path: root/contrib/libarchive
Commit message | Author | Age | Files | Lines
* MFC r368207,368607: [stable/10] | Martin Matuska | 2020-12-16 | 59 | -186/+1295
  MFC r368207:
  Update libarchive to 3.5.0

  Relevant vendor changes:
    Issue #1258: add archive_read_support_filter_by_code()
    PR #1347: mtree digest reader support
    Issue #1381: skip hardlinks pointing to itself on extraction
    PR #1387: fix writing of cpio archives with hardlinks without file type
    PR #1388: fix rdev field in cpio format for device nodes
    PR #1389: completed support for UTF-8 encoding conversion
    PR #1405: more formats in archive_read_support_format_by_code()
    PR #1408: fix uninitialized size in rar5_read_data
    PR #1409: system extended attribute support
    PR #1435: support for decompression of symbolic links in zipx archives
    Issue #1456: memory leak after unsuccessful archive_write_open_filename

  MFC r368607:
  Sync libarchive with vendor.

  Vendor changes:
    Issue #1461: Unbreak build without lzma
    Issue #1462: warc reader: Fix build with gcc11
    Issue #1463: Fix code compatibility in test_archive_read_support.c
    Issue #1464: Use built-in strnlen on platforms where not available
    Issue #1465: warc reader: fix undefined behaviour in deconst() function

  Notes:
    svn path=/stable/10/; revision=368708
* MFC r361294: | Martin Matuska | 2020-06-12 | 28 | -461/+647
  Update libarchive to 3.4.3

  Relevant vendor changes:
    PR #1352: support negative zstd compression levels
    PR #1359: improve zstd version checking
    PR #1348: support RHT.security.selinux from GNU tar
    PR #1357: support for archives compressed with pzstd
    PR #1367: fix issues in acl tests
    PR #1372: child handling cleanup
    PR #1378: fix memory leak from passphrase callback

  Notes:
    svn path=/stable/10/; revision=362134
* MFC r358533: | Martin Matuska | 2020-03-13 | 12 | -40/+132
  Sync libarchive with vendor.

  Relevant vendor changes:
    Issue #1257: Add testcase for ZIPX files with LZMA_STREAM_END marker
    PR #1331: cpio.5: fix hard link description
    Issue #1335: archive_read.c: fix UBSan warning about undefined behavior
    Issue #1338: XAR reader: fix UBSan warning about undefined behavior
    Issue #1339: bsdcpio_test: fix datatype in from_hex()
    Issue #1341: Safe writes: delete temporary file if rename fails.
    Issue #1341: Safe writes: improve error handling

  Notes:
    svn path=/stable/10/; revision=358927
* MFC r356212,r356366,r356416,r357785 | Martin Matuska | 2020-02-19 | 156 | -927/+4060
  Update libarchive to version 3.4.2

  Relevant vendor changes (r356212):
    Issue #351: Refactor and implement private state logic for write filters
    PR #1252: RAR5 reader - verify window size for solid files (OSS-Fuzz 15482)
    PR #1255: zip writer - don't append unused NUL for directories
    PR #1260: Fix sparse file offset overflow on 32-bit systems
    PR #1263: UNICODE filename support for reading lha/lzh format
    Issue #1276: Bugfix and optimize archive_wstring_append_from_mbs()
    PR #1288: Add the "xattrhdr" option to pax write options
    PR #1295: 7z reader - fix reading archives with digests in PackInfo
    PR #1296: RAR5 reader - verify window size for multivolume archives
    PR #1297: ZIP reader - support LZMA_STREAM_END marker in 'lzma alone' files
    Issue #1298: Fix a heap-buffer-overflow in archive_string_append_from_wcs()
    OSS-Fuzz 19360, 19362: LHA reader - plug two memory leaks on error
    Fix possible off-by-one when dealing with readlink(2)

  Relevant vendor changes (r356366):
    Issue #1302: Plug memory leak on failure of archive_write_client_open()

  Relevant vendor changes (r356416):
    Issue #1302: Re-do fix for archive_write_client_open()

  Relevant vendor changes (r357785):
    PR #1289: atomic extraction support (bsdtar -x --safe-writes)
    PR #1308: big endian fix for UTF16 support in LHA reader
    PR #1326: reject RAR5 files that declare invalid header flags
    Issue #987: fix support 7z archive entries with Delta filter
    Issue #1317: fix compression output buffer handling in XAR writer
    Issue #1319: fix uname or gname longer than 32 characters in pax writer
    Issue #1325: fix use after free when archiving hardlinks in ISO9660 or XAR
    Use localtime_r() and gmtime_r() instead of localtime() and gmtime()

  Notes:
    svn path=/stable/10/; revision=358090
* MFC r316456,352732: | Martin Matuska | 2019-10-09 | 60 | -331/+584
  Sync libarchive with vendor.

