src/.github/workflows/codeql.yml, branch vendor/libarchive FreeBSD source tree Update vendor/libarchive to 3.8.5 2026-01-05T20:10:21+00:00 Martin Matuska mm@FreeBSD.org 2026-01-05T20:08:25+00:00 01333e8c4dd7b5e2bb90cc773332613cf085ccf4 Important bugfixes: #2809 bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix Obtained from: libarchive Vendor commit: dd897a78c662a2c7a003e7ec158cea7909557bee 
Important bugfixes:
 #2809 bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix

Obtained from:	libarchive
Vendor commit:	dd897a78c662a2c7a003e7ec158cea7909557bee
Update vendor/libarchive to 3.8.2 2025-10-16T17:41:19+00:00 Martin Matuska mm@FreeBSD.org 2025-10-16T17:36:33+00:00 8f38cbcd9c4a4f27bdccf2e75a7e20026cff5181 Important bugfixes: #2477 tar writer: fix replacing a regular file with a dir for ARCHIVE_EXTRACT_SAFE_WRITES #2659 lib: improve filter process handling #2664 zip writer: fix a memory leak if write callback error early #2665 lib: archive_read_data: handle sparse holes at end of file correctly #2668 7zip: Fix out of boundary access #2670 zip writer: fix writing with ZSTD compression #2672 lib: fix error checking in writing files #2678 zstd write filter: enable Zstandard's checksum feature #2679 lib: handle possible errors from system calls #2707 lib: avoid leaking file descriptors into subprocesses #2713 RAR5 reader: fix multiple issues in extra field parsing function #2716 RAR5 reader: early fail when file declares data for a dir entry #2717 bsdtar: Allow filename to have CRLF endings #2719 tar reader: fix checking the result of the strftime (CVE-2025-25724) #2737 tar reader: fix an infinite loop when parsing V headers #2742 lib: parse_date: handle dates in 2038 and beyond if time_t is big enough Obtained from: libarchive Vendor commit: 7f53fce04e4e672230f4eb80b219af17975e4f83 Security: CVE-2025-25724 
Important bugfixes:
 #2477 tar writer: fix replacing a regular file with a dir for
       ARCHIVE_EXTRACT_SAFE_WRITES
 #2659 lib: improve filter process handling
 #2664 zip writer: fix a memory leak if write callback error early
 #2665 lib: archive_read_data: handle sparse holes at end of file correctly
 #2668 7zip: Fix out of boundary access
 #2670 zip writer: fix writing with ZSTD compression
 #2672 lib: fix error checking in writing files
 #2678 zstd write filter: enable Zstandard's checksum feature
 #2679 lib: handle possible errors from system calls
 #2707 lib: avoid leaking file descriptors into subprocesses
 #2713 RAR5 reader: fix multiple issues in extra field parsing function
 #2716 RAR5 reader: early fail when file declares data for a dir entry
 #2717 bsdtar: Allow filename to have CRLF endings
 #2719 tar reader: fix checking the result of the strftime (CVE-2025-25724)
 #2737 tar reader: fix an infinite loop when parsing V headers
 #2742 lib: parse_date: handle dates in 2038 and beyond if time_t is big
       enough

Obtained from:	libarchive
Vendor commit:	7f53fce04e4e672230f4eb80b219af17975e4f83
Security:	CVE-2025-25724
Update vendor/libarchive to 3.8.0 2025-05-20T10:47:29+00:00 Martin Matuska mm@FreeBSD.org 2025-05-20T10:43:26+00:00 b0ea71a8555c0b726319dc2a618cc6d17a4fa4f1 New features: #2088 7-zip reader: improve self-extracting archive detection #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support #2403 zip writer: added LZMA + RISCV BCJ filter #2601 bsdtar: support --mtime and --clamp-mtime #2602 libarchive: mbedtls 3.x compatibility Security fixes: #2422 tar reader: Handle truncation in the middle of a GNU long linkname CVE-2024-57970 #2532 tar reader: fix unchecked return value in list_item_verbose() CVE-2025-25724 #2532 unzip: fix null pointer dereference CVE-2025-1632 #2568 warc: prevent signed integer overflow #2584 rar: do not skip past EOF while reading #2588 tar: fix overflow in build_ustar_entry #2598 rar: fix double free with over 4 billion nodes #2599 rar: fix heap-buffer-overflow Important bugfixes: #2399 7-zip reader: add SPARC filter support for non-LZMA compressors #2405 tar reader: ignore ustar size when pax size is present #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter #2539 libarchive: add missing seeker function to archive_read_open_FILE() #2544 gzip: allow setting the original filename for gzip compressed files #2564 libarchive: improve lseek handling #2582 rar: support large headers on 32 bit systems #2587 bsdtar: don't hardlink negative inode files together #2596 rar: support large headers on 32 bit systems #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings Obtained from: libarchive Vendor commit: 70ff28fcf04ec129a1d064f96e49aa57fcc90e37 CVE: CVE-2024-57970, CVE-2025-1632, CVE-2025-25724 
New features:
 #2088 7-zip reader: improve self-extracting archive detection
 #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
 #2403 zip writer: added LZMA + RISCV BCJ filter
 #2601 bsdtar: support --mtime and --clamp-mtime
 #2602 libarchive: mbedtls 3.x compatibility

