chore(dependencies): update dependency libarchive/libarchive to v3.8.7

[renovate]

This PR contains the following updates:

Package	Update	Change
libarchive/libarchive	minor	v3.6.1 → v3.8.7

---

Release Notes

libarchive/libarchive (libarchive/libarchive)

v3.8.7: Libarchive 3.8.7

Compare Source

Libarchive 3.8.7 is a security and bugfix release.

Notable fixes:

• CAB: fix NULL pointer dereference during skip (#​2900)
• CAB: Fix Heap OOB Write in CAB LZX decoder (#​2919)
• cpio: various fixes and improvements (#​2899, #​2908, #​2910, #​2939)
• contrib/untar: fix out-of-bounds read (#​2903)
• iso9660: fix undefined behavior (#​2897)
• iso9660: fix posibble heap buffer overflow on 32-bit systems (#​2934)
• libarchive: fix handling of option failures (#​2871)
• libarchive: do not continue with truncated numbers (#​2911)
• libarchive: lzop and grzip filter support (#​2947)
• RAR: fix LZSS window size mismatch after PPMd block (#​2898)

Full Changelog: libarchive/libarchive@v3.8.6...v3.8.7

v3.8.6: Libarchive 3.8.6

Compare Source

Libarchive 3.8.6 is a security and bugfix release.

Notable fixes:

• libarchive: fix incompatibility with Nettle 4.x (#​2858)
• libarchive: fix NULL pointer dereference in archive_acl_from_text_w() (#​2859)
• bsdunzip: fix ISO week year and Gregorian year confusion (#​2860)
• 7zip: ix SEGV in check_7zip_header_in_sfx via ELF offset validation (#​2864)
• 7zip: fix out-of-bounds access on ELF 64-bit header (#​2875)
• RAR5 reader: fix infinite loop in rar5 decompression (#​2877)
• RAR5 reader: fix potential memory leak (#​2892)
• RAR5: fix SIGSEGV when archive_read_support_format_rar5 is called twice (#​2893)
• CAB reader: fix memory leak on repeated calls to archive_read_support_format_cab (#​2895)
• mtree reader: Fix file descriptor leak in mtree parser cleanup (CWE-775, #​2878)
• various small bugfixes in code and documentation

Full Changelog: libarchive/libarchive@v3.8.5...v3.8.6

v3.8.5: Libarchive 3.8.5

Compare Source

Libarchive 3.8.5 is a bugfix release.

Notable bugxies:

• bsdtar: fix regression from 3.8.4 zero-length pattern issue bugfix (#​2809)
• various small bugfixes in code and documentation

Full Changelog: libarchive/libarchive@v3.8.4...v3.8.5

v3.8.4: Libarchive 3.8.4

Compare Source

Libarchive 3.8.4 is a bugfix release.

Notable bugxies:

• bsdtar: Fix zero-length pattern issue (#​2787)
• lib: Fix regression introduced in libarchive 3.8.2 when walking enterable but unreadable directories (#​2797)

Full Changelog: libarchive/libarchive@v3.8.3...v3.8.4

v3.8.3: Libarchive 3.8.3

Compare Source

Libarchive 3.8.3 is a bugfix and security release.

Security fixes:

• lib: Create temporary files in the target directory (#​2753)
• lha: Fix for an out-of-bounds buffer overrun when using p[H_LEVEL_OFFSET] (#​2768)
• 7-zip: Fix a buffer overrun when reading truncated 7zip headers (#​2769)

Notable bugxies:

• lz4 and zstd: Support both lz4 and zstd data with leading skippable frames (#​2771)

Full Changelog: libarchive/libarchive@v3.8.2...v3.8.3

v3.8.2: Libarchive 3.8.2

Compare Source

Libarchive 3.8.2 is a bugfix and security release.

