libarchive

Libarchive 3.7.5 is a bugfix and security release

Security fixes:

• fix multiple vulnerabilities identified by SAST (#2251, #2256)
• cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
• lzop: prevent integer overflow (#2174)
• rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
• rar4: fix CVE-2024-26256 (#2269, CVS-2024-26256)
• rar4: fix OOB in delta and audio filter (#2148, #2149)
• rar4: fix out of boundary access with large files (#2179)
• rar4: add boundary checks to rgb filter (#2210)
• rar4: fix OOB access with unicode filenames (#2203)
• rar5: clear 'data ready' cache on window buffer reallocs (#2265)
• rpm: calculate huge header sizes correctly (#2158)
• unzip: unify EOF handling (#2175)
• util: fix out of boundary access in mktemp functions (#2160)
• uu: stop processing if lines are too long (#2168)

Important bugfixes:

• 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes (#2245)
• ar: fix archive entries having no type (#2290)
• lha: do not allow negative file sizes (#2155)
• lha: fix integer truncation on 32-bit systems (#2161)
• shar: check strdup return value (#2173)
• rar5: don't try to read rediculously long names (#2259)
• xar: fix another infinite loop and expat error handling (#2150)
• many Windows fixes, cleanups and improvements

Thanks to all contributors and bug reporters!

Libarchive 3.7.4 is a bugfix and security release

Security fixes:

• rar: Fix OOB in rar e8 filter (#2135) (CVE-2024-26256)
• zip: Fix out of boundary access (#2145)

Important bugfixes:

• 7zip: Limit amount of properties (#2131)
• bsdtar: Fix error handling around strtol() usages (#2110)
• passphrase: Improve newline handling on Windows (#2115)
• passphrase: Never allow empty passwords (#2116)
• rar: Fix "File CRC Error" when extracting specific rar4 archives (#2124)
• xar: Avoid infinite link loop (#2123)
• zip: Update AppleDouble support for directories (#2108)
• zstd: Implement core detection (#2083, #2071)

Thanks to all contributors and bug reporters!

Libarchive 3.7.3 is a feature, security and bugfix release.

New features:

• PCRE2 support (#2031)
• add trailing letter b to bsdtar(1) substitute pattern (#2012)
• add support for long options "--group" and "--owner" to tar(1) (#2054)

Security fixes:

• Fix possible vulnerability in tar error reporting introduced in f27c173 (#2101)

Important bugfixes:

• ISO9660: preserve the natural order of links (#1974)
• rar5: fix decoding unicode filenames on Windows (#1978)
• rar5: fix infinite loop if during rar5 decompression the last block produced no data (#2105)
• xz filter: fix incorrect eof at the end of an lzip member (#2027)
• zip: fix end-of-data marker processing when decompressing zip archives (#2042)
• multiple bsdunzip(1) fixes (#2022, #2030)
• filetime truncation fix on Windows (#2050)

Thanks to all contributors and bug reporters.

Libarchive 3.7.2 is a security, bugfix and feature release.

Security fixes:

• Multiple vulnerabilities have been fixed in the PAX writer (1b4e0d0f9d445ba3e4d0c7db7ce0b30300572fe8)

Important bugfixes:

• bsdunzip(1) now correctly handles arguments following an -x after the zipfile

New features:

• bsdunzip(1) now supports the "--version" flag
• 7-zip reader now translates Windows permissions into UNIX permissions (#1943)
• uudecode filter in raw mode now supports file name and file mode
• zstd filter now supports the "long" write option (#1962)

Libarchive 3.7.1 is a security, feature and bugfix release.

Security fixes:

• SEGV and stack buffer overflow in verbose mode of cpio (#1934, #1935)

Feature updates:

• bsdunzip updated to match latest upstream code (#1926)

Important bugfixes:

• miscellaneous functional bugfixes (#1731, #1929, #1930)
• build fixes on multiple platforms (Android #1921, older MacOS X #1919, #1933 and others)

Thanks to all contributors and bug reporters.

