[Bug 1967127] Re: [FFe] update libarchive to 3.6.0
Launchpad Bug Tracker
1967127 at bugs.launchpad.net
Thu Apr 7 18:29:19 UTC 2022
This bug was fixed in the package libarchive - 3.6.0-1ubuntu1
---------------
libarchive (3.6.0-1ubuntu1) jammy; urgency=medium

  * Sync with Debian. (LP: #1967127)
    - Includes upstream fixes for CVE-2021-36976
  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
  * SECURITY UPDATE: possible out-of-bounds read
    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
    - CVE-2022-26280

libarchive (3.6.0-1) unstable; urgency=medium

  * New upstream version (Closes: #1007120):
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - lzip-large-dict
      - upstream-fix-32bit-size-cast
      - upstream-fixup-file-flags
      - upstream-fixup-symlinks
    - add another spelling correction to the typos patch
    - update the line numbers in the typos patch
  * Add the year 2022 to my debian/* copyright notice.
  * Reorder the copyright file so that it makes sense.

 -- Jeremy Bicha <jbicha at ubuntu.com> Wed, 06 Apr 2022 16:33:16 -0400

** Changed in: libarchive (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-36976
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26280
https://bugs.launchpad.net/bugs/1967127
Title:
[FFe] update libarchive to 3.6.0
Status in evince package in Ubuntu:
In Progress
Status in libarchive package in Ubuntu:
Fix Released
Bug description:
I request a Feature Freeze Exception to update libarchive from 3.5.2
to 3.6.0 and build evince with libarchive 3.6.
This will allow us to drop 2 revert commits we added to evince to build with the older libarchive.
https://salsa.debian.org/gnome-team/evince/-/commit/badb5b65b
Changes
-------
https://github.com/libarchive/libarchive/releases/tag/v3.6.0
https://github.com/libarchive/libarchive/compare/v3.5.2...v3.6.0
Other Changes
-------------
1. libarchive: I am cherry-picking a security fix for CVE-2022-26280
2. libarchive: debian/rules was only running dh_auto_test if 'check' was set in DEB_BUILD_OPTIONS. I am changing that to only run if 'nocheck' is not set. That way we run the build tests by default.
I'm forwarding both those changes to Debian soon.
Build logs
----------
https://launchpad.net/~jbicha/+archive/ubuntu/arch/+sourcepub/13404994/+listing-archive-extra
https://buildd.debian.org/status/package.php?p=evince
Testing done
------------
No errors in the install logs
Evince still works fine to open a variety of PDFs and a .cbz file I have.
File Roller still works fine to open a variety of compressed file types.