Security fixes:

• 7zip: Fix out of boundary access (#​2668)
• tar reader: fix checking the result of the strftime (#​2719, CVE-2025-25724)

Notable bugfixes:

• bsdtar: Allow filename to have CRLF endings (#​2717)
• lib: archive_read_data: handle sparse holes at end of file correctly (#​2665)
• lib: improve filter process handling (#​2659)
• lib: fix error checking in writing files (#​2672)
• lib: handle possible errors from system calls (#​2679)
• lib: avoid leaking file descriptors into subprocesses (#​2707)
• lib: parse_date: handle dates in 2038 and beyond if time_t is big enough (#​2742)
• RAR5 reader: fix multiple issues in extra field parsing function (#​2713)
• RAR5 reader: early fail when file declares data for a dir entry (#​2716)
• tar writer: fix replacing a regular file with a dir for ARCHIVE_EXTRACT_SAFE_WRITES (#​2477)
• tar reader (Windows): check WCS pathname in header_gnutar before overwriting (#​2740)
• tar reader: fix an infinite loop when parsing V headers (#​2737)
• zip writer: fix a memory leak if write callback error early (#​2664)
• zip writer: fix writing with ZSTD compression (#​2670)
• zstd write filter: enable Zstandard's checksum feature (#​2678)

Full Changelog: libarchive/libarchive@v3.8.1...v3.8.2

v3.8.1: Libarchive 3.8.1

Compare Source

Libarchive 3.8.1 is a bugfix release.

Notable bugfixes:
libarchive: fix FILE_skip regression (#​2642)
compress: Prevent call stack overflow (#​2649)
iso9660: always check archive_string_ensure return value (#​2651)
tar: Support negative time values with pax (#​2634)
tar: Reset accumulated header state after reading macOS metadata blob (#​2636)
tar: Keep block alignment after pax error (#​2637)
tar: Handle extra bytes after sparse entries (#​2643)
windows: check archive_wstring_ensure return value (#​2652)

Full Changelog: libarchive/libarchive@v3.8.0...v3.8.1

Thanks to all contributors and bug reporters!

v3.8.0: Libarchive 3.8.0

Compare Source

Libarchive 3.8.0 is a feature and bugfix release.

New features:
bsdtar: support --mtime and --clamp-mtime (#​2601)
lib: mbedtls 3.x compatibility (#​2602)
7-zip reader: improve self-extracting archive detection (#​2088)
xar: xmllite support for the XAR reader and writer (#​2388)
zip writer: added XZ, LZMA, ZSTD and BZIP2 support (#​2137, #​2284, #​2391)
zip writer: added LZMA + RISCV BCJ filter (#​2403)

Notable security fixes:
rar: do not skip past EOF while reading (#​2584 CVE-2025-5918)
rar: fix double free with over 4 billion nodes (#​2598 CVE-2025-5914)
rar: fix heap-buffer-overflow (#​2599 CVE-2025-5915)
warc: prevent signed integer overflow (#​2568 CVE-2025-5916)
tar: fix overflow in build_ustar_entry (#​2588 CVE-2025-5917)

Notable bugfixes:
bsdtar: don't hardlink negative inode files together (#​2587)
gz: allow setting the original filename for gzip compressed files (#​2544)
lib: improve lseek handling (#​2564)
lib: support @​-prefixed Unix epoch timestamps as date strings (#​2606)
rar: support large headers on 32 bit systems (#​2596)
tar reader: Improve LFS support on 32 bit systems (#​2582)

Full Changelog: libarchive/libarchive@v3.7.9...v3.8.0

Thanks to all contributors and bug reporters!

v3.7.9: Libarchive 3.7.9

Compare Source

Libarchive 3.7.9 is a bugfix release

Important bugfixes:

• a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed (#​2558)

Full Changelog: libarchive/libarchive@v3.7.8...v3.7.9

Thanks to all contributors and bug reporters!

v3.7.8: Libarchive 3.7.8

Compare Source

Libarchive 3.7.8 is a bugfix and security release

Security fixes:

• tar reader: Handle truncation in the middle of a GNU long linkname (#​2422, CVE-2024-57970)
• unzip: fix null pointer dereference (#​2532, CVE-2025-1632)
• tar reader: fix unchecked return value in list_item_verbose() (#​2532, CVE-2025-25724)

Important bugfixes:

