Libarchive 3.2.0 released

Skip to first unread message

Tim Kientzle

May 1, 2016, 1:06:59 PM5/1/16
Libarchive 3.2.0 is a feature, bug fix, and security release.

This includes nearly 3 years of accumulated changes since the release of libarchive 3.1.2, including the following:

Security Fixes

CVE-2016-1541, aka TALOS-CAN-155: Libarchive 3.1.2 and early mishandle the "compressed" and "uncompressed" sizes in certain Zip archive entries in a way that would allow someone to overwrite parts of the heap in a controlled fashion.


* bsdcat: New command-line program automatically detects and decompresses a variety of files
* LZ4 compression
* Warc format support
* 'Raw' format writer
* Zip: Support archives >4GB, entries >4GB
* Zip: Support encrypting and decrypting entries
* Zip: Support experimental streaming extension
* Identify encrypted entries in several formats
* Libarchive now builds on AIX
* Libarchive now builds for Android
* New --clear-nochange-flags option to bsdtar tries to remove noschg and similar flags before deleting files
* New --ignore-zeros option to bsdtar to handle concatenated tar archives
* Use multi-threaded LZMA decompression if liblzma supports it
* Expose version info for libraries used by libarchive

Notable Bug Fixes

* Many crash bugs fixed
* Many test bugs fixed
* Fixes to several formats to correctly handle empty filenames
* Limit recursion when selecting decompression; don't crash on quines
* Improved handling of sparse files, including files that consist of only a single large hole
* Improved test for extraction through symlinks
* Remove some properties from "restricted pax" that prevent using libarchive to build bit-for-bit identical results.
* Reduce memory usage when reading corrupted RAR archives
* Warn if hardlink extraction fails due to a missing target
* Limit recursion when assembling directories from ISO images

Reply all
Reply to author
0 new messages