical errors. PR #1250: Minor corrections to the formatting of manual pages
|
#
315433 |
|
16-Mar-2017 |
mm |
MFC r314571: Update libarchive to version 3.3.1 (and sync with latest vendor dist)
Notable vendor changes: PR #501: improvements in ACL path handling PR #724: fix hang when reading malformed cpio files PR #864: fix out of bounds read with malformed GNU tar archives Documentation, style, test suite improvements and typo fixes.
New options to bsdtar that enable or disable reading and/or writing of: Access Control Lists (--acls, --no-acls) Extended file flags (--fflags, --no-fflags) Extended attributes (--xattrs, --no-xattrs) Mac OS X metadata (Mac OS X only) (--mac-metadata, --no-mac-metadata)
|
#
313571 |
|
11-Feb-2017 |
mm |
MFC r310866,310868,310870,311903,313074: Sync libarchive with vendor.
MFC r310866: PR #771: Add NFSv4 ACL support to pax and restricted pax
NFSv4 ACL information may now be stored to and restored from tar archives. ACL must be non-trivial and supported by the underlying filesystem, e.g. natively by ZFS or by UFS with the NFSv4 ACL enable flag set.
MFC r310868: PR #843: Fix memory leak of struct archive_entry in cpio/cpio.c PR #851: Spelling fixes Fix two protoypes in manual page archive_read_disk.3
MFC r310870: Use __LA_DEPRECATED macro with functions deprecated in 379867e
MFC r311903: #691: Support for SCHILY.xattr extended attributes #854: Spelling fixes
Multiple fixes in ACL code: - prefer acl_set_fd_np() to acl_set_fd() - if acl_set_fd_np() fails, do no fallback to acl_set_file() - do not warn if trying to write ACLs to a filesystem without ACL support - fix id handling in archive_acl_(from_to)_text*() for NFSv4 ACLs
MFC r313074: - support extracting NFSv4 ACLs from Solaris tar archives - bugfixes and optimizations in the ACL code - multiple fixes in the test suite - typo and other small bugfixes
Security fixes: - cab reader: endless loop when parsing MSZIP signature (OSS-Fuzz 335) - LHA reader: heap-buffer-overflow in lha_read_file_header_1() (CVE-2017-5601) - LZ4 reader: null-pointer dereference in lz4_filter_read_legacy_stream() (OSS-Fuzz 453) - mtree reader: heap-buffer-overflow in detect_form() (OSS-Fuzz 421, 443) - WARC reader: heap-buffer-overflow in xstrpisotime() (OSS-Fuzz 382, 458)
Memory leak fixes: - ACL support: free memory allocated by acl_get_qualifier() - disk writer: missing free in create_filesystem_object() - file reader: fd leak (Coverity 1016755) - gnutar writer: fix free in archive_write_gnutar_header() (Coverity 101675) - iso 9660 reader: missing free in parse_file_info() (partial Coverity 1016754) - program reader: missing free in __archive_read_program() - program writer: missing free in __archive_write_program_free() - xar reader: missing free in xar_cleanup() - xar reader: missing frees in expat_xmlattr_setup() (Coverity 1229979-1229981) - xar writer: missing free in file_free() - zip reader: missing free in zip_read_local_file_header()
List of all libarchive issues at OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=libarchive
Security: CVE-2017-5601
|
#
311042 |
|
02-Jan-2017 |
mm |
MFC r309300,r309363,r309405,r309523,r309590,r310185,r310623:
Sync libarchive with vendor.
Fixed vendor issues (relevant to FreeBSD) #825, #832: Add sanity check of tar "uid, "gid" and "mtime" fields #830, #831, #833, #846: Spelling fixes #850: Fix issues with reading certain jar files
Fixed issues found by Google OSS-Fuzz: OSS-Fuzz #15: Fix heap-buffer-overflow in archive_le16dec() OSS-Fuzz #16: Fix possible hang in uudecode_filter_read() OSS-Fuzz #139, #145, #152: Fix heap-buffer-overflow in uudecode_bidder_bid() OSS-Fuzz #220: Reject an 'ar' filename table larger than 1GB or a filename larger than 1MB OSS-Fuzz #227, #230, #239: Fix possible memory leak in archive_read_free() OSS-Fuzz #237: Fix heap buffer overflow when reading invalid ar archives OSS-Fuzz #286: Bugfix in archive_strncat_l()
More information: https://github.com/libarchive/libarchive/issues/[libarchive_issue_number] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=[oss_fuzz_issue_number]
|
#
305192 |
|
01-Sep-2016 |
mm |
MFC r304075,r304989: Sync libarchive with vendor including security fixes
Vendor issues fixed: Issue #731: Reject tar entries >= INT64_MAX Issue #744: Very long pathnames evade symlink checks Issue #748: libarchive can compress, but cannot decompress zip some files PR #750: ustar: fix out of bounds read on empty string ("") filename PR #755: fix use of acl_get_flagset_np() on FreeBSD Issue #767: Buffer overflow printing a filename Issue #770: Zip read: be more careful about extra_length
MFC r304874: Temporarily disable two libarchive tests that have not yet been fixed by vendor. Tests will be re-enabled after a fix has been merged.
