libarchive (3.0.3-6ubuntu1.4) precise-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte character
    in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple markers
      in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

 -- Marc Deslauriers  Thu, 09 Mar 2017 11:34:04 -0500

libarchive (3.0.3-6ubuntu1.3) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed rar or cab files
    - debian/patches/CVE-2015-8916.patch: ignore entries with empty filenames
      in tar/read.c.
    - CVE-2015-8916
    - CVE-2015-8917
  * SECURITY UPDATE: denial of service via malformed lzh file
    - debian/patches/CVE-2015-8919.patch: recognize empty dir name in
      libarchive/archive_read_support_format_lha.c.
    - CVE-2015-8919
  * SECURITY UPDATE: buffer underflow parsing ar header
    - debian/patches/CVE-2015-8920.patch: check for empty filenames in
      libarchive/archive_read_support_format_ar.c.
    - CVE-2015-8920
  * SECURITY UPDATE: read past end of string parsing
    - debian/patches/CVE-2015-8921.patch: properly calculate string length in
      libarchive/archive_entry.c.
    - CVE-2015-8921
  * SECURITY UPDATE: segfault on malformed 7z archive
    - debian/patches/CVE-2015-8922.patch: reject some malformed files in
      libarchive/archive_read_support_format_7zip.c, added tests to
      Makefile.am, libarchive/test/test_read_format_7zip_malformed.7z.uu,
      libarchive/test/test_read_format_7zip_malformed.c,
      libarchive/test/test_read_format_7zip_malformed2.7z.uu,
      libarchive/test/CMakeLists.txt.
    - CVE-2015-8922
  * SECURITY UPDATE: segfault on malformed Zip archive
    - debian/patches/CVE-2015-8923.patch: properly handle sizes in
      libarchive/archive_read_support_format_zip.c, added tests to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_zip_malformed.c,
      libarchive/test/test_read_format_zip_malformed1.zip.uu.
    - CVE-2015-8923
  * SECURITY UPDATE: buffer overflow when processing tar files
    - debian/patches/CVE-2015-8924.patch: properly handle empty filenames in
      libarchive/archive_read_support_format_tar.c.
    - CVE-2015-8924
  * SECURITY UPDATE: improper newline parsing
    - debian/patches/CVE-2015-8925.patch: fix escaped newline parsing in
      libarchive/archive_read_support_format_mtree.c, added tests to
      libarchive/test/test_read_format_mtree.c,
      libarchive/test/test_read_format_mtree.mtree.uu.
    - CVE-2015-8925
  * SECURITY UPDATE: segfault on invalid rar archive
    - debian/patches/CVE-2015-8926.patch: properly handle return code in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2015-8926
  * SECURITY UPDATE: segfault via dir loop in malformed ISO
    - debian/patches/CVE-2015-8930.patch: limit recursion in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2015-8930
  * SECURITY UPDATE: integer overflow parsing time values
    - debian/patches/CVE-2015-8931.patch: fix time handling in
      libarchive/archive_read_support_format_mtree.c.
    - CVE-2015-8931
  * SECURITY UPDATE: crash via invalid compressed data
    - debian/patches/CVE-2015-8932.patch: add more checks to
      libarchive/archive_read_support_filter_compress.c, added tests to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_filter_compress.c.
    - CVE-2015-8932
  * SECURITY UPDATE: integer overflow via negative-sized sparse blocks
    - debian/patches/CVE-2015-8933.patch: add check to
      libarchive/archive_read_support_format_tar.c.
    - CVE-2015-8933
  * SECURITY UPDATE: heap overflow parsing malformed tar archives
    - debian/patches/CVE-2015-8934.patch: properly check reading from lzss
      decompression buffer in libarchive/archive_read_support_format_rar.c,
      added tests to Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_rar_invalid1.c,
      libarchive/test/test_read_format_rar_invalid1.rar.uu.
    - CVE-2015-8934
  * SECURITY UPDATE: overflow reading 7-Zip with large number of substreams
    - debian/patches/CVE-2016-4300.patch: add another limit to
      libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-4300
  * SECURITY UPDATE: crash via rar files with zero dictionary size
    - debian/patches/CVE-2016-4302.patch: handle zero-sized dictionary in
      libarchive/archive_ppmd7.c,
      libarchive/archive_read_support_format_rar.c.
    - CVE-2016-4302
  * SECURITY UPDATE: memory allocation issues with large cpio symlinks
    - debian/patches/CVE-2016-4809.patch: reject large symlinks in
      libarchive/archive_read_support_format_cpio.c.
    - CVE-2016-4809
  * SECURITY UPDATE: integer overflow when computing volume descriptor
    - debian/patches/CVE-2016-5844.patch: fix multiplications in
      libarchive/archive_read_support_format_iso9660.c.
    - CVE-2016-5844
  * debian/control: add dh-autoreconf to Build-Depends.
  * debian/rules: add autoreconf.