Security fixes:
 #2422 tar reader: Handle truncation in the middle of a GNU long linkname
       CVE-2024-57970
 #2532 tar reader: fix unchecked return value in list_item_verbose()
       CVE-2025-25724
 #2532 unzip: fix null pointer dereference
       CVE-2025-1632
 #2568 warc: prevent signed integer overflow
 #2584 rar: do not skip past EOF while reading
 #2588 tar: fix overflow in build_ustar_entry
 #2598 rar: fix double free with over 4 billion nodes
 #2599 rar: fix heap-buffer-overflow

Important bugfixes:
  #2399 7-zip reader: add SPARC filter support for non-LZMA compressors
  #2405 tar reader: ignore ustar size when pax size is present
  #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
  #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
  #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
  #2539 libarchive: add missing seeker function to archive_read_open_FILE()
  #2544 gzip: allow setting the original filename for gzip compressed files
  #2564 libarchive: improve lseek handling
  #2582 rar: support large headers on 32 bit systems
  #2587 bsdtar: don't hardlink negative inode files together
  #2596 rar: support large headers on 32 bit systems
  #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings

Obtained from:	libarchive
Vendor commit:	70ff28fcf04ec129a1d064f96e49aa57fcc90e37
CVE:		CVE-2024-57970, CVE-2025-1632, CVE-2025-25724
Update vendor/libarchive to 3.7.7 2024-10-13T08:34:52+00:00 Martin Matuska mm@FreeBSD.org 2024-10-13T08:34:11+00:00 eff4ff4791c83686dfc7251c9ab3fe8ab9e60f0e Security fixes: #2364 tar: don't crash on truncated tar archives #2366 gzip: prevent a hang when processing a malformed gzip inside a gzip #2377 tar: fix two leaks in tar header parsing Important bugfixes: #2096 rar5: report encrypted entries #2252 7-zip: read/write symlink paths as UTF-8 #2360 tar: fix truncation of entry pathnames in specific archives Obtained from: libarchive Vendor commit: b439d586f53911c84be5e380445a8a259e19114c 
Security fixes:
 #2364 tar: don't crash on truncated tar archives
 #2366 gzip: prevent a hang when processing a malformed gzip inside a gzip
 #2377 tar: fix two leaks in tar header parsing

Important bugfixes:
 #2096 rar5: report encrypted entries
 #2252 7-zip: read/write symlink paths as UTF-8
 #2360 tar: fix truncation of entry pathnames in specific archives

Obtained from:	libarchive
Vendor commit:	b439d586f53911c84be5e380445a8a259e19114c
Update vendor/libarchive to 3.7.5 2024-09-14T09:48:57+00:00 Martin Matuska mm@FreeBSD.org 2024-09-14T09:40:31+00:00 2022efa03048f4b6b5cef39bdd900d61dd484734 Security fixes: #2158 rpm: calculate huge header sizes correctly #2160 util: fix out of boundary access in mktemp functions #2168 uu: stop processing if lines are too long #2174 lzop: prevent integer overflow #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696) #2175 unzip: unify EOF handling #2179 rar4: fix out of boundary access with large files #2203 rar4: fix OOB access with unicode filenames #2210 rar4: add boundary checks to rgb filter #2248 rar4: fix OOB in delta filter #2249 rar4: fix OOB in audio filter #2256 fix multiple vulnerabilities identified by SAST #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing #2265 rar5: clear 'data ready' cache on window buffer reallocs #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256) Important bugfixes: #2150 xar: fix another infinite loop and expat error handling #2173 shar: check strdup return value #2161 lha: fix integer truncation on 32-bit systems #2245 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes #2259 rar5: don't try to read rediculously long names #2290 ar: fix archive entries having no type Obtained from: libarchive Vendor commit: 12ecf8418ab3595d66cdea1abadcea8b6a9d288b CVE: CVE-2024-20696, CVE-2024-26256 
Security fixes:
 #2158 rpm: calculate huge header sizes correctly
 #2160 util: fix out of boundary access in mktemp functions
 #2168 uu: stop processing if lines are too long
 #2174 lzop: prevent integer overflow
 #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
 #2175 unzip: unify EOF handling
 #2179 rar4: fix out of boundary access with large files
 #2203 rar4: fix OOB access with unicode filenames
 #2210 rar4: add boundary checks to rgb filter
 #2248 rar4: fix OOB in delta filter
 #2249 rar4: fix OOB in audio filter
 #2256 fix multiple vulnerabilities identified by SAST
 #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
 #2265 rar5: clear 'data ready' cache on window buffer reallocs
 #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256)

