Opened 5 days ago

Closed 5 days ago

Last modified 45 hours ago

#20373 closed enhancement (fixed)

libarchive-3.7.5

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 12.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by Xi Ruoyao, 5 days ago

Security fixes:

  • fix multiple vulnerabilities identified by SAST (#2251, #2256)
  • cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
  • lzop: prevent integer overflow (#2174)
  • rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
  • rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
  • rar4: fix OOB in delta and audio filter (#2148, #2149)
  • rar4: fix out of boundary access with large files (#2179)
  • rar4: add boundary checks to rgb filter (#2210)
  • rar4: fix OOB access with unicode filenames (#2203)
  • rar5: clear 'data ready' cache on window buffer reallocs (#2265)
  • rpm: calculate huge header sizes correctly (#2158)
  • unzip: unify EOF handling (#2175)
  • util: fix out of boundary access in mktemp functions (#2160)
  • uu: stop processing if lines are too long (#2168)

Important bugfixes:

  • 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes (#2245)
  • ar: fix archive entries having no type (#2290)
  • lha: do not allow negative file sizes (#2155)
  • lha: fix integer truncation on 32-bit systems (#2161)
  • shar: check strdup return value (#2173)
  • rar5: don't try to read ridiculously long names (#2259)
  • xar: fix another infinite loop and expat error handling (#2150)
  • many Windows fixes, cleanups and improvements

comment:2 by Xi Ruoyao, 5 days ago (in reply to: comment:1)

Replying to Xi Ruoyao:

  • xar: fix another infinite loop and expat error handling (#2150)

So we can remove --without-expat and move libxml2 back down to optional.

comment:3 by Bruce Dubbs, 5 days ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:4 by Bruce Dubbs, 5 days ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

5df823f3da Update to libarchive-3.7.5.
b08f250a39 Update to libjxl-0.11.0.
5413be2d50 Update to traceroute-2.1.6.
795b6454e0 Update to libadwaita-1.6.0.

comment:5 by Douglas R. Reno, 3 days ago

Priority: normal → elevated

This needs a SA due to CVE-2024-20696, CVE-2024-26256, and CV3-2024-26256

comment:6 by Douglas R. Reno, 45 hours ago

SA-12.2-009 issued