 -- Marc Deslauriers  Wed, 13 Jul 2016 11:52:16 -0400

libarchive (3.0.3-6ubuntu1.2) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed cpio archive
    - debian/patches/issue502.patch: fix implicit cast in
      libarchive/archive_read_support_format_cpio.c, reject attempts to move
      the file pointer by a negative amount in libarchive/archive_read.c.
    - CVE number pending.

 -- Marc Deslauriers  Fri, 13 May 2016 10:15:48 -0400

libarchive (3.0.3-6ubuntu1.1) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via integer signedness error
    - debian/patches/CVE-2013-0211.patch: limit write requests in
      libarchive/archive_write.c.
    - CVE-2013-0211
  * SECURITY UPDATE: absolute path traversal vulnerability in bsdcpio
    - debian/patches/CVE-2015-2304.patch: don't allow absolute paths by
      default in cpio/cpio.c, libarchive/archive.h,
      libarchive/archive_write_disk_posix.c, added test to
      libarchive/test/test_write_disk_secure.c, updated documentation in
      cpio/bsdcpio.1, libarchive/archive_write_disk.3.
    - CVE-2015-2304

 -- Marc Deslauriers  Tue, 24 Mar 2015 12:46:05 -0400

libarchive (3.0.3-6ubuntu1) precise; urgency=low

  * Add 03_ignore_fiemap_errors.patch: Ignore FIEMAP errors on linux <
    2.6.28. This fixes a failing test case (and thus FTBFS) when building
    this on hardy-based buildds. This can be dropped once the buildds get
    upgraded to something more modern. Thanks to Savvas Radevic for the
    patch! (LP: #942994)

 -- Martin Pitt  Fri, 16 Mar 2012 10:10:24 +0100

libarchive (3.0.3-6) unstable; urgency=low

  * Add patch to fix infinite loop in xps files (Closes: #662603)
    - Thanks for the patch to Savvas Radevic!

 -- Andreas Henriksson  Mon, 05 Mar 2012 16:23:05 +0100

libarchive (3.0.3-5) unstable; urgency=low

  * Detect if locales or locales-all is installed for use with test suite.
  * Bump Standards-Version to 3.9.3.

 -- Andres Mejia  Thu, 23 Feb 2012 19:29:24 -0500

libarchive (3.0.3-4) unstable; urgency=low

  * Ensure tests are not run via root. (Closes: #659294)

 -- Andres Mejia  Tue, 21 Feb 2012 16:01:26 -0500

libarchive (3.0.3-3) unstable; urgency=low

  * Update watch file to use new home for downloads.

 -- Andres Mejia  Mon, 06 Feb 2012 17:04:34 -0500

libarchive (3.0.3-2) unstable; urgency=low

  * Upload to unstable.
  * Update homepage to libarchive's new home.

 -- Andres Mejia  Mon, 06 Feb 2012 16:37:07 -0500

libarchive (3.0.3-1) experimental; urgency=low

  * New upstream release.
  * Fix for hurd build failure included in new release. (Closes: #653458)
  * Update copyright file.

 -- Andres Mejia  Mon, 16 Jan 2012 11:49:46 -0500

libarchive (3.0.2-3) experimental; urgency=low

  * Prepare an upload to experimental.

 -- Andres Mejia  Sat, 24 Dec 2011 20:39:17 -0500

libarchive (3.0.2-1) unstable; urgency=low

  * Prepare new upstream release.
  * Update package descriptions, deleting some information that doesn't
    apply to current build of packages.
  * Rename shared library package for soname bump.
  * Remove symbols files. Symbols file needs to be maintained better.
    Also, numerous symbols were in the file which were meant to stay private
    (all the __archive_* symbols for example).

