Change log for libarchive package in Ubuntu

1 to 75 of 129 results
Published in plucky-release
Deleted in plucky-proposed (Reason: Moved to plucky)
libarchive (3.7.4-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * rar4 reader: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
    (Closes: #1086155)

 -- Salvatore Bonaccorso <email address hidden>  Fri, 01 Nov 2024 21:30:39 +0100
Published in jammy-updates
Published in jammy-security
libarchive (3.6.0-1ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <email address hidden>  Tue, 29 Oct 2024 10:03:06 +0100
Published in focal-updates
Published in focal-security
libarchive (3.4.0-2ubuntu1.4) focal-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <email address hidden>  Tue, 29 Oct 2024 10:06:37 +0100
Superseded in plucky-release
Deleted in plucky-proposed (Reason: Moved to plucky)
libarchive (3.7.4-1ubuntu1) plucky; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <email address hidden>  Tue, 29 Oct 2024 10:00:09 +0100
Published in noble-updates
Published in noble-security
libarchive (3.7.2-2ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <email address hidden>  Tue, 29 Oct 2024 10:02:44 +0100
Published in oracular-updates
Published in oracular-security
libarchive (3.7.4-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <email address hidden>  Tue, 29 Oct 2024 10:00:09 +0100
Superseded in jammy-updates
Superseded in jammy-security
libarchive (3.6.0-1ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write
      functions
    - CVE-2022-36227
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48957.patch: check dst isn't less than or
      equal to src in execute_filter_audio
    - CVE-2024-48957
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48958.patch: check dst isn't less than or
      equal to src in execute_filter_delta
    - CVE-2024-48958

 -- Bruce Cable <email address hidden>  Mon, 14 Oct 2024 12:03:12 +1100
Superseded in noble-updates
Superseded in noble-security
libarchive (3.7.2-2ubuntu0.2) noble-security; urgency=medium

  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48957.patch: check dst isn't less than or
      equal to src in execute_filter_audio
    - CVE-2024-48957
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48958.patch: check dst isn't less than or
      equal to src in execute_filter_delta
    - CVE-2024-48958

 -- Bruce Cable <email address hidden>  Mon, 14 Oct 2024 12:12:50 +1100
Superseded in focal-updates
Superseded in focal-security
libarchive (3.4.0-2ubuntu1.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write
      functions
    - CVE-2022-36227

 -- Bruce Cable <email address hidden>  Mon, 14 Oct 2024 12:12:43 +1100
Superseded in plucky-release
Published in oracular-release
Deleted in oracular-proposed (Reason: Moved to oracular)
libarchive (3.7.4-1) unstable; urgency=medium

  * Drop a t64-related Lintian override.
  * Declare compliance with Policy 4.7.0 with no changes.
  * Use debhelper compat level 14:
    - use X-DH-Compat
    - let debhelper take care of some default dependencies
  * New upstream version:
    - use `git rm` in the `upstream` branch to remove two test files that
      were forgotten in the upstream tarball generation
    - update the symbols file
    - drop the fix-OOB-in-rar-e8-filter-2135, iso9660-hash, test-zstd-32bit, and
      robust-error-reporting patches, they were either taken from upstream or
      integrated there
    - refresh the typos patch
    - refresh the line numbers in the fix-OOB-* patches
  * Use debputy's X-Style: black.

 -- Peter Pentchev <email address hidden>  Wed, 07 Aug 2024 14:36:27 +0300
Superseded in oracular-release
Deleted in oracular-proposed (Reason: Moved to oracular)
libarchive (3.7.2-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * fix: OOB in rar e8 filter (CVE-2024-26256) (Closes: #1072107)
  * fix: OOB in rar delta filter
  * fix: OOB in rar audio filter

 -- Salvatore Bonaccorso <email address hidden>  Sat, 01 Jun 2024 15:50:51 +0200
Superseded in noble-updates
Superseded in noble-security
libarchive (3.7.2-2ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: Remove code execution
    - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2024-26256

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 30 May 2024 11:57:56 -0300
Published in mantic-updates
Published in mantic-security
libarchive (3.6.2-1ubuntu1.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Remove code execution
    - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2024-26256

