libarchive (3.7.2-2ubuntu0.5) noble-security; urgency=medium

  * SECURITY UPDATE: double free issue
    - debian/patches/CVE-2025-5914.patch: rar: Fix double free with over
      4 billion nodes
    - CVE-2025-5914
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2025-5915.patch: rar: Fix heap-buffer-overflow
    - CVE-2025-5915
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2025-5916.patch: warc: Prevent signed integer
      overflow
    - CVE-2025-5916
  * SECURITY UPDATE: out-of-bound write overflow
    - debian/patches/CVE-2025-5917.patch: Fix overflow in build_ustar_entry
    - CVE-2025-5917

 -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 25 Jun 2025 15:20:27 +0530

libarchive (3.7.2-2ubuntu0.4) noble-security; urgency=medium

  * SECURITY UPDATE: DoS via null pointer deref
    - debian/patches/CVE-2025-1632_25724.patch: check return code of
      archive_entry_pathname() in unzip/bsdunzip.c.
    - CVE-2025-1632
  * SECURITY UPDATE: DoS via crafted TAR archive
    - debian/patches/CVE-2025-1632_25724.patch: make sure ltime is valid in
      tar/util.c.
    - CVE-2025-25724

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 10 Apr 2025 13:28:58 -0400

libarchive (3.7.2-2ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 29 Oct 2024 10:02:44 +0100

libarchive (3.7.2-2ubuntu0.2) noble-security; urgency=medium

  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48957.patch: check dst isn't less than or
      equal to src in execute_filter_audio
    - CVE-2024-48957
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48958.patch: check dst isn't less than or
      equal to src in execute_filter_delta
    - CVE-2024-48958

 -- Bruce Cable <bruce.cable@canonical.com>  Mon, 14 Oct 2024 12:12:50 +1100

libarchive (3.7.2-2ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter
      in libarchive/archive_read_support_format_rar.c.
    - CVE-2024-26256

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Thu, 30 May 2024 11:57:56 -0300

libarchive (3.7.2-2) unstable; urgency=medium

  [ Luca Boccassi ]
  * libarchive-dev: depend on -dev packages in an attempt to
    fix pkg-config --static --libs
    Addresses: 1056317; more work needed on libarchive's own
    configure tests

  [ Peter Pentchev ]
  * Acknowledge Lukas Märdian 64-bit-time_t-related NMU. Thanks!
  * Add the year 2024 to my debian/* copyright notice.
  * Re-sort the dependencies lists in the debian/control file.
  * Switch the pkg-config dependency over to pkgconf.
  * Add the robust-error-reporting upstream patch. Closes: #1068047

 -- Peter Pentchev <roam@debian.org>  Sat, 30 Mar 2024 20:11:06 +0200

libarchive (3.7.2-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Rename libraries for 64-bit time_t transition. Closes: #1062224

 -- Lukas Märdian <slyon@debian.org>  Thu, 29 Feb 2024 08:40:57 +0000

libarchive (3.7.2-1) unstable; urgency=medium

  * Add the iso9660-hash patch to fix file ordering. Closes: #1051322
  * Add the year 2023 to my debian/* copyright notice.
  * Declare compatibility with version 1 of the dpkg build API:
    - drop the implied Rules-Requires-Root declaration
    - include dpkg's default.mk file for completeness
  * Use dh-package-notes to record ELF package metadata.
  * New upstream version:
    - build and install the new bsdunzip tool in libarchive-tools
    - drop the iconv-pkgconfig patch, applied upstream
    - update the upstream copyright information
  * Do not detect -amd64 versions in the watch file.
  * Add the test-zstd-32bit upstream patch.

 -- Peter Pentchev <roam@debian.org>  Sat, 14 Oct 2023 18:28:55 +0300

libarchive (3.6.2-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Set upstream metadata fields: Bug-Database.
  * Update standards version to 4.6.0, no changes needed.

  [ Peter Pentchev ]
  * Declare compliance with Policy 4.6.2 with no changes.
  * Fix the licensing of the blake2-related files.
    Closes: #1023392
  * New upstream version:
    - fix a ZIP read vulnerability (CVE-2022-28066)
      Closes: #1008953
    - fix a memory allocation vulnerability (CVE-2022-36227)
      Closes: #1024669
    - refresh the typos patch
    - remove a lot of libarchive internal functions from the shared
      library's symbols file. These functions were never present in
      any of the public-facing libarchive header files, so they should
      not be referenced by any libarchive consumers. In version 3.6.2,
      libarchive switched to a "hide internal symbols" policy, so that
      these symbols are now not present in the shipped shared library.
    - drop the optional internal symbols regular expressions, too;
      now that libarchive hides its internal symbols, the appearance of
      any names like that in the generated symbols file would be a bug
    - add the iconv-pkgconfig patch to drop the reference to "iconv"
      from the .pc file: on Debian systems, iconv(3) is part of glibc

 -- Peter Pentchev <roam@debian.org>  Sat, 24 Dec 2022 23:17:29 +0200

libarchive (3.6.0-1) unstable; urgency=medium

  * New upstream version (Closes: #1007120):
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - lzip-large-dict
      - upstream-fix-32bit-size-cast
      - upstream-fixup-file-flags
      - upstream-fixup-symlinks
    - add another spelling correction to the typos patch
    - update the line numbers in the typos patch
  * Add the year 2022 to my debian/* copyright notice.
  * Reorder the copyright file so that it makes sense.

