Libarchive 3.7.4

Libarchive 3.7.4 is a bugfix and security release

Security fixes:

• rar: Fix OOB in rar e8 filter (#2135) (CVE-2024-26256)
• zip: Fix out of boundary access (#2145)

Important bugfixes:

• 7zip: Limit amount of properties (#2131)
• bsdtar: Fix error handling around strtol() usages (#2110)
• passphrase: Improve newline handling on Windows (#2115)
• passphrase: Never allow empty passwords (#2116)
• rar: Fix "File CRC Error" when extracting specific rar4 archives (#2124)
• xar: Avoid infinite link loop (#2123)
• zip: Update AppleDouble support for directories (#2108)
• zstd: Implement core detection (#2083, #2071)

Thanks to all contributors and bug reporters!

Libarchive 3.7.3

Libarchive 3.7.3 is a feature, security and bugfix release.

New features:

• PCRE2 support (#2031)
• add trailing letter b to bsdtar(1) substitute pattern (#2012)
• add support for long options "--group" and "--owner" to tar(1) (#2054)

Security fixes:

• Fix possible vulnerability in tar error reporting introduced in f27c173 (#2101)

Important bugfixes:

• ISO9660: preserve the natural order of links (#1974)
• rar5: fix decoding unicode filenames on Windows (#1978)
• rar5: fix infinite loop if during rar5 decompression the last block produced no data (#2105)
• xz filter: fix incorrect eof at the end of an lzip member (#2027)
• zip: fix end-of-data marker processing when decompressing zip archives (#2042)
• multiple bsdunzip(1) fixes (#2022, #2030)
• filetime truncation fix on Windows (#2050)

Thanks to all contributors and bug reporters.

Libarchive 3.7.2

Libarchive 3.7.2 is a security, bugfix and feature release.

Security fixes:

• Multiple vulnerabilities have been fixed in the PAX writer (1b4e0d0)

Important bugfixes:

• bsdunzip(1) now correctly handles arguments following an -x after the zipfile

New features:

• bsdunzip(1) now supports the "--version" flag
• 7-zip reader now translates Windows permissions into UNIX permissions (#1943)
• uudecode filter in raw mode now supports file name and file mode
• zstd filter now supports the "long" write option (#1962)

Libarchive 3.7.1

Libarchive 3.7.1 is a security, feature and bugfix release.

Security fixes:

• SEGV and stack buffer overflow in verbose mode of cpio (#1934, #1935)

Feature updates:

• bsdunzip updated to match latest upstream code (#1926)

Important bugfixes:

• miscellaneous functional bugfixes (#1731, #1929, #1930)
• build fixes on multiple platforms (Android #1921, older MacOS X #1919, #1933 and others)

Thanks to all contributors and bug reporters.

Libarchive 3.7.0

Libarchive 3.7.0 is a feature and bugfix release.

New features:

• bsdunzip: new tool ported from FreeBSD (#1873)
  drop-in replacement for Info-ZIP unzip, not yet ported for Windows
• 7zip reader: support for Zstandard compression (#1894)
• 7zip reader: support for ARM64 filter (#1918)
• zstd filter: support for multi-frame zstd archives (#1818)

Other notable bugfixes and improvements:

• pax: fix year 2038 problem on platforms with 64-bit time_t (#1840)
• Windows: Universal Windows Platform (UWP) fixes and improvements (#1879, #1883, #1885, #1840)
• Windows: bcrypt usage fixes and improvements (#1881, #1887)
• Windows: time function usage fixes and improvements (#1820, #1824, #1830)

Thanks to all contributors and bug reporters.

Libarchive 3.6.2

Libarchive 3.6.2 is a bugfix and security release.

Important security fixes:

• NULL pointer dereference vulnerability in archive_write.c (#1754, #1759, CVE-2022-36227)

Important bug fixes:

• include ZSTD in Windows builds (#1688)
• SSL fixes on Windows (#1714, #1723, #1724)
• rar5 reader: fix possible garbled output with bsdtar -O (#1745)
• mtree reader: support reading mtree files with tabs (#1783)
• various small fixes for issues found by CodeQL

Libarchive 3.6.1

Libarchive 3.6.1 is a bugfix and security release.

Security fixes:

• 7zip reader: fix PPMD read beyond boundary (#1671)
• ZIP reader: fix possible out of bounds read (OSS-Fuzz 38766 #1672)
• ISO reader: fix possible heap buffer overflow in read_children() (OSS-Fuzz 38764, #1685)
• RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0)
  • fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50)
  • fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77)
  • fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)

Libarchive 3.6.0

Libarchive 3.6.0 is a feature and bugfix release.

New features:

• tar: new option "--no-read-sparse" (#1614)
• tar: threads support for zstd (#1567)
• RAR reader: filter support (#1503)
• RAR5 reader: self-extracting archive support (#1585)
• ZIP reader: zstd decompression support (#1518)

Other notable bugfixes and improvements:

• tar: respect "--ignore-zeros" in c, r and u modes (#1620)
• reduced size of application binaries (#1625)
• internal code optimizations

Thanks to all contributors and bug reporters.

Libarchive 3.5.3

Libarchive 3.5.3 is a security release

Security Fixes:

• extended fix for following symlinks when processing the fixup list (#1566, #1617, CVE-2021-31566)
• fix invalid memory access and out of bounds read in RAR5 reader (#1491, #1492, #1493, CVE-2021-36976)

Thanks to all contributors and bug reporters.

Libarchive 3.5.2

Libarchive 3.5.2 is a feature and security release.

New minor features:

• CPIO: Support for PWB and v7 binary cpio formats (#1502)
• ZIP reader: Support of deflate algorithm in symbolic link decompression (#1509)

Important security fixes:

• fix handling of symbolic link ACLs on Linux (#1565)
• never follow symlinks when setting file flags on Linux (e2ad1a2)
• do not follow symlinks when processing the fixup list (#1566)

Important bugfixes:

• fix extraction of hardlinks to symlinks (#1044)
• 7zip reader and writer fixes (#1480, #1532)
• RAR reader fixes (#1504, #1521)
• ZIP reader: fix excessive read for padded zip (#1514)
• CAB reader: fix double free (#1520)
• handle short writes from archive_write_callback (#1530)

Thanks to all contributors and bug reporters.