[Bug 1967127] Re: [FFe] update libarchive to 3.6.0
This bug was fixed in the package evince - 42.1-2

---
evince (42.1-2) unstable; urgency=medium

  * debian/control.in: Bump minimum libarchive to 3.6.0
  * Drop libarchive revert commits (LP: #1967127)

 -- Jeremy Bicha  Wed, 30 Mar 2022 08:17:47 -0400

** Changed in: evince (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/1967127

Title:
  [FFe] update libarchive to 3.6.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1967127/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1967127] Re: [FFe] update libarchive to 3.6.0
This bug was fixed in the package libarchive - 3.6.0-1ubuntu1

---
libarchive (3.6.0-1ubuntu1) jammy; urgency=medium

  * Sync with Debian. (LP: #1967127)
    - Includes upstream fixes for CVE-2021-36976
  * debian/rules: fix broken check for nocheck DEB_BUILD_OPTION
  * SECURITY UPDATE: possible out-of-bounds read
    - Cherry-pick CVE-2022-26280.patch to fix zipx_lzma_alone_init()
    - CVE-2022-26280

libarchive (3.6.0-1) unstable; urgency=medium

  * New upstream version (Closes: #1007120):
    - update the upstream copyright information
    - drop some patches that were taken from the upstream source:
      - lzip-large-dict
      - upstream-fix-32bit-size-cast
      - upstream-fixup-file-flags
      - upstream-fixup-symlinks
    - add another spelling correction to the typos patch
    - update the line numbers in the typos patch
  * Add the year 2022 to my debian/* copyright notice.
  * Reorder the copyright file so that it makes sense.

 -- Jeremy Bicha  Wed, 06 Apr 2022 16:33:16 -0400

** Changed in: libarchive (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-36976

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-26280
[Bug 1967127] Re: [FFe] update libarchive to 3.6.0
** Changed in: libarchive (Ubuntu)
     Assignee: (unassigned) => Jeremy Bicha (jbicha)

** Changed in: evince (Ubuntu)
     Assignee: (unassigned) => Jeremy Bicha (jbicha)

** Changed in: libarchive (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: evince (Ubuntu)
       Status: New => In Progress
[Bug 1967127] Re: [FFe] update libarchive to 3.6.0
> https://github.com/libarchive/libarchive/releases/tag/v3.6.0

This looks fine.

> https://github.com/libarchive/libarchive/compare/v3.5.2...v3.6.0

I'm not reading this. An FFe request should include a human-readable
*summary* of upstream feature-freeze-breaking that may introduce risk of
regression; a git log is not that.

FFe granted.

** Changed in: libarchive (Ubuntu)
       Status: New => Triaged
[Bug 1967127] Re: [FFe] update libarchive to 3.6.0
** Description changed: - . + I request a Feature Freeze Exception to update libarchive from 3.5.2 to + 3.6.0 and build evince with libarchive 3.6. + + This will allow us to drop 2 revert commits we added to evince to build with the older libarchive. + https://salsa.debian.org/gnome-team/evince/-/commit/badb5b65b + + Changes + --- + https://github.com/libarchive/libarchive/releases/tag/v3.6.0 + https://github.com/libarchive/libarchive/compare/v3.5.2...v3.6.0 + + Other Changes + - + 1. I am cherry-picking a security fix for CVE-2022-26280 + 2. debian/rules was only running dh_auto_test if 'check' was set in DEB_BUILD_OPTIONS. I am changing that to only run if 'nocheck' is not set. That way we run the build tests by default. + + I'm forwarding both those changes to Debian soon. + + Build logs + -- + https://launchpad.net/~jbicha/+archive/ubuntu/arch/+sourcepub/13404994/+listing-archive-extra + + https://buildd.debian.org/status/package.php?p=evince + + Testing done + + No errors in the install logs + + Evince still works fine to open a variety of PDFs and a .cbz file I have. + File Roller still works fine to open a variety of compressed file types. ** Also affects: evince (Ubuntu) Importance: Undecided Status: New ** Description changed: I request a Feature Freeze Exception to update libarchive from 3.5.2 to 3.6.0 and build evince with libarchive 3.6. This will allow us to drop 2 revert commits we added to evince to build with the older libarchive. https://salsa.debian.org/gnome-team/evince/-/commit/badb5b65b Changes --- https://github.com/libarchive/libarchive/releases/tag/v3.6.0 https://github.com/libarchive/libarchive/compare/v3.5.2...v3.6.0 Other Changes - - 1. I am cherry-picking a security fix for CVE-2022-26280 - 2. debian/rules was only running dh_auto_test if 'check' was set in DEB_BUILD_OPTIONS. I am changing that to only run if 'nocheck' is not set. That way we run the build tests by default. + 1. 
libarchive: I am cherry-picking a security fix for CVE-2022-26280 + 2. libarchive: debian/rules was only running dh_auto_test if 'check' was set in DEB_BUILD_OPTIONS. I am changing that to only run if 'nocheck' is not set. That way we run the build tests by default. I'm forwarding both those changes to Debian soon. Build logs -- https://launchpad.net/~jbicha/+archive/ubuntu/arch/+sourcepub/13404994/+listing-archive-extra https://buildd.debian.org/status/package.php?p=evince Testing done No errors in the install logs Evince still works fine to open a variety of PDFs and a .cbz file I have. File Roller still works fine to open a variety of compressed file types.