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 30 May 2024 13:53:54 -0300
Superseded in jammy-updates
Superseded in jammy-security
libarchive (3.6.0-1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Remove code execution
    - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2024-26256

 -- Leonidas Da Silva Barbosa <email address hidden>  Thu, 30 May 2024 16:05:48 -0300
Superseded in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libarchive (3.7.2-2) unstable; urgency=medium

  [ Luca Boccassi ]
  * libarchive-dev: depend on -dev packages in an attempt to
    fix pkg-config --static --libs
    Addresses: 1056317; more work needed on libarchive's own
    configure tests

  [ Peter Pentchev ]
  * Acknowledge Lukas Märdian's 64-bit-time_t-related NMU. Thanks!
  * Add the year 2024 to my debian/* copyright notice.
  * Re-sort the dependencies lists in the debian/control file.
  * Switch the pkg-config dependency over to pkgconf.
  * Add the robust-error-reporting upstream patch. Closes: #1068047

 -- Peter Pentchev <email address hidden>  Sat, 30 Mar 2024 20:11:06 +0200
Superseded in noble-proposed
libarchive (3.7.2-1.1ubuntu3) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 07:43:52 +0000
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libarchive (3.7.2-1.1ubuntu2) noble; urgency=medium

  * Rebuild against new time64_t renamed libraries.

 -- Gianfranco Costamagna <email address hidden>  Thu, 21 Mar 2024 00:19:38 +0100
Superseded in noble-proposed
libarchive (3.7.2-1.1ubuntu1) noble; urgency=medium

  * Merge with Debian; remaining changes:
    - Run dh_auto_test by default

Deleted in noble-updates (Reason: superseded by release)
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libarchive (3.7.2-1ubuntu2) noble; urgency=medium

  * armhf (-fstack-clash-protection) breakage rebuild

 -- Mate Kukri <email address hidden>  Thu, 23 Nov 2023 15:10:55 +0000
Superseded in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
libarchive (3.7.2-1ubuntu1) noble; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Run dh_auto_test by default

Superseded in noble-release
Published in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
libarchive (3.6.2-1ubuntu1) lunar; urgency=medium

  * Sync with Debian. Remaining change:
    - Run dh_auto_test by default

Superseded in lunar-release
Obsolete in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libarchive (3.6.0-1ubuntu1) jammy; urgency=medium

  * Sync with Debian. (LP: #1967127)
    - Includes upstream fixes for CVE-2021-36976
  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
  * SECURITY UPDATE: possible out-of-bounds read
    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
    - CVE-2022-26280

Obsolete in impish-updates
Obsolete in impish-security
libarchive (3.4.3-2ubuntu0.2) impish-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
      read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
    - CVE-2022-26280

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 05 Apr 2022 11:21:47 -0300
Superseded in focal-updates
Superseded in focal-security
libarchive (3.4.0-2ubuntu1.2) focal-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds
      read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c.
    - CVE-2022-26280

 -- Leonidas Da Silva Barbosa <email address hidden>  Tue, 05 Apr 2022 11:33:37 -0300
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libarchive (3.5.2-1ubuntu1) jammy; urgency=medium

  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976

 -- Marc Deslauriers <email address hidden>  Wed, 16 Feb 2022 08:22:57 -0500
Superseded in focal-updates
Superseded in focal-security
libarchive (3.4.0-2ubuntu1.1) focal-security; urgency=medium

  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
      ACLs in libarchive/archive_disk_acl_freebsd.c,
      libarchive/archive_disk_acl_linux.c,
      libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
      processing the fixup list in Makefile.am,
      libarchive/archive_write_disk_posix.c,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
      setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
      processing the fixup list in libarchive/archive_write_disk_posix.c,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
      8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-pre1.patch: verify window size for
      solid files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-pre2.patch: verify window size for
      multivolume archives in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5*.
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976

 -- Marc Deslauriers <email address hidden>  Wed, 16 Feb 2022 09:59:13 -0500
Superseded in impish-updates
Superseded in impish-security
libarchive (3.4.3-2ubuntu0.1) impish-security; urgency=medium