  MFC r316456:
  Vendor changes (FreeBSD-related):
    Report which extended attributes could not be restored
    Update archive_read_disk.3 and archive_write_disk.3 manual pages
    Plug memory leaks in xattr tests.

  MFC r352732:
  Relevant vendor changes:
    Issue #1237: Fix integer overflow in archive_read_support_filter_lz4.c
    PR #1249: Correct some typographical and grammatical errors.
    PR #1250: Minor corrections to the formatting of manual pages

  Notes:
    svn path=/stable/10/; revision=353377
* MFC r349527,349538: | Martin Matuska | 2019-07-11 | 5 | -3/+30
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #1217: RAR5 reader - fix ARM filter going beyond window buffer boundary (OSS-Fuzz 15431)
    PR #1218: Fixes to sparse file handling

  Notes:
    svn path=/stable/10/; revision=349901
* MFC r348993,349135: | Martin Matuska | 2019-06-28 | 15 | -114/+966
  Sync libarchive with vendor including security fixes

  r348993:
    - version bumped to 3.4.0
    - check_symlinks_fsobj() without chdir() and fchdir()
    - bsdtar.1 manpage fixes
    - patches from OpenBSD to libarchive_fe/passphrase.c

  r349135:
    PR #1212: RAR5 reader - window_mask was not updated correctly (OSS-Fuzz 15278)
    OSS-Fuzz 15120: RAR reader - extend use after free bugfix

  Notes:
    svn path=/stable/10/; revision=349525
* MFC r347990: | Martin Matuska | 2019-06-04 | 86 | -3638/+7030
  Sync libarchive with vendor.

  Relevant vendor changes:
    Issue #795: XAR - do not try to add xattrs without an allocated name
    PR #812: non-recursive option for extract and list
    PR #958: support reading metadata from compressed files
    PR #999: add --exclude-vcs option to bsdtar
    Issue #1062: treat empty archives with a GNU volume header as valid
    PR #1074: Handle ZIP files with trailing 0s in the extra fields (Android APK archives)
    PR #1109: Ignore padding in Zip extra field data (Android APK archives)
    PR #1167: fix problems related to unreadable directories
    Issue #1168: fix handling of strtol() and strtoul()
    PR #1172: RAR5 - fix invalid window buffer read in E8E9 filter
    PR #1174: ZIP reader - fix of MSZIP signature parsing
    PR #1175: gzip filter - fix reading files larger than 4GB from memory
    PR #1177: gzip filter - fix memory leak with repeated header reads
    PR #1180: ZIP reader - add support for Info-ZIP Unicode Path Extra Field
    PR #1181: RAR5 - fix merge_block() recursion (OSS-Fuzz 12999, 13029, 13144, 13478, 13490)
    PR #1183: fix memory leak when decompressing ZIP files with LZMA
    PR #1184: fix RAR5 OSS-Fuzz issues 12466, 14490, 14491, 12817
      OSS-Fuzz 12466: RAR5 - fix buffer overflow when parsing huffman tables
      OSS-Fuzz 14490, 14491: RAR5 - fix bad shift-left operations
      OSS-Fuzz 12817: RAR5 - handle a case with truncated huffman tables
    PR #1186: RAR5 - fix invalid type used for dictionary size mask (OSS-Fuzz 14537)
    PR #1187: RAR5 - fix integer overflow (OSS-Fuzz 14555)
    PR #1190: RAR5 - RAR5 don't try to unpack entries marked as directories (OSS-Fuzz 14574)
    PR #1196: RAR5 - fix a potential SIGSEGV on 32-bit builds
    OSS-Fuzz 2582: RAR - fix use after free if there is an invalid entry
    OSS-Fuzz 14331: RAR5 - fix maximum owner name length
    OSS-Fuzz 13965: RAR5 - use unsigned int for volume number + range check

  Additional RAR5 reader changes:
    - support symlinks, hardlinks, file owner, file group, versioned files
    - change ARCHIVE_FORMAT_RAR_V5 to 0x100000
    - set correct mode for readonly directories
    - support readonly, hidden and system Windows file attributes

  MFC r347999:
  Install missing data file for lib.libarchive.functional_test.test_read_format_zip_utf8_paths

