
[14/47] libarchive: upgrade 3.7.4 -> 3.7.5

Message ID 1727246960-20665-14-git-send-email-wangmy@fujitsu.com
State New
Series: [01/47] adwaita-icon-theme: upgrade 46.2 -> 47.0

Commit Message

Mingyu Wang (Fujitsu) Sept. 25, 2024, 6:48 a.m. UTC
From: Wang Mingyu <wangmy@fujitsu.com>

configurehack.patch
refreshed for 3.7.5

Changelog:
============
- fix multiple vulnerabilities identified by SAST
- cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
- lzop: prevent integer overflow
- rar4: protect copy_from_lzss_window_to_unp()
- rar4: fix CVE-2024-26256
- rar4: fix OOB in delta and audio filter
- rar4: fix out of boundary access with large files
- rar4: add boundary checks to rgb filter
- rar4: fix OOB access with unicode filenames
- rar5: clear 'data ready' cache on window buffer reallocs
- rpm: calculate huge header sizes correctly
- unzip: unify EOF handling
- util: fix out of boundary access in mktemp functions
- uu: stop processing if lines are too long
- 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes
- ar: fix archive entries having no type
- lha: do not allow negative file sizes
- lha: fix integer truncation on 32-bit systems
- shar: check strdup return value
- rar5: don't try to read ridiculously long names
- xar: fix another infinite loop and expat error handling
- many Windows fixes, cleanups and improvements

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../libarchive/libarchive/configurehack.patch     | 15 ++++++++-------
 .../{libarchive_3.7.4.bb => libarchive_3.7.5.bb}  |  2 +-
 2 files changed, 9 insertions(+), 8 deletions(-)
 rename meta/recipes-extended/libarchive/{libarchive_3.7.4.bb => libarchive_3.7.5.bb} (96%)

Comments

Ross Burton Sept. 26, 2024, 11:39 a.m. UTC | #1
> On 25 Sep 2024, at 07:48, wangmy via lists.openembedded.org <wangmy=fujitsu.com@lists.openembedded.org> wrote:
> 
> configurehack.patch
> refreshed for 3.7.5
> 
> Changelog:
> ============
> - fix multiple vulnerabilities identified by SAST
> - cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
> - lzop: prevent integer overflow
> - rar4: protect copy_from_lzss_window_to_unp()
> - rar4: fix CVE-2024-26256
> - rar4: fix OOB in delta and audio filter
> - rar4: fix out of boundary access with large files
> - rar4: add boundary checks to rgb filter
> - rar4: fix OOB access with unicode filenames
> - rar5: clear 'data ready' cache on window buffer reallocs
> - rpm: calculate huge header sizes correctly
> - unzip: unify EOF handling
> - util: fix out of boundary access in mktemp functions
> - uu: stop processing if lines are too long
> - 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes
> - ar: fix archive entries having no type
> - lha: do not allow negative file sizes
> - lha: fix integer truncation on 32-bit systems
> - shar: check strdup return value
> - rar5: don't try to read ridiculously long names
> - xar: fix another infinite loop and expat error handling
> - many Windows fixes, cleanups and improvements

This causes python-libarchive-c to fail ptests:

{'python3-libarchive-c': ['tests/test_entry.py:test_check_archiveentry_using_python_testtar']}

Ross
Ross Burton Sept. 26, 2024, 2:06 p.m. UTC | #2
> On 26 Sep 2024, at 12:39, Ross Burton via lists.openembedded.org <ross.burton=arm.com@lists.openembedded.org> wrote:
> This causes python-libarchive-c to fail ptests:
> 
> {'python3-libarchive-c': ['tests/test_entry.py:test_check_archiveentry_using_python_testtar']}

It already breaks opkg, but 3.7.6 has fixed that regression at least.  I’ve posted the upgrade to that so it’s on the list and nobody else tries it.

Ross

Patch

diff --git a/meta/recipes-extended/libarchive/libarchive/configurehack.patch b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
index 45fddd9147..1d416d4e6d 100644
--- a/meta/recipes-extended/libarchive/libarchive/configurehack.patch
+++ b/meta/recipes-extended/libarchive/libarchive/configurehack.patch
@@ -1,4 +1,8 @@ 
-To work with autoconf 2.73, tweak the macro ordering in configure.in.
+From 18d5b2ff6ba3bbe856777447e59ee4d3343b0131 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Thu, 27 Jul 2023 20:47:55 -0700
+Subject: [PATCH] To work with autoconf 2.73, tweak the macro ordering in
+ configure.in.
 
 Upstream-Status: Pending
 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
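Review bot: the refreshed header keeps "Upstream-Status: Pending" even though the patch now carries a From/Date of July 2023, so it has been carried across several libarchive releases without being submitted; either send the configure.ac macro reordering upstream (or record why it cannot be) or change the status to something that does not imply an imminent submission. The rest of the hunk only adds the git format-patch header (From, Date, Subject) above the existing description, which is the expected output of a devtool refresh and is fine as is.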
@@ -7,10 +11,10 @@  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  1 file changed, 13 insertions(+), 13 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 503bb75..e3101da 100644
+index 227275a..b75eb87 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -414,6 +414,19 @@ if test "x$with_bz2lib" != "xno"; then
+@@ -429,6 +429,19 @@ if test "x$with_bz2lib" != "xno"; then
    esac
  fi
  
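Review bot: the only changes in this hunk are the configure.ac index line and the @@ offset moving from 414 to 429; the next hunk moves 678 to 693 by the same 15 lines, so this is a pure context shift rather than a change to what the patch does. Worth stating in the commit message that the patch still applies cleanly without fuzz against 3.7.5, since that is what "refreshed" is meant to certify.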
@@ -30,7 +34,7 @@  index 503bb75..e3101da 100644
  AC_ARG_WITH([libb2],
    AS_HELP_STRING([--without-libb2], [Don't build support for BLAKE2 through libb2]))
  
-@@ -678,19 +691,6 @@ fi
+@@ -693,19 +706,6 @@ fi
  
  AC_SUBST(DEAD_CODE_REMOVAL)
  
@@ -50,6 +54,3 @@  index 503bb75..e3101da 100644
  # Check for tm_gmtoff in struct tm
  AC_CHECK_MEMBERS([struct tm.tm_gmtoff, struct tm.__tm_gmtoff],,,
  [
--- 
-2.34.1
-
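Review bot: dropping the "-- " / "2.34.1" trailer while adding a format-patch header in the first hunk leaves the patch file with a git header but no git signature line, which is inconsistent with plain `git format-patch` output; harmless for `patch`/`git am`, but regenerating the file with devtool end to end would keep it uniform. Please also check that the file ends with a newline after the removal, since the old trailing blank line is deleted here.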
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb b/meta/recipes-extended/libarchive/libarchive_3.7.5.bb
similarity index 96%
rename from meta/recipes-extended/libarchive/libarchive_3.7.4.bb
rename to meta/recipes-extended/libarchive/libarchive_3.7.5.bb
index da85764116..15a307c2f5 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.4.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.5.bb
@@ -33,7 +33,7 @@  SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
 SRC_URI += "file://configurehack.patch"
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 
-SRC_URI[sha256sum] = "7875d49596286055b52439ed42f044bd8ad426aa4cc5aabd96bfe7abb971d5e8"
+SRC_URI[sha256sum] = "37556113fe44d77a7988f1ef88bf86ab68f53d11e85066ffd3c70157cc5110f1"
 
 CVE_STATUS[CVE-2023-30571] = "upstream-wontfix: upstream has documented that reported function is not thread-safe"
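Review bot: the recipe change is just the rename and the new sha256sum, but per the comments above this version breaks the python3-libarchive-c ptest (tests/test_entry.py:test_check_archiveentry_using_python_testtar) and opkg, and 3.7.6 is reported to fix the opkg regression, so this patch should not merge as is; either go straight to 3.7.6 or add the regression fixes as backported patches alongside configurehack.patch. Independently, the new sha256sum should be stated in the commit message as verified against the upstream signed release rather than recomputed from the fetched tarball, and the unchanged context shows SRC_URI and UPSTREAM_CHECK_URI still on plain http://; the checksum pins the content, but switching to https:// would be a cheap improvement while the recipe is being touched.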