  * SECURITY UPDATE: extracting a symlink with ACLs modifies ACLs of target
    - debian/patches/CVE-2021-23177.patch: fix handling of symbolic link
      ACLs in libarchive/archive_disk_acl_freebsd.c,
      libarchive/archive_disk_acl_linux.c,
      libarchive/archive_disk_acl_sunos.c.
    - CVE-2021-23177
  * SECURITY UPDATE: symbolic links incorrectly followed
    - debian/patches/CVE-2021-31566-1.patch: do not follow symlinks when
      processing the fixup list in Makefile.am,
      libarchive/archive_write_disk_posix.c,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-2.patch: never follow symlinks when
      setting file flags on Linux in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2021-31566-3.patch: fix following symlinks when
      processing the fixup list in libarchive/archive_write_disk_posix.c,
      libarchive/test/test_write_disk_fixup.c.
    - debian/patches/CVE-2021-31566-4.patch: fix writing fflags broken in
      8a1bd5c in libarchive/archive_write_disk_posix.c.
    - CVE-2021-31566
  * SECURITY UPDATE: use-after-free in copy_string
    - debian/patches/CVE-2021-36976-1.patch: fixed out of bounds read in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/*.
    - debian/patches/CVE-2021-36976-2.patch: fix invalid memory access in
      some files in Makefile.am,
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c, libarchive/test/*.
    - CVE-2021-36976

 -- Marc Deslauriers <email address hidden>  Wed, 16 Feb 2022 08:27:55 -0500
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
libarchive (3.5.2-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.6.0 with no changes.
  * Add the year 2021 to my debian/* copyright notice.
  * Drop the Breaks/Replaces relations for pre-oldstable versions of
    bsdtar and bsdcpio.
  * Fix some shellcheck complaints about the minitar autopkgtest.
  * Use a comma, not a semicolon, in the Origin DEP-3 header.
  * Annotate the sharutils build dependency with <!nocheck>.
    Closes: #981654
  * Drop the obsolete libattr1-dev build dependency. At the moment it is
    still pulled in by libacl1-dev, but there is no reason for us not to
    do the right thing, so that everything goes right when libacl1-dev
    corrects its build dependency. Closes: #953931
  * New upstream version:
    - fix handling of symlink ACLs; Closes: 1001986
    - never follow symlinks when setting file flags; Closes: 1001990
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - upstream-cpio-hardlink-type
      - upstream-cpio-rdev
      - upstream-unneeded-strlen
      - upstream-hardlink-to-self
      - upstream-set-format-error
      - upstream-rar-read-format
      - upstream-memory-stdlib
      - upstream-max-comp-level
      - upstream-isint-w
    - update the library symbols file
  * Add the lzip-large-dict patch to support larger lzip dictionaries.
    Closes: #1001901
  * Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
    upstream-fix-32bit-size-cast patches, importing three upstream
    post-3.5.2 commits.

 -- Peter Pentchev <email address hidden>  Wed, 22 Dec 2021 19:51:54 +0200
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
Deleted in impish-proposed (Reason: Moved to jammy)
libarchive (3.4.3-2build1) impish; urgency=medium

  * No-change rebuild to build packages with zstd compression.

 -- Matthias Klose <email address hidden>  Thu, 07 Oct 2021 12:14:04 +0200
Published in bionic-updates
Published in bionic-security
libarchive (3.2.2-3.1ubuntu0.7) bionic-security; urgency=medium

  * Add metadata support to fix issues with gnome-autoar security update
    (LP: #1929304)
    - debian/patches/metadata_support.patch: support reading metadata from
      compressed files.

