<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/libarchive/archive_write_set_format_ustar.c, branch vendor/libarchive</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>Update vendor/libarchive to 3.8.7</title>
<updated>2026-04-13T13:29:20+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2026-04-13T13:22:49+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f2cd95a372000681bafe284df6ba857d5c2541c2'/>
<id>f2cd95a372000681bafe284df6ba857d5c2541c2</id>
<content type='text'>
Important bugfixes between 3.8.6 and 3.8.7:
 #2871 libarchive: fix handling of option failures
 #2897 iso9660: fix undefined behavior
 #2898 RAR: fix LZSS window size mismatch after PPMd block
 #2900 CAB: fix NULL pointer dereference during skip
 #2911 libarchive: do not continue with truncated numbers
 #2919 CAB: Fix Heap OOB Write in CAB LZX decoder
 #2934 iso9660: fix possible heap buffer overflow on 32-bit systems
 #2939 cpio: Fix -R memory leak
 #2947 libarchive: lzop and grzip filter support

Important bugfixes between 3.8.5 and 3.8.6:
 #2860 bsdunzip: fix ISO week year and Gregorian year confusion
 #2864 7zip: fix SEGV in check_7zip_header_in_sfx via ELF offset validation
 #2875 7zip: fix out-of-bounds access on ELF 64-bit header
 #2877 RAR5 reader: fix infinite loop in rar5 decompression
 #2878 mtree reader: Fix file descriptor leak in mtree parser cleanup
       (CWE-775)
 #2892 RAR5 reader: fix potential memory leak
 #2893 RAR5: fix SIGSEGV when archive_read_support_format_rar5 is called
       twice
 #2895 CAB reader: fix memory leak on repeated calls to
       archive_read_support_format_cab

Obtained from:	libarchive
Vendor commit:	ded82291ab41d5e355831b96b0e1ff49e24d8939
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Important bugfixes between 3.8.6 and 3.8.7:
 #2871 libarchive: fix handling of option failures
 #2897 iso9660: fix undefined behavior
 #2898 RAR: fix LZSS window size mismatch after PPMd block
 #2900 CAB: fix NULL pointer dereference during skip
 #2911 libarchive: do not continue with truncated numbers
 #2919 CAB: Fix Heap OOB Write in CAB LZX decoder
 #2934 iso9660: fix possible heap buffer overflow on 32-bit systems
 #2939 cpio: Fix -R memory leak
 #2947 libarchive: lzop and grzip filter support

Important bugfixes between 3.8.5 and 3.8.6:
 #2860 bsdunzip: fix ISO week year and Gregorian year confusion
 #2864 7zip: fix SEGV in check_7zip_header_in_sfx via ELF offset validation
 #2875 7zip: fix out-of-bounds access on ELF 64-bit header
 #2877 RAR5 reader: fix infinite loop in rar5 decompression
 #2878 mtree reader: Fix file descriptor leak in mtree parser cleanup
       (CWE-775)
 #2892 RAR5 reader: fix potential memory leak
 #2893 RAR5: fix SIGSEGV when archive_read_support_format_rar5 is called
       twice
 #2895 CAB reader: fix memory leak on repeated calls to
       archive_read_support_format_cab

Obtained from:	libarchive
Vendor commit:	ded82291ab41d5e355831b96b0e1ff49e24d8939
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to 3.8.5</title>
<updated>2026-01-05T20:10:21+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2026-01-05T20:08:25+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=01333e8c4dd7b5e2bb90cc773332613cf085ccf4'/>
<id>01333e8c4dd7b5e2bb90cc773332613cf085ccf4</id>
<content type='text'>
Important bugfixes:
 #2809 bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix

Obtained from:	libarchive
Vendor commit:	dd897a78c662a2c7a003e7ec158cea7909557bee
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Important bugfixes:
 #2809 bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix

Obtained from:	libarchive
Vendor commit:	dd897a78c662a2c7a003e7ec158cea7909557bee
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to 3.7.7</title>
<updated>2024-10-13T08:34:52+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2024-10-13T08:34:11+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=eff4ff4791c83686dfc7251c9ab3fe8ab9e60f0e'/>
<id>eff4ff4791c83686dfc7251c9ab3fe8ab9e60f0e</id>
<content type='text'>
Security fixes:
 #2364 tar: don't crash on truncated tar archives
 #2366 gzip: prevent a hang when processing a malformed gzip inside a gzip
 #2377 tar: fix two leaks in tar header parsing

