Re: git: 833a452e9f08 - main - libarchive: import changes from upstream

From: Baptiste Daroussin <bapt_at_FreeBSD.org>
Date: Fri, 08 Apr 2022 07:40:12 UTC
On Thu, Apr 07, 2022 at 10:13:30PM -0500, Kyle Evans wrote:
> On Wed, Feb 9, 2022 at 5:52 PM Martin Matuska <mm@freebsd.org> wrote:
> >
> > The branch main has been updated by mm:
> >
> > URL: https://cgit.FreeBSD.org/src/commit/?id=833a452e9f082a7982a31c21f0da437dbbe0a39d
> >
> > Merge: 17a56f3fabdf 84631082f67b
> > Author:     Martin Matuska <mm@FreeBSD.org>
> > AuthorDate: 2022-02-09 23:35:42 +0000
> > Commit:     Martin Matuska <mm@FreeBSD.org>
> > CommitDate: 2022-02-09 23:35:42 +0000
> >
> >     libarchive: import changes from upstream
> >
> >     Libarchive 3.6.0
> >
> >     New features:
> >     PR #1614: tar: new option "--no-read-sparse"
> >     PR #1503: RAR reader: filter support
> >     PR #1585: RAR5 reader: self-extracting archive support
> >
> >     New features (not used in FreeBSD base):
> >     PR #1567: tar: threads support for zstd (#1567)
> >     PR #1518: ZIP reader: zstd decompression support
> >
> >     Security Fixes:
> >     PR #1491, #1492, #1493, CVE-2021-36976:
> >        fix invalid memory access and out of bounds read in RAR5 reader
> >     PR #1566, #1618, CVE-2021-31566:
> >        extended fix for following symlinks when processing the fixup list
> >
> >     Other notable bugfixes and improvements:
> >     PR #1620: tar: respect "--ignore-zeros" in c, r and u modes
> >     PR #1625: reduced size of application binaries
> >
> >     MFC after:      2 weeks
> >     Relnotes:       yes
> >
> 
> Hi,
> 
> This commit makes pkg angry when trying to use zstd support -- I
> tracked it down to libarchive wanting to shell out now, because this
> conditional changed:
> 
> https://cgit.freebsd.org/src/tree/contrib/libarchive/libarchive/archive_write_add_filter_zstd.c#n112
> 
> We should probably make pkg accept ARCHIVE_WARN since shelling out
> isn't so bad, but I have this diff to fix base libarchive:
> 
> https://people.freebsd.org/~kevans/libarchive.diff
> 
> I didn't quite check if there were any other surprises like this,
> though. Is this sufficient and OK to commit?
> 
> Thanks,
> 
> Kyle Evans
> 

It is not the first time an update of libarchive breaks many things, in
particular pkg. We have asked many times if a request for an exp-run could be made
before any sync with upstream, but years are passing and libarchive continues to
be updated without a prior exp-run.

This is painful.

Making pkg accept ARCHIVE_WARN is not acceptable; in some places we are
extracting inside a capsicum sandbox, which will prevent any shelling out.

Best regards,
Bapt