 -- Marc Deslauriers <email address hidden>  Fri, 04 Jun 2021 10:37:49 -0400
Superseded in jammy-release
Obsolete in impish-release
Obsolete in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
libarchive (3.4.3-2) unstable; urgency=medium

  * Add some more upstream patches:
    - upstream-isint-w
    - upstream-unneeded-strlen
    - upstream-hardlink-to-self
    - upstream-set-format-error (with a typo corrected)
    - upstream-rar-read-format
    - upstream-memory-stdlib
    - upstream-max-comp-level
  * Drop the unused liblzo2 build dependency. According to upstream,
    distributing libarchive binaries linked against liblzo2 violates
    the liblzo2 GPL license, so libarchive does not even use it unless
    explicitly requested, which we do not do anyway.
  * Fix two problems related to cross-building libarchive.
    Closes: #966637
    - drop the gcc B-D that I added as a reminder that dropping --as-needed
      was because it is handled automatically
    - annotate the test dependencies with <!nocheck>; since we never run
      the upstream test suite automatically, but only if the non-standard
      "check" build option is specified, this has no effect on normal builds,
      but it will fix cross-builds

 -- Peter Pentchev <email address hidden>  Sat, 01 Aug 2020 21:46:12 +0300
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
libarchive (3.4.3-1build1) groovy; urgency=medium

  * No change rebuild against new libnettle8 and libhogweed6 ABI.

 -- Dimitri John Ledkov <email address hidden>  Mon, 29 Jun 2020 22:27:25 +0100
Superseded in groovy-proposed
libarchive (3.4.3-1) unstable; urgency=medium

  * New upstream release:
    - update the upstream signing key
    - update the typos patch, correct some more mistakes
    - drop all the upstream-* patches
    - add an upstream copyright notice for a new file
  * Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches.

 -- Peter Pentchev <email address hidden>  Wed, 03 Jun 2020 16:40:28 +0300
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
libarchive (3.4.2-1) unstable; urgency=medium

  * Minor correction to the debian/watch file to catch up with
    the upstream site links.
  * New upstream release:
    - drop some patches that were taken from upstream:
      - upstream-rar-use-after-free
      - upstream-rar-uaf-test-eof
      - upstream-rar-window-mask
      - upstream-rar-window-test
      - upstream-rar-filter-beyond
      - upstream-archive-read-sparse
      - upstream-archive-clean
      - upstream-doc-7zip-zip
      - upstream-open-without-openat
      - upstream-lz4-uint32
      - CVE-2020-9308 patch
    - drop most of the typos patch - integrated upstream
    - update the upstream copyright years
  * Add some more corrections to the typos patch.
  * Drop the Name and Contact upstream metadata fields.
  * Drop the phony "build" target.
  * Do not pass "--as-needed" to the linker: recent versions of the Debian
    GCC package do that by default. Just in case, add a build dependency on
    a recent version so that it is not forgotten e.g. in a backport.
  * Add some upstream patches since 3.4.2.
  * Update to debhelper compat level 13:
    - `dh_missing --fail-missing` is the default now
    - use execute_before/execute_after targets
  * Drop the local-options file.

 -- Peter Pentchev <email address hidden>  Sat, 09 May 2020 22:04:02 +0300
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libarchive (3.4.0-2ubuntu1) focal; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize
      archive_wstring_append_from_mbs() in libarchive/archive_string.c.
    - CVE-2019-19221

Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libarchive (3.4.0-1ubuntu2) focal; urgency=medium

  * Make autopkgtests cross-test-friendly.

 -- Steve Langasek <email address hidden>  Wed, 04 Mar 2020 21:47:59 -0800
Superseded in focal-proposed
libarchive (3.4.0-1ubuntu1) focal; urgency=medium

  * SECURITY UPDATE: Out-of-read and Denial of service
    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize
      archive_wstring_append_from_mbs() in libarchive/archive_string.c.
    - CVE-2019-19221
  * SECURITY UPDATE: SIGSEGV denial of service
    - debian/patches/CVE-2020-9308.patch: reject files that
      declare invalid header flags fix in
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c,
      libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu.
    - CVE-2020-9308

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 04 Mar 2020 12:32:51 -0300
Published in xenial-updates
Published in xenial-security
libarchive (3.1.2-11ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-read and Denial of service
    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize
      archive_wstring_append_from_mbs() in libarchive/archive_string.c.
    - CVE-2019-19221

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 20 Feb 2020 14:45:19 -0300
Superseded in bionic-updates
Superseded in bionic-security
libarchive (3.2.2-3.1ubuntu0.6) bionic-security; urgency=medium