• 7zip reader: add SPARC (#​2399) and POWERPC (#​2459) filter support for non-LZMA compressors
• tar reader: Ignore ustar size when pax size is present (#​2405)
• tar writer: Fix bug when -s/a/b/ used more than once with b flag (#​2435)
• cpio: Fix a Y2038 bug on Windows (#​2471)
• libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter (#​2519)
• libarchive: Adding missing seeker function to archive_read_open_FILE() (#​2539)

Full Changelog: libarchive/libarchive@v3.7.7...v3.7.8

Thanks to all contributors and bug reporters!

v3.7.7: Libarchive 3.7.7

Compare Source

Libarchive 3.7.7 is a bugfix and security release

Security fixes:

• gzip: prevent a hang when processing a malformed gzip inside a gzip (#​2366, OSS-Fuzz)
• tar: don't crash on truncated tar archives (#​2364, OSS-Fuzz)
• tar: fix two leaks in tar header parsing (#​2377)

Important bugfixes:

• 7-zip: read/write symlink paths as UTF-8 (#​2252)
• cpio: exit with an error code if an entry could not be extracted (#​2371)
• rar5: report encrypted entries (#​2096)
• tar: fix truncation of entry pathnames in specific archives (#​2360)
• windows: fix ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (#​2363)

Full Changelog: libarchive/libarchive@v3.7.6...v3.7.7

Thanks to all contributors and bug reporters!

v3.7.6: Libarchive 3.7.6

Compare Source

Libarchive 3.7.6 is a bugfix and security release.
This release fixes a tar regression introduced in libarchive 3.7.5 (#​2331, #​2337)

Important bugfixes.

• tar: clean up linkpath between entries (#​2343)
• tar: fix memory leaks when processing symlinks or parsing pax headers (#​2338)
• iso: be more cautious about parsing ISO-9660 timestamps (#​2330)

Full Changelog: libarchive/libarchive@v3.7.5...v3.7.6

Thanks to all contributors and bug reporters!

v3.7.5: Libarchive 3.7.5

Compare Source

Libarchive 3.7.5 is a bugfix and security release

Security fixes:

• fix multiple vulnerabilities identified by SAST (#​2251, #​2256)
• cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#​2258)
• lzop: prevent integer overflow (#​2174)
• rar4: protect copy_from_lzss_window_to_unp() (#​2172, CVE-2024-20696)
• rar4: fix CVE-2024-26256 (#​2269, CVS-2024-26256)
• rar4: fix OOB in delta and audio filter (#​2148, #​2149)
• rar4: fix out of boundary access with large files (#​2179)
• rar4: add boundary checks to rgb filter (#​2210)
• rar4: fix OOB access with unicode filenames (#​2203)
• rar5: clear 'data ready' cache on window buffer reallocs (#​2265)
• rpm: calculate huge header sizes correctly (#​2158)
• unzip: unify EOF handling (#​2175)
• util: fix out of boundary access in mktemp functions (#​2160)
• uu: stop processing if lines are too long (#​2168)

Important bugfixes:

• 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes (#​2245)
• ar: fix archive entries having no type (#​2290)
• lha: do not allow negative file sizes (#​2155)
• lha: fix integer truncation on 32-bit systems (#​2161)
• shar: check strdup return value (#​2173)
• rar5: don't try to read rediculously long names (#​2259)
• xar: fix another infinite loop and expat error handling (#​2150)
• many Windows fixes, cleanups and improvements

Full Changelog: libarchive/libarchive@v3.7.4...v3.7.5

Thanks to all contributors and bug reporters!

v3.7.4: Libarchive 3.7.4

Compare Source

Libarchive 3.7.4 is a bugfix and security release

Security fixes:

• rar: Fix OOB in rar e8 filter (#​2135) (CVE-2024-26256)
• zip: Fix out of boundary access (#​2145)

Important bugfixes:

• 7zip: Limit amount of properties (#​2131)
• bsdtar: Fix error handling around strtol() usages (#​2110)
• passphrase: Improve newline handling on Windows (#​2115)
• passphrase: Never allow empty passwords (#​2116)
• rar: Fix "File CRC Error" when extracting specific rar4 archives (#​2124)
• xar: Avoid infinite link loop (#​2123)
• zip: Update AppleDouble support for directories (#​2108)
• zstd: Implement core detection (#​2083, #​2071)

Thanks to all contributors and bug reporters!

v3.7.3: Libarchive 3.7.3

Compare Source

Libarchive 3.7.3 is a feature, security and bugfix release.