 -- Andres Mejia  Sat, 24 Dec 2011 15:47:39 -0500

libarchive (3.0.1b-1) experimental; urgency=low

  * Package latest testing release.
  * Update debian/control, noting new 7zip support.
  * Fix package description for bsdcpio.
  * Update symbols file for new symbols added in libarchive-3.0.1b.

 -- Andres Mejia  Fri, 16 Dec 2011 17:28:03 -0500

libarchive (3.0.0a-1) experimental; urgency=low

  * Package testing release of libarchive for experimental.
  * Better ext2 file attribute/flag support included in new release.
    (Closes: #615875)
  * Remove all patches, applied in upstream source.
  * Add option to unapply patches for dpkg-source v3.
  * Change package name libarchive1 to libarchive11 to match soname bump.
  * Rename files used in packaging libarchive11.
  * Build depend on Nettle library.
  * Add mention of rar support in package description.
  * Remove installation of symlink for libarchive library file.
  * Explicitly build without openssl and with nettle support.
  * Add proper depends to new libarchive11 package.
  * Update symbols file for libarchive11.
  * Ensure bsdtar and bsdcpio are linked to shared library dynamically.
  * Build en_US.UTF-8 locale at runtime to pass test suite.

 -- Andres Mejia  Fri, 16 Dec 2011 16:31:37 -0500

libarchive (2.8.5-5) unstable; urgency=medium

  * Backport fixes for CVE-2011-1777 and CVE-2011-1778. (Closes: #651844)
  * Fix build failure for GNU/Hurd. (Closes: #651995)
  * Regenerate autoreconf patch.

 -- Andres Mejia  Wed, 14 Dec 2011 12:18:31 -0500

libarchive (2.8.5-4) unstable; urgency=low

  [ Andres Mejia ]
  * Improve each package's long description.
  * Refresh all patches.

  [ Samuel Thibault ]
  * Skip libacl1-dev build dependency on hurd (Closes: #645403)

  [ Andreas Henriksson ]
  * Add 0009-Patch-from-upstream-rev-3751.patch (Closes: #641265)
    + Thanks to Michael Cree for figuring out the details.

 -- Andres Mejia  Sun, 11 Dec 2011 21:55:59 -0500

libarchive (2.8.5-3) unstable; urgency=low

  * Fix upgrade breakage because of manpages being moved from libarchive1 to
    libarchive-dev. (Closes: #641978)
  * Make short descriptions for packages unique.
  * Explicitly set config options to be used during builds.

 -- Andres Mejia  Sun, 18 Sep 2011 10:25:34 -0400

libarchive (2.8.5-2) unstable; urgency=low

  * Add gbp.conf to enable pristine-tar to true by default.
  * Add myself to uploaders field.
  * Add default options to fail on any upstream changes during a build.
  * Bump Standards-Version to 3.9.2.
  * Remove duplicate "Section" field.
  * Remove unnecessary use of *.dirs dh files.
  * Remove unneeded build-deps.
  * Provide patch that implements changes made after running autoreconf -vif.
  * Remove generic comments from debian/rules.
  * Support parallel builds.
  * Remove commented lines from install file.
  * Add docs to all packages except the shared library package.
  * Remove unneeded use of 'debian/tmp' in path for install files.
  * Provide different mechanism to install symlink for libarchive1 package.
  * Move all manpages for libarchive1 to libarchive-dev.
  * Move libarchive-dev control stanza up. This will make libarchive-dev the
    default package for installing files into, such as the README.Debian.
  * Convert libarchive into multiarch library package.
  * Update Vcs-* entries.

 -- Andres Mejia  Sat, 17 Sep 2011 18:50:11 -0400

libarchive (2.8.5-1) unstable; urgency=low

  * Add 0010-Patch-from-upstream-rev-2811.patch
  * Drop "update-patch-series" target from debian/rules
  * Convert package to dh7
  * Imported Upstream version 2.8.5 (Closes: #640524)
  * Rebase patch queue and drop patches merged upstream
    - dropped 0003-Patch-from-upstream-rev-2516.patch
    - dropped 0010-Patch-from-upstream-rev-2811.patch

 -- Andreas Henriksson  Mon, 05 Sep 2011 17:35:36 +0200

libarchive (2.8.4-2) unstable; urgency=low

  * update-patch-series:
    + replace local patch with upstream commit.
      (Rebase patches branch to drop commit/patch
      "0007-Ignore-ENOSYS-error-when-sett...", in favor of upstream revision
      2537 added as "0007-Patch-from-upstream-rev-2537.patch")
    + add 0008-Patch-from-upstream-rev-2888.patch (Closes: #610079)
    + add 0009-Patch-from-upstream-rev-2940.patch (Closes: #610783)