  * SECURITY UPDATE: Out-of-read and Denial of service
    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize
      archive_wstring_append_from_mbs() in libarchive/archive_string.c.
    - CVE-2019-19221

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 20 Feb 2020 14:46:13 -0300
Obsolete in eoan-updates
Obsolete in eoan-security
libarchive (3.4.0-1ubuntu0.1) eoan-security; urgency=medium

  * SECURITY UPDATE: Out-of-read and Denial of service
    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize
      archive_wstring_append_from_mbs() in libarchive/archive_string.c.
    - CVE-2019-19221
  * SECURITY UPDATE: SIGSEGV denial of service
    - debian/patches/CVE-2020-9308.patch: reject files that
      declare invalid header flags fix in
      libarchive/archive_read_support_format_rar5.c,
      libarchive/test/test_read_format_rar5.c,
      libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu.
    - CVE-2020-9308

 -- <email address hidden> (Leonidas S. Barbosa)  Thu, 20 Feb 2020 14:58:57 -0300
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
libarchive (3.4.0-1build1) focal; urgency=medium

  * No-change rebuild against libnettle7

 -- Steve Langasek <email address hidden>  Thu, 31 Oct 2019 22:12:00 +0000
Obsolete in disco-updates
Obsolete in disco-security
libarchive (3.3.3-4ubuntu0.1) disco-security; urgency=medium

  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2019-18408

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 28 Oct 2019 10:34:56 -0300
Superseded in bionic-updates
Superseded in bionic-security
libarchive (3.2.2-3.1ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2019-18408

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 28 Oct 2019 10:50:50 -0300
Superseded in xenial-updates
Superseded in xenial-security
libarchive (3.1.2-11ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Use-after-free
    - debian/patches/CVE-2019-18408.patch: RAR reader: fix use after free
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2019-18408

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 28 Oct 2019 10:57:06 -0300
Superseded in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to Release)
libarchive (3.4.0-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.4.0 with no changes.
  * Mark the adequate test as superficial and give it a name.
  * Update the watch file a bit:
    - use the version 4 format placeholders
    - drop the "pasv" option, no FTP upstream sites
    - add the upstream signing key
  * Run all available Salsa CI jobs.
  * Drop the bsdtar and bsdcpio transitional packages.
    Closes: #940745, #940753
  * New upstream version:
    - drop all the patches obtained from the upstream Git repository
      (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
       CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and
       zip-nullptr)
    - update the library symbols file
  * Add some bugfix patches obtained from upstream.
  * Add the typos patch to correct some typographical and grammatical
    errors.
  * Update the upstream copyright information.

 -- Peter Pentchev <email address hidden>  Sat, 21 Sep 2019 01:44:44 +0300
Superseded in bionic-updates
Deleted in bionic-proposed (Reason: moved to -updates)
libarchive (3.2.2-3.1ubuntu0.4) bionic; urgency=medium

  * debian/patches/git_zip_directories.patch:
    - backport a fix for an issue where files are created instead of
      directories (lp: #1830629)

 -- Sebastien Bacher <email address hidden>  Fri, 28 Jun 2019 21:20:28 +0200
Superseded in eoan-release
Obsolete in disco-release
Deleted in disco-proposed (Reason: moved to release)
libarchive (3.3.3-4) unstable; urgency=medium

  * Add three upstream patches:
    - CVE-2019-1000019: fix a crash when parsing some 7zip archives
    - CVE-2019-1000020: require the RockRidge extension for iso9660
    - zip-nullptr: fix a null pointer dereference in ZIP files handling

 -- Peter Pentchev <email address hidden>  Wed, 06 Feb 2019 11:01:25 +0200
Obsolete in cosmic-updates
Obsolete in cosmic-security
libarchive (3.2.2-5ubuntu0.2) cosmic-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000019.patch: fix in
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2019-1000019
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000020.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2019-1000020

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 06 Feb 2019 08:55:41 -0300
Superseded in bionic-updates
Superseded in bionic-security
libarchive (3.2.2-3.1ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000019.patch: fix in
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2019-1000019
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000020.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2019-1000020