New features:

• PCRE2 support (#​2031)
• add trailing letter b to bsdtar(1) substitute pattern (#​2012)
• add support for long options "--group" and "--owner" to tar(1) (#​2054)

Security fixes:

• Fix possible vulnerability in tar error reporting introduced in f27c173 (#​2101)

Important bugfixes:

• ISO9660: preserve the natural order of links (#​1974)
• rar5: fix decoding unicode filenames on Windows (#​1978)
• rar5: fix infinite loop if during rar5 decompression the last block produced no data (#​2105)
• xz filter: fix incorrect eof at the end of an lzip member (#​2027)
• zip: fix end-of-data marker processing when decompressing zip archives (#​2042)
• multiple bsdunzip(1) fixes (#​2022, #​2030)
• filetime truncation fix on Windows (#​2050)

Thanks to all contributors and bug reporters.

v3.7.2: Libarchive 3.7.2

Compare Source

Libarchive 3.7.2 is a security, bugfix and feature release.

Security fixes:

• Multiple vulnerabilities have been fixed in the PAX writer (1b4e0d0)

Important bugfixes:

• bsdunzip(1) now correctly handles arguments following an -x after the zipfile

New features:

• bsdunzip(1) now supports the "--version" flag
• 7-zip reader now translates Windows permissions into UNIX permissions (#​1943)
• uudecode filter in raw mode now supports file name and file mode
• zstd filter now supports the "long" write option (#​1962)

v3.7.1: Libarchive 3.7.1

Compare Source

Libarchive 3.7.1 is a security, feature and bugfix release.

Security fixes:

• SEGV and stack buffer overflow in verbose mode of cpio (#​1934, #​1935)

Feature updates:

• bsdunzip updated to match latest upstream code (#​1926)

Important bugfixes:

• miscellaneous functional bugfixes (#​1731, #​1929, #​1930)
• build fixes on multiple platforms (Android #​1921, older MacOS X #​1919, #​1933 and others)

Thanks to all contributors and bug reporters.

v3.7.0: Libarchive 3.7.0

Compare Source

Libarchive 3.7.0 is a feature and bugfix release.

New features:

• bsdunzip: new tool ported from FreeBSD (#​1873)
  drop-in replacement for Info-ZIP unzip, not yet ported for Windows
• 7zip reader: support for Zstandard compression (#​1894)
• 7zip reader: support for ARM64 filter (#​1918)
• zstd filter: support for multi-frame zstd archives (#​1818)

Other notable bugfixes and improvements:

• pax: fix year 2038 problem on platforms with 64-bit time_t (#​1840)
• Windows: Universal Windows Platform (UWP) fixes and improvements (#​1879, #​1883, #​1885, #​1840)
• Windows: bcrypt usage fixes and improvements (#​1881, #​1887)
• Windows: time function usage fixes and improvements (#​1820, #​1824, #​1830)

Thanks to all contributors and bug reporters.

v3.6.2: Libarchive 3.6.2

Compare Source

Libarchive 3.6.2 is a bugfix and security release.

Important security fixes:

• NULL pointer dereference vulnerability in archive_write.c (#​1754, #​1759, CVE-2022-36227)

Important bug fixes:

• include ZSTD in Windows builds (#​1688)
• SSL fixes on Windows (#​1714, #​1723, #​1724)
• rar5 reader: fix possible garbled output with bsdtar -O (#​1745)
• mtree reader: support reading mtree files with tabs (#​1783)
• various small fixes for issues found by CodeQL

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: LIBARCHIVE_VERSION

Post-upgrade command 'echo 0 > VERSION' has not been added to the allowed list in allowedCommands