Hi Peter,

On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Apr 2025 11:34:57 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-2
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Closes: 1103494
Changes:
libarchive (3.7.4-2) unstable; urgency=high
.
* Acknowledge NMU; thanks, Salvatore!
* Point to the debian/trixie branch in the gbp.conf file since
the master branch in the repository already contains changes that
did not make it in time for the Trixie freeze.
* Add the CVE-2025-1632 patch. Closes: #1103494
* Add the year 2025 to my debian/* copyright notice.

Was there a reason not to pick the upstream commited https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a
?

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, Apr 26, 2025 at 11:36:46AM +0200, Salvatore Bonaccorso wrote:

Hi Peter,

On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Apr 2025 11:34:57 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-2
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Closes: 1103494
Changes:
libarchive (3.7.4-2) unstable; urgency=high
.
* Acknowledge NMU; thanks, Salvatore!
* Point to the debian/trixie branch in the gbp.conf file since
the master branch in the repository already contains changes that
did not make it in time for the Trixie freeze.
* Add the CVE-2025-1632 patch. Closes: #1103494
* Add the year 2025 to my debian/* copyright notice.

Was there a reason not to pick the upstream commited https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a
?

That was actually a very good question. The only reason I can give you
is that I had a bit of a neuron misfire and made a silly mistake -
I had two versions of the patch ready for testing and somehow I forgot
which one was which, and I kept forgetting even after adding it to
my copy of the package.

So, yeah... Later today or tomorrow I will upload a new version of
libarchive with the upstream patch instead of this one,

Thanks a lot for catching this, I really have no idea how it happened.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
PGP key: https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmgMtKwACgkQZR7vsCUn 3xP7/BAAsxvoLRlHR5jRRdjxNaZqPW3WTMNutEggs131vUOK2n42K+TYiQiQsqak sfh6f3z5VQReodIeJUB7cI7wAC1GrKsymK2sWkBxcFJU19ClHcQhCbd4lt0+wTU2 b4JN6AkWFkNp9k4kdK/K7ZsK8aGRiKhYXQeNshKCd6PAM7x07O4bYzt6n9VxOPNX PtHG3xZiDjdM3NbLlsV8jTzVtWP5WspRfgT5O2cQkGMiej+bnXeJogzgWRp5/EwX J/hMBXWt+ZMtn/1dsnWxR5ha/AjLxcnO8O3g7f5Z7yioZVs12j6rwLzqEhAi/hCC rHD0sVbfj31EvnUnGaxH731aoTp6xD/rXbOjCoQgA7kovq8R0hx7wYxzGHEDRbyJ rBacBmAuQEgJBpbePaqhR17+pxdwdetBbWxbt/MNJ+dS/yD8AwOxaCDvDThdxZl7 yW7aaP74vJCifuFxu+sB1mvp+mkqp6c6VHsfTsCCnZQbuDE5OrD/c6vhw30PuvZC qnv+ewpRCcVLS9usrduHYdw/+bp5QZTtAYfMuHpTO5n067JRT4dyz+eG/IrtwwQR RNttvyGDp6cFKXre7Ls0alQpQqsSt42ffTIC4JQJx6dwZFK7XSecXILpNswLZyRD YNjMtlv/K/kz+WdQGEsu9F+rF8B38YQD7whqN+g6SEhExRyv1L8=
=2ANd

On Sat, Apr 26, 2025 at 01:25:52PM +0300, Peter Pentchev wrote:

On Sat, Apr 26, 2025 at 11:36:46AM +0200, Salvatore Bonaccorso wrote:

Hi Peter,

On Sat, Apr 26, 2025 at 09:20:46AM +0000, Debian FTP Masters wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Apr 2025 11:34:57 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-2
Distribution: unstable
Urgency: high
Maintainer: Peter Pentchev <roam@debian.org>
Changed-By: Peter Pentchev <roam@debian.org>
Closes: 1103494
Changes:
libarchive (3.7.4-2) unstable; urgency=high
.
* Acknowledge NMU; thanks, Salvatore!
* Point to the debian/trixie branch in the gbp.conf file since
the master branch in the repository already contains changes that
did not make it in time for the Trixie freeze.
* Add the CVE-2025-1632 patch. Closes: #1103494
* Add the year 2025 to my debian/* copyright notice.

Was there a reason not to pick the upstream commited https://github.com/libarchive/libarchive/commit/8ce2aca6c7d6f004f860c6619cb6cc98d51ac69a
?

That was actually a very good question. The only reason I can give you
is that I had a bit of a neuron misfire and made a silly mistake -
I had two versions of the patch ready for testing and somehow I forgot
which one was which, and I kept forgetting even after adding it to
my copy of the package.

So, yeah... Later today or tomorrow I will upload a new version of
libarchive with the upstream patch instead of this one,

Thanks a lot for catching this, I really have no idea how it happened.

Right, so I uploaded libarchive/3.7.4-3 and, um, Salvatore, I'm sorry that
that even though it is kinda sorta in the name of the new patch, again
I forgot to mention CVE-2025-25724 by name in the changelog entry :/

Thanks again for spotting this and pointing it out!

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
PGP key: https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmgOqngACgkQZR7vsCUn 3xMOHA/+JBFJvKT/JZCoF1WXxQX8xua49tyqrZV4iLm2b6yAS8A9nPkg+pVzCK47 nXslFkWTdY7mTmym29E+A3KZDzmb1jkcvtZvfx9YmS4VH5MSGC7/mUNwscKxUDgY Yq3ddp5fDSgoWPrhb88/anSJgDv1Q0F5V7KpSmgleCwJcmEMH/SGhqu0OccYUUNA v4AJF/aMj7FBc0TesLEsuupuvMz/AuVvZGpSDyYORZzWTRgbpEm8Kbh1qV9Wewhj zCM4+d8jXzo0i+QCKln9PzEADfex8aHkAxRsSF0hGeCFv1jN3quCKH0B2zcbggNH Z2WFb5gx2y6TC1rgyD89bUWayb/fEIrjpAi8LvUpHyZcvc4GRD+J7m66WUJ83/3V w3Im0pqwYRJWY0Aaj9H8kG17iRv4Yu1QknQrQHSGJ630/OAN3qD8qhBmOyp3Mcxt t/R4Yi0BbEijtyd3J/L9rfaJHuJXV7eP9oZ/cC9YCLdBJtIaADML4xyv5PrkTFpt qQSq8qaOzbssI1KfY2nAAeIVomBFgAZLVqSn6Gtw8LUfDtlECpPWitkz00UkIHbi NzNvULaLNz+suJOFN3Ls6p1wuVOQhzgHsAIOhD2MOJFjjkbq9/AVx0I+lkOv9PoO lLCykvCjenBPfwEtxb0NOQcli/539wQK9VYJQRRP8UsO70CkuDg=
=ZFki