2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
new file mode 100644
index 0000000000..28f7b6023a
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
@@ -0,0 +1,54 @@
+From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001
+From: Brian Campbell <Brian.Campbell@ed.ac.uk>
+Date: Sat, 26 Apr 2025 05:11:19 +0100
+Subject: [PATCH] Fix overflow in build_ustar_entry (#2588)
+The calculations for the suffix and prefix can increment the endpoint
+for a trailing slash. Hence the limits used should be one lower than the
+maximum number of bytes.
+Without this patch, when this happens for both the prefix and the
+suffix, we end up with 156 + 100 bytes, and the write of the null at the
+end will overflow the 256 byte buffer. This can be reproduced by running
+```
+mkdir -p foo/bar
+bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
+```
+when bsdtar is compiled with Address Sanitiser, although I originally
+noticed this by accident with a genuine filename on a CHERI capability
+system, which faults immediately on the buffer overflow.
+CVE: CVE-2025-5917
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ libarchive/archive_write_set_format_pax.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
+index 6e35f70..b2ba959 100644
+--- a/libarchive/archive_write_set_format_pax.c
+++ b/libarchive/archive_write_set_format_pax.c
+@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+        const char *filename, *filename_end;
+        char *p;
+        int need_slash = 0; /* Was there a trailing slash? */
+-       size_t suffix_length = 99;
+       size_t suffix_length = 98; /* 99 - 1 for trailing slash */
+        size_t insert_length;
+ 
+        /* Length of additional dir element to be added. */
+@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+        /* Step 2: Locate the "prefix" section of the dirname, including
+         * trailing '/'. */
+        prefix = src;
+-       prefix_end = prefix + 155;
+       prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
+        if (prefix_end > filename)
+                prefix_end = filename;
+        while (prefix_end > prefix && *prefix_end != '/')
+-- 
+2.40.0
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 250a3c016f..bb8609dd09 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://CVE-2025-5914.patch \
           file://CVE-2025-5915.patch \
           file://CVE-2025-5916.patch \
+           file://CVE-2025-5917.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch new file mode 100644 index 0000000000..28f7b6023a --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
@@ -0,0 +1,54 @@
		1	From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001
		2	From: Brian Campbell <Brian.Campbell@ed.ac.uk>
		3	Date: Sat, 26 Apr 2025 05:11:19 +0100
		4	Subject: [PATCH] Fix overflow in build_ustar_entry (#2588)
		5
		6	The calculations for the suffix and prefix can increment the endpoint
		7	for a trailing slash. Hence the limits used should be one lower than the
		8	maximum number of bytes.
		9
		10	Without this patch, when this happens for both the prefix and the
		11	suffix, we end up with 156 + 100 bytes, and the write of the null at the
		12	end will overflow the 256 byte buffer. This can be reproduced by running
		13	```
		14	mkdir -p foo/bar
		15	bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
		16	```
		17	when bsdtar is compiled with Address Sanitiser, although I originally
		18	noticed this by accident with a genuine filename on a CHERI capability
		19	system, which faults immediately on the buffer overflow.
		20
		21	CVE: CVE-2025-5917
		22
		23	Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85]
		24
		25	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		26	---
		27	libarchive/archive_write_set_format_pax.c \| 4 ++--
		28	1 file changed, 2 insertions(+), 2 deletions(-)
		29
		30	diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
		31	index 6e35f70..b2ba959 100644
		32	--- a/libarchive/archive_write_set_format_pax.c
		33	+++ b/libarchive/archive_write_set_format_pax.c
		34	@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char dest, const char src, size_t src_length,
		35	const char filename, filename_end;
		36	char *p;
		37	int need_slash = 0; /* Was there a trailing slash? */
		38	- size_t suffix_length = 99;
		39	+ size_t suffix_length = 98; /* 99 - 1 for trailing slash */
		40	size_t insert_length;
		41
		42	/* Length of additional dir element to be added. */
		43	@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char dest, const char src, size_t src_length,
		44	/* Step 2: Locate the "prefix" section of the dirname, including
		45	* trailing '/'. */
		46	prefix = src;
		47	- prefix_end = prefix + 155;
		48	+ prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
		49	if (prefix_end > filename)
		50	prefix_end = filename;
		51	while (prefix_end > prefix && *prefix_end != '/')
		52	--
		53	2.40.0
		54


diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 250a3c016f..bb8609dd09 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
34	file://CVE-2025-5914.patch \	34	file://CVE-2025-5914.patch \
35	file://CVE-2025-5915.patch \	35	file://CVE-2025-5915.patch \
36	file://CVE-2025-5916.patch \	36	file://CVE-2025-5916.patch \
		37	file://CVE-2025-5917.patch \
37	"	38	"
38	UPSTREAM_CHECK_URI = "http://libarchive.org/"	39	UPSTREAM_CHECK_URI = "http://libarchive.org/"
39		40