Package: libarchive Version: libarchive-3.7.4-1.1 Severity: important Tags: security patch Usertags:CVE-2025-1632 <https://security-tracker.debian.org/tracker/CVE-2025-25724>
Dear Maintainer, I'm submitting a patch forCVE-2025- <https://security-tracker.debian.org/tracker/CVE-2025-25724>1632 in the libarchive package. Vulnerability details: - CVE ID:CVE-2025- <https://security-tracker.debian.org/tracker/CVE-2025-25724>1632 - Description: (up to version 3.7.7) fix NULL ptr dereference issue inside - Affected versions: All versions prior to 3.7.7 - Fixed upstream in:https://github.com/libarchive/libarchive/pull/2532/commits/0a35ab97fae6fb9acecab46b570c14e3be1646e7 <https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985> A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Error poc:https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc My patch by detecting NULL return of archive_entry_pathname() and replacing it by "INVALID PATH" string. The patch has been tested on Debian sid and works correctly. Thank you for considering this contribution. Best regards, Bo Liu
Description: fix CVE-2025-1632 A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc . This patch by detecting NULL return of archive_entry_pathname() and replacing it by "INVALID PATH" string. . CVE-2025-1632 Author: Bo Liu <liub...@kylinos.cn> Origin: upstream, https://github.com/libarchive/libarchive/pull/2532/commits/0a35ab97fae6fb9acecab46b570c14e3be1646e7 Last-Update: 2025-04-18 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- libarchive-3.7.4.orig/unzip/bsdunzip.c +++ libarchive-3.7.4/unzip/bsdunzip.c @@ -904,6 +904,7 @@ list(struct archive *a, struct archive_e char buf[20]; time_t mtime; struct tm *tm; + const char *pathname; mtime = archive_entry_mtime(e); tm = localtime(&mtime); @@ -912,22 +913,25 @@ list(struct archive *a, struct archive_e else strftime(buf, sizeof(buf), "%m-%d-%g %R", tm); + pathname = archive_entry_pathname(e); + if (!pathname) + pathname = ""; if (!zipinfo_mode) { if (v_opt == 1) { printf(" %8ju %s %s\n", (uintmax_t)archive_entry_size(e), - buf, archive_entry_pathname(e)); + buf, pathname); } else if (v_opt == 2) { printf("%8ju Stored %7ju 0%% %s %08x %s\n", (uintmax_t)archive_entry_size(e), (uintmax_t)archive_entry_size(e), buf, 0U, - archive_entry_pathname(e)); + pathname); } } else { if (Z1_opt) - printf("%s\n",archive_entry_pathname(e)); + printf("%s\n", pathname); } ac(archive_read_data_skip(a)); }
