From 39673b4aaa9d02ed3a2255e044b2ae89fc2c042a Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Wed, 14 Jan 2026 20:45:49 +0000 Subject: [PATCH] Patch libarchive for CVE-2025-60753 --- SPECS/libarchive/CVE-2025-60753.patch | 78 +++++++++++++++++++ SPECS/libarchive/libarchive.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 6 +- .../manifests/package/toolchain_x86_64.txt | 6 +- 6 files changed, 93 insertions(+), 11 deletions(-) create mode 100644 SPECS/libarchive/CVE-2025-60753.patch diff --git a/SPECS/libarchive/CVE-2025-60753.patch b/SPECS/libarchive/CVE-2025-60753.patch new file mode 100644 index 00000000000..8d2ffc991ba --- /dev/null +++ b/SPECS/libarchive/CVE-2025-60753.patch @@ -0,0 +1,78 @@ +From 0db44b228cf8688a748ed1fb294b2ea43b4b2139 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= +Date: Fri, 14 Nov 2025 20:34:48 +0100 +Subject: [PATCH] Fix bsdtar zero-length pattern issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Uses the sed-like way (and Java-like, and .Net-like, and Javascript-likeā€¦) to fix this issue of advancing the string to be processed by one if the match is zero-length. + +Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438. + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/libarchive/libarchive/pull/2787.patch +--- + tar/subst.c | 19 ++++++++++++------- + tar/test/test_option_s.c | 8 +++++++- + 2 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/tar/subst.c b/tar/subst.c +index 0194cc8..25a15d6 100644 +--- a/tar/subst.c ++++ b/tar/subst.c +@@ -234,7 +234,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result, + (*result)[0] = 0; + } + +- while (1) { ++ char isEnd = 0; ++ do { ++ isEnd = *name == '\0'; + if (regexec(&rule->re, name, 10, matches, 0)) + break; + +@@ -289,12 +291,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result, + } + + realloc_strcat(result, rule->result + j); +- +- name += matches[0].rm_eo; +- +- if (!rule->global) +- break; +- } ++ if (matches[0].rm_eo > 0) { ++ name += matches[0].rm_eo; ++ } else { ++ // We skip a character because the match is 0-length ++ // so we need to add it to the output ++ realloc_strncat(result, name, 1); ++ name += 1; ++ } ++ } while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end + } + + if (got_match) +diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c +index 1a36280..c5e75ff 100644 +--- a/tar/test/test_option_s.c ++++ b/tar/test/test_option_s.c +@@ -42,7 +42,13 @@ DEFINE_TEST(test_option_s) + systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog); + systemf("%s -xf test1_2.tar -C test1", testprog); + assertFileContents("foo", 3, "test1/in/d2/foo"); +- ++ systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog); ++ systemf("%s -xf test1_3.tar -C test1", testprog); ++ assertFileContents("foo", 3, "test1/in/d1/f##"); ++ // For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp ++ systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog); ++ systemf("%s -xf test1_4.tar -C test1", testprog); ++ assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<>o<>o<>"); + /* + * Test 2: Basic substitution when extracting archive. + */ +-- +2.45.4 + diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec index 8e4becd3c4b..d338433145a 100644 --- a/SPECS/libarchive/libarchive.spec +++ b/SPECS/libarchive/libarchive.spec @@ -1,7 +1,7 @@ Summary: Multi-format archive and compression library Name: libarchive Version: 3.7.7 -Release: 3%{?dist} +Release: 4%{?dist} # Certain files have individual licenses. For more details see contents of "COPYING". License: BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL) Vendor: Microsoft Corporation @@ -15,6 +15,7 @@ Patch3: CVE-2025-5915.patch Patch4: CVE-2025-5916.patch Patch5: CVE-2025-5917.patch Patch6: CVE-2025-5918.patch +Patch7: CVE-2025-60753.patch Provides: bsdtar = %{version}-%{release} BuildRequires: xz-libs @@ -67,6 +68,9 @@ make %{?_smp_mflags} check %{_libdir}/pkgconfig/*.pc %changelog +* Wed Jan 14 2026 Azure Linux Security Servicing Account - 3.7.7-4 +- Patch for CVE-2025-60753 + * Thu Jun 26 2025 Sumit Jena - 3.7.7-3 - Patch CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918 diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index c5ae38d3346..1d7e3448888 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -178,8 +178,8 @@ openssl-static-3.3.5-1.azl3.aarch64.rpm libcap-2.69-10.azl3.aarch64.rpm libcap-devel-2.69-10.azl3.aarch64.rpm debugedit-5.0-2.azl3.aarch64.rpm -libarchive-3.7.7-3.azl3.aarch64.rpm -libarchive-devel-3.7.7-3.azl3.aarch64.rpm +libarchive-3.7.7-4.azl3.aarch64.rpm +libarchive-devel-3.7.7-4.azl3.aarch64.rpm rpm-4.18.2-1.azl3.aarch64.rpm rpm-build-4.18.2-1.azl3.aarch64.rpm rpm-build-libs-4.18.2-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index be1bfd47a0e..e7d69aafca8 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -178,8 +178,8 @@ openssl-static-3.3.5-1.azl3.x86_64.rpm libcap-2.69-10.azl3.x86_64.rpm libcap-devel-2.69-10.azl3.x86_64.rpm debugedit-5.0-2.azl3.x86_64.rpm -libarchive-3.7.7-3.azl3.x86_64.rpm -libarchive-devel-3.7.7-3.azl3.x86_64.rpm +libarchive-3.7.7-4.azl3.x86_64.rpm +libarchive-devel-3.7.7-4.azl3.x86_64.rpm rpm-4.18.2-1.azl3.x86_64.rpm rpm-build-4.18.2-1.azl3.x86_64.rpm rpm-build-libs-4.18.2-1.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 7fe83a5826f..0315b4441c5 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -168,9 +168,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm krb5-lang-1.21.3-2.azl3.aarch64.rpm libacl-2.3.1-2.azl3.aarch64.rpm libacl-devel-2.3.1-2.azl3.aarch64.rpm -libarchive-3.7.7-3.azl3.aarch64.rpm -libarchive-debuginfo-3.7.7-3.azl3.aarch64.rpm -libarchive-devel-3.7.7-3.azl3.aarch64.rpm +libarchive-3.7.7-4.azl3.aarch64.rpm +libarchive-debuginfo-3.7.7-4.azl3.aarch64.rpm +libarchive-devel-3.7.7-4.azl3.aarch64.rpm libassuan-2.5.6-1.azl3.aarch64.rpm libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm libassuan-devel-2.5.6-1.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 292ecbc00cc..b34be6cdc30 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -176,9 +176,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm krb5-lang-1.21.3-2.azl3.x86_64.rpm libacl-2.3.1-2.azl3.x86_64.rpm libacl-devel-2.3.1-2.azl3.x86_64.rpm -libarchive-3.7.7-3.azl3.x86_64.rpm -libarchive-debuginfo-3.7.7-3.azl3.x86_64.rpm -libarchive-devel-3.7.7-3.azl3.x86_64.rpm +libarchive-3.7.7-4.azl3.x86_64.rpm +libarchive-debuginfo-3.7.7-4.azl3.x86_64.rpm +libarchive-devel-3.7.7-4.azl3.x86_64.rpm libassuan-2.5.6-1.azl3.x86_64.rpm libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm libassuan-devel-2.5.6-1.azl3.x86_64.rpm