 -- Andreas Henriksson  Tue, 09 Aug 2011 13:39:10 +0200

libarchive (2.8.4-1) unstable; urgency=low

  * Update debian/watch for new code.google.com layout.
  * update patch series:
    + added 0003-Patch-from-upstream-rev-2516.patch
      - Compatibility with WinISO generated iso files (Closes: #587513)
    + added 0004-Patch-from-upstream-rev-2514.patch
    + added 0005-Patch-from-upstream-rev-2520.patch
      - Enable version stripping code in iso9660/joliet (Closes: #587316)
  * Imported Upstream version 2.8.4
  * update-patch-series:
    + added 0006-Patch-from-upstream-rev-2521.patch
    + added 0007-Ignore-ENOSYS-error-when-sett... (Closes: #588925)
      - Big thanks to Modestas Vainius for awesome debugging!

 -- Andreas Henriksson  Thu, 15 Jul 2010 14:45:06 +0200

libarchive (2.8.3-1) unstable; urgency=low

  * Imported Upstream version 2.8.3
  * update-patch-series: 0001-Clear-archive_error_number-in-archiv...
    - gvfs has been fixed since, workaround not needed anymore.

 -- Andreas Henriksson  Fri, 23 Apr 2010 13:25:33 +0200

libarchive (2.8.0-2) unstable; urgency=low

  * Clean up libarchive.la file. (Closes: #571468)
    - Thanks to Sune Vuorela for suggesting this fix.
  * Update patch series:
    + added two patches matching revision 1990, 1991 from upstream regarding
      PATH_MAX hopefully fixing build on Hurd.

 -- Andreas Henriksson  Thu, 25 Feb 2010 22:31:13 +0100

libarchive (2.8.0-1) unstable; urgency=low

  * Set myself as maintainer (Closes: #570539).
    + co-maintainers welcome!
  * Imported Upstream version 2.8.0 (Closes: #559158)
  * Drop debian revision in symbols file.
  * Updated symbols for 2.8
  * Update rules for new build directory (config.aux -> build/autoconf)
  * Replace ${Source-Version} with ${source:Version} in control file.
  * Drop debian/shlibs.local.ex
  * Bump debhelper compatibility level to 5.
  * Stop trying to install non-existent usr/share/pkgconfig
  * Update Vcs fields to point to new collab-maint repository.
  * Update debian/copyright
  * Bump Standards-Version to 3.8.4
  * Add update-patch-series target in debian/rules.
  * Added patch to fix gvfsd-archive problems:
    + 0001-Clear-archive_error_number-in-archive_clear_error.patch
      (from http://bugs.gentoo.org/show_bug.cgi?id=289260#c1 )
  * Switch to dpkg-source 3.0 (quilt) format
  * Split Build-Depends on multiple lines.
  * Add liblzma-dev to Build-Depends for lzma support.
  * Add Build-Depends on libxml2-dev for xar support.
  * Explicitly give --without-openssl to configure.

 -- Andreas Henriksson  Tue, 23 Feb 2010 20:50:25 +0100

libarchive (2.6.2-2) unstable; urgency=low

  * Orphaning the package; set maintainer to QA group.

 -- John Goerzen  Fri, 19 Feb 2010 11:23:14 -0600

libarchive (2.6.2-1) unstable; urgency=low

  * New Upstream Version. Closes: #516577.
  * Update watch file to new homepage. Closes: #517398.

 -- John Goerzen  Thu, 12 Mar 2009 09:32:31 -0500

libarchive (2.6.1-1) unstable; urgency=low

  * New Upstream Version
  * Update homepage. Closes: #514835.
  * Clean up Debian rules. Patch partially from Bernhard R. Link.
    Closes: #480495.

 -- John Goerzen  Thu, 19 Feb 2009 09:28:57 -0600

libarchive (2.4.17-2) unstable; urgency=high

  [ John Goerzen ]
  * Ignore failures in test suite due to bugs in the testsuite that were
    turning into FTBFS bugs. Closes: #474400.
  * Added README.Debian documenting need for largefile support in sources.
    Mostly used suggested text found in #479728. Closes: #479728.

