Your message dated Sun, 27 Apr 2025 20:46:35 +0000
with message-id <e1u98tx-0007sm...@fasolo.debian.org>
and subject line Bug#1103479: fixed in libarchive 3.7.4-3
has caused the Debian Bug report #1103479,
regarding [SECURITY] [PATCH] Fix for CVE-2025-25724 in libarchive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1103479: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libarchive
Version: libarchive-3.7.4-1.1
Severity: important
Tags: security patch
Usertags: CVE-2025-25724

Dear Maintainer,

I'm submitting a patch for CVE-2025-25724 in the libarchive package.

Vulnerability details:
- CVE ID: CVE-2025-25724
- Description: (up to version 3.7.7) doesn't check strftime's return value.
- Affected versions: All versions prior to 3.7.7
- Fixed upstream in: https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an
strftime return value, which can lead to a denial of service or unspecified
other impact via a crafted TAR archive that is read with a verbose value of 2.
For example, the 100-byte buffer may not be sufficient for a custom locale.

My patch works by detecting a NULL return of localtime_r(&tim, &tmbuf),
which could happen in case tim is incredibly big.
In case this error is triggered, put an "INVALID DATE" string into the
outbuf.

The patch has been tested on Debian bookworm and works correctly.

Thank you for considering this contribution.

Best regards,
Bo Liu
Description: fix CVE-2025-25724
 list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an
 strftime return value, which can lead to a denial of service or unspecified
 other impact via a crafted TAR archive that is read with a verbose value of 2.
 For example, the 100-byte buffer may not be sufficient for a custom locale.
 .
 This patch works by detecting a NULL return of localtime_r(&tim, &tmbuf),
 which could happen in case tim is incredibly big.
 In case this error is triggered, put an "INVALID DATE" string into the
 outbuf.
 .
 CVE-2025-25724
Author: Bo Liu <liub...@kylinos.cn>
Origin: upstream, https://github.com/libarchive/libarchive/pull/2532/commits/6636f89f5fe08a20de3b2d034712c781d3a67985
Last-Update: 2025-04-18

---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/

--- libarchive-3.7.4.orig/tar/util.c
+++ libarchive-3.7.4/tar/util.c
@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar *bsdtar,
 #else
 	ltime = localtime(&tim);
 #endif
-	strftime(tmp, sizeof(tmp), fmt, ltime);
+	if (ltime)
+		strftime(tmp, sizeof(tmp), fmt, ltime);
+	else
+		sprintf(tmp, "-- -- ----");
 	fprintf(out, " %s ", tmp);
 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
 
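Review bot: the new branch guards only against a NULL ltime, while the strftime() return value named in the CVE description (and in the DEP-3 header above) is still unchecked: when the formatted date does not fit in tmp, which the report says can happen with the 100-byte buffer under a custom locale, strftime() returns 0 and leaves tmp with indeterminate contents that the following fprintf(out, " %s ", tmp) then prints. Suggest folding both conditions into one test, e.g. `if (ltime == NULL || strftime(tmp, sizeof(tmp), fmt, ltime) == 0)` followed by the fallback, so the sentinel is written in either failure case. Two smaller points: the patch description says an "INVALID DATE" string is written, but the hunk writes "-- -- ----", so one of the two should be aligned with the other; and `sprintf(tmp, "-- -- ----")` is safe for this constant but `snprintf(tmp, sizeof(tmp), "%s", "-- -- ----")` would match the bounded style of the surrounding code.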

--- End Message ---
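The two failure modes described in the report above, localtime_r() returning NULL for an out-of-range timestamp and strftime() returning 0 when the date does not fit the buffer, handled together in a standalone helper. This is an added example, not libarchive's code or the submitted patch; `format_mtime` is a hypothetical name and the sample timestamps are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Sentinel written when the timestamp cannot be rendered; same value the
 * Debian patch on this page uses. */
#define DATE_FALLBACK "-- -- ----"

/*
 * Format `tim` into `out` (capacity `outlen`) with strftime format `fmt`.
 *  - localtime_r() returns NULL when the year does not fit in an int
 *    (e.g. an mtime near the time_t maximum from a crafted archive);
 *  - strftime() returns 0 when the result does not fit in the buffer,
 *    and the buffer contents are then indeterminate and must not be printed.
 * Returns 0 when the date was formatted, 1 when the fallback was written.
 * (Hypothetical helper, not libarchive's list_item_verbose.)
 */
int format_mtime(time_t tim, const char *fmt, char *out, size_t outlen)
{
    struct tm tmbuf;
    struct tm *ltime;

    if (outlen == 0)
        return 1;

    ltime = localtime_r(&tim, &tmbuf);
    if (ltime != NULL && strftime(out, outlen, fmt, ltime) != 0)
        return 0;

    /* Either call failed: overwrite whatever is in the buffer with the
     * sentinel, truncated if the buffer is smaller than the sentinel. */
    snprintf(out, outlen, "%s", DATE_FALLBACK);
    return 1;
}

int main(void)
{
    char tmp[100];
    char small[4];
    /* Constructed: noon on day 200 of 1970 (UTC), inside 1970 in any zone. */
    time_t ordinary = (time_t)200 * 86400 + 43200;
    /* Constructed: far beyond any year representable as an int. */
    time_t huge = (time_t)1 << (sizeof(time_t) * 8 - 2);

    format_mtime(ordinary, "%b %e  %Y", tmp, sizeof(tmp));
    printf("ordinary: %s\n", tmp);
    format_mtime(huge, "%b %e  %Y", tmp, sizeof(tmp));
    printf("huge:     %s\n", tmp);
    format_mtime(ordinary, "%b %e  %Y", small, sizeof(small));
    printf("small:    %s\n", small);
    return 0;
}
```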
--- Begin Message ---
Source: libarchive
Source-Version: 3.7.4-3
Done: Peter Pentchev <r...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1103...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Pentchev <r...@debian.org> (supplier of updated libarchive package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 Apr 2025 23:19:29 +0300
Source: libarchive
Architecture: source
Version: 3.7.4-3
Distribution: unstable
Urgency: medium
Maintainer: Peter Pentchev <r...@debian.org>
Changed-By: Peter Pentchev <r...@debian.org>
Closes: 1103479
Changes:
 libarchive (3.7.4-3) unstable; urgency=medium
 .
   * Rename the CVE-2025-1632 patch to CVE-2025-1632-25724, use the exact
     upstream commit that fixes two problems at once.
     Also closes: #1103479



--- End Message ---