Important bugfixes:
 #2096 rar5: report encrypted entries
 #2252 7-zip: read/write symlink paths as UTF-8
 #2360 tar: fix truncation of entry pathnames in specific archives

Obtained from:	libarchive
Vendor commit:	b439d586f53911c84be5e380445a8a259e19114c
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Security fixes:
 #2364 tar: don't crash on truncated tar archives
 #2366 gzip: prevent a hang when processing a malformed gzip inside a gzip
 #2377 tar: fix two leaks in tar header parsing

Important bugfixes:
 #2096 rar5: report encrypted entries
 #2252 7-zip: read/write symlink paths as UTF-8
 #2360 tar: fix truncation of entry pathnames in specific archives

Obtained from:	libarchive
Vendor commit:	b439d586f53911c84be5e380445a8a259e19114c
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to 3.7.5</title>
<updated>2024-09-14T09:48:57+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2024-09-14T09:40:31+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=2022efa03048f4b6b5cef39bdd900d61dd484734'/>
<id>2022efa03048f4b6b5cef39bdd900d61dd484734</id>
<content type='text'>
Security fixes:
 #2158 rpm: calculate huge header sizes correctly
 #2160 util: fix out of boundary access in mktemp functions
 #2168 uu: stop processing if lines are too long
 #2174 lzop: prevent integer overflow
 #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
 #2175 unzip: unify EOF handling
 #2179 rar4: fix out of boundary access with large files
 #2203 rar4: fix OOB access with unicode filenames
 #2210 rar4: add boundary checks to rgb filter
 #2248 rar4: fix OOB in delta filter
 #2249 rar4: fix OOB in audio filter
 #2256 fix multiple vulnerabilities identified by SAST
 #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
 #2265 rar5: clear 'data ready' cache on window buffer reallocs
 #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256)

Important bugfixes:
 #2150 xar: fix another infinite loop and expat error handling
 #2173 shar: check strdup return value
 #2161 lha: fix integer truncation on 32-bit systems
 #2245 7zip: fix issue when skipping first file in 7zip archive that
       is a multiple of 65536 bytes
 #2259 rar5: don't try to read ridiculously long names
 #2290 ar: fix archive entries having no type

Obtained from:	libarchive
Vendor commit: 	12ecf8418ab3595d66cdea1abadcea8b6a9d288b
CVE:		CVE-2024-20696, CVE-2024-26256
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Security fixes:
 #2158 rpm: calculate huge header sizes correctly
 #2160 util: fix out of boundary access in mktemp functions
 #2168 uu: stop processing if lines are too long
 #2174 lzop: prevent integer overflow
 #2172 rar4: protect copy_from_lzss_window_to_unp() (CVE-2024-20696)
 #2175 unzip: unify EOF handling
 #2179 rar4: fix out of boundary access with large files
 #2203 rar4: fix OOB access with unicode filenames
 #2210 rar4: add boundary checks to rgb filter
 #2248 rar4: fix OOB in delta filter
 #2249 rar4: fix OOB in audio filter
 #2256 fix multiple vulnerabilities identified by SAST
 #2258 cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing
 #2265 rar5: clear 'data ready' cache on window buffer reallocs
 #2269 rar4: fix CVE-2024-26256 (CVE-2024-26256)

Important bugfixes:
 #2150 xar: fix another infinite loop and expat error handling
 #2173 shar: check strdup return value
 #2161 lha: fix integer truncation on 32-bit systems
 #2245 7zip: fix issue when skipping first file in 7zip archive that
       is a multiple of 65536 bytes
 #2259 rar5: don't try to read ridiculously long names
 #2290 ar: fix archive entries having no type

Obtained from:	libarchive
Vendor commit: 	12ecf8418ab3595d66cdea1abadcea8b6a9d288b
CVE:		CVE-2024-20696, CVE-2024-26256
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to 3.7.3</title>
<updated>2024-04-11T13:48:20+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2024-04-11T13:37:34+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=a509d68f27b9f114b876bbe3b9caa9d0ee0c5606'/>
<id>a509d68f27b9f114b876bbe3b9caa9d0ee0c5606</id>
<content type='text'>
New features:
  #1941 uudecode filter: support file name and file mode in raw mode
  #1943 7-zip reader: translate Windows permissions into UNIX
        permissions
  #1962 zstd filter now supports the "long" write option
  #2012 add trailing letter b to bsdtar(1) substitute pattern
  #2031 PCRE2 support
  #2054 add support for long options "--group" and "--owner" to tar(1)

