Package: libarchive / 3.7.4-4

Metadata

Package | Version | Patches format
libarchive | 3.7.4-4 | 3.0 (quilt)

Patch series

Patch | File delta | Description
typos.patch

CMakeLists.txt | 4 2 + 2 - 0 !
README.md | 4 2 + 2 - 0 !
libarchive/archive_read_support_filter_uu.c | 8 4 + 4 - 0 !
libarchive/archive_read_support_format_cpio.c | 6 3 + 3 - 0 !
libarchive/archive_read_support_format_mtree.c | 12 6 + 6 - 0 !
libarchive/archive_string.c | 4 2 + 2 - 0 !
libarchive/test/test_compat_lzip.c | 4 2 + 2 - 0 !
7 files changed, 21 insertions(+), 21 deletions(-)

 correct some typographical errors.
fix OOB in rar delta filter 2148.patch

libarchive/archive_read_support_format_rar.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 fix: oob in rar delta filter (#2148)
fix OOB in rar audio filter 2149.patch

libarchive/archive_read_support_format_rar.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 fix: oob in rar audio filter (#2149)
rar4 reader protect copy_from_lzss_window_to_unp 217.patch

libarchive/archive_read_support_format_rar.c | 28 18 + 10 - 0 !
1 file changed, 18 insertions(+), 10 deletions(-)

 rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
CVE 2025 1632 25724.patch

tar/util.c | 5 4 + 1 - 0 !
unzip/bsdunzip.c | 10 7 + 3 - 0 !
2 files changed, 11 insertions(+), 4 deletions(-)

 fix cve-2025-1632 and cve-2025-25724
CVE 2025 5914.patch

libarchive/archive_read_support_format_rar.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 rar: fix double free with over 4 billion nodes (#2598)
 If a system is capable of handling 4 billion nodes in memory, a double
 free could occur because of an unsigned integer overflow leading to a
 realloc call with size argument of 0. Eventually, the client will
 release that memory again, triggering a double free.
Bug-Debian: https://bugs.debian.org/1107621
CVE 2025 5915.patch

Makefile.am | 2 2 + 0 - 0 !
libarchive/archive_read_support_format_rar.c | 17 10 + 7 - 0 !
libarchive/test/CMakeLists.txt | 1 1 + 0 - 0 !
libarchive/test/test_read_format_rar_overflow.c | 48 48 + 0 - 0 !
libarchive/test/test_read_format_rar_overflow.rar.uu | 11 11 + 0 - 0 !
5 files changed, 72 insertions(+), 7 deletions(-)

 rar: fix heap-buffer-overflow (#2599)
 A filter block size must not be larger than the lzss window, which is
 defined by dictionary size, which in turn can be derived from unpacked
 file size.
 .
 While at it, improve error messages and fix lzss window wrap around
 logic.
 .
 Fixes https://github.com/libarchive/libarchive/issues/2565
Bug-Debian: https://bugs.debian.org/1107622
CVE 2025 5916.patch

Makefile.am | 1 1 + 0 - 0 !
libarchive/archive_read_support_format_warc.c | 7 5 + 2 - 0 !
libarchive/test/test_read_format_warc.c | 24 24 + 0 - 0 !
libarchive/test/test_read_format_warc_incomplete.warc.uu | 10 10 + 0 - 0 !
4 files changed, 40 insertions(+), 2 deletions(-)

 warc: prevent signed integer overflow (#2568)
 If a warc archive claims to have more than INT64_MAX - 4 content bytes,
 the inevitable failure to skip all these bytes could lead to parsing
 data which should be ignored instead.
 .
 The test case contains a conversation entry with that many bytes and if
 the entry is not properly skipped, the warc implementation would read
 the conversation data as a new file entry.
Bug-Debian: https://bugs.debian.org/1107623
CVE 2025 5917.patch

libarchive/archive_write_set_format_pax.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix overflow in build_ustar_entry (#2588)
 The calculations for the suffix and prefix can increment the endpoint
 for a trailing slash. Hence the limits used should be one lower than the
 maximum number of bytes.
 .
 Without this patch, when this happens for both the prefix and the
 suffix, we end up with 156 + 100 bytes, and the write of the null at the
 end will overflow the 256 byte buffer. This can be reproduced by running
 ```
 mkdir -p foo/bar
 bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
 ```
 when bsdtar is compiled with Address Sanitiser, although I originally
 noticed this by accident with a genuine filename on a CHERI capability
 system, which faults immediately on the buffer overflow.
Bug-Debian: https://bugs.debian.org/1107626