Security fixes:
* 7zip: Fix out-of-boundary access
* tar reader: fix checking the result of strftime (CVE-2025-25724)
* lib: Create temporary files in the target directory
* lha: Fix for an out-of-bounds buffer overrun when using p[H_LEVEL_OFFSET]
* 7-zip: Fix a buffer overrun when reading truncated 7zip headers
New features:
* bsdtar: support --mtime and --clamp-mtime
* 7-zip reader: improve self-extracting archive detection
* zip writer: added XZ, LZMA, ZSTD and BZIP2 support
* zip writer: added LZMA + RISCV BCJ filter
Notable security fixes:
* rar: do not skip past EOF while reading
* rar: fix double free with over 4 billion nodes
* rar: fix heap-buffer-overflow
* warc: prevent signed integer overflow
* tar: fix overflow in build_ustar_entry
Security fixes:
* tar reader: Handle truncation in a GNU long linkname (CVE-2024-57970)
* unzip: fix null pointer dereference (CVE-2025-1632)
* tar reader: fix unchecked return value (CVE-2025-25724)
Important bugfixes:
* 7zip reader: add SPARC and POWERPC filter support for non-LZMA compressors
* tar reader: Ignore ustar size when pax size is present
* tar writer: Fix bug when -s/a/b/ used more than once with b flag
* libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
* libarchive: Adding missing seeker function to archive_read_open_FILE()
Security fixes:
* gzip: prevent a hang when processing a malformed gzip inside a gzip
* tar: don't crash on truncated tar archives
* tar: fix two leaks in tar header parsing
Important bugfixes:
* 7-zip: read/write symlink paths as UTF-8
* cpio: exit with an error code if an entry could not be extracted
* rar5: report encrypted entries
* tar: fix truncation of entry pathnames in specific archives
Important bugfixes:
* tar: clean up linkpath between entries
* tar: fix memory leaks when processing symlinks or parsing pax headers
* iso: be more cautious about parsing ISO-9660 timestamps
Security fixes:
* Multiple vulnerabilities have been fixed in the PAX writer
Important bugfixes:
* bsdunzip(1) now correctly handles arguments following an -x after the zipfile
New features:
* bsdunzip(1) now supports the "--version" flag
* 7-zip reader now translates Windows permissions into UNIX permissions
* uudecode filter in raw mode now supports file name and file mode
* zstd filter now supports the "long" write option
New features:
* bsdunzip: new tool, drop-in replacement for Info-ZIP unzip
* 7zip reader: support for Zstandard compression
* 7zip reader: support for ARM64 filter
* zstd filter: support for multi-frame zstd archives
Security fixes:
* SEGV and stack buffer overflow in verbose mode of cpio
* ISO reader: fix possible heap buffer overflow in read_children()
* RAR reader: fix heap-use-after-free in RAR (v4) filter code
* RAR reader: fix null-dereference in RAR (v4) filter code
* RAR reader: fix heap-use-after-free in run_filters()
ok naddy
New features:
* tar: new option "--no-read-sparse"
* tar: threads support for zstd
* RAR reader: filter support
* RAR5 reader: self-extracting archive support
* ZIP reader: zstd decompression support
* Fixes for reading Android APK and JAR archives
* Support for non-recursive list and extract
* New tar option: --exclude-vcs
* Important fixes for storing file attributes and flags
* Support for xz, lzma, ppmd8 and bzip2 decompression in ZIP files
* RAR 5.0 reader
* Avoid super-linear slowdown on malformed mtree files
* NO_OVERWRITE doesn't change existing directory attributes
* New support for Zstandard read and write filters
... plus unmentioned bug fixes.
* Incorporate patches for crash and overflow bugs
* Add support for lz4 compression
* Add bsdcat command-line tool
Also avoid picking up ext2fs header; reported by rpe@
- CVE-2013-0211: denial of service via unspecified vectors
- CVE-2015-2304: directory traversal via absolute paths
- crash/infinite loop on malformed CPIO archives
From upstream git (commits 2253154, 5935715, 3865cf2, e6c9668, 24f5de6)
via FreeBSD.
Minor bump for the new ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS option.