libarchive-3.8.0

[Bruce Dubbs]

New minor version.

[thomas]

Libarchive 3.8.0 is a feature and bugfix release.

New features:
bsdtar: support --mtime and --clamp-mtime (#2601)
lib: mbedtls 3.x compatibility (#2602)
7-zip reader: improve self-extracting archive detection (#2088)
xar: xmllite support for the XAR reader and writer (#2388)
zip writer: added XZ, LZMA, ZSTD and BZIP2 support (#2137, #2284, #2391)
zip writer: added LZMA + RISCV BCJ filter (#2403)

Notable security fixes:
rar: do not skip past EOF while reading (#2584)
rar: fix double free with over 4 billion nodes (#2598)
rar: fix heap-buffer-overflow (#2599)
warc: prevent signed integer overflow (#2568)
tar: fix overflow in build_ustar_entry (#2588)

Notable bugfixes:
bsdtar: don't hardlink negative inode files together (#2587)
gz: allow setting the original filename for gzip compressed files (#2544)
lib: improve lseek handling (#2564)
lib: support @-prefixed Unix epoch timestamps as date strings (#2606)
rar: support large headers on 32 bit systems (#2596)
tar reader: Improve LFS support on 32 bit systems (#2582)

[thomas]

Fixed in [bf9ef871]

[Douglas R. Reno]

Mark as elevated here to file an advisory, though no CVEs have been assigned so we'll just link to the bug reports instead.

For this one I was really on the fence about actually assigning the security tag and going through the process, but the heap buffer overflow and the integer overflow changed my mind, since the others just cause denial of service.

[Douglas R. Reno]

SA-12.3-037 issued