Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1
Hi Peter,
On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: roam@ringlet.net
>
> [ Reason ]
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
>
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.
>
> [ Tests ]
> All the added patches are taken from upstream commits that
> include both the bugfixes and the testsuite additions to
> check for regressions.
>
> [ Risks ]
> The code is mostly easy to follow, the fixes are straightforward.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - correctly extract a hardlink to a symlink using the linkat(2)
> system call
> - do not change the ACLs on symlinks, since that would affect
> the symlink target instead
> - do not accidentally change the access mode of a symlink target
> when a change to the symlink's mode was intended
>
> [ Other info ]
> Thanks in advance for looking at this, and keep up the great work!
> diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog
> --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.000000000 +0300
> +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.000000000 +0200
> @@ -1,3 +1,12 @@
> +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium
> +
> + * Add four upstream fixes for various problems:
> + - fix extracting hardlinks to symlinks
> + - fix handling of symlink ACLs; Closes: 1001986
> + - never follow symlinks when setting file flags; Closes: 1001990
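Review bot: the entry header says "Add four upstream fixes" but the sub-items do not say which debian/patches file or upstream commit each one corresponds to, and the quoted part of the hunk shows only three of them. The first sub-item ("fix extracting hardlinks to symlinks") also carries no bug or other reference, unlike the two "Closes:" items below it. Suggest naming the patch file on each sub-item so the changelog can be matched line by line against the debdiff.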
While at it, can you as well add the CVE references to the
debian/changelog?
Regards,
Salvatore
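
The failure mode named in the third item under [ Changes ] above, as a stand-alone C illustration added here (it is not part of either message, not libarchive's code and not the upstream patch): chmod(2) on a symlink path changes the link target's mode, while opening with O_NOFOLLOW and calling fchmod(2) leaves the target alone. The helper names and the temporary path are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() and O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: chmod(2) resolves symlinks, so the link target is changed. */
int set_mode_following(const char *path, mode_t mode) { return chmod(path, mode); }

/* Safer pattern: refuse a symlink in the final path component, then change
 * the mode through the descriptor that was actually opened. */
int set_mode_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                /* errno is ELOOP when path is a symlink */
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed scenario: a 0600 file plus a symlink to it in a fresh temp
 * directory. Applies 0666 to the symlink; returns the target's final mode. */
int target_mode_after(int follow)
{
    char dir[] = "/tmp/symmode-XXXXXX", target[64], link[64];
    struct stat st;
    int result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int fd = open(target, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) close(fd);
    if (chmod(target, 0600) == 0 && symlink("target", link) == 0) {
        if (follow) set_mode_following(link, 0666);
        else        set_mode_nofollow(link, 0666);
        if (stat(target, &st) == 0) result = st.st_mode & 0777;
    }
    unlink(link); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod: %o  O_NOFOLLOW+fchmod: %o\n", (unsigned)target_mode_after(1), (unsigned)target_mode_after(0));
    return 0;
}
```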