| #
344673 |
|
28-Feb-2019 |
mm |
MFC r344063,r344088:
MFC r344063:
Sync libarchive with vendor.
Relevant vendor changes:
PR #1085: Fix a null pointer dereference bug in zip writer
PR #1110: ZIP reader added support for XZ, LZMA, PPMD8 and BZIP2
decopmpression
PR #1116: Add support for 64-bit ar format
PR #1120: Fix a 7zip crash [1] and a ISO9660 infinite loop [2]
PR #1125: RAR5 reader - fix an invalid read and a memory leak
PR #1131: POSIX reader - do not fail when tree_current_lstat() fails
due to ENOENT [3]
PR #1134: Delete unnecessary null pointer checks before calls of free()
OSS-Fuzz 10843: Force intermediate to uint64_t to make UBSAN happy.
OSS-Fuzz 11011: Avoid buffer overflow in rar5 reader
MFC r344088:
archive_read_disk_posix.c: initialize delayed_errno
PR: 233006 [3]
Security: CVE-2019-1000019 [1], CVE-2019-1000020 [2]
|
| #
338033 |
|
18-Aug-2018 |
mm |
MFH r337745:
Sync libarchive with vendor..
Vendor changes:
PR #1042: validate iso9660 directory record length
MFC after: 3 days
Security: CVE-2017-14501
|
| #
318482 |
|
18-May-2017 |
mm |
MFC r317782,318181:
MFC r317782 (mm):
Sync libarchive with vendor
Vendor changes (FreeBSD-related):
PR 897: add test for ZIP archives with invalid EOCD headers
PR 901: fix invalid renaming of sparse files
OSS-Fuzz issue 497: remove fallback tree in LZX decoder
OSS-Fuzz issue 527: rewrite expressions in lz4 filter
OSS-Fuzz issue 577: fix integer overflow in cpio reader
OSS-Fuzz issue 862: fix numerc parsing in mtree reader
OSS-Fuzz issue 1097: fix undefined shift in rar reader
cpio: various optimizations and memory leak fixes
MFC r318181 (ngie) (2):
cpio/tests/test_option_lz4: fix a use after free in the failure case
Reported by: Coverity (2)
Sponsored by: Dell EMC Isilon (2)
|
| #
313570 |
|
11-Feb-2017 |
mm |
MFC r310866,310868,310870,311903,313074:
Sync libarchive with vendor.
MFC r310866:
PR #771: Add NFSv4 ACL support to pax and restricted pax
NFSv4 ACL information may now be stored to and restored from tar archives.
ACL must be non-trivial and supported by the underlying filesystem, e.g.
natively by ZFS or by UFS with the NFSv4 ACL enable flag set.
MFC r310868:
PR #843: Fix memory leak of struct archive_entry in cpio/cpio.c
PR #851: Spelling fixes
Fix two protoypes in manual page archive_read_disk.3
MFC r310870:
Use __LA_DEPRECATED macro with functions deprecated in 379867e
MFC r311903:
#691: Support for SCHILY.xattr extended attributes
#854: Spelling fixes
Multiple fixes in ACL code:
- prefer acl_set_fd_np() to acl_set_fd()
- if acl_set_fd_np() fails, do no fallback to acl_set_file()
- do not warn if trying to write ACLs to a filesystem without ACL support
- fix id handling in archive_acl_(from_to)_text*() for NFSv4 ACLs
MFC r313074:
- support extracting NFSv4 ACLs from Solaris tar archives
- bugfixes and optimizations in the ACL code
- multiple fixes in the test suite
- typo and other small bugfixes
Security fixes:
- cab reader: endless loop when parsing MSZIP signature (OSS-Fuzz 335)
- LHA reader: heap-buffer-overflow in lha_read_file_header_1()
(CVE-2017-5601)
- LZ4 reader: null-pointer dereference in lz4_filter_read_legacy_stream()
(OSS-Fuzz 453)
- mtree reader: heap-buffer-overflow in detect_form() (OSS-Fuzz 421, 443)
- WARC reader: heap-buffer-overflow in xstrpisotime() (OSS-Fuzz 382, 458)
Memory leak fixes:
- ACL support: free memory allocated by acl_get_qualifier()
- disk writer: missing free in create_filesystem_object()
- file reader: fd leak (Coverity 1016755)
- gnutar writer: fix free in archive_write_gnutar_header()
(Coverity 101675)
- iso 9660 reader: missing free in parse_file_info()
(partial Coverity 1016754)
- program reader: missing free in __archive_read_program()
- program writer: missing free in __archive_write_program_free()
- xar reader: missing free in xar_cleanup()
- xar reader: missing frees in expat_xmlattr_setup()
(Coverity 1229979-1229981)
- xar writer: missing free in file_free()
- zip reader: missing free in zip_read_local_file_header()
List of all libarchive issues at OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=libarchive
Security: CVE-2017-5601
|
| #
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
| #
302075 |
|
22-Jun-2016 |
mm |
MFV r302003,r302037,r302038,r302056:
Update libarchive to 3.2.1 (bugfix and security fix release)
List of vendor fixes:
- fix exploitable heap overflow vulnerability in Rar decompression
(vendor issue 719, CVE-2016-4302, TALOS-2016-0154)
- fix exploitable stack based buffer overflow vulnebarility in mtree
parse_device functionality (vendor PR 715, CVE-2016-4301, TALOS-2016-0153)
- fix exploitable heap overflow vulnerability in 7-zip read_SubStreamsInfo