  Notes:
    svn path=/stable/10/; revision=348608
* MFC r345497: | Martin Matuska | 2019-04-10 | 15 | -222/+359
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #1153: fixed 2 bugs in ZIP reader [1]
    PR #1143: ensure archive_read_disk_entry_from_file() uses ARCHIVE_READ_DISK
    Changes to file flags code, support more file flags on FreeBSD:
      UF_OFFLINE, UF_READONLY, UF_SPARSE, UF_REPARSE, UF_SYSTEM
      UF_ARCHIVE is not supported by intention (yet)

  PR: 236300 [1]

  Notes:
    svn path=/stable/10/; revision=346105
* MFC r344063,r344088: | Martin Matuska | 2019-02-28 | 36 | -324/+3247
  MFC r344063:
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #1085: Fix a null pointer dereference bug in zip writer
    PR #1110: ZIP reader added support for XZ, LZMA, PPMD8 and BZIP2 decompression
    PR #1116: Add support for 64-bit ar format
    PR #1120: Fix a 7zip crash [1] and a ISO9660 infinite loop [2]
    PR #1125: RAR5 reader - fix an invalid read and a memory leak
    PR #1131: POSIX reader - do not fail when tree_current_lstat() fails due to ENOENT [3]
    PR #1134: Delete unnecessary null pointer checks before calls of free()
    OSS-Fuzz 10843: Force intermediate to uint64_t to make UBSAN happy.
    OSS-Fuzz 11011: Avoid buffer overflow in rar5 reader

  MFC r344088:
  archive_read_disk_posix.c: initialize delayed_errno

  PR: 233006 [3]
  Security: CVE-2019-1000019 [1], CVE-2019-1000020 [2]

  Notes:
    svn path=/stable/10/; revision=344674
* MFC r339746,339751,339794,340866,340939,342042: | Martin Matuska | 2018-12-21 | 41 | -41/+10292
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #1013: Add missing h_base offset when performing absolute seeks in xar decompression
    PR #1023: Support extracting extattrs as non-root on non-user-writeable files
    PR #1061: Add support for extraction of RAR v5 archives
    PR #1066: Fix out of bounds read on empty string filename for gnutar, pax and v7tar
    PR #1067: Fix temporary file path buffer overflow in tests
    IS #1068: Correctly process and verify integer arguments passed to bsdcpio and bsdtar
    PR #1070: Don't default XAR entry atime/mtime to the current time
    PR #1080: Spelling fixes
    PR #1084: RAR5 reader bugfixes
    PR #1091: fix use-after-free in delayed newc link processing
    PR #1092: Fix a few obvious resource leaks and strcpy() misuses
    IS #1096: Support extracting ACLs with in-entry comments (GNU tar)
    PR #1102: RAR5 reader - fix big-endian problems
    PR #1105: Fix various crash, memory corruption and infinite loop conditions
    RAR5 reader: FreeBSD build platform fixes for powerpc(64), mips(64), sparc64 and riscv64
    RAR5 reader: more maybe-uninitialized size_t fixes for riscv64 FreeBSD build

  Notes:
    svn path=/stable/10/; revision=342361
* MFC r338827: | Martin Matuska | 2018-09-28 | 7 | -2/+22
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #1019: Add allocation check for the zip_entry struct
    Oss-Fuzz #10192: Handle whitespace-only ACL fields correctly

  Notes:
    svn path=/stable/10/; revision=339006
* MFC r338600: | Martin Matuska | 2018-09-19 | 8 | -32/+93
  Update libarchive to 3.3.3

  As all important changes have already been merged from libarchive git
  this is just a version number bump, documentation update and some polishing
  for cpio tests. Other source code changes are not relevant to FreeBSD.

  Relnotes: yes

  Notes:
    svn path=/stable/10/; revision=338796
* MFH r337745: | Martin Matuska | 2018-08-18 | 1 | -12/+17
  Sync libarchive with vendor.

  Vendor changes:
    PR #1042: validate iso9660 directory record length

  MFC after: 3 days
  Security: CVE-2017-14501

  Notes:
    svn path=/stable/10/; revision=338034
* MFH r336801,r336854: | Martin Matuska | 2018-08-05 | 20 | -68/+213
  MFH r336801 (cem):
  Cherry-pick upstream 2c8c83b9

  Relevant vendor changes:
    Fix issue #948: out-of-bounds read in lha_read_data_none()

  MFH r336854:
  Sync libarchive with vendor.

