diff --git a/backport-CVE-2025-1632.patch b/backport-CVE-2025-1632.patch new file mode 100644 index 0000000..46c7d65 --- /dev/null +++ b/backport-CVE-2025-1632.patch @@ -0,0 +1,57 @@ +From 0a35ab97fae6fb9acecab46b570c14e3be1646e7 Mon Sep 17 00:00:00 2001 +From: Peter Kaestle +Date: Wed, 5 Mar 2025 15:34:44 +0100 +Subject: [PATCH] unzip/bsdunzip.c: fix NULL ptr dereference issue inside + list() + +Fix CVE-2025-1632 by detecting NULL return of archive_entry_pathname() +and replacing it by "INVALID PATH" string. + +Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc + +Signed-off-by: Peter Kaestle +--- + unzip/bsdunzip.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c +index 7c8cafc3e..4a9028b79 100644 +--- a/unzip/bsdunzip.c ++++ b/unzip/bsdunzip.c +@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e) + char buf[20]; + time_t mtime; + struct tm *tm; ++ const char *pathname; + + mtime = archive_entry_mtime(e); + tm = localtime(&mtime); +@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e) + else + strftime(buf, sizeof(buf), "%m-%d-%g %R", tm); + ++ pathname = archive_entry_pathname(e); ++ if (!pathname) ++ pathname = ""; + if (!zipinfo_mode) { + if (v_opt == 1) { + printf(" %8ju %s %s\n", + (uintmax_t)archive_entry_size(e), +- buf, archive_entry_pathname(e)); ++ buf, pathname); + } else if (v_opt == 2) { + printf("%8ju Stored %7ju 0%% %s %08x %s\n", + (uintmax_t)archive_entry_size(e), + (uintmax_t)archive_entry_size(e), + buf, + 0U, +- archive_entry_pathname(e)); ++ pathname); + } + } else { + if (Z1_opt) +- printf("%s\n",archive_entry_pathname(e)); ++ printf("%s\n", pathname); + } + ac(archive_read_data_skip(a)); + } diff --git a/backport-CVE-2025-25724.patch b/backport-CVE-2025-25724.patch new file mode 100644 index 0000000..1cbbfaa --- /dev/null +++ b/backport-CVE-2025-25724.patch @@ -0,0 +1,34 @@ +From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001 +From: Peter Kaestle +Date: Wed, 5 Mar 2025 15:01:14 +0100 +Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime + +Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf), +which could happen in case tim is incredible big. + +In case this error is triggered, put an "INVALID DATE" string into the +outbuf. + +Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug + +Signed-off-by: Peter Kaestle +--- + tar/util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tar/util.c b/tar/util.c +index 3b099cb5f..f3cbdf0bb 100644 +--- a/tar/util.c ++++ b/tar/util.c +@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry) + #else + ltime = localtime(&tim); + #endif +- strftime(tmp, sizeof(tmp), fmt, ltime); ++ if (ltime) ++ strftime(tmp, sizeof(tmp), fmt, ltime); ++ else ++ sprintf(tmp, "-- -- ----"); + fprintf(out, " %s ", tmp); + safe_fprintf(out, "%s", archive_entry_pathname(entry)); + diff --git a/libarchive.spec b/libarchive.spec index 5e1219c..22b967d 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -2,7 +2,7 @@ Name: libarchive Version: 3.7.1 -Release: 5 +Release: 6 Summary: Multi-format archive and compression library License: BSD URL: https://www.libarchive.org/ @@ -13,6 +13,8 @@ Patch6001: backport-CVE-2024-20696.patch Patch6002: backport-CVE-2024-26256-CVE-2024-43495.patch Patch6003: backport-CVE-2024-48957.patch Patch6004: backport-CVE-2024-48958.patch +Patch6005: backport-CVE-2025-1632.patch +Patch6006: backport-CVE-2025-25724.patch BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel BuildRequires: lzo-devel e2fsprogs-devel libacl-devel libattr-devel @@ -204,6 +206,12 @@ run_testsuite %{_mandir}/*/bsdunzip* %changelog +* Tue Mar 11 2025 lingsheng - 3.7.1-6 +- Type:CVE +- ID:CVE-2025-1632,CVE-2025-25724 +- SUG:NA +- DESC:fix CVE-2025-1632 CVE-2025-25724 + * Sat Oct 12 2024 lingsheng - 3.7.1-5 - Type:CVE - ID:CVE-2024-48957,CVE-2024-48958