libarchive (3.7.4-4) unstable; urgency=medium
* Add the CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, and
CVE-2025-5917 patches.
Closes: #1107621, #1107622, #1107623, #1107626
-- Peter Pentchev <roam@debian.org> Thu, 24 Jul 2025 17:40:32 +0300
libarchive (3.7.4-3) unstable; urgency=medium
* Rename the CVE-2025-1632 patch to CVE-2025-1632-25724, use the exact
upstream commit that fixes two problems at once.
Also closes: #1103479
-- Peter Pentchev <roam@debian.org> Sun, 27 Apr 2025 23:19:29 +0300
libarchive (3.7.4-2) unstable; urgency=high
* Acknowledge NMU; thanks, Salvatore!
* Point to the debian/trixie branch in the gbp.conf file since
the master branch in the repository already contains changes that
did not make it in time for the Trixie freeze.
* Add the CVE-2025-1632 patch. Closes: #1103494
* Add the year 2025 to my debian/* copyright notice.
-- Peter Pentchev <roam@debian.org> Sat, 26 Apr 2025 11:34:57 +0300
libarchive (3.7.4-1.1) unstable; urgency=medium
* Non-maintainer upload.
* rar4 reader: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
(Closes: #1086155)
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 01 Nov 2024 21:30:39 +0100
libarchive (3.7.4-1) unstable; urgency=medium
* Drop a t64-related Lintian override.
* Declare compliance with Policy 4.7.0 with no changes.
* Use debhelper compat level 14:
- use X-DH-Compat
- let debhelper take care of some default dependencies
* New upstream version:
- use `git rm` in the `upstream` branch to remove two test files that
was forgotten in the upstream tarball generation
- update the symbols file
- drop the fix-OOB-in-rar-e8-filter-2135, iso9660-hash, test-zstd-32bit, and
robust-error-reporting patches, they were either taken from upstream or
integrated there
- refresh the typos patch
- refresh the line numbers in the fix-OOB-* patches
* Use debputy's X-Style: black.
-- Peter Pentchev <roam@debian.org> Wed, 07 Aug 2024 14:36:27 +0300
libarchive (3.7.2-2.1) unstable; urgency=medium
* Non-maintainer upload.
* fix: OOB in rar e8 filter (CVE-2024-26256) (Closes: #1072107)
* fix: OOB in rar delta filter
* fix: OOB in rar audio filter
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 01 Jun 2024 15:50:51 +0200
libarchive (3.7.2-2) unstable; urgency=medium
[ Luca Boccassi ]
* libarchive-dev: depend on -dev packages in an attempt to
fix pkg-config --static --libs
Addresses: 1056317; more work needed on libarchive's own
configure tests
[ Peter Pentchev ]
* Acknowledge Lukas Märdian 64-bit-time_t-related NMU. Thanks!
* Add the year 2024 to my debian/* copyright notice.
* Re-sort the dependencies lists in the debian/control file.
* Switch the pkg-config dependency over to pkgconf.
* Add the robust-error-reporting upstream patch. Closes: #1068047
-- Peter Pentchev <roam@debian.org> Sat, 30 Mar 2024 20:11:06 +0200
libarchive (3.7.2-1.1) unstable; urgency=medium
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition. Closes: #1062224
-- Lukas Märdian <slyon@debian.org> Thu, 29 Feb 2024 08:40:57 +0000
libarchive (3.7.2-1) unstable; urgency=medium
* Add the iso9660-hash patch to fix file ordering. Closes: #1051322
* Add the year 2023 to my debian/* copyright notice.
* Declare compatibility with version 1 of the dpkg build API:
- drop the implied Rules-Requires-Root declaration
- include dpkg's default.mk file for completeness
* Use dh-package-notes to record ELF package metadata.
* New upstream version:
- build and install the new bsdunzip tool in libarchive-tools
- drop the iconv-pkgconfig patch, applied upstream
- update the upstream copyright information
* Do not detect -amd64 versions in the watch file.
