Update libarchive to 3.4.2

Bug #1867390 reported by Amr Ibrahim
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libarchive (Debian) | Fix Released | Unknown | | |
| libarchive (Ubuntu) | Fix Released | Wishlist | Unassigned | |
| Focal | Triaged | Wishlist | Unassigned | |

Bug Description

Please update libarchive to 3.4.2, which also fixes LP: #1814109.

The bug and security fixes outweigh the new features added in 3.4.1 and 3.4.2.

https://github.com/libarchive/libarchive/releases

Libarchive 3.4.2 is a feature and security release.

New features:

support for atomic file extraction (bsdtar -x --safe-writes) (#1289)
support for mbed TLS (PolarSSL) (#1301)

Important bugfixes:

security fixes in RAR5 reader (#1280 #1326)
compression buffer fix in XAR writer (#1317)
fix uname and gname longer than 32 characters in PAX writer (#1319)
fix segfault when archiving hard links in ISO9660 and XAR writers (#1325)
fix support for extracting 7z archive entries with Delta filter (fixes LP: #1814109) (#987)

Libarchive 3.4.1 is a feature and security release.

New features:

Unicode filename support for reading lha/lzh archives
New pax write option "xattrhdr"

Important bugfixes:

security fixes in wide string processing (#1276 #1298)
security fixes in RAR5 reader (#1212 #1217 #1296)
security fixes and optimizations to write filter logic (#351)
security fix related to use of readlink(2) (1dae5a5)
sparse file handling fixes (#1218 #1260)

Sebastien Bacher (seb128) wrote :

Thanks. When requesting a version update after feature freeze, please state why you think that update should be done despite the freeze.

Note that it has been reported to Debian also and is being worked on there, but it is non-trivial; see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953553

Changed in libarchive (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
description: updated
information type: Public → Public Security
Changed in libarchive (Debian):
status: Unknown → New
Brian Murray (brian-murray) wrote :

3.4.2-1 is now available in groovy which will become Ubuntu 20.10. I'll open a task for Ubuntu 20.04 LTS (focal) though.

Changed in libarchive (Ubuntu):
status: Triaged → Fix Released
Changed in libarchive (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Wishlist
Changed in libarchive (Debian):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.