 -- Peter Pentchev <roam@debian.org>  Wed, 30 Mar 2022 13:04:33 +0300

libarchive (3.5.2-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.6.0 with no changes.
  * Add the year 2021 to my debian/* copyright notice.
  * Drop the Breaks/Replaces relations for pre-oldstable versions of
    bsdtar and bsdcpio.
  * Fix some shellcheck complaints about the minitar autopkgtest.
  * Use a comma, not a semicolon, in the Origin DEP-3 header.
  * Annotate the sharutils build dependency with <!nocheck>.
    Closes: #981654
  * Drop the obsolete libattr1-dev build dependency. At the moment it is
    still pulled in by libacl1-dev, but there is no reason for us not to
    do the right thing, so that everything goes right when libacl1-dev
    corrects its build dependency. Closes: #953931
  * New upstream version:
    - fix handling of symlink ACLs; Closes: 1001986
    - never follow symlinks when setting file flags; Closes: 1001990
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - upstream-cpio-hardlink-type
      - upstream-cpio-rdev
      - upstream-unneeded-strlen
      - upstream-hardlink-to-self
      - upstream-set-format-error
      - upstream-rar-read-format
      - upstream-memory-stdlib
      - upstream-max-comp-level
      - upstream-isint-w
    - update the library symbols file
  * Add the lzip-large-dict patch to support larger lzip dictionaries.
    Closes: #1001901
  * Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
    upstream-fix-32bit-size-cast patches, importing three upstream
    post-3.5.2 commits.

 -- Peter Pentchev <roam@debian.org>  Wed, 22 Dec 2021 19:51:54 +0200

libarchive (3.4.3-2) unstable; urgency=medium

  * Add some more upstream patches:
    - upstream-isint-w
    - upstream-unneeded-strlen
    - upstream-hardlink-to-self
    - upstream-set-format-error (with a typo corrected)
    - upstream-rar-read-format
    - upstream-memory-stdlib
    - upstream-max-comp-level
  * Drop the unused liblzo2 build dependency. According to upstream,
    distributing libarchive binaries linked against liblzo2 violates
    the liblzo2 GPL license, so libarchive does not even use it unless
    explicitly requested, which we do not do anyway.
  * Fix two problems related to cross-building libarchive.
    Closes: #966637
    - drop the gcc B-D that I added as a reminder that dropping --as-needed
      was because it is handled automatically
    - annotate the test dependencies with <!nocheck>; since we never run
      the upstream test suite automatically, but only if the non-standard
      "check" build option is specified, this has no effect on normal builds,
      but it will fix cross-builds

 -- Peter Pentchev <roam@debian.org>  Sat, 01 Aug 2020 21:46:12 +0300

libarchive (3.4.3-1) unstable; urgency=medium

  * New upstream release:
    - update the upstream signing key
    - update the typos patch, correct some more mistakes
    - drop all the upstream-* patches
    - add an upstream copyright notice for a new file
  * Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches.

 -- Peter Pentchev <roam@debian.org>  Wed, 03 Jun 2020 16:40:28 +0300

libarchive (3.4.2-1) unstable; urgency=medium

  * Minor correction to the debian/watch file to catch up with
    the upstream site links.
  * New upstream release:
    - drop some patches that were taken from upstream:
      - upstream-rar-use-after-free
      - upstream-rar-uaf-test-eof
      - upstream-rar-window-mask
      - upstream-rar-window-test
      - upstream-rar-filter-beyond
      - upstream-archive-read-sparse
      - upstream-archive-clean
      - upstream-doc-7zip-zip
      - upstream-open-without-openat
      - upstream-lz4-uint32
      - CVE-2020-9308 patch
    - drop most of the typos patch - integrated upstream
    - update the upstream copyright years
  * Add some more corrections to the typos patch.
  * Drop the Name and Contact upstream metadata fields.
  * Drop the phony "build" target.
  * Do not pass "--as-needed" to the linker: recent versions of the Debian
    GCC package do that by default. Just in case, add a build dependency on
    a recent version so that it is not forgotten e.g. in a backport.
  * Add some upstream patches since 3.4.2.
  * Update to debhelper compat level 13:
    - `dh_missing --fail-missing` is the default now
    - use execute_before/execute_after targets
  * Drop the local-options file.

 -- Peter Pentchev <roam@debian.org>  Sat, 09 May 2020 22:04:02 +0300

libarchive (3.4.0-2) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.5.0 with no changes.
  * Add the year 2020 to my debian/* copyright notice.
  * Add the CVE-2020-9308 patch - invalid RAR5 headers. (Closes: #951759)
  * Make the autopkgtests cross-test-friendly. (Closes: #953140)

 -- Peter Pentchev <roam@debian.org>  Sat, 07 Mar 2020 16:28:00 +0200

libarchive (3.4.0-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.4.0 with no changes.
  * Mark the adequate test as superficial and give it a name.
  * Update the watch file a bit:
    - use the version 4 format placeholders
    - drop the "pasv" option, no FTP upstream sites
    - add the upstream signing key
  * Run all available Salsa CI jobs.
  * Drop the bsdtar and bsdcpio transitional packages.
    Closes: #940745, #940753
  * New upstream version:
    - drop all the patches obtained from the upstream Git repository
      (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
      CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and
      zip-nullptr)
    - update the library symbols file
  * Add some bugfix patches obtained from upstream.
  * Add the typos patch to correct some typographical and grammatical
    errors.
  * Update the upstream copyright information.

 -- Peter Pentchev <roam@debian.org>  Sat, 21 Sep 2019 01:44:44 +0300

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libarchive13t64`.