libarchive: patch CVE-2025-60753

Pick patch from [3] marked in [2] mentioned in [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-60753 [2] https://github.com/libarchive/libarchive/issues/2725 [3] https://github.com/libarchive/libarchive/pull/2787 (From OE-Core rev: 1fbd9eddbdf0da062df0510cabff6f6ee33d5752) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-11-22 23:16:54 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-12-01 07:34:55 -0800
commit: e6bfeed8f3e72c577820e3d01f7d697c4d3fc5d4 (patch)
tree: 5e336288c687cc56a41b69d5d9e8f5147de14673
parent: 842fd60ebb87c607b9a7a4db77d4e9fb8a123bea (diff)
download: poky-e6bfeed8f3e72c577820e3d01f7d697c4d3fc5d4.tar.gz
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
new file mode 100644
index 0000000000..730a6128c3
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
@@ -0,0 +1,76 @@
+From 3150539edb18690c2c5f81c37fd2d3a35c69ace5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= <ljd@luigiscorner.mu>
+Date: Fri, 14 Nov 2025 20:34:48 +0100
+Subject: [PATCH] Fix bsdtar zero-length pattern issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length.
+Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438.
+CVE: CVE-2025-60753
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3150539edb18690c2c5f81c37fd2d3a35c69ace5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tar/subst.c              | 19 ++++++++++++-------
+ tar/test/test_option_s.c |  8 +++++++-
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+diff --git a/tar/subst.c b/tar/subst.c
+index 9747abb9..902a4d64 100644
+--- a/tar/subst.c
+++ b/tar/subst.c
+@@ -235,7 +235,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+                        (*result)[0] = 0;
+                }
+ 
+-               while (1) {
+               char isEnd = 0;
+               do {
+            isEnd = *name == '\0';
+                        if (regexec(&rule->re, name, 10, matches, 0))
+                                break;
+ 
+@@ -290,12 +292,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+                        }
+ 
+                        realloc_strcat(result, rule->result + j);
+-
+-                       name += matches[0].rm_eo;
+-
+-                       if (!rule->global)
+-                               break;
+-               }
+                       if (matches[0].rm_eo > 0) {
+                name += matches[0].rm_eo;
+            } else {
+                // We skip a character because the match is 0-length
+                // so we need to add it to the output
+                realloc_strncat(result, name, 1);
+                name += 1;
+            }
+               } while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+        }
+ 
+        if (got_match)
+diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c
+index 564793b9..90b4c471 100644
+--- a/tar/test/test_option_s.c
+++ b/tar/test/test_option_s.c
+@@ -42,7 +42,13 @@ DEFINE_TEST(test_option_s)
+        systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog);
+        systemf("%s -xf test1_2.tar -C test1", testprog);
+        assertFileContents("foo", 3, "test1/in/d2/foo");
+-
+       systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog);
+       systemf("%s -xf test1_3.tar -C test1", testprog);
+       assertFileContents("foo", 3, "test1/in/d1/f##");
+       // For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp
+       systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog);
+       systemf("%s -xf test1_4.tar -C test1", testprog);
+       assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<f><>o<>o<>");
+        /*
+         * Test 2: Basic substitution when extracting archive.
+         */
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index da11e052a7..86ba53aaf2 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \
           file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \
           file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
+           file://CVE-2025-60753.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
author	Peter Marko <peter.marko@siemens.com>	2025-11-22 23:16:54 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-12-01 07:34:55 -0800
commit	e6bfeed8f3e72c577820e3d01f7d697c4d3fc5d4 (patch)
tree	5e336288c687cc56a41b69d5d9e8f5147de14673
parent	842fd60ebb87c607b9a7a4db77d4e9fb8a123bea (diff)
download	poky-e6bfeed8f3e72c577820e3d01f7d697c4d3fc5d4.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch new file mode 100644 index 0000000000..730a6128c3 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
@@ -0,0 +1,76 @@
		1	From 3150539edb18690c2c5f81c37fd2d3a35c69ace5 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= <ljd@luigiscorner.mu>
		3	Date: Fri, 14 Nov 2025 20:34:48 +0100
		4	Subject: [PATCH] Fix bsdtar zero-length pattern issue.
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length.
		10
		11	Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438.
		12
		13	CVE: CVE-2025-60753
		14	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3150539edb18690c2c5f81c37fd2d3a35c69ace5]
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	---
		17	tar/subst.c \| 19 ++++++++++++-------
		18	tar/test/test_option_s.c \| 8 +++++++-
		19	2 files changed, 19 insertions(+), 8 deletions(-)
		20
		21	diff --git a/tar/subst.c b/tar/subst.c
		22	index 9747abb9..902a4d64 100644
		23	--- a/tar/subst.c
		24	+++ b/tar/subst.c
		25	@@ -235,7 +235,9 @@ apply_substitution(struct bsdtar bsdtar, const char name, char **result,
		26	(*result)[0] = 0;
		27	}
		28
		29	- while (1) {
		30	+ char isEnd = 0;
		31	+ do {
		32	+ isEnd = *name == '\0';
		33	if (regexec(&rule->re, name, 10, matches, 0))
		34	break;
		35
		36	@@ -290,12 +292,15 @@ apply_substitution(struct bsdtar bsdtar, const char name, char **result,
		37	}
		38
		39	realloc_strcat(result, rule->result + j);
		40	-
		41	- name += matches[0].rm_eo;
		42	-
		43	- if (!rule->global)
		44	- break;
		45	- }
		46	+ if (matches[0].rm_eo > 0) {
		47	+ name += matches[0].rm_eo;
		48	+ } else {
		49	+ // We skip a character because the match is 0-length
		50	+ // so we need to add it to the output
		51	+ realloc_strncat(result, name, 1);
		52	+ name += 1;
		53	+ }
		54	+ } while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
		55	}
		56
		57	if (got_match)
		58	diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c
		59	index 564793b9..90b4c471 100644
		60	--- a/tar/test/test_option_s.c
		61	+++ b/tar/test/test_option_s.c
		62	@@ -42,7 +42,13 @@ DEFINE_TEST(test_option_s)
		63	systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog);
		64	systemf("%s -xf test1_2.tar -C test1", testprog);
		65	assertFileContents("foo", 3, "test1/in/d2/foo");
		66	-
		67	+ systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog);
		68	+ systemf("%s -xf test1_3.tar -C test1", testprog);
		69	+ assertFileContents("foo", 3, "test1/in/d1/f##");
		70	+ // For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp
		71	+ systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog);
		72	+ systemf("%s -xf test1_4.tar -C test1", testprog);
		73	+ assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<f><>o<>o<>");
		74	/*
		75	* Test 2: Basic substitution when extracting archive.
		76	*/


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index da11e052a7..86ba53aaf2 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
42	file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \	42	file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \
43	file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \	43	file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \
44	file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \	44	file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \
		45	file://CVE-2025-60753.patch \
45	"	46	"
46	UPSTREAM_CHECK_URI = "http://libarchive.org/"	47	UPSTREAM_CHECK_URI = "http://libarchive.org/"
47		48