This upgrade includes fix for CVE-2024-57970, CVE-2025-25724 and
CVE-2025-1632
Changelog:
==========
Libarchive 3.7.8 is a bugfix and security release
Security fixes:
tar reader: Handle truncation in the middle of a GNU long linkname (#2422, CVE-2024-57970)
unzip: fix null pointer dereference (#2532, CVE-2025-1632)
tar reader: fix unchecked return value in list_item_verbose() (#2532, CVE-2025-25724)
Important bugfixes:
7zip reader: add SPARC (#2399) and POWERPC (#2459) filter support for non-LZMA compressors
tar reader: Ignore ustar size when pax size is present (#2405)
tar writer: Fix bug when -s/a/b/ used more than once with b flag (#2435)
cpio: Fix a Y2038 bug on Windows (#2471)
libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter (#2519)
libarchive: Adding missing seeker function to archive_read_open_FILE() (#2539)
(From OE-Core rev: 861d6a37e9457510e526c7cd5a63c82d9c48b591)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop configurehack.patch, no longer needed
Upstream changes break the python3-libarchive-c test suite, a second
patch follows.
(From OE-Core rev: e093f603963f10dd8a4cfb2a8d3c3f0efb3fb5bf)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
-PCRE2 support
-add trailing letter b to bsdtar(1) substitute pattern
-add support for long options "--group" and "--owner" to tar(1)
-Fix possible vulnerability in tar error reporting introduced in f27c173
-ISO9660: preserve the natural order of links
-rar5: fix decoding unicode filenames on Windows
-rar5: fix infinite loop if during rar5 decompression the last block produced no data
-xz filter: fix incorrect eof at the end of an lzip member
-zip: fix end-of-data marker processing when decompressing zip archives
-multiple bsdunzip(1) fixes
-filetime truncation fix on Windows
configurehack.patch
refreshed for 3.7.3
(From OE-Core rev: bd4ab2025bcaffcf2802ad09c9d83e2a4d2a0f2c)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
automatic detection could result in inconsistent host dependencies
since it will be enabled for libarchive-native if the build host has
libb2 installed and this can then fail on hosts which do not have
this library installed
Fixes errors like
recipe-sysroot-native/usr/bin/opkg: error while loading shared libraries: libb2.so.1: cannot open shared object file: No such file or directory
(From OE-Core rev: 5356afef9f0ee70fb804ff9fc8746bcaa47c02ba)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
SEGV and stack buffer overflow in verbose mode of cpio
bsdunzip updated to match latest upstream code
miscellaneous functional bugfixes
build fixes on multiple platforms
bsdunzip: new tool ported from FreeBSD
drop-in replacement for Info-ZIP unzip, not yet ported for Windows
7zip reader: support for Zstandard compression
7zip reader: support for ARM64 filter
zstd filter: support for multi-frame zstd archives
pax: fix year 2038 problem on platforms with 64-bit time_t
Windows: Universal Windows Platform (UWP) fixes and improvements
Windows: bcrypt usage fixes and improvements
Windows: time function usage fixes and improvements
(From OE-Core rev: 186bf084301b3d088dd1f100d870937b39d1389a)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.
The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.
[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875
(From OE-Core rev: 9b5b850d6a6982bb8ff14dcfbb6769b293638293)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2.72c is a prerelease version of autoconf 2.73. It contains largefile and y2038 64 bit
time_t improvements for 32 bit architectures.
Rather than work on the older codebase, this brings us to work with the recent
autoconf upstream with the 64 bit changes. It is unclear when upstream will release
2.73 but it is easier for us to be aligned now we've done the bulk of the work needed
to update.
Upstream added several patches which fixed several common failures OE builds ran
into (backported in the next commit). In general testing has otherwise been good for us.
There is an unfortunate gnulib largefile.m4 bug. This change patches various software
to workaround it, next time they update new versions of the gnulib code will be pulled
in which address the issue with the official fix.
There are also a couple of ordering related fixes for apr and libarchive.
(From OE-Core rev: bb74a03e927b4867d885ad3539b097f0e7ed108c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Libarchive is being used by OPKG package manager as default
API for extracting tar files. This fix allows us to extract
ipks packages with preserved ACLs and xattrs.
Partially addresses [YOCTO #15091]
[RP: Merge into main PACKAGECONFIG and tweak commit message]
(From OE-Core rev: 913aad1ac013368aef8f6af332588ef24bba46bd)
Signed-off-by: Piotr Łobacz <p.lobacz@welotec.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use --without-iconv as otherwise autotools write a bogus iconv
dependency into .pc file.
(From OE-Core rev: edce1bce81fe2f47fb2c5e2b94ebda73f95cbaea)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
LZO is a fairly obsolete compression format these days, so disable it by
default.