Security fixes:
  #2101 Fix possible vulnerability in tar error reporting introduced
        in f27c173

Important bugfixes:
  #1974 ISO9660: preserve the natural order of links
  #2105 rar5: fix infinite loop if during rar5 decompression the last
        block produced no data
  #2027 xz filter: fix incorrect eof at the end of an lzip member
  #2043 zip: fix end-of-data marker processing when decompressing zip
        archives

Obtained from:		libarchive
Libarchive commit:	4fcc02d906cca4b9e21a78a833f1142a2689ec52
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
New features:
  #1941 uudecode filter: support file name and file mode in raw mode
  #1943 7-zip reader: translate Windows permissions into UNIX
        permissions
  #1962 zstd filter now supports the "long" write option
  #2012 add trailing letter b to bsdtar(1) substitute pattern
  #2031 PCRE2 support
  #2054 add support for long options "--group" and "--owner" to tar(1)

Security fixes:
  #2101 Fix possible vulnerability in tar error reporting introduced
        in f27c173

Important bugfixes:
  #1974 ISO9660: preserve the natural order of links
  #2105 rar5: fix infinite loop if during rar5 decompression the last
        block produced no data
  #2027 xz filter: fix incorrect eof at the end of an lzip member
  #2043 zip: fix end-of-data marker processing when decompressing zip
        archives

Obtained from:		libarchive
Libarchive commit:	4fcc02d906cca4b9e21a78a833f1142a2689ec52
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive/dist to git 3288ebb0353beb51dfb09d444dedbe9235ead53d</title>
<updated>2020-02-11T23:48:03+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2020-02-11T23:48:03+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=8185c4ae244f9a52ad987b36e7d6300500054d00'/>
<id>8185c4ae244f9a52ad987b36e7d6300500054d00</id>
<content type='text'>
Libarchive 3.4.2

Relevant vendor changes:
  PR #1289: atomic extraction support (bsdtar -x --safe-writes)
  PR #1308: big endian fix for UTF16 support in LHA reader
  PR #1326: reject RAR5 files that declare invalid header flags
  Issue #987: fix support for 7z archive entries with Delta filter
  Issue #1317: fix compression output buffer handling in XAR writer
  Issue #1319: fix uname or gname longer than 32 characters in pax writer
  Issue #1325: fix use after free when archiving hardlinks in ISO9660 or XAR
  Use localtime_r() and gmtime_r() instead of localtime() and gmtime()
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Libarchive 3.4.2

Relevant vendor changes:
  PR #1289: atomic extraction support (bsdtar -x --safe-writes)
  PR #1308: big endian fix for UTF16 support in LHA reader
  PR #1326: reject RAR5 files that declare invalid header flags
  Issue #987: fix support for 7z archive entries with Delta filter
  Issue #1317: fix compression output buffer handling in XAR writer
  Issue #1319: fix uname or gname longer than 32 characters in pax writer
  Issue #1325: fix use after free when archiving hardlinks in ISO9660 or XAR
  Use localtime_r() and gmtime_r() instead of localtime() and gmtime()
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive/dist to git 31c0a517c91f44eeee717a04db8b075cadda83d8</title>
<updated>2019-02-12T22:29:41+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2019-02-12T22:29:41+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=fbb1b16ad8bc7a6f9a32424ddbd61e59ad5a4d4d'/>
<id>fbb1b16ad8bc7a6f9a32424ddbd61e59ad5a4d4d</id>
<content type='text'>
Relevant vendor changes:
  PR #1085: Fix a null pointer dereference bug in zip writer
  PR #1110: ZIP reader added support for XZ, LZMA, PPMD8 and BZIP2
            decompression
  PR #1116: Add support for 64-bit ar format
  PR #1120: Fix a 7zip crash [1] and an ISO9660 infinite loop [2]
  PR #1125: RAR5 reader - fix an invalid read and a memory leak
  PR #1131: POSIX reader - do not fail when tree_current_lstat() fails
            due to ENOENT [3]
  PR #1134: Delete unnecessary null pointer checks before calls of free()
  OSS-Fuzz 10843: Force intermediate to uint64_t to make UBSAN happy.
  OSS-Fuzz 11011: Avoid buffer overflow in rar5 reader

