package/libarchive: bump to version 3.7.6

Message ID 20240925133735.3899867-1-francois.perrad@gadz.org
State Accepted

Commit Message

Francois Perrad Sept. 25, 2024, 1:37 p.m. UTC
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 ...1-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch | 2 +-
 .../0002-autotools-do-not-add-iconv-for-Requires.private.patch  | 2 +-
 package/libarchive/libarchive.hash                              | 2 +-
 package/libarchive/libarchive.mk                                | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

Comments

Thomas Petazzoni Oct. 2, 2024, 9:11 p.m. UTC | #1
On Wed, 25 Sep 2024 15:37:34 +0200
Francois Perrad <francois.perrad@gadz.org> wrote:

> Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
> ---
>  ...1-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch | 2 +-
>  .../0002-autotools-do-not-add-iconv-for-Requires.private.patch  | 2 +-
>  package/libarchive/libarchive.hash                              | 2 +-
>  package/libarchive/libarchive.mk                                | 2 +-
>  4 files changed, 4 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas

Peter Korsgaard Oct. 19, 2024, 7:16 p.m. UTC | #2
>>>>> "Francois" == Francois Perrad <francois.perrad@gadz.org> writes:

 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>

Looking at https://github.com/libarchive/libarchive/releases I see that
this fixes a number of security issues, so it should be marked as a
security bump:

Security fixes:

    fix multiple vulnerabilities identified by SAST (#2251, #2256)
    cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
    lzop: prevent integer overflow (#2174)
    rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
    rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
    rar4: fix OOB in delta and audio filter (#2148, #2149)
    rar4: fix out of boundary access with large files (#2179)
    rar4: add boundary checks to rgb filter (#2210)
    rar4: fix OOB access with unicode filenames (#2203)
    rar5: clear 'data ready' cache on window buffer reallocs (#2265)
    rpm: calculate huge header sizes correctly (#2158)
    unzip: unify EOF handling (#2175)
    util: fix out of boundary access in mktemp functions (#2160)
    uu: stop processing if lines are too long (#2168)

In addition, 3.7.7 has been released with more security fixes - Care to
send a patch?

Committed to 2024.02.x and 2024.08.x after marking as a security bump,
thanks.

Patch

diff --git a/package/libarchive/0001-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch b/package/libarchive/0001-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch
index a4dd7dad5..e630c51fe 100644
--- a/package/libarchive/0001-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch
+++ b/package/libarchive/0001-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch
@@ -15,7 +15,7 @@  diff --git a/configure.ac b/configure.ac
 index 93f7af94..204a4e69 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -434,9 +434,7 @@ if test "x$with_iconv" != "xno"; then
+@@ -449,9 +449,7 @@ if test "x$with_iconv" != "xno"; then
      AC_CHECK_HEADERS([localcharset.h])
      am_save_LIBS="$LIBS"
      LIBS="${LIBS} ${LIBICONV}"
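Review bot: The only change in this refresh is the embedded hunk header moving from `@@ -434,9 +434,7 @@` to `@@ -449,9 +449,7 @@`, yet the commit message has no body saying that the carried patches 0001 and 0002 were refreshed for the new version. Suggest adding a line such as "refresh patches 0001 and 0002 for the new configure.ac offsets" so a later reader does not have to diff the patch files to confirm their content is otherwise unchanged.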
diff --git a/package/libarchive/0002-autotools-do-not-add-iconv-for-Requires.private.patch b/package/libarchive/0002-autotools-do-not-add-iconv-for-Requires.private.patch
index 3cbd30410..aca2dab9d 100644
--- a/package/libarchive/0002-autotools-do-not-add-iconv-for-Requires.private.patch
+++ b/package/libarchive/0002-autotools-do-not-add-iconv-for-Requires.private.patch
@@ -17,7 +17,7 @@  diff --git a/configure.ac b/configure.ac
 index 99bff20d1..f245d0c55 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -434,7 +434,6 @@ if test "x$with_iconv" != "xno"; then
+@@ -449,7 +449,6 @@ if test "x$with_iconv" != "xno"; then
      AC_CHECK_HEADERS([localcharset.h])
      am_save_LIBS="$LIBS"
      LIBS="${LIBS} ${LIBICONV}"
diff --git a/package/libarchive/libarchive.hash b/package/libarchive/libarchive.hash
index a2c648873..08920b61c 100644
--- a/package/libarchive/libarchive.hash
+++ b/package/libarchive/libarchive.hash
@@ -1,4 +1,4 @@ 
 # From https://www.libarchive.de/downloads/sha256sums
-sha256  f887755c434a736a609cbd28d87ddbfbe9d6a3bb5b703c22c02f6af80a802735  libarchive-3.7.4.tar.xz
+sha256  0a2efdcb185da2eb1e7cd8421434cb9a6119f72417a13335cca378d476fd3ba0  libarchive-3.7.6.tar.xz
 # Locally computed:
 sha256  b2cdf763345de2de34cebf54394df3c61a105c3b71288603c251f2fa638200ba  COPYING
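Review bot: The new `libarchive-3.7.6.tar.xz` digest is taken from `https://www.libarchive.de/downloads/sha256sums`, the same site that `LIBARCHIVE_SITE` in libarchive.mk downloads the tarball from, so it pins the content for later builds but does not independently authenticate the first fetch. Suggest cross-checking the digest against a second source, for instance the release page at https://github.com/libarchive/libarchive/releases referenced in the thread, or an upstream signature if one is published, and recording that in the comment line. The `COPYING` hash under "Locally computed" is unchanged, which is consistent with no licence text change between 3.7.4 and 3.7.6.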
diff --git a/package/libarchive/libarchive.mk b/package/libarchive/libarchive.mk
index 7d58b5c69..d3a447552 100644
--- a/package/libarchive/libarchive.mk
+++ b/package/libarchive/libarchive.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBARCHIVE_VERSION = 3.7.4
+LIBARCHIVE_VERSION = 3.7.6
 LIBARCHIVE_SOURCE = libarchive-$(LIBARCHIVE_VERSION).tar.xz
 LIBARCHIVE_SITE = https://www.libarchive.de/downloads
 LIBARCHIVE_INSTALL_STAGING = YES
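Review bot: The bump at `LIBARCHIVE_VERSION = 3.7.6` is submitted with a commit message that contains only the Signed-off-by line, while the release notes quoted in the thread list security fixes including CVE-2024-20696 and CVE-2024-26256. Suggest retitling it as a security bump and listing the fixed CVEs in the commit body so that stable-branch maintainers can pick it out for backporting. The thread also notes that 3.7.7 is already released with further security fixes, so a follow-up bump is worth queuing.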