[FFe] update libarchive to 3.6.0

Bug #1967127 reported by Jeremy Bícha
Affects              Status        Importance  Assigned to
evince (Ubuntu)      Fix Released  Undecided   Jeremy Bícha
libarchive (Ubuntu)  Fix Released  Undecided   Jeremy Bícha

Bug Description

I request a Feature Freeze Exception to update libarchive from 3.5.2 to 3.6.0 and build evince with libarchive 3.6.

This will allow us to drop 2 revert commits we added to evince to build with the older libarchive.
https://salsa.debian.org/gnome-team/evince/-/commit/badb5b65b

Changes
-------
https://github.com/libarchive/libarchive/releases/tag/v3.6.0
https://github.com/libarchive/libarchive/compare/v3.5.2...v3.6.0

Other Changes
-------------
1. libarchive: I am cherry-picking a security fix for CVE-2022-26280
2. libarchive: debian/rules was only running dh_auto_test if 'check' was set in DEB_BUILD_OPTIONS. I am changing that to only run if 'nocheck' is not set. That way we run the build tests by default.

I'm forwarding both those changes to Debian soon.

Build logs
----------
https://launchpad.net/~jbicha/+archive/ubuntu/arch/+sourcepub/13404994/+listing-archive-extra

https://buildd.debian.org/status/package.php?p=evince

Testing done
------------
No errors in the install logs

Evince still works fine to open a variety of PDFs and a .cbz file I have.
File Roller still works fine to open a variety of compressed file types.
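The DEB_BUILD_OPTIONS gate from item 2 under "Other Changes", modelled as an added POSIX sh example (not part of this bug report or of the libarchive packaging): it contrasts the old 'check' gate with the corrected 'nocheck' gate and shows why the match must be on whole words rather than substrings. The function names and sample option strings are constructed for illustration.

```shell
# Added example (not from the bug report or the libarchive packaging):
# models the debian/rules test gate from item 2 in POSIX sh.
# DEB_BUILD_OPTIONS is a whitespace-separated list of words, so the gate
# must compare whole words; "nocheck" must never be taken as "check".

# Old gate as the report describes it: tests run only if 'check' is set,
# so a default build (empty options) silently skips the test suite.
old_gate_runs_tests() {
    for opt in $1; do
        [ "$opt" = "check" ] && return 0
    done
    return 1
}

# New gate: tests run unless 'nocheck' is set (the Debian Policy convention;
# the make equivalent is $(filter nocheck,$(DEB_BUILD_OPTIONS))).
new_gate_runs_tests() {
    for opt in $1; do
        [ "$opt" = "nocheck" ] && return 1
    done
    return 0
}

# Pitfall: a substring match treats "nocheck" as containing "check" and
# would run tests exactly when the builder asked to skip them.
naive_gate_runs_tests() {
    case "$1" in *check*) return 0 ;; esac
    return 1
}

# Helper returning "yes"/"no" for the gate named in $1 with options $2.
describe() {
    if "$1" "$2"; then echo yes; else echo no; fi
}

# Constructed sample DEB_BUILD_OPTIONS values.
for opts in "" "parallel=4" "check" "nocheck" "nocheck parallel=4"; do
    printf '%-22s old=%-3s new=%-3s naive=%s\n' "'$opts'" \
        "$(describe old_gate_runs_tests "$opts")" \
        "$(describe new_gate_runs_tests "$opts")" \
        "$(describe naive_gate_runs_tests "$opts")"
done
```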

Jeremy Bícha (jbicha)
description: updated
description: updated
Steve Langasek (vorlon) wrote :

> https://github.com/libarchive/libarchive/releases/tag/v3.6.0

This looks fine.

> https://github.com/libarchive/libarchive/compare/v3.5.2...v3.6.0

I'm not reading this. An FFe request should include a human-readable *summary* of upstream feature-freeze-breaking that may introduce risk of regression; a git log is not that.

FFe granted.

Changed in libarchive (Ubuntu):
status: New → Triaged
Changed in libarchive (Ubuntu):
assignee: nobody → Jeremy Bicha (jbicha)
Changed in evince (Ubuntu):
assignee: nobody → Jeremy Bicha (jbicha)
Changed in libarchive (Ubuntu):
status: Triaged → Fix Committed
Changed in evince (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libarchive - 3.6.0-1ubuntu1

---------------
libarchive (3.6.0-1ubuntu1) jammy; urgency=medium

  * Sync with Debian. (LP: #1967127)
    - Includes upstream fixes for CVE-2021-36976
  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
  * SECURITY UPDATE: possible out-of-bounds read
    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
    - CVE-2022-26280

libarchive (3.6.0-1) unstable; urgency=medium

  * New upstream version (Closes: #1007120):
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - lzip-large-dict
      - upstream-fix-32bit-size-cast
      - upstream-fixup-file-flags
      - upstream-fixup-symlinks
    - add another spelling correction to the typos patch
    - update the line numbers in the typos patch
  * Add the year 2022 to my debian/* copyright notice.
  * Reorder the copyright file so that it makes sense.

 -- Jeremy Bicha <email address hidden> Wed, 06 Apr 2022 16:33:16 -0400

Changed in libarchive (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 42.1-2

---------------
evince (42.1-2) unstable; urgency=medium

  * debian/control.in: Bump minimum libarchive to 3.6.0
  * Drop libarchive revert commits (LP: #1967127)

 -- Jeremy Bicha <email address hidden> Wed, 30 Mar 2022 08:17:47 -0400

Changed in evince (Ubuntu):
status: In Progress → Fix Released