Package: libarchive
Version: libarchive-3.7.4-1.1
Severity: important
Tags: security patch
Usertags: CVE-2025-25724

Dear Maintainer,

I'm submitting a patch for CVE-2025-25724 in the libarchive package.

Vulnerability details:
- CVE ID: CVE-2025-25724
- Description: (up to version 3.7.7) doesn't check strftime's return value.
- Affected versions: All versions prior to 3.7.7
- Fixed upstream in: https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check
a strftime return value, which can lead to a denial of service or unspecified
other impact via a crafted TAR archive that is read with a verbose value of 2.
For example, the 100-byte buffer may not be sufficient for a custom locale.

My patch works by detecting a NULL return from localtime_r(&tim, &tmbuf),
which can happen if tim is incredibly big.
If this error is triggered, an "INVALID DATE" string is put into the
outbuf.

The patch has been tested on Debian bookworm and works correctly.

Thank you for considering this contribution.

Best regards,
Bo Liu
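An added C illustration, not part of this report or of libarchive, of the two failure paths the report describes: localtime_r() returning NULL for an over-large tim, and strftime() returning 0 when its buffer is too small for the format, each falling back to the "INVALID DATE" placeholder instead of printing an indeterminate buffer. The helper format_mtime and the sample timestamp are constructed here, and a 64-bit time_t is assumed.

```c
#define _POSIX_C_SOURCE 200809L   /* for localtime_r() */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Placeholder named in the bug report's description (constructed here). */
#define DATE_FALLBACK "INVALID DATE"

/* Format tim into buf. Returns 1 when strftime() produced the date and 0
 * when the fallback was written. Handles both failures the report names:
 *  - localtime_r() returns NULL when the year does not fit in struct tm
 *    (the "incredibly big tim" case);
 *  - strftime() returns 0 when buf is too small for fmt in the current
 *    locale and leaves buf indeterminate, so it must not be printed as-is. */
int format_mtime(time_t tim, const char *fmt, char *buf, size_t bufsize)
{
    struct tm tmbuf;
    struct tm *ltime;

    if (bufsize == 0)
        return 0;
    ltime = localtime_r(&tim, &tmbuf);
    if (ltime != NULL && strftime(buf, bufsize, fmt, ltime) != 0)
        return 1;
    snprintf(buf, bufsize, "%s", DATE_FALLBACK); /* never print garbage */
    return 0;
}

int main(void)
{
    char tmp[100];
    char small[8];
    /* Constructed sample: 2025-04-18 00:00:00 UTC as a Unix timestamp. */
    time_t ok = (time_t)1744934400;
    /* Assumes 64-bit time_t: far beyond any year struct tm can hold. */
    time_t huge = (time_t)1 << 62;

    format_mtime(ok, "%Y-%m-%d", tmp, sizeof(tmp));
    printf("normal:    %s\n", tmp);
    format_mtime(huge, "%Y-%m-%d", tmp, sizeof(tmp));
    printf("huge tim:  %s\n", tmp);
    format_mtime(ok, "%Y-%m-%d %H:%M:%S", small, sizeof(small));
    printf("small buf: %s\n", small);
    return 0;
}
```
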
Description: fix CVE-2025-25724
 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check
 a strftime return value, which can lead to a denial of service or unspecified
 other impact via a crafted TAR archive that is read with a verbose value of 2.
 For example, the 100-byte buffer may not be sufficient for a custom locale.
 .
 This patch works by detecting a NULL return from localtime_r(&tim, &tmbuf),
 which can happen if tim is incredibly big. If this error is triggered, an
 "INVALID DATE" string is put into the outbuf.
 .
  CVE-2025-25724
Author: Bo Liu <liub...@kylinos.cn>
Origin: upstream, https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985
Last-Update: 2025-04-18

---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/

--- libarchive-3.7.4.orig/tar/util.c
+++ libarchive-3.7.4/tar/util.c
@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar *bsdtar,
 #else
 	ltime = localtime(&tim);
 #endif
-	strftime(tmp, sizeof(tmp), fmt, ltime);
+	if (ltime)
+		strftime(tmp, sizeof(tmp), fmt, ltime);
+	else
+		sprintf(tmp, "-- -- ----");
 	fprintf(out, " %s ", tmp);
 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
 
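Review bot: the strftime() return value that the CVE text describes as unchecked is still ignored in this hunk: when the 100-byte tmp buffer is too small for fmt in the current locale, strftime() returns 0 and leaves tmp indeterminate, and the following fprintf(out, " %s ", tmp) prints it anyway. Suggest testing the return as well, e.g. "if (ltime == NULL || strftime(tmp, sizeof(tmp), fmt, ltime) == 0)" and writing the placeholder in both cases. Also, the else branch writes "-- -- ----" while the patch description says an "INVALID DATE" string is written; the two should agree, and strcpy() or snprintf() would be clearer than sprintf() for a constant fallback.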