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 06 Feb 2019 08:54:50 -0300
Superseded in xenial-updates
Superseded in xenial-security
libarchive (3.1.2-11ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000019.patch: fix in
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2019-1000019
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000020.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2019-1000020

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 06 Feb 2019 08:53:41 -0300
Published in trusty-updates
Published in trusty-security
libarchive (3.1.2-7ubuntu2.8) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000019.patch: fix in
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2019-1000019
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-1000020.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2019-1000020

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 06 Feb 2019 08:48:45 -0300
Superseded in trusty-updates
Superseded in trusty-security
libarchive (3.1.2-7ubuntu2.7) trusty-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 14 Jan 2019 09:08:38 -0300
Superseded in bionic-updates
Superseded in bionic-security
libarchive (3.2.2-3.1ubuntu0.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000880.patch: fix in
      libarchive/archive_read_support_format_warc.c.
    - CVE-2018-1000880

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 14 Jan 2019 09:53:14 -0300
Superseded in xenial-updates
Superseded in xenial-security
libarchive (3.1.2-11ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14502.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2017-14502
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 14 Jan 2019 09:30:58 -0300
Superseded in cosmic-updates
Superseded in cosmic-security
libarchive (3.2.2-5ubuntu0.1) cosmic-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000877.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000877
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000878.patch: fix in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2018-1000878
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000880.patch: fix in
      libarchive/archive_read_support_format_warc.c.
    - CVE-2018-1000880

 -- <email address hidden> (Leonidas S. Barbosa)  Mon, 14 Jan 2019 10:26:10 -0300
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
libarchive (3.3.3-3) unstable; urgency=medium

  [ Andreas Henriksson ]
  * Build-depend on libext2fs-dev instead of e2fslibs-dev (Closes: #890210)
  * CI: Use the salsa-ci-team pipeline

  [ Peter Pentchev ]
  * Declare compliance with Debian Policy 4.3.0 with no changes.
  * Bump the debhelper compatibility level to 12 with no changes.
  * Add my copyright notice for debian/*.
  * Extend Andreas Henriksson's copyright notice all the way to 2019.

 -- Peter Pentchev <email address hidden>  Sat, 05 Jan 2019 19:07:02 +0200
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
libarchive (3.3.3-2) unstable; urgency=medium

  * Add Daniel Axtens's security and reliability patches:
    - CVE-2018-1000877.patch: Closes: #916964
    - CVE-2018-1000878.patch: Closes: #916963
    - CVE-2018-1000879.patch: Closes: #916962
    - CVE-2018-1000880.patch: Closes: #916960
    - all merged upstream in https://github.com/libarchive/libarchive/pull/1105
    Thanks to Salvatore Bonaccorso for filing the Debian bugs!

 -- Peter Pentchev <email address hidden>  Fri, 21 Dec 2018 18:01:29 +0200
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
libarchive (3.3.3-1) unstable; urgency=medium

  [ Peter Pentchev ]
  * Declare compliance with Debian Policy 4.2.1 with no changes.
  * Drop the Lintian overrides related to B-D: debhelper-compat -
    Lintian 2.5.98 no longer emits these warnings and errors.
  * Build with zstd compression support.
  * Pass --fail-missing to dh_missing, not to dh_install any more.

  [ Andreas Henriksson ]
  * New upstream release.
  * Drop debian/patches/ now part of upstream release:
    - Avoid-a-read-off-by-one-error-for-UTF16-names-in-RAR.patch
    - Do-something-sensible-for-empty-strings-to-make-fuzz.patch
    - Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
    - Reject-LHA-archive-entries-with-negative-size.patch
    - Reread-the-CAB-header-skipping-the-self-extracting-b.patch
    - archive_strncat_l-allocate-and-do-not-convert-if-len.patch
    - iso9660-validate-directory-record-length.patch
  * Update libarchive13.symbols

 -- Peter Pentchev <email address hidden>  Sat, 15 Dec 2018 02:01:01 +0200
Superseded in disco-release
Obsolete in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
libarchive (3.2.2-5) unstable; urgency=medium

  * Acknowledge NMUs; many thanks to Salvatore Bonaccorso!
  * Use my Debian e-mail address.
  * Declare compliance with Debian Policy 4.2.0:
    - add Rules-Requires-Root: no to the source control stanza
    - install the upstream release notes (NEWS)
  * Drop the duplicate Priority fields for the binary packages.
  * Switch to the HTTPS scheme in various upstream and Debian
    packaging URLs.
  * Drop some trailing whitespace from old changelog entries.
  * Bump the debhelper compatibility level to 11 with no changes and
    use the B-D: debhelper-compat (= 11) mechanism.
  * Add a trivial autopkgtest running adequate on the binary packages.

