src/lib/libarchive, branch release/14.4.0

src/lib/libarchive, branch release/14.4.0 FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=release%2F14.4.0 2026-01-15T20:04:41Z libarchive: merge from vendor branch 2026-01-15T20:04:41Z Martin Matuska mm@FreeBSD.org 2025-11-19T13:33:40Z urn:sha1:eb042d5e8de37eacbed5aa94ba64d7d95995a266 libarchive 3.8.3 Important bugfixes: #2753 lib: Create temporary files in the target directory #2768 lha: Fix for an out-of-bounds buffer overrun when using p[H_LEVEL_OFFSET] #2769 7-zip: Fix a buffer overrun when reading truncated 7zip headers #2771 lz4 and zstd: Support both lz4 and zstd data with leading skippable frames Obtained from: libarchive Vendor commit: 1368b08875351df8aa268237b882c8f4ceb0882d MFC after: 1 week (cherry picked from commit 007679a138089676aadc9a712277f4004403b905) libarchive: merge from vendor branch 2025-11-03T09:29:25Z Martin Matuska mm@FreeBSD.org 2025-10-21T14:10:15Z urn:sha1:1955c8f6293fd8188c208bf03debc67b0ad7c615 Update libarchive to 3.8.2 Important bugfixes: #2477 tar writer: fix replacing a regular file with a dir for ARCHIVE_EXTRACT_SAFE_WRITES #2659 lib: improve filter process handling #2664 zip writer: fix a memory leak if write callback error early #2665 lib: archive_read_data: handle sparse holes at end of file correctly #2668 7zip: Fix out of boundary access #2670 zip writer: fix writing with ZSTD compression #2672 lib: fix error checking in writing files #2678 zstd write filter: enable Zstandard's checksum feature #2679 lib: handle possible errors from system calls #2707 lib: avoid leaking file descriptors into subprocesses #2713 RAR5 reader: fix multiple issues in extra field parsing function #2716 RAR5 reader: early fail when file declares data for a dir entry #2717 bsdtar: Allow filename to have CRLF endings #2719 tar reader: fix checking the result of the strftime (CVE-2025-25724) #2737 tar reader: fix an infinite loop when parsing V headers #2742 lib: parse_date: handle dates in 2038 and beyond if time_t is big enough Obtained from: libarchive Vendor commit: 7f53fce04e4e672230f4eb80b219af17975e4f83 Security: CVE-2025-25724 PR: 290303 (exp-run, main) (cherry picked from commit 401026e4825a05abba6f945cf1b74b3328876fa2) libarchive: Stop using readdir_r() 2025-08-08T19:47:01Z Dag-Erling Smørgrav des@FreeBSD.org 2025-08-01T23:11:18Z urn:sha1:9ddbef8a3a827dfa5a0c332838e1fc8e384c4d92 It cannot be used safely, though libarchive goes to ridiculous lengths to attempt to do so. MFC after: 1 week Sponsored by: Klara, Inc. Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D51679 (cherry picked from commit 01e42ce81f751ccbeeddc4bc2716e6bd634cf5f8) libarchive: fix duplicate entry in tests Makefile 2025-06-19T22:17:49Z Martin Matuska mm@FreeBSD.org 2025-06-02T12:55:00Z urn:sha1:bcaefdc4267a1ed0e4cc5a4691fa0b7e28b7e854 Reported by: des MFC after: 2 weeks (together with 2e113ef82) (cherry picked from commit 331f2c1c46584510fa9104c86f31f44ece3838c5) libarchive: merge from vendor branch 2025-06-19T22:16:24Z Martin Matuska mm@FreeBSD.org 2025-06-01T20:16:26Z urn:sha1:6dad4525a2910496ecf3c41de659aac906f6c1f4 libarchive 3.8.1 New features: #2088 7-zip reader: improve self-extracting archive detection #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support #2403 zip writer: added LZMA + RISCV BCJ filter #2601 bsdtar: support --mtime and --clamp-mtime #2602 libarchive: mbedtls 3.x compatibility Security fixes: #2422 tar reader: Handle truncation in the middle of a GNU long linkname (CVE-2024-57970) #2532 tar reader: fix unchecked return value in list_item_verbose() (CVE-2025-25724) #2532 unzip: fix null pointer dereference (CVE-2025-1632) #2568 warc: prevent signed integer overflow (CVE-2025-5916) #2584 rar: do not skip past EOF while reading (CVE-2025-5918) #2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917) #2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914) #2599 rar: fix heap-buffer-overflow (CVE-2025-5915) Important bugfixes: #2399 7-zip reader: add SPARC filter support for non-LZMA compressors #2405 tar reader: ignore ustar size when pax size is present #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter #2539 libarchive: add missing seeker function to archive_read_open_FILE() #2544 gzip: allow setting the original filename for gzip compressed files #2564 libarchive: improve lseek handling #2582 rar: support large headers on 32 bit systems #2587 bsdtar: