diff options
| author | Divya Chellam <divya.chellam@windriver.com> | 2025-07-02 12:21:33 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-07-09 08:43:32 -0700 |
| commit | 3c2bbf4a1cbcc0a7f9b2fbb6e141f80b11c67917 (patch) | |
| tree | 249a4e89cf824c68cf7e2b5f35c9d1a32d152920 | |
| parent | 0bccc5ec8559559167be0c2f772594b772112661 (diff) | |
| download | poky-3c2bbf4a1cbcc0a7f9b2fbb6e141f80b11c67917.tar.gz | |
libarchive: fix CVE-2025-5917
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-
one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-
byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, lea
ding to unpredictable program behavior, crashes, or in specific circumstances, could be lever
aged as a building block for more sophisticated exploitation.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5917
Upstream-patch:
https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85
(From OE-Core rev: 2b6832b05bab414df1da7c74a0c6a5e5a9d75b29)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch | 54 | ||||
| -rw-r--r-- | meta/recipes-extended/libarchive/libarchive_3.7.9.bb | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch new file mode 100644 index 0000000000..28f7b6023a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Brian Campbell <Brian.Campbell@ed.ac.uk> | ||
| 3 | Date: Sat, 26 Apr 2025 05:11:19 +0100 | ||
| 4 | Subject: [PATCH] Fix overflow in build_ustar_entry (#2588) | ||
| 5 | |||
| 6 | The calculations for the suffix and prefix can increment the endpoint | ||
| 7 | for a trailing slash. Hence the limits used should be one lower than the | ||
| 8 | maximum number of bytes. | ||
| 9 | |||
| 10 | Without this patch, when this happens for both the prefix and the | ||
| 11 | suffix, we end up with 156 + 100 bytes, and the write of the null at the | ||
| 12 | end will overflow the 256 byte buffer. This can be reproduced by running | ||
| 13 | ``` | ||
| 14 | mkdir -p foo/bar | ||
| 15 | bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar | ||
| 16 | ``` | ||
| 17 | when bsdtar is compiled with Address Sanitiser, although I originally | ||
| 18 | noticed this by accident with a genuine filename on a CHERI capability | ||
| 19 | system, which faults immediately on the buffer overflow. | ||
| 20 | |||
| 21 | CVE: CVE-2025-5917 | ||
| 22 | |||
| 23 | Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85] | ||
| 24 | |||
| 25 | Signed-off-by: Divya Chellam <divya.chellam@windriver.com> | ||
| 26 | --- | ||
| 27 | libarchive/archive_write_set_format_pax.c | 4 ++-- | ||
| 28 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
| 29 | |||
| 30 | diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c | ||
| 31 | index 6e35f70..b2ba959 100644 | ||
| 32 | --- a/libarchive/archive_write_set_format_pax.c | ||
| 33 | +++ b/libarchive/archive_write_set_format_pax.c | ||
| 34 | @@ -1571,7 +1571,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, | ||
| 35 | const char *filename, *filename_end; | ||
| 36 | char *p; | ||
| 37 | int need_slash = 0; /* Was there a trailing slash? */ | ||
| 38 | - size_t suffix_length = 99; | ||
| 39 | + size_t suffix_length = 98; /* 99 - 1 for trailing slash */ | ||
| 40 | size_t insert_length; | ||
| 41 | |||
| 42 | /* Length of additional dir element to be added. */ | ||
| 43 | @@ -1623,7 +1623,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length, | ||
| 44 | /* Step 2: Locate the "prefix" section of the dirname, including | ||
| 45 | * trailing '/'. */ | ||
| 46 | prefix = src; | ||
| 47 | - prefix_end = prefix + 155; | ||
| 48 | + prefix_end = prefix + 154 /* 155 - 1 for trailing / */; | ||
| 49 | if (prefix_end > filename) | ||
| 50 | prefix_end = filename; | ||
| 51 | while (prefix_end > prefix && *prefix_end != '/') | ||
| 52 | -- | ||
| 53 | 2.40.0 | ||
| 54 | |||
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 250a3c016f..bb8609dd09 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb | |||
| @@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ | |||
| 34 | file://CVE-2025-5914.patch \ | 34 | file://CVE-2025-5914.patch \ |
| 35 | file://CVE-2025-5915.patch \ | 35 | file://CVE-2025-5915.patch \ |
| 36 | file://CVE-2025-5916.patch \ | 36 | file://CVE-2025-5916.patch \ |
| 37 | file://CVE-2025-5917.patch \ | ||
| 37 | " | 38 | " |
| 38 | UPSTREAM_CHECK_URI = "http://libarchive.org/" | 39 | UPSTREAM_CHECK_URI = "http://libarchive.org/" |
| 39 | 40 | ||