 -- Peter Pentchev <email address hidden>  Sat, 25 Aug 2018 18:28:10 +0300
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
libarchive (3.2.2-4.2) unstable; urgency=medium

  * Non-maintainer upload.
  * iso9660: validate directory record length (CVE-2017-14501)
    (Closes: #875966)

 -- Salvatore Bonaccorso <email address hidden>  Sun, 05 Aug 2018 08:18:10 +0200
Superseded in bionic-updates
Superseded in bionic-security
libarchive (3.2.2-3.1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503

 -- <email address hidden> (Leonidas S. Barbosa)  Tue, 07 Aug 2018 15:23:21 -0300
Superseded in xenial-updates
Superseded in xenial-security
libarchive (3.1.2-11ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10209.patch: fix in
      libarchive/archive_string.c.
    - CVE-2016-10209
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
      libarchive/archive_read_support_format_cab.c.
    - CVE-2016-10349
    - CVE-2016-10350
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-14166.patch: fix in
      libarchive/archive_read_support_format_xar.c.
    - CVE-2017-14166
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 08 Aug 2018 15:28:16 -0300
Superseded in trusty-updates
Superseded in trusty-security
libarchive (3.1.2-7ubuntu2.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10209.patch: fix in
      libarchive/archive_string.c.
    - CVE-2016-10209
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2016-10349-and-CVE-2016-10350.patch: fix in
      libarchive/archive_read_support_format_cab.c.
    - CVE-2016-10349
    - CVE-2016-10350
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-14166.patch: fix in
      libarchive/archive_read_support_format_xar.c.
    - CVE-2017-14166
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14501.patch: fix in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2017-14501
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2017-14503.patch: fix in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-14503

 -- <email address hidden> (Leonidas S. Barbosa)  Wed, 08 Aug 2018 13:42:39 -0300
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
libarchive (3.2.2-4.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Reject LHA archive entries with negative size (CVE-2017-14503)
    (Closes: #875960)
  * Avoid a read off-by-one error for UTF16 names in RAR archives
    (CVE-2017-14502)
    (Closes: #875974)

 -- Salvatore Bonaccorso <email address hidden>  Wed, 25 Jul 2018 21:29:42 +0200
Superseded in cosmic-release
Deleted in cosmic-proposed (Reason: moved to release)
libarchive (3.2.2-4) unstable; urgency=medium

  * Team upload.
  * debian/control: Update Vcs-* fields for move to salsa.debian.org
  * debian/control: Replace Priority: extra with optional

 -- Andreas Henriksson <email address hidden>  Thu, 31 May 2018 00:01:28 +0200
Superseded in cosmic-release
Published in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
libarchive (3.2.2-3.1) unstable; urgency=high

  * Non-maintainer upload.
  * Reupload 3.2.2-2.1 on top of 3.2.2-3
  * archive_strncat_l(): allocate and do not convert if length == 0
    (CVE-2016-10209) (Closes: #859456)
  * Reread the CAB header skipping the self-extracting binary code
    (CVE-2016-10349, CVE-2016-10350) (Closes: #861609)
  * Do something sensible for empty strings to make fuzzers happy
    (CVE-2017-14166)
    Fixes heap-based buffer over-read in the atol8 function. (Closes: #874539)

 -- Salvatore Bonaccorso <email address hidden>  Thu, 14 Sep 2017 16:02:10 +0200
Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
libarchive (3.2.2-2) unstable; urgency=medium

  * Disable tests (Closes: #859455)