(vendor issue 718, CVE-2016-4300, TALOS-2016-152)
- fix integer overflow when computing location of volume descriptor
(vendor issue 717)
- fix buffer overflow when reading a crafred rar archive (vendor issue 521)
- fix possible buffer overflow when reading ISO9660 archives on machines
where sizeof(int) < sizeof(size_t) (vendor issue 711)
- tar and cpio should fail if an input file named on the command line is
missing (vendor issue 708)
- fix incorrect writing of gnutar filenames that are exactly 512 bytes
long (vendor issue 682)
- allow tests to be run from paths that are equal or longer than 128
characters (vendor issue 657)
- add memory allocation errors in archive_entry_xattr.c (vendor PR 603)
- remove dead code in archive_entry_xattr_add_entry() (vendor PR 716)
- fix broken decryption of ZIP files (vendor issue 553)
- manpage style, typo and description fixes
Post-3.2.1 vendor fixes:
- fix typo in cpio version reporting (Vendor PR 725, 726)
- fix argument range of ctype functions in libarchive_fe/passphrase.c
- fix ctype use and avoid empty loop bodies in WARC reader
MFC after: 1 week
Security: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302
Approved by: re (kib)
|
| #
299529 |
|
12-May-2016 |
mm |
MFV r299425:
Update libarchive to 3.2.0
New features:
- new bsdcat command-line utility
- LZ4 compression (in src only via external utility from ports)
- Warc format support
- 'Raw' format writer
- Zip: Support archives >4GB, entries >4GB
- Zip: Support encrypting and decrypting entries
- Zip: Support experimental streaming extension
- Identify encrypted entries in several formats
- New --clear-nochange-flags option to bsdtar tries to remove noschg and
similar flags before deleting files
- New --ignore-zeros option to bsdtar to handle concatenated tar archives
- Use multi-threaded LZMA decompression if liblzma supports it
- Expose version info for libraries used by libarchive
Patched files (fixed compiler warnings):
contrib/libarchive/cat/bsdcat.c (vendor PR #702)
contrib/libarchive/cat/bsdcat.h (vendor PR #702)
contrib/libarchive/libarchive/archive_read_support_format_mtree.c (PR #701)
contrib/libarchive/libarchive_fe/err.c (vendor PR #703)
MFC after: 1 month
Relnotes: yes
|
| #
248616 |
|
22-Mar-2013 |
mm |
MFV r248590,248594:
Update libarchive to 3.1.2
Some of new features:
- support for lrzip and grzip compression
- support for writing tar v7 format
- b64encode and uuencode filters
- support for __MACOSX directory in Zip archives
- support for lzop compresion (external utility)
|
| #
238856 |
|
28-Jul-2012 |
mm |
Update libarchive to 3.0.4
|
| #
232153 |
|
25-Feb-2012 |
mm |
Update libarchive to 3.0.3
Some of new features:
- New readers: RAR, LHA/LZH, CAB reader, 7-Zip
- New writers: ISO9660, XAR
- Improvements to many formats, especially including ISO9660 and Zip
- Stackable write filters to write, e.g., tar.gz.uu in a single pass
- Exploit seekable input; new "seekable" Zip reader can exploit the Zip
Central Directory when it's available; the old "streamable" Zip reader
is still fully supported for cases where seeking is not possible.
Full release notes available at:
https://github.com/libarchive/libarchive/wiki/ReleaseNotes
|
| #
230759 |
|
29-Jan-2012 |
mm |
Uupdate code to vendor rev. 4183 (release/2.8)
Fixes vendor issue 224:
"Mishandling CD9660 images with RockRidge extensions from FreeBSD makefs"
References:
http://code.google.com/p/libarchive/issues/detail?id=224
MFC after: 1 week
|
| #
228911 |
|
27-Dec-2011 |
mm |
Update to vendor revision 4016.
Vendor has integrated most of our local changes in revisions 3976-3979 so
future updates are going to be easier.
Thanks to Tim Kientzle <kientzle@FreeBSD.org>.
MFC after: 8 days
|
| #
228772 |
|
21-Dec-2011 |
mm |
Add missing integer casts to comparsions in libarchive read.
MFC after: 2 weeks
|
| #
228771 |
|
21-Dec-2011 |
mm |
Partial merge of r224691 from lib/libarchive:
Add compatibility for ISO images created with unfixed makefs that
violated ECMA-119 (ISO9660): allow reserved4 to be 0x20 in PVD.
This allows tar to read FreeBSD distribution ISO images created
with makefs prior to NetBSD bin/45217 bugfix (up to 9.0-BETA1).
MFC after: 2 weeks
|
| #
228763 |
|
21-Dec-2011 |
mm |
Set svn:keywords to FreeBSD=%H for contrib/libarchive
MFC after: 2 weeks
|
| #
228761 |
|
21-Dec-2011 |
mm |
Copy libarchive from vendor branch to contrib
MFC after: 2 weeks
|
| #
228759 |
|
21-Dec-2011 |
mm |
Set svn:eol-style property to native for all text files in vendor/libarchive
|
| #
228753 |
|
20-Dec-2011 |
mm |
Vendor import of libarchive (release/2.8, r3824)
Obtained from: http://libarchive.googlecode.com/svn/release/2.8
|