  Important vendor changes:
    PR #993: Chdir to -C directory for metalog processing
    OSS-Fuzz #4969: Check size of the extended time field in zip archives
    PR #973: Record informational compression level in gzip header

  amdbugs: 877
  Security: CVE-2017-14503

  Notes:
    svn path=/stable/10/; revision=337352
* MFH r328332: | Martin Matuska | 2018-02-03 | 29 | -94/+230
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #893: delete dead ppmd7 alloc callbacks
    PR #904: Fix archive freeing bug in bsdcat
    PR #961: Fix ZIP format names
    PR #962: Don't modify attributes for existing directories when ARCHIVE_EXTRACT_NO_OVERWRITE is set
    PR #964: Fix -Werror=implicit-fallthrough= for GCC 7
    PR #970: zip: Allow backslash as path separator

  Notes:
    svn path=/stable/10/; revision=328828
* MFH r324148: | Martin Matuska | 2017-10-08 | 49 | -48/+1494
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #905: Support for Zstandard read and write filters
    PR #922: Avoid overflow when reading corrupt cpio archive
    Issue #935: heap-based buffer overflow in xml_data (CVE-2017-14166)
    OSS-Fuzz 2936: Place a limit on the mtree line length
    OSS-Fuzz 2394: Ensure that the ZIP AES extension header is large enough
    OSS-Fuzz 573: Read off-by-one error in RAR archives (CVE-2017-14502)

  Security: CVE-2017-14166, CVE-2017-14502

  Notes:
    svn path=/stable/10/; revision=324418
* MFH r321674: | Martin Matuska | 2017-08-04 | 2 | -3/+4
  Sync libarchive with vendor.

  Relevant vendor changes:
    PR #926: ensure ar strtab is null terminated

  PR: 220462

  Notes:
    svn path=/stable/10/; revision=322072
* MFC r320927,320931,320932: | Martin Matuska | 2017-07-20 | 4 | -4/+8
  Bump libarchive to 3.3.2

  Vendor changes:
    PR #901: don't depend on stdin in a testcase

  Relnotes: yes

  Notes:
    svn path=/stable/10/; revision=321304
* MFC r317782,318181: | Martin Matuska | 2017-05-18 | 35 | -311/+253
  MFC r317782 (mm):
  Sync libarchive with vendor

  Vendor changes (FreeBSD-related):
    PR 897: add test for ZIP archives with invalid EOCD headers
    PR 901: fix invalid renaming of sparse files
    OSS-Fuzz issue 497: remove fallback tree in LZX decoder
    OSS-Fuzz issue 527: rewrite expressions in lz4 filter
    OSS-Fuzz issue 577: fix integer overflow in cpio reader
    OSS-Fuzz issue 862: fix numeric parsing in mtree reader
    OSS-Fuzz issue 1097: fix undefined shift in rar reader
    cpio: various optimizations and memory leak fixes

  MFC r318181 (ngie) (2):
  cpio/tests/test_option_lz4: fix a use after free in the failure case

  Reported by: Coverity (2)
  Sponsored by: Dell EMC Isilon (2)

  Notes:
    svn path=/stable/10/; revision=318483
* MFC r315636,315876,316095: | Martin Matuska | 2017-03-31 | 43 | -2573/+2127
  Sync libarchive with vendor

  Vendor changes/bugfixes (FreeBSD-related):

  r315636:
    PR 867 (bsdcpio): show numeric uid/gid when names are not found
    PR 870 (seekable zip): accept files with valid ZIP64 EOCD headers
    PR 880 (pax): Fix handling of "size" pax header keyword
    PR 887 (crypto): Discard 3072 bytes instead of 1024 of first keystream
    OSS-Fuzz issue 806 (mtree): rework mtree_atol10 integer parser
    Break ACL read/write code into platform-specific source files

  r315876:
    Store extended attributes with extattr_set_link() if no fd is provided
    Add extended attribute tests to libarchive and bsdtar
    Fix tar's test_option_acls
    Support the UF_HIDDEN file flag

  r316095:
    Constify variables in several places
    Unify platform ACL code in a single source file
    Fix unused variable if compiling on FreeBSD without NFSv4 ACL support

  Notes:
    svn path=/stable/10/; revision=316338
* MFC r314571: | Martin Matuska | 2017-03-16 | 60 | -8615/+2970
  Update libarchive to version 3.3.1 (and sync with latest vendor dist)

  Notable vendor changes:
    PR #501: improvements in ACL path handling
    PR #724: fix hang when reading malformed cpio files
    PR #864: fix out of bounds read with malformed GNU tar archives
    Documentation, style, test suite improvements and typo fixes.

