libarchive: patch CVE-2025-5917

Pick commit per [1] [1] https://security-tracker.debian.org/tracker/CVE-2025-5917 (From OE-Core rev: 59b3c2f9dcf523a441bdaeac52c590d469b0b8ac) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-08-23 23:51:05 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-29 10:02:59 -0700
commit: 3c89580ab00446b843e06dfd6fe898c1cd7c64a0 (patch)
tree: 02336e942e5e984fb6d9a411aa51e2d4054fc65f
parent: 7570380173cf5059f47403428e2b2faff1247742 (diff)
download: poky-3c89580ab00446b843e06dfd6fe898c1cd7c64a0.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
new file mode 100644
index 0000000000..eb3f64d63d
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
@@ -0,0 +1,49 @@
+From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001
+From: Brian Campbell <Brian.Campbell@ed.ac.uk>
+Date: Sat, 26 Apr 2025 05:11:19 +0100
+Subject: [PATCH] Fix overflow in build_ustar_entry (#2588)
+The calculations for the suffix and prefix can increment the endpoint
+for a trailing slash. Hence the limits used should be one lower than the
+maximum number of bytes.
+Without this patch, when this happens for both the prefix and the
+suffix, we end up with 156 + 100 bytes, and the write of the null at the
+end will overflow the 256 byte buffer. This can be reproduced by running
+```
+mkdir -p foo/bar
+bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
+```
+when bsdtar is compiled with Address Sanitiser, although I originally
+noticed this by accident with a genuine filename on a CHERI capability
+system, which faults immediately on the buffer overflow.
+CVE: CVE-2025-5917
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libarchive/archive_write_set_format_pax.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
+index 0db45344..66e6d751 100644
+--- a/libarchive/archive_write_set_format_pax.c
+++ b/libarchive/archive_write_set_format_pax.c
+@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+        const char *filename, *filename_end;
+        char *p;
+        int need_slash = 0; /* Was there a trailing slash? */
+-       size_t suffix_length = 99;
+       size_t suffix_length = 98; /* 99 - 1 for trailing slash */
+        size_t insert_length;
+ 
+        /* Length of additional dir element to be added. */
+@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+        /* Step 2: Locate the "prefix" section of the dirname, including
+         * trailing '/'. */
+        prefix = src;
+-       prefix_end = prefix + 155;
+       prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
+        if (prefix_end > filename)
+                prefix_end = filename;
+        while (prefix_end > prefix && *prefix_end != '/')
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 1015de3fce..a0f5d67700 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://CVE-2025-5914.patch \
           file://CVE-2025-5915.patch \
           file://CVE-2025-5916.patch \
+           file://CVE-2025-5917.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
author	Peter Marko <peter.marko@siemens.com>	2025-08-23 23:51:05 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-29 10:02:59 -0700
commit	3c89580ab00446b843e06dfd6fe898c1cd7c64a0 (patch)
tree	02336e942e5e984fb6d9a411aa51e2d4054fc65f
parent	7570380173cf5059f47403428e2b2faff1247742 (diff)
download	poky-3c89580ab00446b843e06dfd6fe898c1cd7c64a0.tar.gz

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch new file mode 100644 index 0000000000..eb3f64d63d --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
@@ -0,0 +1,49 @@
		1	From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001
		2	From: Brian Campbell <Brian.Campbell@ed.ac.uk>
		3	Date: Sat, 26 Apr 2025 05:11:19 +0100
		4	Subject: [PATCH] Fix overflow in build_ustar_entry (#2588)
		5
		6	The calculations for the suffix and prefix can increment the endpoint
		7	for a trailing slash. Hence the limits used should be one lower than the
		8	maximum number of bytes.
		9
		10	Without this patch, when this happens for both the prefix and the
		11	suffix, we end up with 156 + 100 bytes, and the write of the null at the
		12	end will overflow the 256 byte buffer. This can be reproduced by running
		13	```
		14	mkdir -p foo/bar
		15	bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
		16	```
		17	when bsdtar is compiled with Address Sanitiser, although I originally
		18	noticed this by accident with a genuine filename on a CHERI capability
		19	system, which faults immediately on the buffer overflow.
		20
		21	CVE: CVE-2025-5917
		22	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85]
		23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		24	---
		25	libarchive/archive_write_set_format_pax.c \| 4 ++--
		26	1 file changed, 2 insertions(+), 2 deletions(-)
		27
		28	diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
		29	index 0db45344..66e6d751 100644
		30	--- a/libarchive/archive_write_set_format_pax.c
		31	+++ b/libarchive/archive_write_set_format_pax.c
		32	@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char dest, const char src, size_t src_length,
		33	const char filename, filename_end;
		34	char *p;
		35	int need_slash = 0; /* Was there a trailing slash? */
		36	- size_t suffix_length = 99;
		37	+ size_t suffix_length = 98; /* 99 - 1 for trailing slash */
		38	size_t insert_length;
		39
		40	/* Length of additional dir element to be added. */
		41	@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char dest, const char src, size_t src_length,
		42	/* Step 2: Locate the "prefix" section of the dirname, including
		43	* trailing '/'. */
		44	prefix = src;
		45	- prefix_end = prefix + 155;
		46	+ prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
		47	if (prefix_end > filename)
		48	prefix_end = filename;
		49	while (prefix_end > prefix && *prefix_end != '/')


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 1015de3fce..a0f5d67700 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://libarchive.org/downloads/libarchive-${PV}.tar.gz \
33	file://CVE-2025-5914.patch \	33	file://CVE-2025-5914.patch \
34	file://CVE-2025-5915.patch \	34	file://CVE-2025-5915.patch \
35	file://CVE-2025-5916.patch \	35	file://CVE-2025-5916.patch \
		36	file://CVE-2025-5917.patch \
36	"	37	"
37		38
38	UPSTREAM_CHECK_URI = "http://libarchive.org/"	39	UPSTREAM_CHECK_URI = "http://libarchive.org/"