
package/libarchive: security bump to v3.8.1

This fixes the following CVEs:

- CVE-2025-5914
    Libarchive: double free at archive_read_format_rar_seek_data()
    in archive_read_support_format_rar.c
    https://www.cve.org/CVERecord?id=CVE-2025-5914

- CVE-2025-5915
    Libarchive: heap buffer over read in copy_from_lzss_window()
    at archive_read_support_format_rar.c
    https://www.cve.org/CVERecord?id=CVE-2025-5915

- CVE-2025-5916
    Libarchive: integer overflow while reading warc files
    at archive_read_support_format_warc.c
    https://www.cve.org/CVERecord?id=CVE-2025-5916

- CVE-2025-5917
    Libarchive: off by one error in build_ustar_entry_name()
    at archive_write_set_format_pax.c
    https://www.cve.org/CVERecord?id=CVE-2025-5917

- CVE-2025-5918
    Libarchive: reading past eof may be triggered for piped file streams
    https://www.cve.org/CVERecord?id=CVE-2025-5918

See the release notes:
- https://github.com/libarchive/libarchive/releases/tag/v3.8.0
- https://github.com/libarchive/libarchive/releases/tag/v3.8.1

In addition to the version bump, the following changes are required:
- The COPYING file has been edited upstream because of a filename change in a
  sub-licensed component; see
  https://github.com/libarchive/libarchive/commit/c26f0377457db392bd57a640e8fe25506120f810
- The upstream "sha256sums" is currently unavailable, so the archive checksum
  has been computed locally
- Drop patches for libiconv in configure.ac, which has been properly addressed
  upstream in https://github.com/libarchive/libarchive/pull/2611
- Following the above, AUTORECONF is not needed any longer
- Drop mbedtls patch that has been applied upstream

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Titouan Christophe 1 月之前
当前提交
95db5707df

+ 0 - 31
package/libarchive/0001-Revert-Only-add-iconv-to-the-.pc-file-if-needed-1825.patch

@@ -1,31 +0,0 @@
-From 3879afd473a256173cc626e16293f3fe8875f2d6 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sat, 6 Jan 2024 09:53:23 +0100
-Subject: [PATCH] Revert "Only add "iconv" to the .pc file if needed (#1825)"
-
-This reverts commit 1f35c466aaa9444335a1b854b0b7223b0d2346c2.
-
-Upstream: no dedicated PR for this revert but there is already plenty of PRs/issues to fix iconv build ...
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- configure.ac | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 93f7af94..204a4e69 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -455,9 +455,7 @@ if test "x$with_iconv" != "xno"; then
-     AC_CHECK_HEADERS([localcharset.h])
-     am_save_LIBS="$LIBS"
-     LIBS="${LIBS} ${LIBICONV}"
--    if test -n "$LIBICONV"; then
--      LIBSREQUIRED="$LIBSREQUIRED${LIBSREQUIRED:+ }iconv"
--    fi
-+    LIBSREQUIRED="$LIBSREQUIRED${LIBSREQUIRED:+ }iconv"
-     AC_CHECK_FUNCS([locale_charset])
-     LIBS="${am_save_LIBS}"
-     if test "x$ac_cv_func_locale_charset" != "xyes"; then
--- 
-2.43.0
-

+ 0 - 27
package/libarchive/0002-autotools-do-not-add-iconv-for-Requires.private.patch

@@ -1,27 +0,0 @@
-From 619c1be8d38ff79622db8f66f3b02832795315f9 Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail@eworm.de>
-Date: Wed, 14 Dec 2022 09:04:39 +0100
-Subject: [PATCH] autotools: do not add iconv for Requires.private
-
-There is no pkgconfig file for iconv, thus things break with this
-change. Let's drop iconv from Requires.private.
-
-Fixes: a83f3d32 ("autotools: Fix static linking when openssl is enabled in windows")
-Upstream: https://github.com/libarchive/libarchive/pull/1817/commits/619c1be8d38ff79622db8f66f3b02832795315f9
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- configure.ac | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 99bff20d1..f245d0c55 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -455,7 +455,6 @@ if test "x$with_iconv" != "xno"; then
-     AC_CHECK_HEADERS([localcharset.h])
-     am_save_LIBS="$LIBS"
-     LIBS="${LIBS} ${LIBICONV}"
--    LIBSREQUIRED="$LIBSREQUIRED${LIBSREQUIRED:+ }iconv"
-     AC_CHECK_FUNCS([locale_charset])
-     LIBS="${am_save_LIBS}"
-     if test "x$ac_cv_func_locale_charset" != "xyes"; then

+ 0 - 238
package/libarchive/0003-Fix-mbedtls-version-3-compatibility-2602.patch

@@ -1,238 +0,0 @@
-From 26ba5ee5d560d62ad05aa6819608fd21cbb962f9 Mon Sep 17 00:00:00 2001
-From: James Hilliard <james.hilliard1@gmail.com>
-Date: Thu, 15 May 2025 04:56:59 -0600
-Subject: [PATCH] Fix mbedtls version 3 compatibility (#2602)
-
-We need to use the new API for mbedtls 3 compatibility
-
-Fixes #2025
-
-Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
-Upstream: https://github.com/libarchive/libarchive/commit/63d7c24eeaa108ecc2ef258c0505eefdadaaaf35
----
- libarchive/archive_digest.c | 72 +++++++++++++++++++++++++++++++++++++
- 1 file changed, 72 insertions(+)
-
-diff --git a/libarchive/archive_digest.c b/libarchive/archive_digest.c
-index 33518740..03f0edd6 100644
---- a/libarchive/archive_digest.c
-+++ b/libarchive/archive_digest.c
-@@ -235,7 +235,11 @@ static int
- __archive_md5init(archive_md5_ctx *ctx)
- {
-   mbedtls_md5_init(ctx);
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_md5_starts(ctx) == 0)
-+#else
-   if (mbedtls_md5_starts_ret(ctx) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -245,7 +249,11 @@ static int
- __archive_md5update(archive_md5_ctx *ctx, const void *indata,
-     size_t insize)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_md5_update(ctx, indata, insize) == 0)
-+#else
-   if (mbedtls_md5_update_ret(ctx, indata, insize) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -254,7 +262,11 @@ __archive_md5update(archive_md5_ctx *ctx, const void *indata,
- static int
- __archive_md5final(archive_md5_ctx *ctx, void *md)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_md5_finish(ctx, md) == 0) {
-+#else
-   if (mbedtls_md5_finish_ret(ctx, md) == 0) {
-+#endif
-     mbedtls_md5_free(ctx);
-     return (ARCHIVE_OK);
-   } else {
-@@ -431,7 +443,11 @@ static int
- __archive_ripemd160init(archive_rmd160_ctx *ctx)
- {
-   mbedtls_ripemd160_init(ctx);
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_ripemd160_starts(ctx) == 0)
-+#else
-   if (mbedtls_ripemd160_starts_ret(ctx) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -441,7 +457,11 @@ static int
- __archive_ripemd160update(archive_rmd160_ctx *ctx, const void *indata,
-     size_t insize)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_ripemd160_update(ctx, indata, insize) == 0)
-+#else
-   if (mbedtls_ripemd160_update_ret(ctx, indata, insize) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -450,7 +470,11 @@ __archive_ripemd160update(archive_rmd160_ctx *ctx, const void *indata,
- static int
- __archive_ripemd160final(archive_rmd160_ctx *ctx, void *md)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_ripemd160_finish(ctx, md) == 0) {
-+#else
-   if (mbedtls_ripemd160_finish_ret(ctx, md) == 0) {
-+#endif
-     mbedtls_ripemd160_free(ctx);
-     return (ARCHIVE_OK);
-   } else {
-@@ -622,7 +646,11 @@ static int
- __archive_sha1init(archive_sha1_ctx *ctx)
- {
-   mbedtls_sha1_init(ctx);
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha1_starts(ctx) == 0)
-+#else
-   if (mbedtls_sha1_starts_ret(ctx) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -632,7 +660,11 @@ static int
- __archive_sha1update(archive_sha1_ctx *ctx, const void *indata,
-     size_t insize)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha1_update(ctx, indata, insize) == 0)
-+#else
-   if (mbedtls_sha1_update_ret(ctx, indata, insize) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -641,7 +673,11 @@ __archive_sha1update(archive_sha1_ctx *ctx, const void *indata,
- static int
- __archive_sha1final(archive_sha1_ctx *ctx, void *md)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha1_finish(ctx, md) == 0) {
-+#else
-   if (mbedtls_sha1_finish_ret(ctx, md) == 0) {
-+#endif
-     mbedtls_sha1_free(ctx);
-     return (ARCHIVE_OK);
-   } else {
-@@ -890,7 +926,11 @@ static int
- __archive_sha256init(archive_sha256_ctx *ctx)
- {
-   mbedtls_sha256_init(ctx);
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha256_starts(ctx, 0) == 0)
-+#else
-   if (mbedtls_sha256_starts_ret(ctx, 0) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -900,7 +940,11 @@ static int
- __archive_sha256update(archive_sha256_ctx *ctx, const void *indata,
-     size_t insize)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha256_update(ctx, indata, insize) == 0)
-+#else
-   if (mbedtls_sha256_update_ret(ctx, indata, insize) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -909,7 +953,11 @@ __archive_sha256update(archive_sha256_ctx *ctx, const void *indata,
- static int
- __archive_sha256final(archive_sha256_ctx *ctx, void *md)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha256_finish(ctx, md) == 0) {
-+#else
-   if (mbedtls_sha256_finish_ret(ctx, md) == 0) {
-+#endif
-     mbedtls_sha256_free(ctx);
-     return (ARCHIVE_OK);
-   } else {
-@@ -1130,7 +1178,11 @@ static int
- __archive_sha384init(archive_sha384_ctx *ctx)
- {
-   mbedtls_sha512_init(ctx);
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha512_starts(ctx, 1) == 0)
-+#else
-   if (mbedtls_sha512_starts_ret(ctx, 1) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -1140,7 +1192,11 @@ static int
- __archive_sha384update(archive_sha384_ctx *ctx, const void *indata,
-     size_t insize)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha512_update(ctx, indata, insize) == 0)
-+#else
-   if (mbedtls_sha512_update_ret(ctx, indata, insize) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -1149,7 +1205,11 @@ __archive_sha384update(archive_sha384_ctx *ctx, const void *indata,
- static int
- __archive_sha384final(archive_sha384_ctx *ctx, void *md)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha512_finish(ctx, md) == 0) {
-+#else
-   if (mbedtls_sha512_finish_ret(ctx, md) == 0) {
-+#endif
-     mbedtls_sha512_free(ctx);
-     return (ARCHIVE_OK);
-   } else {
-@@ -1394,7 +1454,11 @@ static int
- __archive_sha512init(archive_sha512_ctx *ctx)
- {
-   mbedtls_sha512_init(ctx);
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha512_starts(ctx, 0) == 0)
-+#else
-   if (mbedtls_sha512_starts_ret(ctx, 0) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -1404,7 +1468,11 @@ static int
- __archive_sha512update(archive_sha512_ctx *ctx, const void *indata,
-     size_t insize)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha512_update(ctx, indata, insize) == 0)
-+#else
-   if (mbedtls_sha512_update_ret(ctx, indata, insize) == 0)
-+#endif
-     return (ARCHIVE_OK);
-   else
-     return (ARCHIVE_FATAL);
-@@ -1413,7 +1481,11 @@ __archive_sha512update(archive_sha512_ctx *ctx, const void *indata,
- static int
- __archive_sha512final(archive_sha512_ctx *ctx, void *md)
- {
-+#if MBEDTLS_VERSION_NUMBER > 0x03000000
-+  if (mbedtls_sha512_finish(ctx, md) == 0) {
-+#else
-   if (mbedtls_sha512_finish_ret(ctx, md) == 0) {
-+#endif
-     mbedtls_sha512_free(ctx);
-     return (ARCHIVE_OK);
-   } else {
--- 
-2.34.1
-

+ 4 - 3
package/libarchive/libarchive.hash

@@ -1,4 +1,5 @@
-# From https://www.libarchive.de/downloads/sha256sums
-sha256  ed8b5732e4cd6e30fae909fb945cad8ff9cb7be5c6cdaa3944ec96e4a200c04c  libarchive-3.7.9.tar.xz
+# Locally computed after verifying the signature from
+# https://www.libarchive.de/downloads/libarchive-3.8.1.tar.xz.asc
+sha256  19f917d42d530f98815ac824d90c7eaf648e9d9a50e4f309c812457ffa5496b5  libarchive-3.8.1.tar.xz
 # Locally computed:
-sha256  b2cdf763345de2de34cebf54394df3c61a105c3b71288603c251f2fa638200ba  COPYING
+sha256  30e556b3959e3985d66efefec5eaac51d4995053caa1d3cffe6eb916f146f229  COPYING
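Review bot: The new comment above the tarball hash names the detached signature file but not the key it was verified against, so a maintainer re-checking this locally computed checksum later cannot confirm they are trusting the same signer. Since this section replaces the upstream-published sha256sums reference with a local computation, the key identity is the only remaining link to upstream provenance; a line such as `# verified against key <KEY_FINGERPRINT>` (placeholder, take the value from the verification output) would make the check repeatable. The commit message says the upstream sha256sums file is only temporarily unavailable, so it may be worth noting in the comment that the upstream reference should be restored once it is published again.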

+ 1 - 5
package/libarchive/libarchive.mk

@@ -4,17 +4,13 @@
 #
 ################################################################################
 
-LIBARCHIVE_VERSION = 3.7.9
+LIBARCHIVE_VERSION = 3.8.1
 LIBARCHIVE_SOURCE = libarchive-$(LIBARCHIVE_VERSION).tar.xz
 LIBARCHIVE_SITE = https://www.libarchive.de/downloads
 LIBARCHIVE_INSTALL_STAGING = YES
 LIBARCHIVE_LICENSE = BSD-2-Clause, BSD-3-Clause, CC0-1.0, OpenSSL, Apache-2.0
 LIBARCHIVE_LICENSE_FILES = COPYING
 LIBARCHIVE_CPE_ID_VENDOR = libarchive
-# We're patching configure.ac
-LIBARCHIVE_AUTORECONF = YES
-# needed for autoreconf
-LIBARCHIVE_DEPENDENCIES += host-pkgconf
 
 ifeq ($(BR2_PACKAGE_LIBARCHIVE_BSDTAR),y)
 ifeq ($(BR2_STATIC_LIBS),y)