  New options to bsdtar that enable or disable reading and/or writing of:
    Access Control Lists (--acls, --no-acls)
    Extended file flags (--fflags, --no-fflags)
    Extended attributes (--xattrs, --no-xattrs)
    Mac OS X metadata (Mac OS X only) (--mac-metadata, --no-mac-metadata)

  Notes:
    svn path=/stable/10/; revision=315433
* Fix incomplete merge in r313927: | Martin Matuska | 2017-02-18 | 4 | -108/+145
  MFC r313572:
  Vendor bugfixes:
    cpio reader sanity fix (OSS-Fuzz 504)
    WARC reader sanity fixes (OSS-Fuzz 511, 526, 532, 552)
    mtree reader time parsing fix (OSS-Fuzz 538)
    XAR reader memleak fix (OSS-Fuzz 551)

  Notes:
    svn path=/stable/10/; revision=313929
* MFC r313572,313782 | Martin Matuska | 2017-02-18 | 10 | -153/+188
  Sync libarchive with vendor.

  MFC r313572:
  Vendor bugfixes:
    cpio reader sanity fix (OSS-Fuzz 504)
    WARC reader sanity fixes (OSS-Fuzz 511, 526, 532, 552)
    mtree reader time parsing fix (OSS-Fuzz 538)
    XAR reader memleak fix (OSS-Fuzz 551)

  MFC r313782:
  Vendor changes:
    Make SCHILY.acl.ace header more compact (NFSv4 ACLs)
  Vendor bugfixes:
    zip reader integer parsing fix (OSS-Fuzz 556)
    spelling fixes (issue #863)

  Notes:
    svn path=/stable/10/; revision=313927
* MFC r310866,310868,310870,311903,313074: | Martin Matuska | 2017-02-11 | 99 | -1760/+6328
  Sync libarchive with vendor.

  MFC r310866:
    PR #771: Add NFSv4 ACL support to pax and restricted pax

    NFSv4 ACL information may now be stored to and restored from tar archives.
    ACL must be non-trivial and supported by the underlying filesystem, e.g.
    natively by ZFS or by UFS with the NFSv4 ACL enable flag set.

  MFC r310868:
    PR #843: Fix memory leak of struct archive_entry in cpio/cpio.c
    PR #851: Spelling fixes
    Fix two prototypes in manual page archive_read_disk.3

  MFC r310870:
    Use __LA_DEPRECATED macro with functions deprecated in 379867e

  MFC r311903:
    #691: Support for SCHILY.xattr extended attributes
    #854: Spelling fixes

    Multiple fixes in ACL code:
    - prefer acl_set_fd_np() to acl_set_fd()
    - if acl_set_fd_np() fails, do not fall back to acl_set_file()
    - do not warn if trying to write ACLs to a filesystem without ACL support
    - fix id handling in archive_acl_(from_to)_text*() for NFSv4 ACLs

  MFC r313074:
    - support extracting NFSv4 ACLs from Solaris tar archives
    - bugfixes and optimizations in the ACL code
    - multiple fixes in the test suite
    - typo and other small bugfixes

    Security fixes:
    - cab reader: endless loop when parsing MSZIP signature (OSS-Fuzz 335)
    - LHA reader: heap-buffer-overflow in lha_read_file_header_1() (CVE-2017-5601)
    - LZ4 reader: null-pointer dereference in lz4_filter_read_legacy_stream() (OSS-Fuzz 453)
    - mtree reader: heap-buffer-overflow in detect_form() (OSS-Fuzz 421, 443)
    - WARC reader: heap-buffer-overflow in xstrpisotime() (OSS-Fuzz 382, 458)

    Memory leak fixes:
    - ACL support: free memory allocated by acl_get_qualifier()
    - disk writer: missing free in create_filesystem_object()
    - file reader: fd leak (Coverity 1016755)
    - gnutar writer: fix free in archive_write_gnutar_header() (Coverity 101675)
    - iso 9660 reader: missing free in parse_file_info() (partial Coverity 1016754)
    - program reader: missing free in __archive_read_program()
    - program writer: missing free in __archive_write_program_free()
    - xar reader: missing free in xar_cleanup()
    - xar reader: missing frees in expat_xmlattr_setup() (Coverity 1229979-1229981)
    - xar writer: missing free in file_free()
    - zip reader: missing free in zip_read_local_file_header()

  List of all libarchive issues at OSS-Fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=libarchive

  Security: CVE-2017-5601

  Notes:
    svn path=/stable/10/; revision=313571
* MFC r309300,r309363,r309405,r309523,r309590,r310185,r310623: | Martin Matuska | 2017-01-02 | 88 | -615/+1619
  Sync libarchive with vendor.