 -- Andreas Henriksson <email address hidden>  Mon, 03 Apr 2017 22:20:05 +0200
Published in precise-updates
Published in precise-security
libarchive (3.0.3-6ubuntu1.4) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers <email address hidden>  Thu, 09 Mar 2017 11:34:04 -0500
Superseded in trusty-updates
Superseded in trusty-security
libarchive (3.1.2-7ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers <email address hidden>  Thu, 09 Mar 2017 11:23:19 -0500
Superseded in xenial-updates
Superseded in xenial-security
libarchive (3.1.2-11ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers <email address hidden>  Thu, 09 Mar 2017 11:01:45 -0500
Obsolete in yakkety-updates
Obsolete in yakkety-security
libarchive (3.2.1-2ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service via non-printable multibyte
    character in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple
      markers in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers <email address hidden>  Thu, 09 Mar 2017 10:35:20 -0500
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
libarchive (3.2.1-6) unstable; urgency=medium

  * Add debian/patches/Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch
    - Cherry-pick upstream commit 98dcbbf0bf4854bf987557
      "Fail with negative lha->compsize in lha_read_file_header_1()"
      Secunia SA74169, CVE-2017-5601 (Closes: #853278)

 -- Andreas Henriksson <email address hidden>  Tue, 31 Jan 2017 10:25:56 +0100
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
libarchive (3.2.1-5) unstable; urgency=medium

  * Cherry-pick upstream commits 7f17c791, eec077f5, e37b620f
    - Fixes for upstream issues 747, 761, 767 also known as
      CVE-2016-8689, CVE-2016-8688, CVE-2016-8687
    (Closes: #840934, #840935, #840936)

 -- Andreas Henriksson <email address hidden>  Sun, 16 Oct 2016 15:41:59 +0200
Published in xenial-backports
libarchive (3.2.1-2~ubuntu16.04.1) xenial-backports; urgency=medium

  * No-change backport to xenial (LP: #1607385)

 -- Iain Lane <email address hidden>  Thu, 28 Jul 2016 14:28:03 +0100
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
libarchive (3.2.1-2) unstable; urgency=medium

  * The "welcome Peter to the team" upload

  [ Peter Pentchev ]
  * Declare compliancy with Debian Policy 3.9.8 with no changes.
  * Remove the "XS-Testsuite: autopkgtest" header from the control file:
    it has not been "XS-" for some time, and it is added by default by
    dpkg-1.17.11 when debian/tests/control is present.
  * Use the HTTPS scheme for the Alioth VCS URLs.
  * Switch to Alioth's cgit in the Vcs-Browser source control field.
  * Convert the copyright file to the machine-readable format.
  * Fill in the upstream metadata file.
  * Enable full build hardening.
  * Pass --as-needed to the linker to avoid overlinking.
  * Bump the debhelper build dependency to version 9 to reflect
    the debhelper compatibility level and drop the now-unused Lintian
    override.
  * Fold the bsdtar and bsdcpio packages into the new libarchive-tools
    binary package and install bsdcat into it, too.  Make bsdtar and
    bsdcpio transitional dummy packages.
  * Drop the Breaks and Replaces relations to libarchive1; it's not
    even in oldstable any more.
  * Drop the misc:Pre-Depends that were needed for the multi-arch
    transition; dpkg-dev adds them automatically now.
  * Fix a typo in README.Debian.
  * Add an upstream patch to replace the use of SIGRTMAX with something
    that calculates the exact value of the highest signal actually used;
    hopefully this fixes the FTBFS on the GNU Hurd.
  * Drop the outdated and unused SONAME mismatch Lintian override.
  * Re-enable the use of minitar for extraction, too, in the CI test;
    keep the untar test for completeness.
  * Add the Typos patch to fix a couple of typographical errors.
  * Add the Candidate patch to fix a typographical error in a structure
    member field and, consequently, update all references to it.
  * Add the CPPCheck patch to fix some issues reported by cppcheck.

  [ Andreas Henriksson ]
  * Add Peter Pentchev to Uploaders

 -- Andreas Henriksson <email address hidden>  Mon, 25 Jul 2016 17:54:13 +0200