Bug 285592 - archivers/libarchive: Update to 3.7.9
Summary: archivers/libarchive: Update to 3.7.9
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Daniel Engberg
URL: https://github.com/libarchive/libarch...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-03-23 00:36 UTC by Daniel Engberg
Modified: 2025-04-16 20:59 UTC

See Also:
glewis: maintainer-feedback+


Attachments
Patch for libarchive (1.35 KB, patch)
2025-03-23 00:36 UTC, Daniel Engberg
Patch for libarchive v2 (1.35 KB, patch)
2025-03-30 21:52 UTC, Daniel Engberg

Description Daniel Engberg freebsd_committer freebsd_triage 2025-03-23 00:36:30 UTC
Created attachment 258930
Patch for libarchive

Fixes multiple CVEs:
CVE-2024-57970, CVE-2025-1632, CVE-2025-25724

Compile and runtime tested on FreeBSD 14.2-RELEASE (amd64) (make, make check-plist, make test)

Poudriere testport OK 13.4-RELEASE (amd64)
Poudriere testport OK 13.4-RELEASE (i386)
Poudriere testport OK 14.2-RELEASE (amd64)

Tested with the following consumers using Poudriere on 13.4-RELEASE (amd64):
graphics/vips
net/samba416
net/samba419
net/samba420
science/v_sim
archivers/ark
archivers/file-roller
archivers/gnome-autoar
archivers/pixz
archivers/rpm4
archivers/rubygem-libarchive
archivers/unmakeself
astro/opencpn
audio/ardour
audio/cardinal (fails, unrelated)
audio/fooyin
audio/hydrogen
cad/horizon-eda
deskutils/pinot
devel/appstream-glib
devel/cmake-gui
devel/libtifiles2
devel/zeal
emulators/cemu
emulators/fceux
emulators/nemu
emulators/nestopia
emulators/qmc2 (fails, unrelated)
filesystems/archivemount
filesystems/gvfs
games/lordsawar
games/meandmyshadow
games/melonds
graphics/akira
graphics/atril
graphics/atril-lite
graphics/evince
graphics/filmulator
graphics/geeqie
graphics/glaxnimate
graphics/libgxps
graphics/minder
graphics/photoqt
graphics/pqiv
graphics/tesseract
graphics/vips
graphics/zathura-cb
irc/epic5
lang/swipl
mail/claws-mail-archive
mail/evolution
misc/far2l
multimedia/lms
multimedia/mlt7-glaxnimate
multimedia/mpv
multimedia/qmmp-qt5
multimedia/qmmp-qt6
multimedia/totem-pl-parser
multimedia/vlc
net/grilo-plugins
net-mgmt/seafile-client
net-mgmt/seafile-server
ports-mgmt/appstream-generator
science/avogadro2
science/avogadrolibs
sysutils/ftwin
sysutils/fwup
sysutils/nix
sysutils/osinfo-db-tools
sysutils/pacman
sysutils/rdup
textproc/libgepub
www/epiphany
www/midori
x11/gnome-pie
x11-fonts/font-manager
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2025-03-30 21:52:51 UTC
Created attachment 259196
Patch for libarchive v2

Update to 3.7.9
Comment 2 Greg Lewis freebsd_committer freebsd_triage 2025-03-31 16:04:45 UTC
LGTM
Comment 3 commit-hook freebsd_committer freebsd_triage 2025-04-01 05:01:57 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7042301865d982a0af47108ae3203afd37d90d59

commit 7042301865d982a0af47108ae3203afd37d90d59
Author:     Daniel Engberg <diizzy@FreeBSD.org>
AuthorDate: 2025-04-01 04:57:44 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2025-04-01 04:57:47 +0000

    archivers/libarchive: Update to 3.7.9

    Previous version 3.7.8 fixed following CVEs:
    CVE-2024-57970, CVE-2025-1632, CVE-2025-25724

    Changelog(s):
    https://github.com/libarchive/libarchive/releases/tag/v3.7.9
    https://github.com/libarchive/libarchive/releases/tag/v3.7.8

    PR:             285592
    Reviewed by:    glewis (maintainer)

 archivers/libarchive/Makefile  | 3 +--
 archivers/libarchive/distinfo  | 6 +++---
 archivers/libarchive/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
Comment 4 Daniel Engberg freebsd_committer freebsd_triage 2025-04-01 05:05:20 UTC
Committed, thanks!
Comment 5 Robert Clausecker freebsd_committer freebsd_triage 2025-04-15 15:59:36 UTC
For some reason libarchive now doesn't build on quarterly; it fails in lib-depends.
Comment 6 Daniel Engberg freebsd_committer freebsd_triage 2025-04-16 20:26:17 UTC
(In reply to Robert Clausecker from comment #5)
Any log or such? Can't find anything relevant looking in pkg-fallout.
Comment 7 Robert Clausecker freebsd_committer freebsd_triage 2025-04-16 20:45:01 UTC
(In reply to Daniel Engberg from comment #6)

Happens on my riscv64 box building 2025Q2.  I think we don't build this on the cluster, which is how you don't notice.  Here's the relevant part of the logs:

=======================<phase: lib-depends    >============================
===== env: USE_PACKAGE_DEPENDS_ONLY=1 USER=root UID=0 GID=0
===>   libarchive-3.7.9,1 depends on shared library: libexpat.so - not found
===>   Installing existing package /packages/All/expat-2.7.0.pkg
[15Rrv64-quarterly-job-04] Installing expat-2.7.0...
[15Rrv64-quarterly-job-04] Extracting expat-2.7.0: .......... done
===>   libarchive-3.7.9,1 depends on shared library: libexpat.so - found (/usr/local/lib/libexpat.so)
===>   Returning to build of libarchive-3.7.9,1
===>   libarchive-3.7.9,1 depends on shared library: liblz4.so - not found
===>   Installing existing package /packages/All/liblz4-1.10.0,1.pkg
[15Rrv64-quarterly-job-04] Installing liblz4-1.10.0,1...
[15Rrv64-quarterly-job-04] Extracting liblz4-1.10.0,1: .......... done
===>   libarchive-3.7.9,1 depends on shared library: liblz4.so - found (/usr/local/lib/liblz4.so)
===>   Returning to build of libarchive-3.7.9,1
===>   libarchive-3.7.9,1 depends on shared library: libzstd.so - not found
===>   Installing existing package /packages/All/zstd-1.5.7.pkg
[15Rrv64-quarterly-job-04] Installing zstd-1.5.7...
pkg-static: Missing shlib dependency: liblz4.so.1

Failed to install the following 1 package(s): /packages/All/zstd-1.5.7.pkg

... I'm puzzled as well.
Comment 8 Daniel Engberg freebsd_committer freebsd_triage 2025-04-16 20:55:39 UTC
(In reply to Robert Clausecker from comment #7)
Seems like we don't build riscv at all?
https://pkg-status.freebsd.org/
Comment 9 Robert Clausecker freebsd_committer freebsd_triage 2025-04-16 20:59:18 UTC
(In reply to Daniel Engberg from comment #8)

Yeah, could be.