(From OE-Core rev: d5a484a01caebc71ddc98d04954199c3f4642c77)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Libarchive 3.5.3 is a security release
Security Fixes:
extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)
(From OE-Core rev: 5b00b0e015312264cdb3fd88b6f4a8df456316c3)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that zstd is in oe-core, add PACKAGECONFIG for it and enabled
it by default in libarchive.
zstd support is expected by CMake, which in nativesdk depends on
libarchive. CMake depends on having all formats supported and build
issues can arise when zstd is not available:
https://gitlab.kitware.com/cmake/cmake/-/issues/21552
Quote from a CMake dev:
"As far as CMake's design is concerned, we have no optional formats.
All should be supported. That's why we bundle sufficiently new versions
of libarchive and libzstd. If a distro builds with an older libarchive
that doesn't have zstd support, then that is not a proper packaging of CMake."
(From OE-Core rev: 6090bec1261726e5290f50e9cd22e42952253ed5)
Signed-off-by: Samuli Piippo <samuli.piippo@qt.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An XML parser (either libxml2, or expat) is only needed by libarchive to
read/write XAR archives. However, these also need OpenSSL enabled which
by default it is not, so XAR files were disabled and libxml2 was a build
dependency for no reason.
As XAR archives are mainly used on macOS, we can remove libxml2.
(From OE-Core rev: 363f1ee30b0e6d222943aaed8dce37a4a441a86d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-libarchive/CVE-2018-1000877.patch
-libarchive/CVE-2018-1000878.patch
-libarchive/CVE-2018-1000879.patch
-libarchive/CVE-2018-1000880.patch
-libarchive/CVE-2019-1000019.patch
-libarchive/CVE-2019-1000020.patch
-libarchive/bug1066.patch
-libarchive/non-recursive-extract-and-list.patch
Removed since these are included in 3.4.0.
-License-Update: Copyright year updated to 2018.
(From OE-Core rev: 4f8fa80b6c57f29c68678cabcac5d114d1ff0500)
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix out of bounds read on empty string filename for guntar, pax and v7tar
(From OE-Core rev: 459506272b8800604886f6bd3bc32ee09d7bb906)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This upgrades to 3.3.3 release and drop the backported patches when
doing the recipe update.
(From OE-Core rev: 60d99a4e64fdddbbe5863fa5879c813fa004600b)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The XZ format is widely used and multiple recipes inside OE-Core
already use it, so making the XZ enabled by default align the
expectation of users. The LZO, on the other side, is commonly used in
embedded systems due its performance so it makes sense to be available
by default.
(From OE-Core rev: 6d24b0bc7ebddd10de5ad8f210b8ed85fc6ae769)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is needed for meta-swupd. Without it, some bsdtar
invocations fail with:
bsdtar: Option -n is not permitted in mode -x
The patch was removed in the update to 3.3.1 with the claim that it
had been merged upstream, but that is not the case.
(From OE-Core rev: 38c86302ebdf886b887165aff06560c63a1537b9)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
read_header in archive_read_support_format_rar.c suffers from an
off-by-one error for UTF-16 names in RAR archives, leading to an
out-of-bounds read in archive_read_format_rar_read_header.
Backport the patch from
https://github.com/libarchive/libarchive/commit
commit 5562545b5562f6d12a4ef991fae158bf4ccf92b6
CVE: CVE-2017-14502
(From OE-Core rev: 0bedb69abff85cc07ad4a54eed41d15d0a38c080)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1) Upgrade libarchive from 3.2.2 to 3.3.1.
2) Fix an unknown-configure-option "--without-lzmadec" when do_configure.
3) Delete three patches, since they are integrated upstream.
0001-archive_write_disk_posix.c-make-_fsobj-functions-mor.patch
0002-Fix-extracting-hardlinks-over-symlinks.patch
non-recursive-extract-and-list.patch
(From OE-Core rev: b5a5ca83670f93879048758d0637ea0f0a3866ac)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The largefile distro feature has been enabled by default in oe-core
for a long time and, more recently, also in poky-tiny. Building
without the largefile distro feature receives little or no testing.
Many packages now enable LFS without exposing a configure option, so
there should be very little expectation that disabling the distro
feature will result in a distro which globally disables LFS.
Respecting the distro feature adds a maintenance over-head and may be
the source of configurations oddities (e.g. dbus-native currently
builds with LFS disabled for no clear reason - fixed by this commit).
Ignore the largefile distro feature more widely, as a first step
towards deprecating and eventually removing it.
(From OE-Core rev: a75ccaea77c8aad8d46e87e8ed4af2e2e0ad5327)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These set of patches backported from upstream, which fixes the issues in
extracting hardlinks over softlinks while etracting packages by opkg.
(From OE-Core rev: d123490284331c02854f6527a04086c058b7c32e)
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