Libarchive 3.7.0 is a feature and bugfix release.

New features:

• bsdunzip: new tool ported from FreeBSD (#1873)
  drop-in replacement for Info-ZIP unzip, not yet ported for Windows
• 7zip reader: support for Zstandard compression (#1894)
• 7zip reader: support for ARM64 filter (#1918)
• zstd filter: support for multi-frame zstd archives (#1818)

Other notable bugfixes and improvements:

• pax: fix year 2038 problem on platforms with 64-bit time_t (#1840)
• Windows: Universal Windows Platform (UWP) fixes and improvements (#1879, #1883, #1885, #1840)
• Windows: bcrypt usage fixes and improvements (#1881, #1887)
• Windows: time function usage fixes and improvements (#1820, #1824, #1830)

Thanks to all contributors and bug reporters.

Libarchive 3.6.2 is a bugfix and security release.

Important security fixes:

• NULL pointer dereference vulnerability in archive_write.c (#1754, #1759, CVE-2022-36227)

Important bug fixes:

• include ZSTD in Windows builds (#1688)
• SSL fixes on Windows (#1714, #1723, #1724)
• rar5 reader: fix possible garbled output with bsdtar -O (#1745)
• mtree reader: support reading mtree files with tabs (#1783)
• various small fixes for issues found by CodeQL

Libarchive 3.6.1 is a bugfix and security release.

Security fixes:

• 7zip reader: fix PPMD read beyond boundary (#1671)
• ZIP reader: fix possible out of bounds read (OSS-Fuzz 38766 #1672)
• ISO reader: fix possible heap buffer overflow in read_children() (OSS-Fuzz 38764, #1685)
• RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0)
  • fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50c69653029687bfc545703b7340b7a51e2)
  • fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f775dc917798ad7d03c3b3bd66bacad03603)
  • fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)

Libarchive 3.6.0 is a feature and bugfix release.

New features:

• tar: new option "--no-read-sparse" (#1614)
• tar: threads support for zstd (#1567)
• RAR reader: filter support (#1503)
• RAR5 reader: self-extracting archive support (#1585)
• ZIP reader: zstd decompression support (#1518)

Other notable bugfixes and improvements:

• tar: respect "--ignore-zeros" in c, r and u modes (#1620)
• reduced size of application binaries (#1625)
• internal code optimizations

Thanks to all contributors and bug reporters.

Libarchive 3.5.1 is a bugfix release.

Bugfixes:

• various compilation fixes (#1461, #1462, #1463, #1464)
• fixed undefined behavior in a function in warc reader (#1465)
• Windows binary uses xz 5.2.5

Thanks to all contributors and bug reporters.

Libarchive 3.5.3 is a security release

Security Fixes:

• extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
• fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)

Thanks to all contributors and bug reporters.

Libarchive 3.5.2 is a feature and security release.

New minor features:

• CPIO: Support for PWB and v7 binary cpio formats (#1502)
• ZIP reader: Support of deflate algorithm in symbolic link decompression (#1509)

Important security fixes:

• fix handling of symbolic link ACLs on Linux (#1565)
• never follow symlinks when setting file flags on Linux (e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b)
• do not follow symlinks when processing the fixup list (#1566)

Important bugfixes:

• fix extraction of hardlinks to symlinks (#1044)
• 7zip reader and writer fixes (#1480, #1532)
• RAR reader fixes (#1504, #1521)
• ZIP reader: fix excessive read for padded zip (#1514)
• CAB reader: fix double free (#1520)
• handle short writes from archive_write_callback (#1530)

Thanks to all contributors and bug reporters.

Libarchive 3.5.0 is a feature and bugfix release.

New features:

• mtree digest reader support (#1347)
• completed support for UTF-8 encoding conversion (#1389)
• minor API enhancements (#1258, #1405)
• support for system extended attributes (#1409)
• support for decompression of symbolic links in zipx archives (#1435)

Important bugfixes:

• fixed extraction of archives with hard links pointing to itself (#1381)
• cpio fixes (#1387, #1388)
• fixed uninitialized size in rar5_read_data (#1408)
• fixed memory leaks in error case of archive_write_open() functions (#1456)

Thanks to all contributors and bug reporters.

