Hi!
Commit f5e1bf966b fixes CVE-2025-46394 by using printable_string()
to output file names. However, it missed one place in
archival/libarchive/header_verbose_list.c, - first alternative in
#if FEATURE_TAR_UNAME_GNAME .. #else .. #endif. Second alternative
is patched, while the first one is not.
The trivial diff is attached.
Thanks,
/mjt
diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
index a575a08a0..e4ee939c0 100644
--- a/archival/libarchive/header_verbose_list.c
+++ b/archival/libarchive/header_verbose_list.c
@@ -40,7 +40,7 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
ptm->tm_hour,
ptm->tm_min,
ptm->tm_sec,
- file_header->name);
+ printable_string(file_header->name));
#else /* !FEATURE_TAR_UNAME_GNAME */
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
