Commit 3706907

[AUTO-CHERRYPICK] Patch libarchive for CVE-2025-1632, CVE-2025-25724 [Medium] - branch 3.0-dev (#13033)
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
1 parent b0001e4 commit 3706907

7 files changed

Lines changed: 111 additions & 11 deletions

Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
From 0a35ab97fae6fb9acecab46b570c14e3be1646e7 Mon Sep 17 00:00:00 2001
2+
From: Peter Kaestle <peter@piie.net>
3+
Date: Wed, 5 Mar 2025 15:34:44 +0100
4+
Subject: [PATCH] unzip/bsdunzip.c: fix NULL ptr dereference issue inside
5+
list()
6+
7+
Fix CVE-2025-1632 by detecting NULL return of archive_entry_pathname()
8+
and replacing it by "INVALID PATH" string.
9+
10+
Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc
11+
12+
Upstream Reference : https://github.com/libarchive/libarchive/pull/2532
13+
14+
Signed-off-by: Peter Kaestle <peter@piie.net>
15+
---
16+
unzip/bsdunzip.c | 10 +++++++---
17+
1 file changed, 7 insertions(+), 3 deletions(-)
18+
19+
diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
20+
index 7c8cafc3e..4a9028b79 100644
21+
--- a/unzip/bsdunzip.c
22+
+++ b/unzip/bsdunzip.c
23+
@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e)
24+
char buf[20];
25+
time_t mtime;
26+
struct tm *tm;
27+
+ const char *pathname;
28+
29+
mtime = archive_entry_mtime(e);
30+
tm = localtime(&mtime);
31+
@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e)
32+
else
33+
strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
34+
35+
+ pathname = archive_entry_pathname(e);
36+
+ if (!pathname)
37+
+ pathname = "";
38+
if (!zipinfo_mode) {
39+
if (v_opt == 1) {
40+
printf(" %8ju %s %s\n",
41+
(uintmax_t)archive_entry_size(e),
42+
- buf, archive_entry_pathname(e));
43+
+ buf, pathname);
44+
} else if (v_opt == 2) {
45+
printf("%8ju Stored %7ju 0%% %s %08x %s\n",
46+
(uintmax_t)archive_entry_size(e),
47+
(uintmax_t)archive_entry_size(e),
48+
buf,
49+
0U,
50+
- archive_entry_pathname(e));
51+
+ pathname);
52+
}
53+
} else {
54+
if (Z1_opt)
55+
- printf("%s\n",archive_entry_pathname(e));
56+
+ printf("%s\n", pathname);
57+
}
58+
ac(archive_read_data_skip(a));
59+
}
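Review bot: The NULL fallback in list() assigns `pathname = "";`, but the patch description says a NULL return from archive_entry_pathname() is replaced by the "INVALID PATH" string. With an empty string, the v_opt and Z1_opt branches print a row with no name at all, so a malformed entry is easy to miss in the listing. Either use a visible placeholder as the description states or correct the description so the two agree. A one-line comment above `if (!pathname)` noting that archive_entry_pathname() can return NULL would also help the next reader.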
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
2+
From: Peter Kaestle <peter@piie.net>
3+
Date: Wed, 5 Mar 2025 15:01:14 +0100
4+
Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime
5+
6+
Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
7+
which could happen in case tim is incredible big.
8+
9+
In case this error is triggered, put an "INVALID DATE" string into the
10+
outbuf.
11+
12+
Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
13+
14+
Upstream Reference : https://github.com/libarchive/libarchive/pull/2532
15+
16+
Signed-off-by: Peter Kaestle <peter@piie.net>
17+
---
18+
tar/util.c | 5 ++++-
19+
1 file changed, 4 insertions(+), 1 deletion(-)
20+
21+
diff --git a/tar/util.c b/tar/util.c
22+
index 3b099cb5f..f3cbdf0bb 100644
23+
--- a/tar/util.c
24+
+++ b/tar/util.c
25+
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
26+
#else
27+
ltime = localtime(&tim);
28+
#endif
29+
- strftime(tmp, sizeof(tmp), fmt, ltime);
30+
+ if (ltime)
31+
+ strftime(tmp, sizeof(tmp), fmt, ltime);
32+
+ else
33+
+ sprintf(tmp, "-- -- ----");
34+
fprintf(out, " %s ", tmp);
35+
safe_fprintf(out, "%s", archive_entry_pathname(entry));
36+
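Review bot: In the new else branch of list_item_verbose(), `sprintf(tmp, "-- -- ----");` writes into tmp with no size bound, while the strftime() call just above it passes sizeof(tmp). Using `snprintf(tmp, sizeof(tmp), "-- -- ----");` keeps the bound explicit and survives a later change to the buffer or the placeholder. The placeholder also differs from the description, which says an "INVALID DATE" string is put into the output buffer, so one of the two should be updated.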

SPECS/libarchive/libarchive.spec

Lines changed: 6 additions & 1 deletion
@@ -1,13 +1,15 @@
11
Summary: Multi-format archive and compression library
22
Name: libarchive
33
Version: 3.7.7
4-
Release: 1%{?dist}
4+
Release: 2%{?dist}
55
# Certain files have individual licenses. For more details see contents of "COPYING".
66
License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
77
Vendor: Microsoft Corporation
88
Distribution: Azure Linux
99
URL: https://www.libarchive.org/
1010
Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.gz
11+
Patch0: CVE-2025-1632.patch
12+
Patch1: CVE-2025-25724.patch
1113
Provides: bsdtar = %{version}-%{release}
1214

1315
BuildRequires: xz-libs
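Review bot: Patch0 and Patch1 are declared here, but neither hunk of this spec touches %prep, so the two CVE patches only reach the build if %prep already applies every declared patch (for example through `%autosetup -p1`). Please confirm that, or add the explicit patch application, since a declared but unapplied patch would ship release 2 with the fixes missing.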
@@ -60,6 +62,9 @@ make %{?_smp_mflags} check
6062
%{_libdir}/pkgconfig/*.pc
6163

6264
%changelog
65+
* Tue Mar 11 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.7.7-2
66+
- Patch CVE-2025-1632, CVE-2025-25724
67+
6368
* Tue Oct 15 2024 Nan Liu <liunan@microsoft.com> - 3.7.7-1
6469
- Upgrade to 3.7.7 - Fix CVE-2024-48957, CVE-2024-48958, CVE-2024-20696
6570
- Remove unused patches

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

Lines changed: 2 additions & 2 deletions
@@ -178,8 +178,8 @@ openssl-static-3.3.3-2.azl3.aarch64.rpm
178178
libcap-2.69-3.azl3.aarch64.rpm
179179
libcap-devel-2.69-3.azl3.aarch64.rpm
180180
debugedit-5.0-2.azl3.aarch64.rpm
181-
libarchive-3.7.7-1.azl3.aarch64.rpm
182-
libarchive-devel-3.7.7-1.azl3.aarch64.rpm
181+
libarchive-3.7.7-2.azl3.aarch64.rpm
182+
libarchive-devel-3.7.7-2.azl3.aarch64.rpm
183183
rpm-4.18.2-1.azl3.aarch64.rpm
184184
rpm-build-4.18.2-1.azl3.aarch64.rpm
185185
rpm-build-libs-4.18.2-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

Lines changed: 2 additions & 2 deletions
@@ -178,8 +178,8 @@ openssl-static-3.3.3-2.azl3.x86_64.rpm
178178
libcap-2.69-3.azl3.x86_64.rpm
179179
libcap-devel-2.69-3.azl3.x86_64.rpm
180180
debugedit-5.0-2.azl3.x86_64.rpm
181-
libarchive-3.7.7-1.azl3.x86_64.rpm
182-
libarchive-devel-3.7.7-1.azl3.x86_64.rpm
181+
libarchive-3.7.7-2.azl3.x86_64.rpm
182+
libarchive-devel-3.7.7-2.azl3.x86_64.rpm
183183
rpm-4.18.2-1.azl3.x86_64.rpm
184184
rpm-build-4.18.2-1.azl3.x86_64.rpm
185185
rpm-build-libs-4.18.2-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

Lines changed: 3 additions & 3 deletions
@@ -168,9 +168,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm
168168
krb5-lang-1.21.3-2.azl3.aarch64.rpm
169169
libacl-2.3.1-2.azl3.aarch64.rpm
170170
libacl-devel-2.3.1-2.azl3.aarch64.rpm
171-
libarchive-3.7.7-1.azl3.aarch64.rpm
172-
libarchive-debuginfo-3.7.7-1.azl3.aarch64.rpm
173-
libarchive-devel-3.7.7-1.azl3.aarch64.rpm
171+
libarchive-3.7.7-2.azl3.aarch64.rpm
172+
libarchive-debuginfo-3.7.7-2.azl3.aarch64.rpm
173+
libarchive-devel-3.7.7-2.azl3.aarch64.rpm
174174
libassuan-2.5.6-1.azl3.aarch64.rpm
175175
libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
176176
libassuan-devel-2.5.6-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

Lines changed: 3 additions & 3 deletions
@@ -176,9 +176,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm
176176
krb5-lang-1.21.3-2.azl3.x86_64.rpm
177177
libacl-2.3.1-2.azl3.x86_64.rpm
178178
libacl-devel-2.3.1-2.azl3.x86_64.rpm
179-
libarchive-3.7.7-1.azl3.x86_64.rpm
180-
libarchive-debuginfo-3.7.7-1.azl3.x86_64.rpm
181-
libarchive-devel-3.7.7-1.azl3.x86_64.rpm
179+
libarchive-3.7.7-2.azl3.x86_64.rpm
180+
libarchive-debuginfo-3.7.7-2.azl3.x86_64.rpm
181+
libarchive-devel-3.7.7-2.azl3.x86_64.rpm
182182
libassuan-2.5.6-1.azl3.x86_64.rpm
183183
libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
184184
libassuan-devel-2.5.6-1.azl3.x86_64.rpm
