libarchive: updated to 3.8.6

Libarchive 3.8.6 is a security and bugfix release.

Notable fixes:

libarchive: fix incompatibility with Nettle 4.x
libarchive: fix NULL pointer dereference in archive_acl_from_text_w()
bsdunzip: fix ISO week year and Gregorian year confusion
7zip: ix SEGV in check_7zip_header_in_sfx via ELF offset validation
7zip: fix out-of-bounds access on ELF 64-bit header
RAR5 reader: fix infinite loop in rar5 decompression
RAR5 reader: fix potential memory leak
RAR5: fix SIGSEGV when archive_read_support_format_rar5 is called twice
CAB reader: fix memory leak on repeated calls to archive_read_support_format_cab
mtree reader: Fix file descriptor leak in mtree parser cleanup
various small bugfixes in code and documentation

Author: adam

archivers/libarchive/Makefile.common

@@ -1,8 +1,8 @@
-# $NetBSD: Makefile.common,v 1.26 2026/01/06 11:55:20 adam Exp $
+# $NetBSD: Makefile.common,v 1.27 2026/03/26 11:20:04 adam Exp $
 # used by archivers/bsdtar/Makefile
 # used by archivers/libarchive/Makefile
 
-DISTNAME=	libarchive-3.8.5
+DISTNAME=	libarchive-3.8.6
 CATEGORIES=	archivers
 MASTER_SITES=	https://www.libarchive.org/downloads/
 DISTFILES=	# empty

archivers/libarchive/files/Makefile.am

@@ -516,6 +516,7 @@ libarchive_test_SOURCES= \
 	libarchive/test/test_read_format_lha_bugfix_0.c \
 	libarchive/test/test_read_format_lha_filename.c \
 	libarchive/test/test_read_format_lha_filename_utf16.c \
+	libarchive/test/test_read_format_lha_oversize_header.c \
 	libarchive/test/test_read_format_mtree.c \
 	libarchive/test/test_read_format_mtree_crash747.c \
 	libarchive/test/test_read_format_pax_bz2.c \
@@ -528,6 +529,7 @@ libarchive_test_SOURCES= \
 	libarchive/test/test_read_format_rar_invalid1.c \
 	libarchive/test/test_read_format_rar_overflow.c \
 	libarchive/test/test_read_format_rar5.c \
+	libarchive/test/test_read_format_rar5_loop_bug.c \
 	libarchive/test/test_read_format_raw.c \
 	libarchive/test/test_read_format_tar.c \
 	libarchive/test/test_read_format_tar_V_negative_size.c \
@@ -829,9 +831,11 @@ libarchive_test_EXTRA_DIST=\
 	libarchive/test/test_read_format_7zip_lzma2_sparc.7z.uu \
 	libarchive/test/test_read_format_7zip_malformed.7z.uu \
 	libarchive/test/test_read_format_7zip_malformed2.7z.uu \
+	libarchive/test/test_read_format_7zip_malformed3.7z.uu \
 	libarchive/test/test_read_format_7zip_packinfo_digests.7z.uu \
 	libarchive/test/test_read_format_7zip_ppmd.7z.uu \
 	libarchive/test/test_read_format_7zip_sfx_elf.elf.uu \
+	libarchive/test/test_read_format_7zip_sfx_elf64trunc.elf.uu \
 	libarchive/test/test_read_format_7zip_sfx_modified_pe.exe.uu \
 	libarchive/test/test_read_format_7zip_sfx_pe.exe.uu \
 	libarchive/test/test_read_format_7zip_solid_zstd.7z.uu \
@@ -893,6 +897,7 @@ libarchive_test_EXTRA_DIST=\
 	libarchive/test/test_read_format_lha_lh0.lzh.uu \
 	libarchive/test/test_read_format_lha_lh6.lzh.uu \
 	libarchive/test/test_read_format_lha_lh7.lzh.uu \
+	libarchive/test/test_read_format_lha_oversize_header.lzh.uu \
 	libarchive/test/test_read_format_lha_withjunk.lzh.uu \
 	libarchive/test/test_read_format_mtree.mtree.uu \
 	libarchive/test/test_read_format_mtree_nomagic.mtree.uu \
@@ -947,6 +952,7 @@ libarchive_test_EXTRA_DIST=\
 	libarchive/test/test_read_format_rar5_invalid_dict_reference.rar.uu \
 	libarchive/test/test_read_format_rar5_leftshift1.rar.uu \
 	libarchive/test/test_read_format_rar5_leftshift2.rar.uu \
+	libarchive/test/test_read_format_rar5_loop_bug.rar.uu \
 	libarchive/test/test_read_format_rar5_multiarchive.part01.rar.uu \
 	libarchive/test/test_read_format_rar5_multiarchive.part02.rar.uu \
 	libarchive/test/test_read_format_rar5_multiarchive.part03.rar.uu \