* Add the test-zstd-32bit upstream patch.
-- Peter Pentchev <roam@debian.org> Sat, 14 Oct 2023 18:28:55 +0300
libarchive (3.6.2-1) unstable; urgency=medium
[ Debian Janitor ]
* Set upstream metadata fields: Bug-Database.
* Update standards version to 4.6.0, no changes needed.
[ Peter Pentchev ]
* Declare compliance with Policy 4.6.2 with no changes.
* Fix the licensing of the blake2-related files.
Closes: #1023392
* New upstream version:
- fix a ZIP read vulnerability (CVE-2022-28066)
Closes: #1008953
- fix a memory allocation vulnerability (CVE-2022-36227)
Closes: #1024669
- refresh the typos patch
- remove a lot of libarchive internal functions from the shared
library's symbols file. These functions were never present in
any of the public-facing libarchive header files, so they should
not be referenced by any libarchive consumers. In version 3.6.2,
libarchive switched to a "hide internal symbols" policy, so that
these symbols are now not present in the shipped shared library.
- drop the optional internal symbols regular expressions, too;
now that libarchive hides its internal symbols, the appearance of
any names like that in the generated symbols file would be a bug
- add the iconv-pkgconfig patch to drop the reference to "iconv"
from the .pc file: on Debian systems, iconv(3) is part of glibc
-- Peter Pentchev <roam@debian.org> Sat, 24 Dec 2022 23:17:29 +0200
libarchive (3.6.0-1) unstable; urgency=medium
* New upstream version (Closes: #1007120):
- update the upstream copyright information
- drop some patches that were taken from the upstream source:
- lzip-large-dict
- upstream-fix-32bit-size-cast
- upstream-fixup-file-flags
- upstream-fixup-symlinks
- add another spelling correction to the typos patch
- update the line numbers in the typos patch
* Add the year 2022 to my debian/* copyright notice.
* Reorder the copyright file so that it makes sense.
-- Peter Pentchev <roam@debian.org> Wed, 30 Mar 2022 13:04:33 +0300
libarchive (3.5.2-1) unstable; urgency=medium
* Declare compliance with Debian Policy 4.6.0 with no changes.
* Add the year 2021 to my debian/* copyright notice.
* Drop the Breaks/Replaces relations for pre-oldstable versions of
bsdtar and bsdcpio.
* Fix some shellcheck complaints about the minitar autopkgtest.
* Use a comma, not a semicolon, in the Origin DEP-3 header.
* Annotate the sharutils build dependency with <!nocheck>.
Closes: #981654
* Drop the obsolete libattr1-dev build dependency. At the moment it is
still pulled in by libacl1-dev, but there is no reason for us not to
do the right thing, so that everything goes right when libacl1-dev
corrects its build dependency. Closes: #953931
* New upstream version:
- fix handling of symlink ACLs; Closes: 1001986
- never follow symlinks when setting file flags; Closes: 1001990
- update the upstream copyright information
- drop some patches that were taken from the upstream source:
- upstream-cpio-hardlink-type
- upstream-cpio-rdev
- upstream-unneeded-strlen
- upstream-hardlink-to-self
- upstream-set-format-error
- upstream-rar-read-format
- upstream-memory-stdlib
- upstream-max-comp-level
- upstream-isint-w
- update the library symbols file
* Add the lzip-large-dict patch to support larger lzip dictionaries.
Closes: #1001901
* Add the upstream-fixup-symlinks, upstream-fixup-file-flags, and
upstream-fix-32bit-size-cast patches, importing three upstream
post-3.5.2 commits.
-- Peter Pentchev <roam@debian.org> Wed, 22 Dec 2021 19:51:54 +0200
libarchive (3.4.3-2) unstable; urgency=medium
* Add some more upstream patches:
- upstream-isint-w
- upstream-unneeded-strlen
- upstream-hardlink-to-self
- upstream-set-format-error (with a typo corrected)
- upstream-rar-read-format
- upstream-memory-stdlib
- upstream-max-comp-level
* Drop the unused liblzo2 build dependency. According to upstream,
distributing libarchive binaries linked against liblzo2 violates
the liblzo2 GPL license, so libarchive does not even use it unless
explicitly requested, which we do not do anyway.
