Releases: libarchive/libarchive

Libarchive 3.8.2

15 Oct 22:25
v3.8.2

Libarchive 3.8.2 is a bugfix and security release.

Security fixes:

Notable bugfixes:

  • bsdtar: Allow filename to have CRLF endings (#2717)
  • lib: archive_read_data: handle sparse holes at end of file correctly (#2665)
  • lib: improve filter process handling (#2659)
  • lib: fix error checking in writing files (#2672)
  • lib: handle possible errors from system calls (#2679)
  • lib: avoid leaking file descriptors into subprocesses (#2707)
  • lib: parse_date: handle dates in 2038 and beyond if time_t is big enough (#2742)
  • RAR5 reader: fix multiple issues in extra field parsing function (#2713)
  • RAR5 reader: early fail when file declares data for a dir entry (#2716)
  • tar writer: fix replacing a regular file with a dir for ARCHIVE_EXTRACT_SAFE_WRITES (#2477)
  • tar reader (Windows): check WCS pathname in header_gnutar before overwriting (#2740)
  • tar reader: fix an infinite loop when parsing V headers (#2737)
  • zip writer: fix a memory leak if the write callback errors early (#2664)
  • zip writer: fix writing with ZSTD compression (#2670)
  • zstd write filter: enable Zstandard's checksum feature (#2678)

Full Changelog: v3.8.1...v3.8.2

Libarchive 3.8.1

01 Jun 20:00
v3.8.1

Libarchive 3.8.1 is a bugfix release.

Notable bugfixes:

  • libarchive: fix FILE_skip regression (#2642)
  • compress: Prevent call stack overflow (#2649)
  • iso9660: always check archive_string_ensure return value (#2651)
  • tar: Support negative time values with pax (#2634)
  • tar: Reset accumulated header state after reading macOS metadata blob (#2636)
  • tar: Keep block alignment after pax error (#2637)
  • tar: Handle extra bytes after sparse entries (#2643)
  • windows: check archive_wstring_ensure return value (#2652)

Full Changelog: v3.8.0...v3.8.1

Thanks to all contributors and bug reporters!

Libarchive 3.8.0

20 May 10:31
v3.8.0

Libarchive 3.8.0 is a feature and bugfix release.

New features:

  • bsdtar: support --mtime and --clamp-mtime (#2601)
  • lib: mbedtls 3.x compatibility (#2602)
  • 7-zip reader: improve self-extracting archive detection (#2088)
  • xar: xmllite support for the XAR reader and writer (#2388)
  • zip writer: added XZ, LZMA, ZSTD and BZIP2 support (#2137, #2284, #2391)
  • zip writer: added LZMA + RISCV BCJ filter (#2403)

Notable security fixes:

  • rar: do not skip past EOF while reading (#2584, CVE-2025-5918)
  • rar: fix double free with over 4 billion nodes (#2598, CVE-2025-5914)
  • rar: fix heap-buffer-overflow (#2599, CVE-2025-5915)
  • warc: prevent signed integer overflow (#2568, CVE-2025-5916)
  • tar: fix overflow in build_ustar_entry (#2588, CVE-2025-5917)

Notable bugfixes:

  • bsdtar: don't hardlink negative inode files together (#2587)
  • gz: allow setting the original filename for gzip compressed files (#2544)
  • lib: improve lseek handling (#2564)
  • lib: support @-prefixed Unix epoch timestamps as date strings (#2606)
  • rar: support large headers on 32 bit systems (#2596)
  • tar reader: Improve LFS support on 32 bit systems (#2582)

Full Changelog: v3.7.9...v3.8.0

Thanks to all contributors and bug reporters!

Libarchive 3.7.9

30 Mar 20:30
v3.7.9

Libarchive 3.7.9 is a bugfix release

Important bugfixes:

  • a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed (#2558)

Full Changelog: v3.7.8...v3.7.9

Thanks to all contributors and bug reporters!

Libarchive 3.7.8

20 Mar 10:20

Libarchive 3.7.8 is a bugfix and security release

Security fixes:

Important bugfixes:

  • 7zip reader: add SPARC (#2399) and POWERPC (#2459) filter support for non-LZMA compressors
  • tar reader: Ignore ustar size when pax size is present (#2405)
  • tar writer: Fix bug when -s/a/b/ used more than once with b flag (#2435)
  • cpio: Fix a Y2038 bug on Windows (#2471)
  • libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter (#2519)
  • libarchive: Add missing seeker function to archive_read_open_FILE() (#2539)

Full Changelog: v3.7.7...v3.7.8

Thanks to all contributors and bug reporters!

