From: Baruch Siach via buildroot <buildroot@buildroot.org>
To: Titouan Christophe via buildroot <buildroot@buildroot.org>
Cc: Titouan Christophe <titouan.christophe@mind.be>,
Pierre-Jean Texier <texier.pj2@gmail.com>
Subject: Re: [Buildroot] [PATCH] package/libarchive: security bump to v3.8.1
Date: Mon, 23 Jun 2025 19:15:51 +0300
Message-ID: <87frfqjux4.fsf@tarshish>
In-Reply-To: <20250623160224.953975-1-titouan.christophe@mind.be> (Titouan Christophe via buildroot's message of "Mon, 23 Jun 2025 18:02:24 +0200")

Hi Titouan,

On Mon, Jun 23 2025, Titouan Christophe via buildroot wrote:
> This fixes the following CVEs:
>
> - CVE-2025-5914
> Libarchive: double free at archive_read_format_rar_seek_data()
> in archive_read_support_format_rar.c
> https://www.cve.org/CVERecord?id=CVE-2025-5914
>
> - CVE-2025-5915
> Libarchive: heap buffer over read in copy_from_lzss_window()
> at archive_read_support_format_rar.c
> https://www.cve.org/CVERecord?id=CVE-2025-5915
>
> - CVE-2025-5916
> Libarchive: integer overflow while reading warc files
> at archive_read_support_format_warc.c
> https://www.cve.org/CVERecord?id=CVE-2025-5916
>
> - CVE-2025-5917
> Libarchive: off by one error in build_ustar_entry_name()
> at archive_write_set_format_pax.c
> https://www.cve.org/CVERecord?id=CVE-2025-5917
>
> - CVE-2025-5918
> Libarchive: reading past eof may be triggered for piped file streams
> https://www.cve.org/CVERecord?id=CVE-2025-5918
>
> See the release notes:
> - https://github.com/libarchive/libarchive/releases/tag/v3.8.0
> - https://github.com/libarchive/libarchive/releases/tag/v3.8.1
>
> In addition to the version bump, the following changes are required:
> - The COPYING file has been edited upstream because of filename change on a
> sub-licensed component; see
> https://github.com/libarchive/libarchive/commit/c26f0377457db392bd57a640e8fe25506120f810
> - The upstream "sha256sums" is currently unavailable, so the archive checksum
> has been computed locally
> - Drop patches for libiconv in configure.ac, which has been properly addressed
> upstream in https://github.com/libarchive/libarchive/pull/2611
> - Drop mbedtls patch that has been applied upstream

Since this patch drops all configure.ac patches, do we still need
AUTORECONF?

baruch

>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
> ...iconv-to-the-.pc-file-if-needed-1825.patch | 31 ---
> ...o-not-add-iconv-for-Requires.private.patch | 27 --
> ...mbedtls-version-3-compatibility-2602.patch | 238 ------------------
> package/libarchive/libarchive.hash | 7 +-
> package/libarchive/libarchive.mk | 2 +-
> 5 files changed, 5 insertions(+), 300 deletions(-)
> delete mode 100644 package/libarchive/0001-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch
> delete mode 100644 package/libarchive/0002-autotools-do-not-add-iconv-for-Requires.private.patch
> delete mode 100644 package/libarchive/0003-Fix-mbedtls-version-3-compatibility-2602.patch
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot