Security issues in libarchive

Hello, while working with CMake, I discovered that it uses an outdated version of libarchive which has some known security issues. Upon diffing with the latest version of libarchive, I found some patches that fix vulnerabilities in libarchive such as null pointer dereferencing. However, these security patches have not been propagated to CMake yet. I would like to suggest that CMake consider incorporating these patches into its latest version, as it would ensure more secure and stable software. Thanks.

If you are interested in reviewing the patches that haven’t been propagated into CMake, here are the links to (some) patches:

Thanks for the heads up. I’m not 100% familiar with how Brad has the third parties set up in CMake, so I’ll let him get to it when he’s back.

Cc: @brad.king

CMake MR 8431 updates to libarchive 3.6.2 to get those fixes.