diff --git a/backport-CVE-2025-60753.patch b/backport-CVE-2025-60753.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f59d30be234474246e094dfc969f3ea1e7b72cf --- /dev/null +++ b/backport-CVE-2025-60753.patch @@ -0,0 +1,72 @@ +From 3150539edb18690c2c5f81c37fd2d3a35c69ace5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= +Date: Fri, 14 Nov 2025 20:34:48 +0100 +Subject: [PATCH] Fix bsdtar zero-length pattern issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Uses the sed-like way (and Java-like, and .Net-like, and Javascript-likeā€¦) to fix this issue of advancing the string to be processed by one if the match is zero-length. + +Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438. +--- + tar/subst.c | 19 ++++++++++++------- + tar/test/test_option_s.c | 8 +++++++- + 2 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/tar/subst.c b/tar/subst.c +index 9747abb906..902a4d6485 100644 +--- a/tar/subst.c ++++ b/tar/subst.c +@@ -252,7 +252,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result, + (*result)[0] = 0; + } + +- while (1) { ++ char isEnd = 0; ++ do { ++ isEnd = *name == '\0'; + if (regexec(&rule->re, name, 10, matches, 0)) + break; + +@@ -307,12 +309,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result, + } + + realloc_strcat(result, rule->result + j); +- +- name += matches[0].rm_eo; +- +- if (!rule->global) +- break; +- } ++ if (matches[0].rm_eo > 0) { ++ name += matches[0].rm_eo; ++ } else { ++ // We skip a character because the match is 0-length ++ // so we need to add it to the output ++ realloc_strncat(result, name, 1); ++ name += 1; ++ } ++ } while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end + } + + if (got_match) +diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c +index 564793b97d..90b4c471c1 100644 +--- a/tar/test/test_option_s.c ++++ b/tar/test/test_option_s.c +@@ -60,7 +60,13 @@ DEFINE_TEST(test_option_s) + systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog); + systemf("%s -xf test1_2.tar -C test1", testprog); + assertFileContents("foo", 3, "test1/in/d2/foo"); +- ++ systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog); ++ systemf("%s -xf test1_3.tar -C test1", testprog); ++ assertFileContents("foo", 3, "test1/in/d1/f##"); ++ // For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp ++ systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog); ++ systemf("%s -xf test1_4.tar -C test1", testprog); ++ assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<>o<>o<>"); + /* + * Test 2: Basic substitution when extracting archive. + */ diff --git a/libarchive.spec b/libarchive.spec index f73a8a2effa2b5fe28a4b280d20b86d433e2da3f..b75907c68a2021e6453b1b9ce16ac7572e267dd6 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -2,12 +2,14 @@ Name: libarchive Version: 3.8.3 -Release: 1 +Release: 2 Summary: Multi-format archive and compression library License: BSD-2-Clause URL: https://www.libarchive.org/ Source0: https://github.com/libarchive/libarchive/releases/download/v%{version}/%{name}-%{version}.tar.xz +Patch6000: backport-CVE-2025-60753.patch + BuildRequires: gcc bison sharutils zlib-devel bzip2-devel xz-devel BuildRequires: e2fsprogs-devel libacl-devel libattr-devel BuildRequires: openssl-devel libxml2-devel lz4-devel libzstd-devel @@ -185,6 +187,9 @@ run_testsuite %{_bindir}/bsdunzip %changelog +* Fri Nov 21 2025 lingsheng - 3.8.3-2 +- fix CVE-2025-60753 + * Tue Nov 18 2025 Funda Wang - 3.8.3-1 - update to 3.8.3