libarchive: fix CVE-2025-5917

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by- one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1- byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, lea ding to unpredictable program behavior, crashes, or in specific circumstances, could be lever aged as a building block for more sophisticated exploitation. Reference: https://security-tracker.debian.org/tracker/CVE-2025-5917 Upstream-patch: https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85 (From OE-Core rev: 2b6832b05bab414df1da7c74a0c6a5e5a9d75b29) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-05-30 12:29:55 +00:00 · 2025-07-02 12:21:33 +05:30
parent 0bccc5ec85
commit 3c2bbf4a1c
2 changed files with 55 additions and 0 deletions
@@ -0,0 +1,54 @@
 From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001
 From: Brian Campbell <Brian.Campbell@ed.ac.uk>
 Date: Sat, 26 Apr 2025 05:11:19 +0100
 Subject: [PATCH] Fix overflow in build_ustar_entry (#2588)
 The calculations for the suffix and prefix can increment the endpoint
 for a trailing slash. Hence the limits used should be one lower than the
 maximum number of bytes.
 Without this patch, when this happens for both the prefix and the
 suffix, we end up with 156 + 100 bytes, and the write of the null at the
 end will overflow the 256 byte buffer. This can be reproduced by running
 ```
 mkdir -p foo/bar
 bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
 ```
 when bsdtar is compiled with Address Sanitiser, although I originally
 noticed this by accident with a genuine filename on a CHERI capability
 system, which faults immediately on the buffer overflow.
 CVE: CVE-2025-5917
 Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85]
 Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
 ---
 libarchive/archive_write_set_format_pax.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
 index 6e35f70..b2ba959 100644
 --- a/libarchive/archive_write_set_format_pax.c
 +++ b/libarchive/archive_write_set_format_pax.c
@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
 	const char *filename, *filename_end;
 	char *p;
 	int need_slash = 0; /* Was there a trailing slash? */
 -	size_t suffix_length = 99;
 +	size_t suffix_length = 98; /* 99 - 1 for trailing slash */
 	size_t insert_length;
 	/* Length of additional dir element to be added. */
@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
 	/* Step 2: Locate the "prefix" section of the dirname, including
 	 * trailing '/'. */
 	prefix = src;
 -	prefix_end = prefix + 155;
 +	prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
 	if (prefix_end > filename)
 		prefix_end = filename;
 	while (prefix_end > prefix && *prefix_end != '/')
 -- 
 2.40.0
@@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://CVE-2025-5914.patch \
           file://CVE-2025-5915.patch \
           file://CVE-2025-5916.patch \
           file://CVE-2025-5917.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"