libarchive (3.6.0-1ubuntu1.5) jammy-security; urgency=medium

  * SECURITY UPDATE: double free issue
    - debian/patches/CVE-2025-5914.patch: rar: Fix double free with over
      4 billion nodes
    - CVE-2025-5914
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2025-5915.patch: rar: Fix heap-buffer-overflow
    - CVE-2025-5915
  * SECURITY UPDATE: integer overflow
    - debian/patches/CVE-2025-5916.patch: warc: Prevent signed integer
      overflow
    - CVE-2025-5916
  * SECURITY UPDATE: out-of-bound write overflow
    - debian/patches/CVE-2025-5917.patch: Fix overflow in
      build_ustar_entry
    - CVE-2025-5917

 -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 25 Jun 2025 15:21:03 +0530

libarchive (3.6.0-1ubuntu1.4) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted TAR archive
    - debian/patches/CVE-2025-25724.patch: make sure ltime is valid in
      tar/util.c.
    - CVE-2025-25724

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 10 Apr 2025 13:35:36 -0400

libarchive (3.6.0-1ubuntu1.3) jammy-security; urgency=medium

  * SECURITY UPDATE: code execution via negative copy length
    - debian/patches/CVE-2024-20696.patch: protect
      copy_from_lzss_window_to_unp() in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-20696

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 29 Oct 2024 10:03:06 +0100

libarchive (3.6.0-1ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2022-36227.patch: Add NULL check in
      archive_write functions
    - CVE-2022-36227
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48957.patch: check dst isn't less than or
      equal to src in execute_filter_audio
    - CVE-2024-48957
  * SECURITY UPDATE: Out of bounds access
    - debian/patches/CVE-2024-48958.patch: check dst isn't less than or
      equal to src in execute_filter_delta
    - CVE-2024-48958

 -- Bruce Cable <bruce.cable@canonical.com>  Mon, 14 Oct 2024 12:03:12 +1100

libarchive (3.6.0-1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Remove code execution
    - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter in
      libarchive/archive_read_support_format_rar.c.
    - CVE-2024-26256

 -- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>  Thu, 30 May 2024 16:05:48 -0300

libarchive (3.6.0-1ubuntu1) jammy; urgency=medium

  * Sync with Debian. (LP: #1967127)
    - Includes upstream fixes for CVE-2021-36976
  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
  * SECURITY UPDATE: possible out-of-bounds read
    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
    - CVE-2022-26280

 -- Jeremy Bicha <jbicha@ubuntu.com>  Wed, 06 Apr 2022 16:33:16 -0400

libarchive (3.6.0-1) unstable; urgency=medium

  * New upstream version (Closes: #1007120):
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - lzip-large-dict
      - upstream-fix-32bit-size-cast
      - upstream-fixup-file-flags
      - upstream-fixup-symlinks
    - add another spelling correction to the typos patch
    - update the line numbers in the typos patch
  * Add the year 2022 to my debian/* copyright notice.
  * Reorder the copyright file so that it makes sense.

 -- Peter Pentchev <roam@debian.org>  Wed, 30 Mar 2022 13:04:33 +0300

libarchive (3.5.2-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.6.0 with no changes.
  * Add the year 2021 to my debian/* copyright notice.
  * Drop the Breaks/Replaces relations for pre-oldstable versions of
    bsdtar and bsdcpio.
  * Fix some shellcheck complaints about the minitar autopkgtest.
  * Use a comma, not a semicolon, in the Origin DEP-3 header.
  * Annotate the sharutils build dependency with <!nocheck>.
    Closes: #981654
  * Drop the obsolete libattr1-dev build dependency. At the moment it is
    still pulled in by libacl1-dev, but there is no reason for us not to
    do the right thing, so that everything goes right when libacl1-dev
    corrects its build dependency. Closes: #953931
  * New upstream version:
    - fix handling of symlink ACLs; Closes: 1001986
    - never follow symlinks when setting file flags; Closes: 1001990
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - upstream-cpio-hardlink-type
      - upstream-cpio-rdev
      - upstream-unneeded-strlen
      - upstream-hardlink-to-self
      - upstream-set-format-error
      - upstream-rar-read-format
      - upstream-memory-stdlib
      - upstream-max-comp-level
      - upstream-isint-w
    - update the library symbols file
  * Add the lzip-large-dict patch to support larger lzip dictionaries.
    Closes: #1001901
  * Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
    upstream-fix-32bit-size-cast patches, importing three upstream
    post-3.5.2 commits.

 -- Peter Pentchev <roam@debian.org>  Wed, 22 Dec 2021 19:51:54 +0200

libarchive (3.4.3-2) unstable; urgency=medium

  * Add some more upstream patches:
    - upstream-isint-w
    - upstream-unneeded-strlen
    - upstream-hardlink-to-self
    - upstream-set-format-error (with a typo corrected)
    - upstream-rar-read-format
    - upstream-memory-stdlib
    - upstream-max-comp-level
  * Drop the unused liblzo2 build dependency.
    According to upstream, distributing libarchive binaries linked
    against liblzo2 violates the liblzo2 GPL license, so libarchive does
    not even use it unless explicitly requested, which we do not do
    anyway.
  * Fix two problems related to cross-building libarchive.
    Closes: #966637
    - drop the gcc B-D that I added as a reminder that dropping
      --as-needed was because it is handled automatically
    - annotate the test dependencies with <!nocheck>; since we never run
      the upstream test suite automatically, but only if the
      non-standard "check" build option is specified, this has no effect
      on normal builds, but it will fix cross-builds

 -- Peter Pentchev <roam@debian.org>  Sat, 01 Aug 2020 21:46:12 +0300

libarchive (3.4.3-1) unstable; urgency=medium

  * New upstream release:
    - update the upstream signing key
    - update the typos patch, correct some more mistakes
    - drop all the upstream-* patches
    - add an upstream copyright notice for a new file
  * Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches.

 -- Peter Pentchev <roam@debian.org>  Wed, 03 Jun 2020 16:40:28 +0300

# For older changelog entries, run 'apt-get changelog libarchive13'