
Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1



Hi Peter,

On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: roam@ringlet.net
> 
> [ Reason ]
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
> 
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.
> 
> [ Tests ]
> All the added patches are taken from upstream commits that
> include both the bugfixes and the testsuite additions to
> check for regressions.
> 
> [ Risks ]
> The code is mostly easy to follow; the fixes are straightforward.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - correctly extract a hardlink to a symlink using the linkat(2)
>   system call
> - do not change the ACLs on symlinks, since that would affect
>   the symlink target instead
> - do not accidentally change the access mode of a symlink target
>   when a change to the symlink's mode was intended
> 
> [ Other info ]
> Thanks in advance for looking at this, and keep up the great work!

> diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog
> --- libarchive-3.4.3/debian/changelog	2020-08-01 21:46:12.000000000 +0300
> +++ libarchive-3.4.3/debian/changelog	2021-12-27 18:45:51.000000000 +0200
> @@ -1,3 +1,12 @@
> +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium
> +
> +  * Add four upstream fixes for various problems:
> +    - fix extracting hardlinks to symlinks
> +    - fix handling of symlink ACLs; Closes: 1001986
> +    - never follow symlinks when setting file flags; Closes: 1001990
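Review bot: the two `Closes:` lines in this hunk (`+    - fix handling of symlink ACLs; Closes: 1001986` and `+    - never follow symlinks when setting file flags; Closes: 1001990`) cite only Debian bug numbers; for a stable update that fixes security issues, put the CVE identifier on the same changelog line as the bug it fixes, so the security tracker can match the upload to the advisory. Note also that the header `@@ -1,3 +1,12 @@` announces nine added lines but only six are quoted here, so the fourth fix promised by `* Add four upstream fixes` and the entry's trailer are not visible in this reply.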

While at it, can you as well add the CVE references to the
debian/changelog?

Regards,
Salvatore
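The three behaviours listed under [ Changes ] above (hard links to symlinks via linkat(2), never changing a symlink target's mode when the symlink's own mode was meant, and never following a symlink when opening it to set file flags) can be shown on a constructed fixture. The following is an added example written for this page, not libarchive's code or anything from the patches in the debdiff: the helper names `hardlink_nofollow`, `set_mode_nofollow`, `open_nofollow` and `run_demo` are hypothetical, and it assumes a writable `/tmp` on a POSIX system where `fchmodat(AT_SYMLINK_NOFOLLOW)` either works or fails with ENOTSUP/EOPNOTSUPP (as on Linux).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative helpers (hypothetical names), not libarchive's own code. */

/* Hard link `dst` to `src`. With flags == 0, linkat(2) never resolves `src`
 * when it is a symlink, so `dst` becomes a second name for the symlink itself
 * rather than for its target; link(2) leaves that choice to the platform. */
int hardlink_nofollow(const char *src, const char *dst)
{
    return linkat(AT_FDCWD, src, AT_FDCWD, dst, 0);
}

/* Apply `mode` to `path` without following a symlink. On a symlink we use
 * fchmodat(AT_SYMLINK_NOFOLLOW); if the platform cannot change symlink modes
 * (Linux reports ENOTSUP/EOPNOTSUPP) we skip the change. We never fall back
 * to chmod(), which would silently re-mode the target instead. */
int set_mode_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISLNK(st.st_mode)) {
        if (fchmodat(AT_FDCWD, path, mode, AT_SYMLINK_NOFOLLOW) == 0)
            return 0;
        if (errno == ENOTSUP || errno == EOPNOTSUPP)
            return 0; /* symlink modes are immutable here: nothing to do */
        return -1;
    }
    return chmod(path, mode);
}

/* Open a path for a metadata ioctl (e.g. file flags) without following
 * symlinks: O_NOFOLLOW makes the kernel fail with ELOOP instead of handing
 * back a descriptor to the symlink's target. */
int open_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
}

/* Bits returned by run_demo(); each is one check that passed. */
enum {
    DEMO_HARDLINK_TO_SYMLINK = 1, /* hard link names the symlink, not target */
    DEMO_TARGET_MODE_KEPT    = 2, /* set_mode_nofollow() left target alone    */
    DEMO_OPEN_REFUSED        = 4, /* open_nofollow() on symlink gave ELOOP   */
    DEMO_NAIVE_CHMOD_LEAKED  = 8  /* plain chmod() on the symlink hit target  */
};

/* Build a constructed fixture (a 0600 target file and a symlink to it) in a
 * fresh temporary directory, exercise the helpers, and also run the naive
 * chmod() to show the bug the fix avoids. Returns the bitmask of passed checks. */
int run_demo(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[512], sym[512], hard[512];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(sym, sizeof sym, "%s/sym", dir);
    snprintf(hard, sizeof hard, "%s/hard", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        fchmod(fd, 0600); /* pin the mode regardless of umask */
        close(fd);
    }
    if (fd < 0 || symlink("target", sym) != 0)
        goto out;

    /* 1. A hard link to a symlink must be another name for the symlink. */
    if (hardlink_nofollow(sym, hard) == 0 && lstat(hard, &st) == 0 &&
        S_ISLNK(st.st_mode) && st.st_nlink == 2)
        result |= DEMO_HARDLINK_TO_SYMLINK;

    /* 2. Setting the symlink's mode must not touch the target's mode. */
    if (set_mode_nofollow(sym, 0777) == 0 && stat(target, &st) == 0 &&
        (st.st_mode & 07777) == 0600)
        result |= DEMO_TARGET_MODE_KEPT;

    /* 3. O_NOFOLLOW refuses the symlink outright. */
    fd = open_nofollow(sym);
    if (fd < 0 && errno == ELOOP)
        result |= DEMO_OPEN_REFUSED;
    else if (fd >= 0)
        close(fd);

    /* 4. The original bug: chmod() follows the symlink and re-modes the target. */
    if (chmod(sym, 0777) == 0 && stat(target, &st) == 0 &&
        (st.st_mode & 07777) == 0777)
        result |= DEMO_NAIVE_CHMOD_LEAKED;

out:
    unlink(hard);
    unlink(sym);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("checks passed: 0x%x (all four pass as 0xf)\n", r);
    return r == 0xf ? 0 : 1;
}
```

Step 4 is the behaviour the third bullet under [ Changes ] removes: a plain `chmod()` on the symlink name changes the 0600 target to 0777, so an archive that carries a symlink entry with a permissive mode can loosen a file that already exists on disk. The same reasoning applies to ACLs (the second bullet): any call that resolves the symlink name applies the metadata to the target.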