|
#
302295 |
|
30-Jun-2016 |
mm |
MFC r302075:
Update libarchive to 3.2.1 (bugfix and security fix release)
List of vendor fixes: - fix exploitable heap overflow vulnerability in Rar decompression (vendor issue 719, CVE-2016-4302, TALOS-2016-0154) - fix exploitable stack based buffer overflow vulnebarility in mtree parse_device functionality (vendor PR 715, CVE-2016-4301, TALOS-2016-0153) - fix exploitable heap overflow vulnerability in 7-zip read_SubStreamsInfo (vendor issue 718, CVE-2016-4300, TALOS-2016-152) - fix integer overflow when computing location of volume descriptor (vendor issue 717) - fix buffer overflow when reading a crafred rar archive (vendor issue 521) - fix possible buffer overflow when reading ISO9660 archives on machines where sizeof(int) < sizeof(size_t) (vendor issue 711) - tar and cpio should fail if an input file named on the command line is missing (vendor issue 708) - fix incorrect writing of gnutar filenames that are exactly 512 bytes long (vendor issue 682) - allow tests to be run from paths that are equal or longer than 128 characters (vendor issue 657) - add memory allocation errors in archive_entry_xattr.c (vendor PR 603) - remove dead code in archive_entry_xattr_add_entry() (vendor PR 716) - fix broken decryption of ZIP files (vendor issue 553) - manpage style, typo and description fixes
Post-3.2.1 vendor fixes: - fix typo in cpio version reporting (Vendor PR 725, 726) - fix argument range of ctype functions in libarchive_fe/passphrase.c - fix ctype use and avoid empty loop bodies in WARC reader
Security: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302
|
#
302001 |
|
17-Jun-2016 |
mm |
MFC r299529,r299540,r299576,r299896:
r299529,r299540: Update libarchive to 3.2.0
New features: - new bsdcat command-line utility - LZ4 compression (in src only via external utility from ports) - Warc format support - 'Raw' format writer - Zip: Support archives >4GB, entries >4GB - Zip: Support encrypting and decrypting entries - Zip: Support experimental streaming extension - Identify encrypted entries in several formats - New --clear-nochange-flags option to bsdtar tries to remove noschg and similar flags before deleting files - New --ignore-zeros option to bsdtar to handle concatenated tar archives - Use multi-threaded LZMA decompression if liblzma supports it - Expose version info for libraries used by libarchive
r299576,r299896: Fix broken cpio behavior.
Relnotes: yes
|
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
248616 |
|
22-Mar-2013 |
mm |
MFV r248590,248594: Update libarchive to 3.1.2
Some of new features: - support for lrzip and grzip compression - support for writing tar v7 format - b64encode and uuencode filters - support for __MACOSX directory in Zip archives - support for lzop compresion (external utility)
|
#
238856 |
|
28-Jul-2012 |
mm |
Update libarchive to 3.0.4
|
#
232153 |
|
25-Feb-2012 |
mm |
Update libarchive to 3.0.3
Some of new features: - New readers: RAR, LHA/LZH, CAB reader, 7-Zip - New writers: ISO9660, XAR - Improvements to many formats, especially including ISO9660 and Zip - Stackable write filters to write, e.g., tar.gz.uu in a single pass - Exploit seekable input; new "seekable" Zip reader can exploit the Zip Central Directory when it's available; the old "streamable" Zip reader is still fully supported for cases where seeking is not possible.
Full release notes available at: https://github.com/libarchive/libarchive/wiki/ReleaseNotes
|
#
231200 |
|
08-Feb-2012 |
mm |
Update vendor libarchive dist to new "release" branch (post 3.0.3)
Git branch: release Git commit: 9af87742342aa4f37a22ec12c4cc1c82e00ffa2f
Obtained from: https://github.com/libarchive/libarchive.git
|