A vulnerability has been identified in the libarchive library. This flaw can be triggered whe
n file streams are piped into bsdtar, potentially allowing for reading past the end of the fi
le. This out-of-bounds read can lead to unintended consequences, including unpredictable prog
ram behavior, memory corruption, or a denial-of-service condition.
CVE-2025-5918-0001 is the dependent commit and CVE-2025-5918-0002 is the actual CVE fix.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5918
Upstream-patches:
89b8c35ff4dcbf1e0ede
(From OE-Core rev: 369c164a163b2c7f15ee5fc41130be9feaf7245e)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-
one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-
byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, lea
ding to unpredictable program behavior, crashes, or in specific circumstances, could be lever
aged as a building block for more sophisticated exploitation.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5917
Upstream-patch:
7c02cde37a
(From OE-Core rev: 2b6832b05bab414df1da7c74a0c6a5e5a9d75b29)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw
involves an integer overflow that can be triggered when processing a Web
Archive (WARC) file that claims to have more than INT64_MAX - 4 content
bytes. An attacker could craft a malicious WARC archive to induce this
overflow, potentially leading to unpredictable program behavior, memory
corruption, or a denial-of-service condition within applications that
process such archives using libarchive.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5916
Upstream-patch:
ef09372952
(From OE-Core rev: 9c74d3a096fed68d173f8711b373a42f158d6cc7)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw can lead to a heap b
uffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer
-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memo
ry buffer, which can result in unpredictable program behavior, crashes (denial of service), o
r the disclosure of sensitive information from adjacent memory regions.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5915
Upstream-patches:
a612bf62f8
(From OE-Core rev: 99fdc86ad57db4d8829a33033918cf78419977af)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library, specifically within the archiv
e_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultim
ately lead to a double-free condition. Exploiting a double-free vulnerability can result in m
emory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service
condition.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-5914
Upstream-patch:
09685126fc
(From OE-Core rev: b7d8249bda296620a5bbf592f4cdf566b4537563)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These is update with only bug and security releases.
On top of previous CVE patches, also CVE-2024-48615 is handled.
Also many security fixes without CVE assigment are included.
Note that upgrade to 3.7.5 on master required fix of test in
python3-libarchive-c, however that recipe does not yet have ptest in
scarthgap and the fix was in test only, not in productive code, so it is
not necessary in scarthgap.
Also remove CVE_STATUS which was obsolete already before this upgrade.
(From OE-Core rev: f20516a3ed8a39d7e4deddf11dd2acd871894048)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this MR which was merged to master.
(From OE-Core rev: a4ff82c789d50a3f411170636679ce46c8f84b25)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changlog:
========
rar: Fix OOB in rar e8 filter
zip: Fix out of boundary access
7zip: Limit amount of properties
bsdtar: Fix error handling around strtol() usages
passphrase: Improve newline handling on Windows
passphrase: Never allow empty passwords
rar: Fix "File CRC Error" when extracting specific rar4 archives
xar: Avoid infinite link loop
zip: Update AppleDouble support for directories
zstd: Implement core detection
PCRE2 support
add trailing letter b to bsdtar(1) substitute pattern
add support for long options "--group" and "--owner" to tar(1)
Fix possible vulnerability in tar error reporting introduced in f27c173
ISO9660: preserve the natural order of links
rar5: fix decoding unicode filenames on Windows
rar5: fix infinite loop if during rar5 decompression the last block produced no data
xz filter: fix incorrect eof at the end of an lzip member
zip: fix end-of-data marker processing when decompressing zip archives
multiple bsdunzip(1) fixes
filetime truncation fix on Windows
Adjusted configurehack.patch to align with upgraded version.
(From OE-Core rev: 1c789d692e0bbea4c26cfad8c36abf051f54a444)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
automatic detection could result in inconsistent host dependencies
since it will be enabled for libarchive-native if the build host has
libb2 installed and this can then fail on hosts which do not have
this library installed
Fixes errors like
recipe-sysroot-native/usr/bin/opkg: error while loading shared libraries: libb2.so.1: cannot open shared object file: No such file or directory
(From OE-Core rev: 5356afef9f0ee70fb804ff9fc8746bcaa47c02ba)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
SEGV and stack buffer overflow in verbose mode of cpio
bsdunzip updated to match latest upstream code
miscellaneous functional bugfixes
build fixes on multiple platforms
bsdunzip: new tool ported from FreeBSD
drop-in replacement for Info-ZIP unzip, not yet ported for Windows
7zip reader: support for Zstandard compression
7zip reader: support for ARM64 filter
zstd filter: support for multi-frame zstd archives
pax: fix year 2038 problem on platforms with 64-bit time_t
Windows: Universal Windows Platform (UWP) fixes and improvements
Windows: bcrypt usage fixes and improvements
Windows: time function usage fixes and improvements
(From OE-Core rev: 186bf084301b3d088dd1f100d870937b39d1389a)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.
The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.