don't hardlink negative inode files together #2596 rar: support large headers on 32 bit systems #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings #2634 tar: Support negative time values with pax #2637 tar: Keep block alignment after pax error #2642 libarchive: fix FILE_skip regression #2643 tar: Handle extra bytes after sparse entries #2649 compress: Prevent call stack overflow #2651 iso9660: always check archive_string_ensure return value CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724, CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918 PR: 286944 (exp-run, main, libarchive 3.8.0) (cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47) libarchive tests: Re-enable a broken test 2024-11-05T00:55:43Z Mark Johnston markj@FreeBSD.org 2024-10-29T15:11:28Z urn:sha1:4c0effbb1ddf85fa8d7b94e8b3767acd11a38b76 It passes and so appears to have been silently fixed at some point. PR: 240683 MFC after: 1 week (cherry picked from commit 218f80226b82763c3cbd48de560959ad546b5e26) libarchive: merge from vendor branch 2024-10-27T08:45:34Z Martin Matuska mm@FreeBSD.org 2024-10-20T08:22:09Z urn:sha1:2ae238160f205576f465cbbed2c397774bea3976 Libarchive 3.7.7 Security fixes: #2158 rpm: calculate huge header sizes correctly #2160 util: fix out of boundary access in mktemp functions #2168 uu: stop processing if lines are too long #2174 lzop: prevent integer overflow #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696) #2175 unzip: unify EOF handling #2179 rar4: fix out of boundary access with large files #2203 rar4: fix OOB access with unicode filenames #2210 rar4: add boundary checks to rgb filter #2248 rar4: fix OOB in delta filter #2249 rar4: fix OOB in audio filter #2256 fix multiple vulnerabilities identified by SAST #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing #2265 rar5: clear 'data ready' cache on window buffer reallocs #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256) #2330 iso: be more cautious about parsing ISO-9660 timestamps #2343 tar: clean up linkpath between entries #2364 tar: don't crash on truncated tar archives #2366 gzip: prevent a hang when processing a malformed gzip inside a gzip #2377 tar: fix two leaks in tar header parsing Important bugfixes: #2096 rar5: report encrypted entries #2150 xar: fix another infinite loop and expat error handling #2173 shar: check strdup return value #2161 lha: fix integer truncation on 32-bit systems #2338 tar: fix memory leaks when processing symlinks or parsing pax headers #2245 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes #2252 7-zip: read/write symlink paths as UTF-8 #2259 rar5: don't try to read rediculously long names #2290 ar: fix archive entries having no type #2360 tar: fix truncation of entry pathnames in specific archives CVE: CVE-2024-20696, CVE-2024-26256 (cherry picked from commit bd66c1b43e33540205dbc1187c2f2a15c58b57ba) libarchive: fix thread autodetermination for zstd compression format 2024-06-27T08:53:41Z Baptiste Daroussin bapt@FreeBSD.org 2024-05-03T13:37:29Z urn:sha1:8ef92ee26b9d8e5bb76a759b6356119b5a8b8e9d The libarchive code uses sysconf(3) to determine the number of threads when 0 has been given as the number of thread to use MFC after: 3 days (cherry picked from commit a25e0ba57ee17e75ab27fdc09ac3275a8215087e) libarchive: merge from vendor branch 2024-04-30T06:47:56Z Martin Matuska mm@FreeBSD.org 2024-04-29T08:15:04Z urn:sha1:8774c92e32b25cb0253f1a7a0fbf5d2e6fecc4a3 Libarchive 3.7.4 + three fixes from master Security fixes: #2135 rar: Fix OOB in rar e8 filter (CVE-2024-26256) #2145 zip: Fix out of boundary access #2148 rar: Fix OOB in rar delta filter #2149 rar: Fix OOB in rar audio filter Important bugfixes: #2131 7zip: Limit amount of properties #2110 bsdtar: Fix error handling around strtol() usages #2116 passphrase: Never allow empty passwords #2124 rar: Fix "File CRC Error" when extracting specific rar4 archives #2123 xar: Avoid infinite link loop #2150 xar: Fix another infinite loop and expat error handling #2108 zip: Update AppleDouble support for directories #2071 zstd: Implement core detectiongit (cherry picked from commit 13d826ff947d9026f98e317e7385b22abfc0eace) libarchive: add two missing package files to libarchive tests 2024-04-30T06:47:37Z Martin Matuska mm@FreeBSD.org 2024-04-17T07:58:32Z urn:sha1:3cf9a5010e7dbd77e152b340e19e8d59ca053f2e (cherry picked from commit 7d03ec330684a4e82e6113df3f40305849e5fb6c)