Hi Peter,

On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: r...@ringlet.net
>
> [ Reason ]
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
>
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.
>
> [ Tests ]
> All the added patches are taken from upstream commits that
> include both the bugfixes and the testsuite additions to
> check for regressions.
>
> [ Risks ]
> The code is mostly easy to follow, the fixes are straightforward.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - correctly extract a hardlink to a symlink using the linkat(2)
> system call
> - do not change the ACLs on symlinks, since that would affect
> the symlink target instead
> - do not accidentally change the access mode of a symlink target
> when a change to the symlink's mode was intended
>
> [ Other info ]
> Thanks in advance for looking at this, and keep up the great work!
> diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog > --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.000000000 +0300 > +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.000000000 +0200 > @@ -1,3 +1,12 @@ > +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium > + > + * Add four upstream fixes for various problems: > + - fix extracting hardlinks to symlinks > + - fix handling of symlink ACLs; Closes: 1001986 > + - never follow symlinks when setting file flags; Closes: 1001990

While at it, can you as well add the CVE references to the debian/changelog?

Regards,
Salvatore
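Review bot: The changelog hunk at `@@ -1,3 +1,12 @@` identifies each fix only by a one-line description and, for two of them, a Debian bug number (`Closes: 1001986`, `Closes: 1001990`); since the [Tests] section states that every added patch is taken from an upstream commit, name the upstream commit id or the first upstream release containing each fix next to its bullet, so the stable update can be cross-checked against upstream without reading the patch headers. As a style point, the usual changelog form is `Closes: #1001986` with the `#` prefix, which dpkg accepts either way but which matches the rest of the archive.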