  [ Bernhard R. Link ]
  * Added symbols file for libarchive. Closes: #476516.

 -- John Goerzen  Thu, 05 Jun 2008 15:42:57 -0500

libarchive (2.4.17-1) unstable; urgency=high

  * New Upstream Version
  * This upstream version corrected several problems with the testsuite.
    Therefore, we can now run test suite after build. Closes: #473221.
  * uudecode is now used as part of the build. Added build-dep on sharutils.
    Fixes FTBFS. Closes: #473266.

 -- John Goerzen  Thu, 03 Apr 2008 09:25:04 -0500

libarchive (2.4.14-1) unstable; urgency=high

  * New upstream release. Closes: #465061, #448292. #465061 is grave bug, so
    setting urgency high.
  * Added Vcs-* and Homepage lines to debian/control

 -- John Goerzen  Sat, 29 Mar 2008 10:14:21 -0500

libarchive (2.4.11-1) unstable; urgency=low

  * New upstream version.
  * Move bsdtar to section utils. Closes: #460988.
  * Added bsdcpio package due to new upstream cpio command.

 -- John Goerzen  Mon, 21 Jan 2008 10:02:29 -0600

libarchive (2.2.4-1) unstable; urgency=high

  * New upstream version with security fixes. Closes: #432924.
    Fixes: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645

 -- John Goerzen  Fri, 13 Jul 2007 08:14:00 -0500

libarchive (2.2.3-1) unstable; urgency=low

  * New upstream version.

 -- John Goerzen  Wed, 06 Jun 2007 03:36:35 -0500

libarchive (2.0.25-3) unstable; urgency=low

  * SONAME should not be tied to the tarball version string (Closes: #418637)
    Provide libarchive.so.1 as a backwards-compatible symlink to
    libarchive.so.2, reverting the package name to libarchive1. Patch from
    Neil Williams.

 -- John Goerzen  Mon, 16 Apr 2007 13:50:29 +0100

libarchive (2.0.25-2) unstable; urgency=low

  * Remove build-dep on linux-kernel-headers for compatibility with BSD ports.
    Closes: #377480.

 -- John Goerzen  Tue, 13 Mar 2007 20:03:37 -0500

libarchive (2.0.25-1) unstable; urgency=low

  * New upstream version
  * Remove unnecessary dep on libarchive1. Closes: #396756.
  * Bump standards-version
  * Rename libarchive1 to libarchive2 to match new soname.

 -- John Goerzen  Tue, 13 Mar 2007 07:03:53 -0500

libarchive (1.3.1-1) unstable; urgency=high

  * New upstream release.
  * Applied FreeBSD patch for potential DoS. This is CVE-2006-5680,
    FreeBSD SA-06:24.

 -- John Goerzen  Mon, 18 Dec 2006 05:51:08 -0600

libarchive (1.2.53-2) unstable; urgency=low

  * Added build-dep on bison. Closes: #374200.

 -- John Goerzen  Sat, 17 Jun 2006 17:24:44 -0500

libarchive (1.2.53-1) unstable; urgency=low

  * New upstream version.
  * The bsdtar program has been integrated into the libarchive source package
    upstream. This package, therefore, now generates the bsdtar binary
    package.

 -- John Goerzen  Sat, 17 Jun 2006 10:44:05 -0500

libarchive (1.02.036-2) unstable; urgency=low

  * Added conflict on old libarchive-doc package. This package never existed
    in testing or stable, so this conflict can be removed before long.

 -- John Goerzen  Tue, 18 Oct 2005 11:02:06 -0500

libarchive (1.02.036-1) unstable; urgency=low

  * New upstream version, now with support for building as a .so.
  * Added build-dep on libattr1-dev.
  * No more libarchive-doc; its files now live in libarchive1.
  * Thanks to Bernhard R. Link for ideas for this package.

 -- John Goerzen  Mon, 17 Oct 2005 10:27:30 -0500

libarchive (1.02.034-2) unstable; urgency=low

  * Split off manpages into separate package libarchive-doc. The bsdtar
    manpages point readers to these.

 -- John Goerzen  Tue, 11 Oct 2005 05:36:28 -0500

libarchive (1.02.034-1) unstable; urgency=low

  * Initial release Closes: #333222.

 -- John Goerzen  Mon, 10 Oct 2005 19:24:56 -0500