#1068106 bookworm-pu: package libarchive/3.6.2-1+deb12u1

#1068106#5
Date:
2024-03-30 18:51:10 UTC
From:
To:
[ Reason ]
Revert a change made by the same person that smuggled
the backdoor into xz. See #1068047 for more details.

[ Impact ]
In the discussion in the upstream bugtracker, the consensus is that
the reverted change may not really introduce any vulnerability, but
still some concerns were expressed regarding some unlikely scenarios.
It might be a safer bet to revert it, just in case.

[ Tests ]
None yet.

[ Risks ]
The change reverting the previous one is straightforward, limited to
a specific piece of code (specific error logging in
the bsdtar(1) command-line tool), and changes the source code back to
using the same error reporting functions that are used elsewhere
throughout the bsdtar and libarchive source code. Thus, IMHO the risks
are negligible, if any.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Introduce a patch that uses libarchive's own error reporting functions
instead of unchecked fprintf().

#1068106#12
Date:
2024-03-31 10:01:22 UTC
From:
To:
Right, so it seems that I was a bit impatient filing this bug, right
after I got the "processing" e-mail from the archive for libarchive-3.7.2-2
in unstable, but before I got the "accepted" one... and before I had
noticed the d-d-a e-mail about the paused archive processing.

So yeah, this is still a pre-upload approval request, but it will
apparently need to wait until 3.7.2-2 makes it into unstable :)

Thanks in advance, and sorry for the bother!

G'luck,
Peter

#1068106#17
Date:
2024-04-06 21:27:38 UTC
From:
To:
Hi,

Please go ahead. However I wonder if you also want to wait for a patch for
https://github.com/libarchive/libarchive/issues/2107 and include that? If
so please un-confirm this bug and provide an updated debdiff when ready.

Thanks,

#1068106#24
Date:
2024-09-03 07:44:36 UTC
From:
To:
Hi,

This request was approved for 12.6 but not uploaded in time; is it still
relevant for 12.7?

Thanks,

#1068106#29
Date:
2024-11-09 09:00:16 UTC
From:
To:
hi Peter,

Can you rebase your changes post 12.8 to have it included in 12.9?

Regards,
Salvatore

#1068106#34
Date:
2025-02-28 19:56:57 UTC
From:
To:
Hi Peter,

There is an upcoming point release for bookworm soon, are you still
interested in getting that in?

Regards,
Salvatore

#1068106#39
Date:
2025-08-27 19:10:38 UTC
From:
To:
package release.debian.org
tags 1068106 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: libarchive
Version: 3.6.2-1+deb12u3

Explanation: fix integer overflow issues [CVE-2025-5914 CVE-2025-5916], buffer over-read issue [CVE-2025-5915], buffer overflow issue [CVE-2025-5917]

#1068106#49
Date:
2025-08-27 20:03:02 UTC
From:
To:
Control: tags -1 +confirmed -pending

It was pointed out that I mixed up two different changes to the same
package here. Fixing.

Regards,

Adam

#1068106#61
Date:
2025-08-27 20:07:47 UTC
From:
To:
Hi Peter,

There is little time yet for the next one, do you have time to rebase
those on top of the changes from Moritz, so on top of 3.6.2-1+deb12u3
as 3.6.2-1+deb12u4?

Regards,
Salvatore

#1068106#66
Date:
2026-05-06 17:52:34 UTC
From:
To:
Things have moved on again, so this would now need to be rebased on top
of 3.6.2-1+deb12u4 to become 3.6.2-1+deb12u5.

Note that the window for the penultimate bookworm point release is
closing this coming weekend.

Regards,

Adam