Important bugfixes:
 #2150 xar: fix another infinite loop and expat error handling
 #2173 shar: check strdup return value
 #2161 lha: fix integer truncation on 32-bit systems
 #2245 7zip: fix issue when skipping first file in 7zip archive that
       is a multiple of 65536 bytes
 #2259 rar5: don't try to read rediculously long names
 #2290 ar: fix archive entries having no type

Obtained from:	libarchive
Vendor commit: 	12ecf8418ab3595d66cdea1abadcea8b6a9d288b
CVE:		CVE-2024-20696, CVE-2024-26256
Update vendor/libarchive to 3.7.4 2024-04-26T10:11:59+00:00 Martin Matuska mm@FreeBSD.org 2024-04-26T10:11:59+00:00 d6f77d3cfa8e56aed99e2ea250fdb242f51747df Security fixes: #2135 rar: Fix OOB in rar e8 filter (CVE-2024-26256) #2145 zip: Fix out of boundary access Important bugfixes: #2131 7zip: Limit amount of properties #2110 bsdtar: Fix error handling around strtol() usages #2116 passphrase: Never allow empty passwords #2124 rar: Fix "File CRC Error" when extracting specific rar4 archives #2123 xar: Avoid infinite link loop #2108 zip: Update AppleDouble support for directories #2071 zstd: Implement core detection Obained from: libarchive Libarchive commit: 313aa1fa10b657de791e3202c168a6c833bc3543 
Security fixes:
 #2135 rar: Fix OOB in rar e8 filter (CVE-2024-26256)
 #2145 zip: Fix out of boundary access

Important bugfixes:
 #2131 7zip: Limit amount of properties
 #2110 bsdtar: Fix error handling around strtol() usages
 #2116 passphrase: Never allow empty passwords
 #2124 rar: Fix "File CRC Error" when extracting specific rar4 archives
 #2123 xar: Avoid infinite link loop
 #2108 zip: Update AppleDouble support for directories
 #2071 zstd: Implement core detection

Obained from:		libarchive
Libarchive commit:	313aa1fa10b657de791e3202c168a6c833bc3543
Update vendor/libarchive to 3.7.3 2024-04-11T13:48:20+00:00 Martin Matuska mm@FreeBSD.org 2024-04-11T13:37:34+00:00 a509d68f27b9f114b876bbe3b9caa9d0ee0c5606 New features: #1941 uudecode filter: support file name and file mode in raw mode #1943 7-zip reader: translate Windows permissions into UNIX permissions #1962 zstd filter now supports the "long" write option #2012 add trailing letter b to bsdtar(1) substitute pattern #2031 PCRE2 support #2054 add support for long options "--group" and "--owner" to tar(1) Security fixes: #2101 Fix possible vulnerability in tar error reporting introduced in f27c173 Important bugfixes: #1974 ISO9660: preserve the natural order of links #2105 rar5: fix infinite loop if during rar5 decompression the last block produced no data #2027 xz filter: fix incorrect eof at the end of an lzip member #2043 zip: fix end-of-data marker processing when decompressing zip archives Obtained from: libarchive Libarchive commit: 4fcc02d906cca4b9e21a78a833f1142a2689ec52 
New features:
  #1941 uudecode filter: support file name and file mode in raw mode
  #1943 7-zip reader: translate Windows permissions into UNIX
        permissions
  #1962 zstd filter now supports the "long" write option
  #2012 add trailing letter b to bsdtar(1) substitute pattern
  #2031 PCRE2 support
  #2054 add support for long options "--group" and "--owner" to tar(1)

Security fixes:
  #2101 Fix possible vulnerability in tar error reporting introduced
        in f27c173

Important bugfixes:
  #1974 ISO9660: preserve the natural order of links
  #2105 rar5: fix infinite loop if during rar5 decompression the last
        block produced no data
  #2027 xz filter: fix incorrect eof at the end of an lzip member
  #2043 zip: fix end-of-data marker processing when decompressing zip
        archives

Obtained from:		libarchive
Libarchive commit:	4fcc02d906cca4b9e21a78a833f1142a2689ec52
Update vendor/libarchive to libarchive/libarchive@ba80276cc 2022-12-09T16:28:02+00:00 Martin Matuska mm@FreeBSD.org 2022-12-09T16:26:30+00:00 b5a00e61e90d12782d023f98d9bf9bebf65733ed Important Bugfixes: rar5 reader: fix possible garbled output with bsdtar -O (#1745) mtree reader: support reading mtree files with tabs (#1783) various small fixes for issues found by CodeQL Obtained from: libarchive Libarchive commit: ba80276ccc3c941c4918ec6e2460059f0c525c43 Libarcive tag: v3.6.2 
Important Bugfixes:
  rar5 reader: fix possible garbled output with bsdtar -O (#1745)
  mtree reader: support reading mtree files with tabs (#1783)
  various small fixes for issues found by CodeQL

Obtained from:		libarchive
Libarchive commit:	ba80276ccc3c941c4918ec6e2460059f0c525c43
Libarcive tag:		v3.6.2