Pick 2 commits as in scarthgap branch plus one additional precondition
to apply those.
(From OE-Core rev: e43507dad134c5036be1c79a37f73c34f4fb6292)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-
one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-
byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, lea
ding to unpredictable program behavior, crashes, or in specific circumstances, could be lever
aged as a building block for more sophisticated exploitation.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5917
Upstream-patch:
7c02cde37a
(From OE-Core rev: 2b2a2fce345c9bfcad44cc8ef3419f43dd07b022)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw
involves an integer overflow that can be triggered when processing a Web
Archive (WARC) file that claims to have more than INT64_MAX - 4 content
bytes. An attacker could craft a malicious WARC archive to induce this
overflow, potentially leading to unpredictable program behavior, memory
corruption, or a denial-of-service condition within applications that
process such archives using libarchive.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5916
Upstream-patch:
ef09372952
(From OE-Core rev: 0e939bf5fc7412c7357fcd7d8ae760f023ac40eb)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw can lead to a heap b
uffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer
-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memo
ry buffer, which can result in unpredictable program behavior, crashes (denial of service), o
r the disclosure of sensitive information from adjacent memory regions.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5915
Upstream-patches:
a612bf62f8
(From OE-Core rev: 41e7be4aa28481530d5e259d0f25b238b86c012d)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Adds patch to backport fix for CVE-2025-5914.
(From OE-Core rev: 4a4c6e0382834e03480e07f30ed5efa23f6c6fe2)
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this MR which was merged to master.
Note that this commit also patched CVE-2025-1632 in bsdunzip, however
that utility was introduced only in 3.7.0, so that part is not
applicable in kirkstone.
(From OE-Core rev: ec837d3b21b4f8b98abac53e2833f1490ba6bf1e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There was no CVE assigned but the commit message is clear.
(From OE-Core rev: 3743a82162546eceb8d54b240dc70c521c53bed8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.
The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.
[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875
(From OE-Core rev: d5e7971e12cdc8748be91b4e6408b42fa86b2f15)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Libarchive is being used by OPKG package manager as default
API for extracting tar files. This fix allows us to extract
ipks packages with preserved ACLs and xattrs.
Partially addresses [YOCTO #15091]
[RP: Merge into main PACKAGECONFIG and tweak commit message]
(From OE-Core rev: b1f80f0a2bf30698192c7a214c5802b76464d095)
Signed-off-by: Piotr Łobacz <p.lobacz@welotec.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 913aad1ac013368aef8f6af332588ef24bba46bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Libarchive 3.6.2 is a bugfix and security release.
Important security fixes:
NULL pointer dereference vulnerability in archive_write.c (#1754, #1759, CVE-2022-36227)
Important bug fixes:
include ZSTD in Windows builds (#1688)
SSL fixes on Windows (#1714, #1723, #1724)
rar5 reader: fix possible garbled output with bsdtar -O (#1745)
mtree reader: support reading mtree files with tabs (#1783)
various small fixes for issues found by CodeQL
Use --without-iconv as otherwise autotools write a bogus iconv
dependency into .pc file.
(From OE-Core rev: 41e1b4c29e45a9022eea8f89dfb09b6eb2eae60b)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit edce1bce81fe2f47fb2c5e2b94ebda73f95cbaea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 93b972845a28b62ea01ee0f4a1e043bd58fc0892)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Libarchive 3.5.3 is a security release
Security Fixes:
extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)
(From OE-Core rev: 5b00b0e015312264cdb3fd88b6f4a8df456316c3)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that zstd is in oe-core, add PACKAGECONFIG for it and enabled
it by default in libarchive.
zstd support is expected by CMake, which in nativesdk depends on
libarchive. CMake depends on having all formats supported and build
issues can arise when zstd is not available:
https://gitlab.kitware.com/cmake/cmake/-/issues/21552
Quote from a CMake dev:
"As far as CMake's design is concerned, we have no optional formats.
All should be supported. That's why we bundle sufficiently new versions
of libarchive and libzstd. If a distro builds with an older libarchive
that doesn't have zstd support, then that is not a proper packaging of CMake."
(From OE-Core rev: 6090bec1261726e5290f50e9cd22e42952253ed5)
Signed-off-by: Samuli Piippo <samuli.piippo@qt.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An XML parser (either libxml2, or expat) is only needed by libarchive to
read/write XAR archives. However, these also need OpenSSL enabled which
by default it is not, so XAR files were disabled and libxml2 was a build
dependency for no reason.
As XAR archives are mainly used on macOS, we can remove libxml2.
(From OE-Core rev: 363f1ee30b0e6d222943aaed8dce37a4a441a86d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-libarchive/CVE-2018-1000877.patch
-libarchive/CVE-2018-1000878.patch
-libarchive/CVE-2018-1000879.patch
-libarchive/CVE-2018-1000880.patch
-libarchive/CVE-2019-1000019.patch
-libarchive/CVE-2019-1000020.patch
-libarchive/bug1066.patch
-libarchive/non-recursive-extract-and-list.patch
Removed since these are included in 3.4.0.
-License-Update: Copyright year updated to 2018.
(From OE-Core rev: 4f8fa80b6c57f29c68678cabcac5d114d1ff0500)
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix out of bounds read on empty string filename for guntar, pax and v7tar
(From OE-Core rev: 459506272b8800604886f6bd3bc32ee09d7bb906)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This upgrades to 3.3.3 release and drop the backported patches when
doing the recipe update.
(From OE-Core rev: 60d99a4e64fdddbbe5863fa5879c813fa004600b)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The XZ format is widely used and multiple recipes inside OE-Core
already use it, so making the XZ enabled by default align the
expectation of users. The LZO, on the other side, is commonly used in
embedded systems due its performance so it makes sense to be available
by default.
(From OE-Core rev: 6d24b0bc7ebddd10de5ad8f210b8ed85fc6ae769)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is needed for meta-swupd. Without it, some bsdtar
invocations fail with:
bsdtar: Option -n is not permitted in mode -x
The patch was removed in the update to 3.3.1 with the claim that it
had been merged upstream, but that is not the case.
(From OE-Core rev: 38c86302ebdf886b887165aff06560c63a1537b9)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
read_header in archive_read_support_format_rar.c suffers from an
off-by-one error for UTF-16 names in RAR archives, leading to an
out-of-bounds read in archive_read_format_rar_read_header.
Backport the patch from
https://github.com/libarchive/libarchive/commit
commit 5562545b5562f6d12a4ef991fae158bf4ccf92b6
CVE: CVE-2017-14502
(From OE-Core rev: 0bedb69abff85cc07ad4a54eed41d15d0a38c080)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
