This fixes the following CVEs:

- CVE-2025-5914
  Libarchive: double free at archive_read_format_rar_seek_data()
  in archive_read_support_format_rar.c
  https://www.cve.org/CVERecord?id=CVE-2025-5914

- CVE-2025-5915
  Libarchive: heap buffer over read in copy_from_lzss_window()
  at archive_read_support_format_rar.c
  https://www.cve.org/CVERecord?id=CVE-2025-5915

- CVE-2025-5916
  Libarchive: integer overflow while reading warc files
  at archive_read_support_format_warc.c
  https://www.cve.org/CVERecord?id=CVE-2025-5916

- CVE-2025-5917
  Libarchive: off by one error in build_ustar_entry_name()
  at archive_write_set_format_pax.c
  https://www.cve.org/CVERecord?id=CVE-2025-5917

- CVE-2025-5918
  Libarchive: reading past eof may be triggered for piped file streams
  https://www.cve.org/CVERecord?id=CVE-2025-5918

See the release notes:

- https://github.com/libarchive/libarchive/releases/tag/v3.8.0
- https://github.com/libarchive/libarchive/releases/tag/v3.8.1

In addition to the version bump, the following changes are required:

- The COPYING file has been edited upstream because of a filename change on a
  sub-licensed component; see
  c26f037745
- The upstream "sha256sums" is currently unavailable, so the archive checksum
  has been computed locally
- Drop patches for libiconv in configure.ac, which has been properly addressed
  upstream in https://github.com/libarchive/libarchive/pull/2611
- Following the above, AUTORECONF is not needed any longer
- Drop mbedtls patch that has been applied upstream

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 95db5707df)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>