rpms/libarchive
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI libarchive-3.5.3-5.el9_6

Browse Source
This commit is contained in:
eabdullin 2025-06-24 11:07:56 +00:00
parent 2ac1172144
commit b0a5559c02
2 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
SOURCES/libarchive-3.5.3-Fix-CVE-2025-25724.patch Normal file
View File

@ -0,0 +1,37 @@
From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
Date: Mon, 10 Mar 2025 16:43:04 +0100
Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
Hi,
please find my approach to fix the CVE-2025-25724
vulnerabilities in this pr.
As both error cases did trigger a NULL pointer deref (and triggered
hopefully everywhere a coredump), we can safely replace the actual
information by a predefined invalid string without breaking any
functionality.
---------
Signed-off-by: Peter Kaestle <peter@piie.net>
---
tar/util.c | 5 ++++-
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/tar/util.c b/tar/util.c
index 3b099cb5..f3cbdf0b 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
#else
ltime = localtime(&tim);
#endif
- strftime(tmp, sizeof(tmp), fmt, ltime);
+ if (ltime)
+ strftime(tmp, sizeof(tmp), fmt, ltime);
+ else
+ sprintf(tmp, "-- -- ----");
fprintf(out, " %s ", tmp);
safe_fprintf(out, "%s", archive_entry_pathname(entry));

7
SPECS/libarchive.spec
View File

@ -2,7 +2,7 @@
Name: libarchive Name: libarchive
Version: 3.5.3 Version: 3.5.3
Release: 4%{?dist} Release: 5%{?dist}
Summary: A library for handling streaming archive formats Summary: A library for handling streaming archive formats
License: BSD License: BSD
@ -16,6 +16,8 @@ Patch2: %{name}-3.5.3-Fix-CVE-2022-26280.patch
Patch3: %{name}-3.5.3-Fix-size-filed-in-pax-header.patch Patch3: %{name}-3.5.3-Fix-size-filed-in-pax-header.patch
# Source: https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024 # Source: https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
Patch4: %{name}-3.5.3-Fix-CVE-2022-36227.patch Patch4: %{name}-3.5.3-Fix-CVE-2022-36227.patch
# Source: https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532
Patch5: %{name}-3.5.3-Fix-CVE-2025-25724.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: bison BuildRequires: bison
@ -219,6 +221,9 @@ run_testsuite
%changelog %changelog
* Thu Jun 05 2025 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-5
- Resolves: CVE-2025-25724
* Wed Nov 23 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-4 * Wed Nov 23 2022 Lukas Javorsky <ljavorsk@redhat.com> - 3.5.3-4
- Resolves: CVE-2022-36227 - Resolves: CVE-2022-36227