Date: Thu, 7 Sep 2023 15:24:15 GMT
Message-Id: <202309071524.387FOFTN066258@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Martin Matuska
Subject: git: f10f65999fe5 - main - libarchive: merge security fix from vendor branch
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by mm:

URL: https://cgit.FreeBSD.org/src/commit/?id=f10f65999fe56e92f00b5bc5d27ac342cfea5364

commit f10f65999fe56e92f00b5bc5d27ac342cfea5364
Merge: 2afef29b2c0b a5913a473bb0
Author:     Martin Matuska
AuthorDate: 2023-09-07 15:18:12 +0000
Commit:     Martin Matuska
CommitDate: 2023-09-07 15:22:34 +0000

    libarchive: merge security fix from vendor branch

    This commit fixes a couple of security vulnerabilities in the PAX writer:

    1. Heap overflow in url_encode() in archive_write_set_format_pax.c
    2. NULL dereference in archive_write_pax_header_xattrs()
    3. Another NULL dereference in archive_write_pax_header_xattrs()
    4. NULL dereference in archive_write_pax_header_xattr()

    Security:       No known reference yet
    Obtained from:  https://github.com/libarchive/libarchive/commit/1b4e0d0f9
    MFC after:      3 days

 .../libarchive/archive_write_set_format_pax.c | 35 +++++++++++++++-------
 1 file changed, 25 insertions(+), 10 deletions(-)