Bug 285592 - archivers/libarchive: Update to 3.7.9
Summary: archivers/libarchive: Update to 3.7.9
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Daniel Engberg
URL: https://github.com/libarchive/libarch...
Reported: 2025-03-23 00:36 UTC by Daniel Engberg
Modified: 2025-04-01 05:05 UTC

glewis: maintainer-feedback+


Attachments
Patch for libarchive (1.35 KB, patch)
2025-03-23 00:36 UTC, Daniel Engberg
Patch for libarchive v2 (1.35 KB, patch)
2025-03-30 21:52 UTC, Daniel Engberg

Description Daniel Engberg freebsd_committer freebsd_triage 2025-03-23 00:36:30 UTC
Created attachment 258930
Patch for libarchive

Fixes multiple CVEs:
CVE-2024-57970, CVE-2025-1632, CVE-2025-25724

Compile and runtime tested on FreeBSD 14.2-RELEASE (amd64) (make, make check-plist, make test)

Poudriere testport OK 13.4-RELEASE (amd64)
Poudriere testport OK 13.4-RELEASE (i386)
Poudriere testport OK 14.2-RELEASE (amd64)

Tested with the following consumers using Poudriere on 13.4-RELEASE (amd64):
graphics/vips
net/samba416
net/samba419
net/samba420
science/v_sim
archivers/ark
archivers/file-roller
archivers/gnome-autoar
archivers/pixz
archivers/rpm4
archivers/rubygem-libarchive
archivers/unmakeself
astro/opencpn
audio/ardour
audio/cardinal (fails, unrelated)
audio/fooyin
audio/hydrogen
cad/horizon-eda
deskutils/pinot
devel/appstream-glib
devel/cmake-gui
devel/libtifiles2
devel/zeal
emulators/cemu
emulators/fceux
emulators/nemu
emulators/nestopia
emulators/qmc2 (fails, unrelated)
filesystems/archivemount
filesystems/gvfs
games/lordsawar
games/meandmyshadow
games/melonds
graphics/akira
graphics/atril
graphics/atril-lite
graphics/evince
graphics/filmulator
graphics/geeqie
graphics/glaxnimate
graphics/libgxps
graphics/minder
graphics/photoqt
graphics/pqiv
graphics/tesseract
graphics/vips
graphics/zathura-cb
irc/epic5
lang/swipl
mail/claws-mail-archive
mail/evolution
misc/far2l
multimedia/lms
multimedia/mlt7-glaxnimate
multimedia/mpv
multimedia/qmmp-qt5
multimedia/qmmp-qt6
multimedia/totem-pl-parser
multimedia/vlc
net/grilo-plugins
net-mgmt/seafile-client
net-mgmt/seafile-server
ports-mgmt/appstream-generator
science/avogadro2
science/avogadrolibs
sysutils/ftwin
sysutils/fwup
sysutils/nix
sysutils/osinfo-db-tools
sysutils/pacman
sysutils/rdup
textproc/libgepub
www/epiphany
www/midori
x11/gnome-pie
x11-fonts/font-manager
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2025-03-30 21:52:51 UTC
Created attachment 259196
Patch for libarchive v2

Update to 3.7.9
Comment 2 Greg Lewis freebsd_committer freebsd_triage 2025-03-31 16:04:45 UTC
LGTM
Comment 3 commit-hook freebsd_committer freebsd_triage 2025-04-01 05:01:57 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7042301865d982a0af47108ae3203afd37d90d59

commit 7042301865d982a0af47108ae3203afd37d90d59
Author:     Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2025-04-01 04:57:44 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2025-04-01 04:57:47 +0000

    archivers/libarchive: Update to 3.7.9

    Previous version 3.7.8 fixed following CVEs:
    CVE-2024-57970, CVE-2025-1632, CVE-2025-25724

    Changelog(s):
    https://github.com/libarchive/libarchive/releases/tag/v3.7.9
    https://github.com/libarchive/libarchive/releases/tag/v3.7.8

    PR:             285592
    Reviewed by:    glewis (maintainer)

 archivers/libarchive/Makefile  | 3 +--
 archivers/libarchive/distinfo  | 6 +++---
 archivers/libarchive/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
Comment 4 Daniel Engberg freebsd_committer freebsd_triage 2025-04-01 05:05:20 UTC
Committed, thanks!