[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875
(From OE-Core rev: 9b5b850d6a6982bb8ff14dcfbb6769b293638293)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2.72c is a prerelease version of autoconf 2.73. It contains largefile and y2038 64 bit
time_t improvements for 32 bit architectures.
Rather than work on the older codebase, this brings us to work with the recent
autoconf upstream with the 64 bit changes. It is unclear when upstream will release
2.73 but it is easier for us to be aligned now we've done the bulk of the work needed
to update.
Upstream added several patches which fixed several common failures OE builds ran
into (backported in the next commit). In general testing has otherwise been good for us.
There is an unfortunate gnulib largefile.m4 bug. This change patches various software
to workaround it, next time they update new versions of the gnulib code will be pulled
in which address the issue with the official fix.
There are also a couple of ordering related fixes for apr and libarchive.
(From OE-Core rev: bb74a03e927b4867d885ad3539b097f0e7ed108c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Libarchive is being used by OPKG package manager as default
API for extracting tar files. This fix allows us to extract
ipks packages with preserved ACLs and xattrs.
Partially addresses [YOCTO #15091]
[RP: Merge into main PACKAGECONFIG and tweak commit message]
(From OE-Core rev: 913aad1ac013368aef8f6af332588ef24bba46bd)
Signed-off-by: Piotr Łobacz <p.lobacz@welotec.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use --without-iconv as otherwise autotools write a bogus iconv
dependency into .pc file.
(From OE-Core rev: edce1bce81fe2f47fb2c5e2b94ebda73f95cbaea)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
LZO is a fairly obsolete compression format these days, so disable it by
default.
(From OE-Core rev: d5a484a01caebc71ddc98d04954199c3f4642c77)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Libarchive 3.5.3 is a security release
Security Fixes:
extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)
(From OE-Core rev: 5b00b0e015312264cdb3fd88b6f4a8df456316c3)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that zstd is in oe-core, add PACKAGECONFIG for it and enabled
it by default in libarchive.
zstd support is expected by CMake, which in nativesdk depends on
libarchive. CMake depends on having all formats supported and build
issues can arise when zstd is not available:
https://gitlab.kitware.com/cmake/cmake/-/issues/21552
Quote from a CMake dev:
"As far as CMake's design is concerned, we have no optional formats.
All should be supported. That's why we bundle sufficiently new versions
of libarchive and libzstd. If a distro builds with an older libarchive
that doesn't have zstd support, then that is not a proper packaging of CMake."
(From OE-Core rev: 6090bec1261726e5290f50e9cd22e42952253ed5)
Signed-off-by: Samuli Piippo <samuli.piippo@qt.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An XML parser (either libxml2, or expat) is only needed by libarchive to
read/write XAR archives. However, these also need OpenSSL enabled which
by default it is not, so XAR files were disabled and libxml2 was a build
dependency for no reason.
As XAR archives are mainly used on macOS, we can remove libxml2.
(From OE-Core rev: 363f1ee30b0e6d222943aaed8dce37a4a441a86d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-libarchive/CVE-2018-1000877.patch
-libarchive/CVE-2018-1000878.patch
-libarchive/CVE-2018-1000879.patch
-libarchive/CVE-2018-1000880.patch
-libarchive/CVE-2019-1000019.patch
-libarchive/CVE-2019-1000020.patch
-libarchive/bug1066.patch
-libarchive/non-recursive-extract-and-list.patch
Removed since these are included in 3.4.0.
-License-Update: Copyright year updated to 2018.
(From OE-Core rev: 4f8fa80b6c57f29c68678cabcac5d114d1ff0500)
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix out of bounds read on empty string filename for guntar, pax and v7tar
(From OE-Core rev: 459506272b8800604886f6bd3bc32ee09d7bb906)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This upgrades to 3.3.3 release and drop the backported patches when
doing the recipe update.
(From OE-Core rev: 60d99a4e64fdddbbe5863fa5879c813fa004600b)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The XZ format is widely used and multiple recipes inside OE-Core
already use it, so making the XZ enabled by default align the
expectation of users. The LZO, on the other side, is commonly used in
embedded systems due its performance so it makes sense to be available
by default.
(From OE-Core rev: 6d24b0bc7ebddd10de5ad8f210b8ed85fc6ae769)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is needed for meta-swupd. Without it, some bsdtar
invocations fail with:
bsdtar: Option -n is not permitted in mode -x
The patch was removed in the update to 3.3.1 with the claim that it
had been merged upstream, but that is not the case.
(From OE-Core rev: 38c86302ebdf886b887165aff06560c63a1537b9)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
read_header in archive_read_support_format_rar.c suffers from an
off-by-one error for UTF-16 names in RAR archives, leading to an
out-of-bounds read in archive_read_format_rar_read_header.
Backport the patch from
https://github.com/libarchive/libarchive/commit
commit 5562545b5562f6d12a4ef991fae158bf4ccf92b6
CVE: CVE-2017-14502
(From OE-Core rev: 0bedb69abff85cc07ad4a54eed41d15d0a38c080)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
