rpi-buildroot/package/libarchive/libarchive.hash
Thomas Perale fde0b3fe1c package/libarchive: security bump to version 3.7.9
Fixes the following security issues:

- CVE-2024-57970: libarchive through 3.7.7 has a heap-based buffer
    over-read in header_gnu_longlink in archive_read_support_format_tar.c
    via a TAR archive because it mishandles truncation in the middle of a
    GNU long linkname.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-57970
  - 8291210321

- CVE-2025-1632: This affects the function list of the file bsdunzip.c.
    The manipulation leads to null pointer dereference. It is possible
    to launch the attack on the local host.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-1632
  - c9bc934e7e

- CVE-2025-25724: list_item_verbose in tar/util.c in libarchive through 3.7.7
    does not check an strftime return value, which can lead to a denial of
    service or unspecified other impact via a crafted TAR archive that is read
    with a verbose value of 2.
    For example, the 100-byte buffer may not be sufficient for a custom locale.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-25724
  - c9bc934e7e

The patch added in [1] is still needed for this version bump.

For more details on the version bump, see the release notes:
  - https://github.com/libarchive/libarchive/releases/tag/v3.7.8
  - https://github.com/libarchive/libarchive/releases/tag/v3.7.9

[1] 9ac63a3360 package/libarchive: fix uclibc build with libiconv (again)

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-04-11 19:52:19 +02:00


# From https://www.libarchive.de/downloads/sha256sums
sha256 ed8b5732e4cd6e30fae909fb945cad8ff9cb7be5c6cdaa3944ec96e4a200c04c libarchive-3.7.9.tar.xz
# Locally computed:
sha256 b2cdf763345de2de34cebf54394df3c61a105c3b71288603c251f2fa638200ba COPYING
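The two `sha256` lines above are what Buildroot's download step checks the fetched tarball and license file against. As an added example (not Buildroot's own `support/download/check-hash` script and not part of this commit), here is a small POSIX sh verifier for that line format: `<algo> <hexdigest> <filename>`, with `#` comment lines and blank lines ignored. The demo input is constructed: a file named `demo.tar.xz` whose content is the three bytes `abc` (SHA-256 `ba7816bf...15ad`, the standard test vector), not a real libarchive tarball.

```shell
#!/bin/sh
# Verify every file listed in a Buildroot-style .hash file.
# Returns 0 only if all listed files exist and match; 1 otherwise.
verify_hash_file() {
    hashfile=$1
    dir=$2
    status=0
    # "|| [ -n "$line" ]" also processes a last line without a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank or comment line
        esac
        set -- $line                      # split into: algo digest filename
        algo=$1 expected=$2 name=$3
        case $algo in
            sha256) tool=sha256sum ;;
            sha512) tool=sha512sum ;;
            sha1)   tool=sha1sum ;;
            md5)    tool=md5sum ;;
            *) echo "unsupported hash type '$algo' for $name" >&2; status=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        actual=$("$tool" "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2
            echo "  expected $expected" >&2
            echo "  got      $actual" >&2
            status=1
        fi
    done < "$hashfile"
    return $status
}

# Constructed demo: write $1 as the content of demo.tar.xz, list the SHA-256 of
# "abc" in a .hash file, and verify. Passing "abc" matches; anything else fails.
demo_verify() {
    tmp=$(mktemp -d)
    printf '%s' "$1" > "$tmp/demo.tar.xz"
    cat > "$tmp/demo.hash" <<'EOF'
# constructed for the example; digest is SHA-256("abc")
sha256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad demo.tar.xz
EOF
    verify_hash_file "$tmp/demo.hash" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_verify abc
```

The `# From https://www.libarchive.de/downloads/sha256sums` comment matters for what this check can and cannot tell you: a digest copied from upstream pins the tarball to what upstream published, so a later substitution on a mirror or in transit is caught, but a digest that was only computed locally (as for `COPYING`) pins the file to whatever the packager downloaded at the time and says nothing about its provenance.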