This fixes the following CVEs:

- CVE-2025-5914
    Libarchive: double free at archive_read_format_rar_seek_data()
    in archive_read_support_format_rar.c
    https://www.cve.org/CVERecord?id=CVE-2025-5914

- CVE-2025-5915
    Libarchive: heap buffer over read in copy_from_lzss_window()
    at archive_read_support_format_rar.c
    https://www.cve.org/CVERecord?id=CVE-2025-5915

- CVE-2025-5916
    Libarchive: integer overflow while reading warc files
    at archive_read_support_format_warc.c
    https://www.cve.org/CVERecord?id=CVE-2025-5916

- CVE-2025-5917
    Libarchive: off by one error in build_ustar_entry_name()
    at archive_write_set_format_pax.c
    https://www.cve.org/CVERecord?id=CVE-2025-5917

- CVE-2025-5918
    Libarchive: reading past eof may be triggered for piped file streams
    https://www.cve.org/CVERecord?id=CVE-2025-5918

See the release notes:
- https://github.com/libarchive/libarchive/releases/tag/v3.8.0
- https://github.com/libarchive/libarchive/releases/tag/v3.8.1

In addition to the version bump, the following changes are required:
- The COPYING file has been edited upstream because of filename change on a
  sub-licensed component; see
  c26f037745
- The upstream "sha256sums" is currently unavailable, so the archive checksum
  has been computed locally
- Drop patches for libiconv in configure.ac, which has been properly addressed
  upstream in https://github.com/libarchive/libarchive/pull/2611
- Following the above, AUTORECONF is not needed any longer
- Drop mbedtls patch that has been applied upstream

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 95db5707df)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
# Locally computed after verifying the signature from
# https://www.libarchive.de/downloads/libarchive-3.8.1.tar.xz.asc
sha256 19f917d42d530f98815ac824d90c7eaf648e9d9a50e4f309c812457ffa5496b5 libarchive-3.8.1.tar.xz
# Locally computed:
sha256 30e556b3959e3985d66efefec5eaac51d4995053caa1d3cffe6eb916f146f229 COPYING