archivers/libarchive/files/Makefile.in

@@ -1,3 +1,5 @@
+Mar 10, 2026: libarchive 3.8.6 released
+
 Jan 05, 2026: libarchive 3.8.5 released
 
 Dec 01, 2025: libarchive 3.8.4 released

archivers/libarchive/files/NEWS

@@ -642,6 +642,9 @@ typedef uint64_t uintmax_t;
 /* Define to 1 if you have the `getea' function. */
 #cmakedefine HAVE_GETEA 1
 
+/* Define to 1 if you have the `getegid' function. */
+#cmakedefine HAVE_GETEGID 1
+
 /* Define to 1 if you have the `geteuid' function. */
 #cmakedefine HAVE_GETEUID 1
 

archivers/libarchive/files/build/cmake/config.h.in

@@ -1 +1 @@
-3008005
+3008006

archivers/libarchive/files/build/version

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for libarchive 3.8.5.
+# Generated by GNU Autoconf 2.72 for libarchive 3.8.6.
 #
 # Report bugs to <libarchive-discuss@googlegroups.com>.
 #
@@ -614,8 +614,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='libarchive'
 PACKAGE_TARNAME='libarchive'
-PACKAGE_VERSION='3.8.5'
-PACKAGE_STRING='libarchive 3.8.5'
+PACKAGE_VERSION='3.8.6'
+PACKAGE_STRING='libarchive 3.8.6'
 PACKAGE_BUGREPORT='libarchive-discuss@googlegroups.com'
 PACKAGE_URL=''
 
@@ -1442,7 +1442,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-'configure' configures libarchive 3.8.5 to adapt to many kinds of systems.
+'configure' configures libarchive 3.8.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1513,7 +1513,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of libarchive 3.8.5:";;
+     short | recursive ) echo "Configuration of libarchive 3.8.6:";;
    esac
   cat <<\_ACEOF
 
@@ -1698,7 +1698,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-libarchive configure 3.8.5
+libarchive configure 3.8.6
 generated by GNU Autoconf 2.72
 
 Copyright (C) 2023 Free Software Foundation, Inc.
@@ -2518,7 +2518,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by libarchive $as_me 3.8.5, which was
+It was created by libarchive $as_me 3.8.6, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -4002,7 +4002,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='libarchive'
- VERSION='3.8.5'
+ VERSION='3.8.6'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -4099,15 +4099,15 @@ AM_DEFAULT_VERBOSITY=0
 
 # Libtool interface version bumps on any API change, so increments
 # whenever libarchive minor version does.
-ARCHIVE_MINOR=$(( (3008005 / 1000) % 1000 ))
+ARCHIVE_MINOR=$(( (3008006 / 1000) % 1000 ))
 # Libarchive 2.7 == libtool interface 9 = 2 + 7
 # Libarchive 2.8 == libtool interface 10 = 2 + 8
 # Libarchive 2.9 == libtool interface 11 = 2 + 9
 # Libarchive 3.0 == libtool interface 12
 # Libarchive 3.1 == libtool interface 13
 ARCHIVE_INTERFACE=`echo $((13 + ${ARCHIVE_MINOR}))`
 # Libarchive revision is bumped on any source change === libtool revision
-ARCHIVE_REVISION=$(( 3008005 % 1000 ))
+ARCHIVE_REVISION=$(( 3008006 % 1000 ))
 # Libarchive minor is bumped on any interface addition === libtool age
 ARCHIVE_LIBTOOL_VERSION=$ARCHIVE_INTERFACE:$ARCHIVE_REVISION:$ARCHIVE_MINOR
 
@@ -4116,33 +4116,33 @@ ARCHIVE_LIBTOOL_VERSION=$ARCHIVE_INTERFACE:$ARCHIVE_REVISION:$ARCHIVE_MINOR
 printf "%s\n" "#define __LIBARCHIVE_CONFIG_H_INCLUDED 1" >>confdefs.h
 
