libarchive (3.6.2-1+deb12u1) bookworm-security; urgency=high

  [ Peter Pentchev ]
  * Add the robust-error-reporting upstream patch. Closes: #1068047

  [ Salvatore Bonaccorso ]
  * fix: OOB in rar e8 filter (CVE-2024-26256) (Closes: #1072107)
  * fix: OOB in rar delta filter
  * fix: OOB in rar audio filter

 -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 02 Jun 2024 16:38:00 +0200

libarchive (3.6.2-1) unstable; urgency=medium

  [ Debian Janitor ]
  * Set upstream metadata fields: Bug-Database.
  * Update standards version to 4.6.0, no changes needed.

  [ Peter Pentchev ]
  * Declare compliance with Policy 4.6.2 with no changes.
  * Fix the licensing of the blake2-related files.
    Closes: #1023392
  * New upstream version:
    - fix a ZIP read vulnerability (CVE-2022-28066)
      Closes: #1008953
    - fix a memory allocation vulnerability (CVE-2022-36227)
      Closes: #1024669
    - refresh the typos patch
    - remove a lot of libarchive internal functions from the shared
      library's symbols file. These functions were never present in
      any of the public-facing libarchive header files, so they should
      not be referenced by any libarchive consumers. In version 3.6.2,
      libarchive switched to a "hide internal symbols" policy, so that
      these symbols are now not present in the shipped shared library.
    - drop the optional internal symbols regular expressions, too;
      now that libarchive hides its internal symbols, the appearance of
      any names like that in the generated symbols file would be a bug
    - add the iconv-pkgconfig patch to drop the reference to "iconv"
      from the .pc file: on Debian systems, iconv(3) is part of glibc

 -- Peter Pentchev <roam@debian.org>  Sat, 24 Dec 2022 23:17:29 +0200

libarchive (3.6.0-1) unstable; urgency=medium

  * New upstream version (Closes: #1007120):
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - lzip-large-dict
      - upstream-fix-32bit-size-cast
      - upstream-fixup-file-flags
      - upstream-fixup-symlinks
    - add another spelling correction to the typos patch
    - update the line numbers in the typos patch
  * Add the year 2022 to my debian/* copyright notice.
  * Reorder the copyright file so that it makes sense.

 -- Peter Pentchev <roam@debian.org>  Wed, 30 Mar 2022 13:04:33 +0300

libarchive (3.5.2-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.6.0 with no changes.
  * Add the year 2021 to my debian/* copyright notice.
  * Drop the Breaks/Replaces relations for pre-oldstable versions of
    bsdtar and bsdcpio.
  * Fix some shellcheck complaints about the minitar autopkgtest.
  * Use a comma, not a semicolon, in the Origin DEP-3 header.
  * Annotate the sharutils build dependency with <!nocheck>.
    Closes: #981654
  * Drop the obsolete libattr1-dev build dependency. At the moment it is
    still pulled in by libacl1-dev, but there is no reason for us not to
    do the right thing, so that everything goes right when libacl1-dev
    corrects its build dependency. Closes: #953931
  * New upstream version:
    - fix handling of symlink ACLs; Closes: 1001986
    - never follow symlinks when setting file flags; Closes: 1001990
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - upstream-cpio-hardlink-type
      - upstream-cpio-rdev
      - upstream-unneeded-strlen
      - upstream-hardlink-to-self
      - upstream-set-format-error
      - upstream-rar-read-format
      - upstream-memory-stdlib
      - upstream-max-comp-level
      - upstream-isint-w
    - update the library symbols file
  * Add the lzip-large-dict patch to support larger lzip dictionaries.
    Closes: #1001901
  * Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
    upstream-fix-32bit-size-cast patches, importing three upstream
    post-3.5.2 commits.