Libarchive 3.7.7

13 Oct 08:28
v3.7.7

Libarchive 3.7.7 is a bugfix and security release

Security fixes:

  • gzip: prevent a hang when processing a malformed gzip inside a gzip (#2366, OSS-Fuzz)
  • tar: don't crash on truncated tar archives (#2364, OSS-Fuzz)
  • tar: fix two leaks in tar header parsing (#2377)

Important bugfixes:

  • 7-zip: read/write symlink paths as UTF-8 (#2252)
  • cpio: exit with an error code if an entry could not be extracted (#2371)
  • rar5: report encrypted entries (#2096)
  • tar: fix truncation of entry pathnames in specific archives (#2360)
  • windows: fix ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (#2363)

Full Changelog: v3.7.6...v3.7.7

Thanks to all contributors and bug reporters!

Libarchive 3.7.6

23 Sep 09:43
v3.7.6

Libarchive 3.7.6 is a bugfix and security release.
This release fixes a tar regression introduced in libarchive 3.7.5 (#2331, #2337)

Important bugfixes:

  • tar: clean up linkpath between entries (#2343)
  • tar: fix memory leaks when processing symlinks or parsing pax headers (#2338)
  • iso: be more cautious about parsing ISO-9660 timestamps (#2330)

Full Changelog: v3.7.5...v3.7.6

Thanks to all contributors and bug reporters!

Libarchive 3.7.5

13 Sep 21:09

Libarchive 3.7.5 is a bugfix and security release

Security fixes:

  • fix multiple vulnerabilities identified by SAST (#2251, #2256)
  • cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
  • lzop: prevent integer overflow (#2174)
  • rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
  • rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
  • rar4: fix OOB in delta and audio filter (#2148, #2149)
  • rar4: fix out of boundary access with large files (#2179)
  • rar4: add boundary checks to rgb filter (#2210)
  • rar4: fix OOB access with unicode filenames (#2203)
  • rar5: clear 'data ready' cache on window buffer reallocs (#2265)
  • rpm: calculate huge header sizes correctly (#2158)
  • unzip: unify EOF handling (#2175)
  • util: fix out of boundary access in mktemp functions (#2160)
  • uu: stop processing if lines are too long (#2168)

Important bugfixes:

  • 7zip: fix issue when skipping first file in 7zip archive that is a multiple of 65536 bytes (#2245)
  • ar: fix archive entries having no type (#2290)
  • lha: do not allow negative file sizes (#2155)
  • lha: fix integer truncation on 32-bit systems (#2161)
  • shar: check strdup return value (#2173)
  • rar5: don't try to read ridiculously long names (#2259)
  • xar: fix another infinite loop and expat error handling (#2150)
  • many Windows fixes, cleanups and improvements

Full Changelog: v3.7.4...v3.7.5

Thanks to all contributors and bug reporters!

Libarchive 3.7.4

26 Apr 10:03

Libarchive 3.7.4 is a bugfix and security release

Security fixes:

Important bugfixes:

  • 7zip: Limit amount of properties (#2131)
  • bsdtar: Fix error handling around strtol() usages (#2110)
  • passphrase: Improve newline handling on Windows (#2115)
  • passphrase: Never allow empty passwords (#2116)
  • rar: Fix "File CRC Error" when extracting specific rar4 archives (#2124)
  • xar: Avoid infinite link loop (#2123)
  • zip: Update AppleDouble support for directories (#2108)
  • zstd: Implement core detection (#2083, #2071)

Thanks to all contributors and bug reporters!

Libarchive 3.7.3

08 Apr 10:14

Libarchive 3.7.3 is a feature, security and bugfix release.

New features:

  • PCRE2 support (#2031)
  • add trailing letter b to bsdtar(1) substitute pattern (#2012)
  • add support for long options "--group" and "--owner" to tar(1) (#2054)

Security fixes:

  • Fix possible vulnerability in tar error reporting introduced in f27c173 (#2101)

Important bugfixes:

  • ISO9660: preserve the natural order of links (#1974)
  • rar5: fix decoding unicode filenames on Windows (#1978)
  • rar5: fix infinite loop if during rar5 decompression the last block produced no data (#2105)
  • xz filter: fix incorrect eof at the end of an lzip member (#2027)
  • zip: fix end-of-data marker processing when decompressing zip archives (#2042)
  • multiple bsdunzip(1) fixes (#2022, #2030)
  • filetime truncation fix on Windows (#2050)

Thanks to all contributors and bug reporters.