PR:		233006 [3]
Security:	CVE-2019-1000019 [1], CVE-2019-1000020 [2]
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Relevant vendor changes:
  PR #1085: Fix a null pointer dereference bug in zip writer
  PR #1110: ZIP reader added support for XZ, LZMA, PPMD8 and BZIP2
            decompression
  PR #1116: Add support for 64-bit ar format
  PR #1120: Fix a 7zip crash [1] and an ISO9660 infinite loop [2]
  PR #1125: RAR5 reader - fix an invalid read and a memory leak
  PR #1131: POSIX reader - do not fail when tree_current_lstat() fails
            due to ENOENT [3]
  PR #1134: Delete unnecessary null pointer checks before calls of free()
  OSS-Fuzz 10843: Force intermediate to uint64_t to make UBSAN happy.
  OSS-Fuzz 11011: Avoid buffer overflow in rar5 reader

PR:		233006 [3]
Security:	CVE-2019-1000019 [1], CVE-2019-1000020 [2]
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to git 30528ed7a9f479f1c363ee8cfa1c5eb4c7d9be10</title>
<updated>2016-12-15T15:35:53+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2016-12-15T15:35:53+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=8e86d3576b5d090c0d44d5fd2c4829fce64e3b34'/>
<id>8e86d3576b5d090c0d44d5fd2c4829fce64e3b34</id>
<content type='text'>
Vendor bugfixes:

PR 826: OpenSSL 1.1 support
PR 830, 831, 833: Spelling fixes
OSS-Fuzz 227, 230, 239: Fix possible memory leak in archive_read_free()
OSS-Fuzz 237: Fix heap buffer overflow when reading invalid ar archives
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Vendor bugfixes:

PR 826: OpenSSL 1.1 support
PR 830, 831, 833: Spelling fixes
OSS-Fuzz 227, 230, 239: Fix possible memory leak in archive_read_free()
OSS-Fuzz 237: Fix heap buffer overflow when reading invalid ar archives
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to git ddb3954bfdb9a0a98d50fb1c50cbecb603d9adf0</title>
<updated>2016-12-06T00:35:20+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2016-12-06T00:35:20+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=36f3c6516a97ac526e7eb80728aa2af5b0d1f1df'/>
<id>36f3c6516a97ac526e7eb80728aa2af5b0d1f1df</id>
<content type='text'>
Vendor bugfixes:

libarchive #831:
  Spelling fixes
libarchive #832:
  Relax sanity checks of number fields in tar header even more
OSS-Fuzz #16:
  Fix possible hang in uudecode_filter_read()
OSS-Fuzz #220:
  Reject an 'ar' filename table larger than 1GB or a filename larger
  than 1MB.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Vendor bugfixes:

libarchive #831:
  Spelling fixes
libarchive #832:
  Relax sanity checks of number fields in tar header even more
OSS-Fuzz #16:
  Fix possible hang in uudecode_filter_read()
OSS-Fuzz #220:
  Reject an 'ar' filename table larger than 1GB or a filename larger
  than 1MB.
</pre>
</div>
</content>
</entry>
<entry>
<title>Update vendor/libarchive to git 6a0d970f70102fe50ee9f1e51a2e4c048985e616</title>
<updated>2016-08-13T21:20:06+00:00</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2016-08-13T21:20:06+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=5b0ba629933ba7fd02398bcd8600d27a17fdf9b0'/>
<id>5b0ba629933ba7fd02398bcd8600d27a17fdf9b0</id>
<content type='text'>
Vendor issues fixed:

Issue #744: Very long pathnames evade symlink checks
Issue #748: libarchive can compress, but cannot decompress some zip files
PR #750: ustar: fix out of bounds read on empty string ("") filename
PR #755: fix use of acl_get_flagset_np() on FreeBSD
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Vendor issues fixed:

Issue #744: Very long pathnames evade symlink checks
Issue #748: libarchive can compress, but cannot decompress some zip files
PR #750: ustar: fix out of bounds read on empty string ("") filename
PR #755: fix use of acl_get_flagset_np() on FreeBSD
</pre>
</div>
</content>
</entry>
</feed>