  Fixed vendor issues (relevant to FreeBSD):
    #825, #832: Add sanity check of tar "uid", "gid" and "mtime" fields
    #830, #831, #833, #846: Spelling fixes
    #850: Fix issues with reading certain jar files

  Fixed issues found by Google OSS-Fuzz:
    OSS-Fuzz #15: Fix heap-buffer-overflow in archive_le16dec()
    OSS-Fuzz #16: Fix possible hang in uudecode_filter_read()
    OSS-Fuzz #139, #145, #152: Fix heap-buffer-overflow in uudecode_bidder_bid()
    OSS-Fuzz #220: Reject an 'ar' filename table larger than 1GB or a filename larger than 1MB
    OSS-Fuzz #227, #230, #239: Fix possible memory leak in archive_read_free()
    OSS-Fuzz #237: Fix heap buffer overflow when reading invalid ar archives
    OSS-Fuzz #286: Bugfix in archive_strncat_l()

  More information:
    https://github.com/libarchive/libarchive/issues/[libarchive_issue_number]
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=[oss_fuzz_issue_number]

  Notes:
    svn path=/stable/10/; revision=311042
* MFstable/11 r310569: | Enji Cooper | 2016-12-26 | 27 | -77/+148
  MFC r309869:

  Merge changes from vendor to address several Coverity issues with
  contrib/libarchive's tests

  Obtained from: libarchive (ebe29c, fd0ea2, f9e3de)

  Notes:
    svn path=/stable/10/; revision=310570
* Partial MFC r309300: | Martin Matuska | 2016-12-08 | 2 | -94/+192
  Apply fix for libarchive issue #821:
  "tar -P" cannot extract hardlinks through symlinks

  PR: 213255
  Reported by: Tijl Coosemans <tilj@FreeBSD.org>

  Notes:
    svn path=/stable/10/; revision=309702
* MFC r307861: | Martin Matuska | 2016-10-31 | 17 | -33/+359
  Update libarchive to 3.2.2

  Most of the post-3.2.1 fixes have already been merged. This update contains
  just the version bump and some fixes to the test framework.

  Notes:
    svn path=/stable/10/; revision=308152
* MFC r307215: | Martin Matuska | 2016-10-22 | 10 | -31/+127
  Sync libarchive with vendor.

  Style and tests fixes.

  Important vendor bugfixes (relevant to FreeBSD):
    #801: FreeBSD Coverity report: resource leak in libarchive/tar/test/main.c

  Notes:
    svn path=/stable/10/; revision=307798
* MFC r306670: | Martin Matuska | 2016-10-12 | 19 | -22/+222
  Sync libarchive with vendor including security fixes.

  Important vendor bugfixes (relevant to FreeBSD):
    #747: Out of bounds read in mtree parser
    #761: heap-based buffer overflow in read_Header (7-zip)
    #794: Invalid file on bsdtar command line results in internal errors (1)

  PR: 213092 (1)

  Notes:
    svn path=/stable/10/; revision=307139
* MFC r305819: | Martin Matuska | 2016-09-25 | 9 | -152/+467
  Sync libarchive with vendor including important security fixes.

  Issues fixed (FreeBSD):
    PR #778: ACL error handling
    Issue #745: Symlink check prefix optimization is too aggressive
    Issue #746: Hard links with data can evade sandboxing restrictions

  This update fixes the vulnerability #3 and vulnerability #4 as reported in
  "non-cryptanalytic attacks against FreeBSD update components".
  https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

  Fix for vulnerability #2 has already been merged in r305192.

  Security: http://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f

  Notes:
    svn path=/stable/10/; revision=306322
* MFC r305422: | Martin Matuska | 2016-09-12 | 6 | -184/+445
  Sync libarchive with vendor

  Vendor issues fixed:
    PR #777: Multiple bugfixes for setup_acls()

  This includes a bugfix for a bug that caused ACLs not to be read properly
  for files and directories inside subdirectories and as a result not being
  stored or being incorrectly stored in tar archives.

