Opened 3 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#19618 closed enhancement (fixed)

libarchive-3.7.3

Reported by: Xi Ruoyao Owned by: Bruce Dubbs
Priority: elevated Milestone: 12.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New patch version.

Change History (9)

comment:1 by Xi Ruoyao, 3 weeks ago

New features:

  • PCRE2 support (#2031)
  • add trailing letter b to bsdtar(1) substitute pattern (#2012)
  • add support for long options "--group" and "--owner" to tar(1) (#2054)

Security fixes:

  • Fix possible vulnerability in tar error reporting introduced in f27c173 (#2101)

Important bugfixes:

  • ISO9660: preserve the natural order of links (#1974)
  • rar5: fix decoding unicode filenames on Windows (#1978)
  • rar5: fix infinite loop if during rar5 decompression the last block produced no data (#2105)
  • xz filter: fix incorrect eof at the end of an lzip member (#2027)
  • zip: fix end-of-data marker processing when decompressing zip archives (#2042)
  • multiple bsdunzip(1) fixes (#2022, #2030)
  • filetime truncation fix on Windows (#2050)

comment:2 by Xi Ruoyao, 3 weeks ago (in reply to comment:1)

Security fixes:

  • Fix possible vulnerability in tar error reporting introduced in f27c173 (#2101)

I'm not sure if we should issue an SA for this one. There's no CVE assigned (as of now) but this "possible vulnerability" has become notorious.

comment:3 by Xi Ruoyao, 3 weeks ago

We need to change LC_ALL=C to LC_ALL=C.UTF-8 in the test command, or bsdunzip_test fails.

comment:4 by Xi Ruoyao, 3 weeks ago (in reply to comment:1)

  • PCRE2 support (#2031)

I don't know if we should list PCRE2 as an optional dependency. It's not enabled by default on LFS, and explicitly enabling it won't provide any real benefit (I guess it's mostly a replacement of Glibc regex.h for non-Glibc systems).

comment:5 by Douglas R. Reno, 3 weeks ago

Priority: normal → elevated

Yeah, let's file an SA for it. There is a proof of concept public in a GitHub comment in the post, and it does lead to files being unpacked onto a filesystem that are obfuscated in an archive.

As for PCRE2, let's just leave it be.

Last edited 3 weeks ago by Douglas R. Reno

comment:6 by Bruce Dubbs, 3 weeks ago

Just list pcre2 as optional without any additional comment. Doing more sets a bad precedent.

comment:7 by Bruce Dubbs, 3 weeks ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:8 by Bruce Dubbs, 3 weeks ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

06aeaa1fc0 Update to js-115.9.1 (spidermonkey).
a8586f30a2 Update to libarchive-3.7.3.

comment:9 by Douglas R. Reno, 3 weeks ago

SA-12.1-025 issued