 -- Peter Pentchev <roam@debian.org>  Wed, 22 Dec 2021 19:51:54 +0200

libarchive (3.4.3-2) unstable; urgency=medium

  * Add some more upstream patches:
    - upstream-isint-w
    - upstream-unneeded-strlen
    - upstream-hardlink-to-self
    - upstream-set-format-error (with a typo corrected)
    - upstream-rar-read-format
    - upstream-memory-stdlib
    - upstream-max-comp-level
  * Drop the unused liblzo2 build dependency. According to upstream,
    distributing libarchive binaries linked against liblzo2 violates
    the liblzo2 GPL license, so libarchive does not even use it unless
    explicitly requested, which we do not do anyway.
  * Fix two problems related to cross-building libarchive.
    Closes: #966637
    - drop the gcc B-D that I added as a reminder that dropping --as-needed
      was because it is handled automatically
    - annotate the test dependencies with <!nocheck>; since we never run
      the upstream test suite automatically, but only if the non-standard
      "check" build option is specified, this has no effect on normal builds,
      but it will fix cross-builds

 -- Peter Pentchev <roam@debian.org>  Sat, 01 Aug 2020 21:46:12 +0300

libarchive (3.4.3-1) unstable; urgency=medium

  * New upstream release:
    - update the upstream signing key
    - update the typos patch, correct some more mistakes
    - drop all the upstream-* patches
    - add an upstream copyright notice for a new file
  * Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches.

 -- Peter Pentchev <roam@debian.org>  Wed, 03 Jun 2020 16:40:28 +0300

libarchive (3.4.2-1) unstable; urgency=medium

  * Minor correction to the debian/watch file to catch up with
    the upstream site links.
  * New upstream release:
    - drop some patches that were taken from upstream:
      - upstream-rar-use-after-free
      - upstream-rar-uaf-test-eof
      - upstream-rar-window-mask
      - upstream-rar-window-test
      - upstream-rar-filter-beyond
      - upstream-archive-read-sparse
      - upstream-archive-clean
      - upstream-doc-7zip-zip
      - upstream-open-without-openat
      - upstream-lz4-uint32
      - CVE-2020-9308 patch
    - drop most of the typos patch - integrated upstream
    - update the upstream copyright years
  * Add some more corrections to the typos patch.
  * Drop the Name and Contact upstream metadata fields.
  * Drop the phony "build" target.
  * Do not pass "--as-needed" to the linker: recent versions of the Debian
    GCC package do that by default. Just in case, add a build dependency on
    a recent version so that it is not forgotten e.g. in a backport.
  * Add some upstream patches since 3.4.2.
  * Update to debhelper compat level 13:
    - `dh_missing --fail-missing` is the default now
    - use execute_before/execute_after targets
  * Drop the local-options file.

 -- Peter Pentchev <roam@debian.org>  Sat, 09 May 2020 22:04:02 +0300

libarchive (3.4.0-2) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.5.0 with no changes.
  * Add the year 2020 to my debian/* copyright notice.
  * Add the CVE-2020-9308 patch - invalid RAR5 headers. (Closes: #951759)
  * Make the autopkgtests cross-test-friendly. (Closes: #953140)

 -- Peter Pentchev <roam@debian.org>  Sat, 07 Mar 2020 16:28:00 +0200

libarchive (3.4.0-1) unstable; urgency=medium

  * Declare compliance with Debian Policy 4.4.0 with no changes.
  * Mark the adequate test as superficial and give it a name.
  * Update the watch file a bit:
    - use the version 4 format placeholders
    - drop the "pasv" option, no FTP upstream sites
    - add the upstream signing key
  * Run all available Salsa CI jobs.
  * Drop the bsdtar and bsdcpio transitional packages.
    Closes: #940745, #940753
  * New upstream version:
    - drop all the patches obtained from the upstream Git repository
      (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
       CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and
       zip-nullptr)
    - update the library symbols file
  * Add some bugfix patches obtained from upstream.
  * Add the typos patch to correct some typographical and grammatical
    errors.
  * Update the upstream copyright information.

 -- Peter Pentchev <roam@debian.org>  Sat, 21 Sep 2019 01:44:44 +0300

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libarchive-dev`.

Generated by dwww version 1.15 on Wed Jun 26 03:24:45 CEST 2024.