 
-printf "%s\n" "#define LIBARCHIVE_VERSION_STRING \"3.8.5\"" >>confdefs.h
+printf "%s\n" "#define LIBARCHIVE_VERSION_STRING \"3.8.6\"" >>confdefs.h
 
 
-printf "%s\n" "#define LIBARCHIVE_VERSION_NUMBER \"3008005\"" >>confdefs.h
+printf "%s\n" "#define LIBARCHIVE_VERSION_NUMBER \"3008006\"" >>confdefs.h
 
 
-printf "%s\n" "#define BSDCPIO_VERSION_STRING \"3.8.5\"" >>confdefs.h
+printf "%s\n" "#define BSDCPIO_VERSION_STRING \"3.8.6\"" >>confdefs.h
 
 
-printf "%s\n" "#define BSDTAR_VERSION_STRING \"3.8.5\"" >>confdefs.h
+printf "%s\n" "#define BSDTAR_VERSION_STRING \"3.8.6\"" >>confdefs.h
 
 
-printf "%s\n" "#define BSDCAT_VERSION_STRING \"3.8.5\"" >>confdefs.h
+printf "%s\n" "#define BSDCAT_VERSION_STRING \"3.8.6\"" >>confdefs.h
 
 
-printf "%s\n" "#define BSDUNZIP_VERSION_STRING \"3.8.5\"" >>confdefs.h
+printf "%s\n" "#define BSDUNZIP_VERSION_STRING \"3.8.6\"" >>confdefs.h
 
 
 # The shell variables here must be the same as the AC_SUBST() variables
 # below, but the shell variable names apparently cannot be the same as
 # the m4 macro names above.  Why?  Ask autoconf.
-BSDCPIO_VERSION_STRING=3.8.5
-BSDTAR_VERSION_STRING=3.8.5
-BSDCAT_VERSION_STRING=3.8.5
-BSDUNZIP_VERSION_STRING=3.8.5
-LIBARCHIVE_VERSION_STRING=3.8.5
-LIBARCHIVE_VERSION_NUMBER=3008005
+BSDCPIO_VERSION_STRING=3.8.6
+BSDTAR_VERSION_STRING=3.8.6
+BSDCAT_VERSION_STRING=3.8.6
+BSDUNZIP_VERSION_STRING=3.8.6
+LIBARCHIVE_VERSION_STRING=3.8.6
+LIBARCHIVE_VERSION_NUMBER=3008006
 
 # Substitute the above version numbers into the various files below.
 # Yes, I believe this is the fourth time we define what are essentially
@@ -26364,7 +26364,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by libarchive $as_me 3.8.5, which was
+This file was extended by libarchive $as_me 3.8.6, which was
 generated by GNU Autoconf 2.72.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -26432,7 +26432,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-libarchive config.status 3.8.5
+libarchive config.status 3.8.6
 configured by $0, generated by GNU Autoconf 2.72,
   with options \\"\$ac_cs_config\\"
 

archivers/libarchive/files/configure

@@ -4,8 +4,8 @@ dnl First, define all of the version numbers up front.
 dnl In particular, this allows the version macro to be used in AC_INIT
 
 dnl These first two version numbers are updated automatically on each release.
-m4_define([LIBARCHIVE_VERSION_S],[3.8.5])
-m4_define([LIBARCHIVE_VERSION_N],[3008005])
+m4_define([LIBARCHIVE_VERSION_S],[3.8.6])
+m4_define([LIBARCHIVE_VERSION_N],[3008006])
 
 dnl bsdtar and bsdcpio versioning tracks libarchive
 m4_define([BSDTAR_VERSION_S],LIBARCHIVE_VERSION_S())

archivers/libarchive/files/configure.ac

@@ -6,6 +6,13 @@
  */
 #include "test.h"
 
+#ifdef HAVE_GETEUID
+#define getuid() geteuid()
+#endif
+#ifdef HAVE_GETEGID
+#define getgid() getegid()
+#endif
+
 /* Number of bytes needed to pad 'n' to multiple of 'block', assuming
  * that 'block' is a power of two. This trick can be more easily
  * remembered as -n & (block - 1), but many compilers quite reasonably