Libarchive 3.4.3 is a feature and bugfix release.

New features:

• support for pzstd compressed files (#1357)
• support for RHT.security.selinux tar extended attribute (#1348)

Important bugfixes:

• various zstd fixes and improvements (#1342 #1352 #1359)
• child process handling fixes (#1372)

Thanks to all contributors and bug reporters.

Libarchive 3.4.2 is a feature and security release.

New features:

• support for atomic file extraction (bsdtar -x --safe-writes) (#1289)
• support for mbed TLS (PolarSSL) (#1301)

Important bugfixes:

• security fixes in RAR5 reader (#1280 #1326)
• compression buffer fix in XAR writer (#1317)
• fix uname and gname longer than 32 characters in PAX writer (#1319)
• fix segfault when archiving hard links in ISO9660 and XAR writers (#1325)
• fix support for extracting 7z archive entries with Delta filter (#987)

Thanks to all contributors and bug reporters.
Special thanks to Christos Zoulas (@zoulasc) from NetBSD for the atomic file extraction feature.

Libarchive 3.4.1 is a feature and security release.

New features:

• Unicode filename support for reading lha/lzh archives
• New pax write option "xattrhdr"

Important bugfixes:

• security fixes in wide string processing (#1276 #1298)
• security fixes in RAR5 reader (#1212 #1217 #1296)
• security fixes and optimizations to write filter logic (#351)
• security fix related to use of readlink(2) (1dae5a549fe4ab99fd3a49a9edcf897a7b2b1844)
• sparse file handling fixes (#1218 #1260)

Thanks to all contributors and bug reporters for making libarchive such a great piece of software.

Libarchive 3.4.0 is a feature and security release.

Feature higlights:

• Support for file and directory symlinks on Windows
• Read support for RAR 5.0 archives
• Read support for ZIPX archives with xz, lzma, ppmd8 and bzip2 compression
• Support for non-recursive list and extract
• New tar option: --exclude-vcs
• Improved file attribute support on Linux and file flags support on FreeBSD
• 64-bit ar format support

Important bugfixes:

• fix reading Android APK archives (#1055 )
• fix problems related to unreadable directories (#1167)
• patches from OpenBSD to libarchive_fe/passphrase.c
• support extracting ACLs with in-entry comments (#1096)
• support extracting extattrs as non-root on non-user-writable files (#1023)
• a two-digit number of OSS-Fuzz issues was resolved in this release
• various resource leak, use-after-free and crash fixes

Thanks to all contributors and bug reporters for making libarchive such a great piece of software.
Special thanks to @antekone for implementing RAR 5.0 reader and ZIPX decompression support.

Libarchive 3.3.3 is a feature and security release.

Feature Higlights:

• support for zstandard read and write filters

Important bugfixes:

• NO_OVERWRITE doesn't change existing directory attributes
• Many fixes for building with Visual Studio
• Avoid super-linear slowdown on malformed mtree files

Notes:

• The full official release is available from https://libarchive.org. Github's source code snapshots below do not contain the generated autoconf build files that are included with the official release.

Libarchive 3.3.2 is a feature and security release.

Feature Higlights:

• librichacl support for Linux

Notes:

• The full official release is available from https://libarchive.org. Github's source code snapshots below do not contain the generated autoconf build files that are included with the official release.
• Linking libarchive against liblzo violates LZO GPL licence. Please don't distribute binary packages of libarchive linked against liblzo.

Libarchive v3.3.1 includes a few minor patches to v3.3.0 to address build issues identified late in the v3.3.0 release.

Note: The full official release is available from https://libarchive.org. Github's source snapshot below does not contain the generated autoconf build files that are included with the official release.

Note for package maintainers: Linking libarchive against liblzo violates LZO GPL licence. Please don't distribute binary packages of libarchive linked against liblzo.