fix CVE-2025-1632 CVE-2025-25724

backport-CVE-2025-1632.patch

@@ -0,0 +1,57 @@
+From 0a35ab97fae6fb9acecab46b570c14e3be1646e7 Mon Sep 17 00:00:00 2001
+From: Peter Kaestle <peter@piie.net>
+Date: Wed, 5 Mar 2025 15:34:44 +0100
+Subject: [PATCH] unzip/bsdunzip.c: fix NULL ptr dereference issue inside
+ list()
+
+Fix CVE-2025-1632 by detecting NULL return of archive_entry_pathname()
+and replacing it by "INVALID PATH" string.
+
+Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc
+
+Signed-off-by: Peter Kaestle <peter@piie.net>
+---
+ unzip/bsdunzip.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
+index 7c8cafc3e..4a9028b79 100644
+--- a/unzip/bsdunzip.c
++++ b/unzip/bsdunzip.c
+@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e)
+ 	char buf[20];
+ 	time_t mtime;
+ 	struct tm *tm;
++	const char *pathname;
+ 
+ 	mtime = archive_entry_mtime(e);
+ 	tm = localtime(&mtime);
+@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e)
+ 	else
+ 		strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
+ 
++	pathname = archive_entry_pathname(e);
++	if (!pathname)
++		pathname = "";
+ 	if (!zipinfo_mode) {
+ 		if (v_opt == 1) {
+ 			printf(" %8ju  %s   %s\n",
+ 			    (uintmax_t)archive_entry_size(e),
+-			    buf, archive_entry_pathname(e));
++			    buf, pathname);
+ 		} else if (v_opt == 2) {
+ 			printf("%8ju  Stored  %7ju   0%%  %s  %08x  %s\n",
+ 			    (uintmax_t)archive_entry_size(e),
+ 			    (uintmax_t)archive_entry_size(e),
+ 			    buf,
+ 			    0U,
+-			    archive_entry_pathname(e));
++			    pathname);
+ 		}
+ 	} else {
+ 		if (Z1_opt)
+-			printf("%s\n",archive_entry_pathname(e));
++			printf("%s\n", pathname);
+ 	}
+ 	ac(archive_read_data_skip(a));
+ }

backport-CVE-2025-25724.patch

@@ -0,0 +1,34 @@
+From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
+From: Peter Kaestle <peter@piie.net>
+Date: Wed, 5 Mar 2025 15:01:14 +0100
+Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime
+
+Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
+which could happen in case tim is incredible big.
+
+In case this error is triggered, put an "INVALID DATE" string into the
+outbuf.
+
+Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
+
+Signed-off-by: Peter Kaestle <peter@piie.net>
+---
+ tar/util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tar/util.c b/tar/util.c
+index 3b099cb5f..f3cbdf0bb 100644
+--- a/tar/util.c
++++ b/tar/util.c
+@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
+ #else
+ 	ltime = localtime(&tim);
+ #endif
+-	strftime(tmp, sizeof(tmp), fmt, ltime);
++	if (ltime)
++		strftime(tmp, sizeof(tmp), fmt, ltime);
++	else
++		sprintf(tmp, "-- -- ----");
+ 	fprintf(out, " %s ", tmp);
+ 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
+ 

libarchive.spec

@@ -2,7 +2,7 @@
 
 Name:           libarchive
 Version:        3.7.1
-Release:        5
+Release:        6
 Summary:        Multi-format archive and compression library
 License:        BSD
 URL:            https://www.libarchive.org/
@@ -13,6 +13,8 @@ Patch6001:      backport-CVE-2024-20696.patch
 Patch6002:      backport-CVE-2024-26256-CVE-2024-43495.patch
 Patch6003:      backport-CVE-2024-48957.patch
 Patch6004:      backport-CVE-2024-48958.patch
+Patch6005:      backport-CVE-2025-1632.patch
+Patch6006:      backport-CVE-2025-25724.patch
 
 BuildRequires:  gcc bison sharutils zlib-devel bzip2-devel xz-devel
 BuildRequires:  lzo-devel e2fsprogs-devel libacl-devel libattr-devel
@@ -204,6 +206,12 @@ run_testsuite
 %{_mandir}/*/bsdunzip*
 
 %changelog
+* Tue Mar 11 2025 lingsheng <lingsheng1@h-partners.com> - 3.7.1-6
+- Type:CVE
+- ID:CVE-2025-1632,CVE-2025-25724
+- SUG:NA
+- DESC:fix CVE-2025-1632 CVE-2025-25724
+
 * Sat Oct 12 2024 lingsheng <lingsheng1@h-partners.com> - 3.7.1-5
 - Type:CVE
 - ID:CVE-2024-48957,CVE-2024-48958