* Fix two problems related to cross-building libarchive.
Closes: #966637
- drop the gcc B-D that I added as a reminder that dropping --as-needed
was because it is handled automatically
- annotate the test dependencies with <!nocheck>; since we never run
the upstream test suite automatically, but only if the non-standard
"check" build option is specified, this has no effect on normal builds,
but it will fix cross-builds
-- Peter Pentchev <roam@debian.org> Sat, 01 Aug 2020 21:46:12 +0300
libarchive (3.4.3-1) unstable; urgency=medium
* New upstream release:
- update the upstream signing key
- update the typos patch, correct some more mistakes
- drop all the upstream-* patches
- add an upstream copyright notice for a new file
* Add the upstream-cpio-rdev and upstream-cpio-hardlink-type patches.
-- Peter Pentchev <roam@debian.org> Wed, 03 Jun 2020 16:40:28 +0300
libarchive (3.4.2-1) unstable; urgency=medium
* Minor correction to the debian/watch file to catch up with
the upstream site links.
* New upstream release:
- drop some patches that were taken from upstream:
- upstream-rar-use-after-free
- upstream-rar-uaf-test-eof
- upstream-rar-window-mask
- upstream-rar-window-test
- upstream-rar-filter-beyond
- upstream-archive-read-sparse
- upstream-archive-clean
- upstream-doc-7zip-zip
- upstream-open-without-openat
- upstream-lz4-uint32
- CVE-2020-9308 patch
- drop most of the typos patch - integrated upstream
- update the upstream copyright years
* Add some more corrections to the typos patch.
* Drop the Name and Contact upstream metadata fields.
* Drop the phony "build" target.
* Do not pass "--as-needed" to the linker: recent versions of the Debian
GCC package do that by default. Just in case, add a build dependency on
a recent version so that it is not forgotten e.g. in a backport.
* Add some upstream patches since 3.4.2.
* Update to debhelper compat level 13:
- `dh_missing --fail-missing` is the default now
- use execute_before/execute_after targets
* Drop the local-options file.
-- Peter Pentchev <roam@debian.org> Sat, 09 May 2020 22:04:02 +0300
libarchive (3.4.0-2) unstable; urgency=medium
* Declare compliance with Debian Policy 4.5.0 with no changes.
* Add the year 2020 to my debian/* copyright notice.
* Add the CVE-2020-9308 patch - invalid RAR5 headers. (Closes: #951759)
* Make the autopkgtests cross-test-friendly. (Closes: #953140)
-- Peter Pentchev <roam@debian.org> Sat, 07 Mar 2020 16:28:00 +0200
libarchive (3.4.0-1) unstable; urgency=medium
* Declare compliance with Debian Policy 4.4.0 with no changes.
* Mark the adequate test as superficial and give it a name.
* Update the watch file a bit:
- use the version 4 format placeholders
- drop the "pasv" option, no FTP upstream sites
- add the upstream signing key
* Run all available Salsa CI jobs.
* Drop the bsdtar and bsdcpio transitional packages.
Closes: #940745, #940753
* New upstream version:
- drop all the patches obtained from the upstream Git repository
(CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000879,
CVE-2018-1000880, CVE-2019-1000019, CVE-2019-1000020, and
zip-nullptr)
- update the library symbols file
* Add some bugfix patches obtained from upstream.
* Add the typos patch to correct some typographical and grammatical
errors.
* Update the upstream copyright information.
-- Peter Pentchev <roam@debian.org> Sat, 21 Sep 2019 01:44:44 +0300
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libarchive13t64`.
Generated by dwww version 1.16 on Tue Dec 16 11:18:30 CET 2025.