  Notes:
    svn path=/stable/10/; revision=305755
* MFC r304075,r304989: | Martin Matuska | 2016-09-01 | 32 | -65/+600
  Sync libarchive with vendor including security fixes

  Vendor issues fixed:
    Issue #731: Reject tar entries >= INT64_MAX
    Issue #744: Very long pathnames evade symlink checks
    Issue #748: libarchive can compress, but cannot decompress zip some files
    PR #750: ustar: fix out of bounds read on empty string ("") filename
    PR #755: fix use of acl_get_flagset_np() on FreeBSD
    Issue #767: Buffer overflow printing a filename
    Issue #770: Zip read: be more careful about extra_length

  MFC r304874:
  Temporarily disable two libarchive tests that have not yet been fixed by
  vendor. Tests will be re-enabled after a fix has been merged.

  Notes:
    svn path=/stable/10/; revision=305192
* MFC r302294: | Martin Matuska | 2016-07-08 | 6 | -26/+48
  Sync libarchive with vendor, bugfixes for tests:
    - fix tests on filesystems without birthtime support, e.g. UFS1 (1)
    - vendor issue #729: avoid use of C99 for-scope declarations in test_write_format_gnutar_filenames.c

  PR: 204157 (1)

  Notes:
    svn path=/stable/10/; revision=302425
* MFC r302075: | Martin Matuska | 2016-06-30 | 31 | -168/+586
  Update libarchive to 3.2.1 (bugfix and security fix release)

  List of vendor fixes:
    - fix exploitable heap overflow vulnerability in Rar decompression (vendor issue 719, CVE-2016-4302, TALOS-2016-0154)
    - fix exploitable stack based buffer overflow vulnerability in mtree parse_device functionality (vendor PR 715, CVE-2016-4301, TALOS-2016-0153)
    - fix exploitable heap overflow vulnerability in 7-zip read_SubStreamsInfo (vendor issue 718, CVE-2016-4300, TALOS-2016-152)
    - fix integer overflow when computing location of volume descriptor (vendor issue 717)
    - fix buffer overflow when reading a crafted rar archive (vendor issue 521)
    - fix possible buffer overflow when reading ISO9660 archives on machines where sizeof(int) < sizeof(size_t) (vendor issue 711)
    - tar and cpio should fail if an input file named on the command line is missing (vendor issue 708)
    - fix incorrect writing of gnutar filenames that are exactly 512 bytes long (vendor issue 682)
    - allow tests to be run from paths that are equal or longer than 128 characters (vendor issue 657)
    - add memory allocation errors in archive_entry_xattr.c (vendor PR 603)
    - remove dead code in archive_entry_xattr_add_entry() (vendor PR 716)
    - fix broken decryption of ZIP files (vendor issue 553)
    - manpage style, typo and description fixes

  Post-3.2.1 vendor fixes:
    - fix typo in cpio version reporting (Vendor PR 725, 726)
    - fix argument range of ctype functions in libarchive_fe/passphrase.c
    - fix ctype use and avoid empty loop bodies in WARC reader

  Security: CVE-2016-4300, CVE-2016-4301, CVE-2016-4302

  Notes:
    svn path=/stable/10/; revision=302295
* MFC r299529,r299540,r299576,r299896: | Martin Matuska | 2016-06-17 | 389 | -4328/+60858
  r299529,r299540:
  Update libarchive to 3.2.0

  New features:
    - new bsdcat command-line utility
    - LZ4 compression (in src only via external utility from ports)
    - Warc format support
    - 'Raw' format writer
    - Zip: Support archives >4GB, entries >4GB
    - Zip: Support encrypting and decrypting entries
    - Zip: Support experimental streaming extension
    - Identify encrypted entries in several formats
    - New --clear-nochange-flags option to bsdtar tries to remove noschg and similar flags before deleting files
    - New --ignore-zeros option to bsdtar to handle concatenated tar archives
    - Use multi-threaded LZMA decompression if liblzma supports it
    - Expose version info for libraries used by libarchive

  r299576,r299896:
  Fix broken cpio behavior.

  Relnotes: yes

  Notes:
    svn path=/stable/10/; revision=302001
* Backport security fix for absolute path traversal vulnerability in bsdcpio. | Martin Matuska | 2016-05-21 | 6 | -4/+44
  This is a direct commit to stable/10.

  Security: CVE-2015-2304

  Notes:
    svn path=/stable/10/; revision=300361
* MFC r295914: MFV r295913: | Xin LI | 2016-02-24 | 1 | -2/+5
  Partially apply upstream changeset 6e06b1c8 (kientzle).

  Limit filter recursion level to 25 (instead of infinite).

  This fixes a potential crash issue discovered by Alexander Cherepanov.

