FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F14.2 2025-08-07T23:53:04Z 2025-08-07T23:53:04Z Martin Matuska mm@FreeBSD.org 2025-06-01T20:16:26Z urn:sha1:c0979bd2734f792c33bd45932f2eefe792dc74c2 libarchive 3.8.1 New features: #2088 7-zip reader: improve self-extracting archive detection #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support #2403 zip writer: added LZMA + RISCV BCJ filter #2601 bsdtar: support --mtime and --clamp-mtime #2602 libarchive: mbedtls 3.x compatibility Security fixes: #2422 tar reader: Handle truncation in the middle of a GNU long linkname (CVE-2024-57970) #2532 tar reader: fix unchecked return value in list_item_verbose() (CVE-2025-25724) #2532 unzip: fix null pointer dereference (CVE-2025-1632) #2568 warc: prevent signed integer overflow (CVE-2025-5916) #2584 rar: do not skip past EOF while reading (CVE-2025-5918) #2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917) #2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914) #2599 rar: fix heap-buffer-overflow (CVE-2025-5915) Important bugfixes: #2399 7-zip reader: add SPARC filter support for non-LZMA compressors #2405 tar reader: ignore ustar size when pax size is present #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter #2539 libarchive: add missing seeker function to archive_read_open_FILE() #2544 gzip: allow setting the original filename for gzip compressed files #2564 libarchive: improve lseek handling #2582 rar: support large headers on 32 bit systems #2587 bsdtar: don't hardlink negative inode files together #2596 rar: support large headers on 32 bit systems #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings #2634 tar: Support negative time values with pax #2637 tar: Keep block alignment after pax error #2642 libarchive: fix FILE_skip regression #2643 tar: Handle extra bytes after sparse entries #2649 compress: Prevent call stack overflow #2651 iso9660: always check archive_string_ensure return value CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724, CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918 PR: 286944 (exp-run, main, libarchive 3.8.0) Approved by: so Security: FreeBSD-SA-25:07.libarchive (cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47) (cherry picked from commit 6dad4525a2910496ecf3c41de659aac906f6c1f4) 2024-10-29T13:04:25Z Mark Johnston markj@FreeBSD.org 2024-10-22T12:48:04Z urn:sha1:6feb4f363cdbe6a41ca631b37d1451cd5f1191e0 Reviewed by: kib MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D47215 (cherry picked from commit 1249ee57e96b84e84015b433d0a3bfdef0c108bf) 2024-10-27T08:45:34Z Martin Matuska mm@FreeBSD.org 2024-10-20T08:22:09Z urn:sha1:2ae238160f205576f465cbbed2c397774bea3976 Libarchive 3.7.7 Security fixes: #2158 rpm: calculate huge header sizes correctly #2160 util: fix out of boundary access in mktemp functions #2168 uu: stop processing if lines are too long #2174 lzop: prevent integer overflow #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696) #2175 unzip: unify EOF handling #2179 rar4: fix out of boundary access with large files #2203 rar4: fix OOB access with unicode filenames #2210 rar4: add boundary checks to rgb filter #2248 rar4: fix OOB in delta filter #2249 rar4: fix OOB in audio filter #2256 fix multiple vulnerabilities identified by SAST #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing #2265 rar5: clear 'data ready' cache on window buffer reallocs #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256) #2330 iso: be more cautious about parsing ISO-9660 timestamps #2343 tar: clean up linkpath between entries #2364 tar: don't crash on truncated tar archives #2366 gzip: prevent a hang when processing a malformed gzip inside a gzip #2377 tar: fix two leaks in tar header parsing Important bugfixes: #2096 rar5: report encrypted entries #2150 xar: fix another infinite loop and expat error handling #2173 shar: check strdup return value #2161 lha: fix integer truncation on 32-bit systems #2338 tar: fix memory leaks when processing symlinks or parsing pax headers #2245 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes #2252 7-zip: read/write symlink paths as UTF-8 #2259 rar5: don't try to read rediculously long names #2290 ar: fix archive entries having no type #2360 tar: fix truncation of entry pathnames in specific archives CVE: CVE-2024-20696, CVE-2024-26256 (cherry picked from commit bd66c1b43e33540205dbc1187c2f2a15c58b57ba) 2024-10-25T11:30:26Z Christos Margiolis christos@FreeBSD.org 2024-10-18T08:42:12Z urn:sha1:7224e9f2d4af666550d93cf565db22b1f577f593 A new utility which dumps MIDI 1.0 events in real-time. Sponsored by: The FreeBSD Foundation MFC after: 1 week Reviewed by: dev_submerge.ch Differential Revision: https://reviews.freebsd.org/D46418 (cherry picked from commit f57efe95cc25ae527c632d4ffcf064799f922216) (cherry picked from commit b8007cfdb72c1be27d1d93937886fd60f21915ab) (cherry picked from commit feb9ba2993cf6aefa49b7b17ca49c52210c26035) (cherry picked from commit 53314e34d5e8e7f781ab990805b22f7a56bc0580) 2024-10-23T07:25:50Z Baptiste Daroussin bapt@FreeBSD.org 2024-10-14T07:37:46Z urn:sha1:6c1a174e4c0a01a40aa1c06dfc07a37a31cabe33 by being locale dependant the json export is invalid in locales where the separator for float is a comma. The Json and the XML are invalid for login-time when days contains contains characters which are not unicode. Forcing locale to be C, makes this json and xml output valid and also identical accross locales, so reliable for parsers PR: 276304 Reported by: Vedran Miletic <vedran@miletic.net> (cherry picked from commit bd490be57438a82c22d1274bc58d51142b63f4a0) 2024-10-23T07:24:09Z Baptiste Daroussin bapt@FreeBSD.org 2024-10-07T13:28:54Z urn:sha1:8610fcedb98bf6960c1bfd80084125016e1f8709 Following up from another review using basically the same code: remove useless cast replace uint32_t with unsigned int. No functional changes expected (cherry picked from commit 782766a32d963587a6aac8521aedd132b68a9dab) 2024-10-23T07:24:09Z Baptiste Daroussin bapt@FreeBSD.org 2024-10-07T09:43:50Z urn:sha1:379b9c6e7c680d14fac511ad7d5f54ea95c35681 genl monitor nlsysevent is now able to print the messages received (cherry picked from commit 883722891aa92fc6033020c67ec7f2f0d9fedf95) 2024-10-23T07:24:09Z Baptiste Daroussin bapt@FreeBSD.org 2024-10-07T10:08:29Z urn:sha1:58aca1634027fa469f8bcd4503803d8fee94393c (cherry picked from commit 33938d88e35b88c5f28ca10aac89d871fc9edc3f) 2024-10-23T07:24:09Z Baptiste Daroussin bapt@FreeBSD.org 2024-10-07T10:07:07Z urn:sha1:c116dea0be45de2ebc7c7f519bdfc33c69571054 the monitor command now subscribes too all groups if no "multicast group" is provided, this avoid potential collision with a group that could be named "all" (cherry picked from commit f45132db215be4d811e0efa0d01bcab72e4d0a59) 2024-10-23T07:24:09Z Baptiste Daroussin bapt@FreeBSD.org 2024-10-07T09:45:21Z urn:sha1:eff7d958dda8542dc5be4ac6109d0da2055c0d02 Add a special keyword "all" for the group name, which allows genl to monitor all groups in an existing family (cherry picked from commit 65e7a648693cc151990688f48c190df1c1fc858b)