  PR: 207362
  Reported by: Robert Clausecker
  Obtained from: libarchive github project
  Approved by: re (marius)

  Notes:
    svn path=/stable/10/; revision=295961
* MFC r285972: | Bryan Drewery | 2015-07-30 | 3 | -3/+163
  MFV r285970:

  Apply upstream changeset bf4f6ec64e:

  Fix issue 356: properly skip a sparse file entry in a tar file.

  PR: 201506
  Relnotes: yes

  Notes:
    svn path=/stable/10/; revision=286082
* MFC r282932: MFV r282927,r282928,r282930 (kientzle): | Xin LI | 2015-05-21 | 2 | -8/+16
  Don't segfault when reading malformed cpio archives.

  Notes:
    svn path=/stable/10/; revision=283259
* MFC r280870: | Bryan Drewery | 2015-04-03 | 1 | -1/+1
  Fix --one-file-system to include the directory encountered rather than
  excluding it.

  This was broken in 3.0.4 (r238856).

  Relnotes: yes

  Notes:
    svn path=/stable/10/; revision=281044
* MFC r274846: | Dimitry Andric | 2014-11-25 | 1 | -1/+2
  Fix the following -Werror warning from clang 3.5.0, while building
  usr.bin/cpio on amd64 (or any arch with 64-bit time_t):

  contrib/libarchive/cpio/cpio.c:1143:6: error: absolute value function 'abs' given an argument of type 'long' but has parameter of type 'int' which may cause truncation of value [-Werror,-Wabsolute-value]
          if (abs(mtime - now) > (365/2)*86400)
              ^
  contrib/libarchive/cpio/cpio.c:1143:6: note: use function 'labs' instead
          if (abs(mtime - now) > (365/2)*86400)
              ^~~
              labs
  1 error generated.

  This is because time_t is a long on amd64. To avoid the warning, just
  copy the equivalent test from a few lines before, which is used in the
  Windows case, and which is type safe.

  Reviewed by: emaste
  Differential Revision: https://reviews.freebsd.org/D1198

  Notes:
    svn path=/stable/10/; revision=275031
* MFC r270661: | Andrey V. Elsukov | 2014-09-03 | 1 | -10/+29
  Remove leading '/' from hardlink name when removing them from the
  regular file name. This fixes the problem, when bsdtar can not create
  hardlinks to extracted files.

  Notes:
    svn path=/stable/10/; revision=271004
* Fix return type of extattr_set_* and fix rmextattr(8) utility. | Matthew D Fleming | 2013-04-02 | 2 | -3/+4
  extattr_set_{fd,file,link} is logically a write(2)-like operation and
  should return ssize_t, just like extattr_get_*. Also, the user-space
  utility was using an int for the return value of extattr_get_* and
  extattr_list_*, both of which return an ssize_t.

  MFC after: 1 week

  Notes:
    svn path=/head/; revision=248995
* Merge bugfix from vendor master branch: | Martin Matuska | 2013-03-23 | 1 | -0/+5
  Limit write requests to at most INT_MAX.
  This prevents a certain common programming error (passing -1 to write)
  from leading to other problems deeper in the library.

  References:
  https://github.com/libarchive/libarchive/commit/22531545514043e0

  Reported by: Xin Li <delphij@FreeBSD.org>
  Obtained from: libarchive (master branch)

  Notes:
    svn path=/head/; revision=248664
* MFV r248590,248594: | Martin Matuska | 2013-03-22 | 381 | -3915/+39146
  Update libarchive to 3.1.2

  Some of new features:
    - support for lrzip and grzip compression
    - support for writing tar v7 format
    - b64encode and uuencode filters
    - support for __MACOSX directory in Zip archives
    - support for lzop compression (external utility)

  Notes:
    svn path=/head/; revision=248616
* Fix an obvious typo that broke time specifications of the form | Tim Kientzle | 2013-02-02 | 2 | -4/+8
  "2 hours ago".

  Notes:
    svn path=/head/; revision=246229
* Apply fix for vendor pull request #17: | Martin Matuska | 2012-08-23 | 1 | -0/+1
  Support appending to empty archives

  References:
  https://github.com/libarchive/libarchive/pull/17

  Submitted by: myself
  Obtained from: libarchive master branch on github

  Notes:
    svn path=/head/; revision=239622
* Backport NFSv4 ACL fix from libarchive master branch. | Martin Matuska | 2012-07-30 | 7 | -189/+2065
  Source:
  https://github.com/libarchive/libarchive/commit/f67370d5

  Obtained from: libarchive (master branch)

  Notes:
    svn path=/head/; revision=238909