!86 fix CVE-2025-25724

From: @ultra_planet 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock

backport-0001-CVE-2021-36976.patch

@@ -0,0 +1,46 @@
+From 29fd0178a8861af36ab60407cd718b3f262dda15 Mon Sep 17 00:00:00 2001
+From: Emil Velikov <emil.l.velikov@gmail.com>
+Date: Sun, 21 Nov 2021 18:05:19 +0000
+Subject: [PATCH] tar: demote -xa from error to a warning
+
+It's fairly common for people to use caf and xaf on Linux. The former in
+itself being GNU tar specific - libarchive tar does not allow xa.
+
+While it makes little sense to use xaf with libarchive tar, that is
+implementation detail which gets in the way when trying to write trivial
+tooling/scripts.
+
+For the sake of compatibility, reduce the error to a warning and augment
+the message itself. Making it clear that the option makes little sense.
+
+Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
+
+Reference:https://github.com/libarchive/libarchive/commit/56c920eab3352f7877ee0cf9e472c1ab376c7e3e
+Conflict:NA
+---
+ tar/bsdtar.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/tar/bsdtar.c b/tar/bsdtar.c
+index af41be5..f4f008b 100644
+--- a/tar/bsdtar.c
++++ b/tar/bsdtar.c
+@@ -796,8 +796,14 @@ main(int argc, char **argv)
+ 		    "Must specify one of -c, -r, -t, -u, -x");
+ 
+ 	/* Check boolean options only permitted in certain modes. */
+-	if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS)
+-		only_mode(bsdtar, "-a", "c");
++	if (bsdtar->flags & OPTFLAG_AUTO_COMPRESS) {
++		only_mode(bsdtar, "-a", "cx");
++		if (bsdtar->mode == 'x') {
++			bsdtar->flags &= ~OPTFLAG_AUTO_COMPRESS;
++			lafe_warnc(0,
++			    "Ignoring option -a in mode -x");
++		}
++	}
+ 	if (bsdtar->readdisk_flags & ARCHIVE_READDISK_NO_TRAVERSE_MOUNTS)
+ 		only_mode(bsdtar, "--one-file-system", "cru");
+ 	if (bsdtar->flags & OPTFLAG_FAST_READ)
+-- 
+2.27.0

backport-0002-CVE-2021-36976.patch

@@ -0,0 +1,67 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Reference:https://github.com/libarchive/libarchive/commit/17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f
+Conflict:NA
+---
+ libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+ 1 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index a91c73f8b..880ba6612 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1772,14 +1772,29 @@ static int process_head_file(struct archive_read* a, struct rar5* rar,
+ 		}
+ 	}
+ 
+-	/* If we're currently switching volumes, ignore the new definition of
+-	 * window_size. */
+-	if(rar->cstate.switch_multivolume == 0) {
+-		/* Values up to 64M should fit into ssize_t on every
+-		 * architecture. */
+-		rar->cstate.window_size = (ssize_t) window_size;
++	if(rar->cstate.window_size < (ssize_t) window_size &&
++	    rar->cstate.window_buf)
++	{
++		/* If window_buf has been allocated before, reallocate it, so
++		 * that its size will match new window_size. */
++
++		uint8_t* new_window_buf =
++			realloc(rar->cstate.window_buf, window_size);
++
++		if(!new_window_buf) {
++			archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++				"Not enough memory when trying to realloc the window "
++				"buffer.");
++			return ARCHIVE_FATAL;
++		}
++
++		rar->cstate.window_buf = new_window_buf;
+ 	}
+ 
++	/* Values up to 64M should fit into ssize_t on every
++	 * architecture. */
++	rar->cstate.window_size = (ssize_t) window_size;
++
+ 	if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+ 		/* Solid files have to have the same window_size across
+ 		   whole archive. Remember the window_size parameter

backport-CVE-2021-36976.patch

@@ -1,58 +0,0 @@
-From a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro <ferivoz@riseup.net>
-Date: Sat, 28 Aug 2021 11:58:00 +0000
-Subject: [PATCH] Fix size_t cast in read_mac_metadata_blob
-
-The size_t data type on 32 bit systems is smaller than int64_t. Check
-the int64_t value before casting to size_t. If the value is too large
-then stop operation instead of continuing operation with truncated
-value.
-
-Conflict:NA
-Reference:https://github.com/libarchive/libarchive/commit/a7ce8a6aa7b710986ab918761c8d2ff1b0e9f537
----
- libarchive/archive_read_support_format_tar.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
-index 7e8febacf..773796a5d 100644
---- a/libarchive/archive_read_support_format_tar.c
-+++ b/libarchive/archive_read_support_format_tar.c
-@@ -1396,6 +1396,7 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
-     struct archive_entry *entry, const void *h, size_t *unconsumed)
- {
- 	int64_t size;
-+	size_t msize;
- 	const void *data;
- 	const char *p, *name;
- 	const wchar_t *wp, *wname;
-@@ -1434,6 +1435,11 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
- 
-  	/* Read the body as a Mac OS metadata blob. */
- 	size = archive_entry_size(entry);
-+	msize = (size_t)size;
-+	if (size < 0 || (uintmax_t)msize != (uintmax_t)size) {
-+		*unconsumed = 0;
-+		return (ARCHIVE_FATAL);
-+	}
- 
- 	/*
- 	 * TODO: Look beyond the body here to peek at the next header.
-@@ -1447,13 +1453,13 @@ read_mac_metadata_blob(struct archive_read *a, struct tar *tar,
- 	 * Q: Is the above idea really possible?  Even
- 	 * when there are GNU or pax extension entries?
- 	 */
--	data = __archive_read_ahead(a, (size_t)size, NULL);
-+	data = __archive_read_ahead(a, msize, NULL);
- 	if (data == NULL) {
- 		*unconsumed = 0;
- 		return (ARCHIVE_FATAL);
- 	}
--	archive_entry_copy_mac_metadata(entry, data, (size_t)size);
--	*unconsumed = (size_t)((size + 511) & ~ 511);
-+	archive_entry_copy_mac_metadata(entry, data, msize);
-+	*unconsumed = (msize + 511) & ~ 511;
- 	tar_flush_unconsumed(a, unconsumed);
- 	return (tar_read_header(a, tar, entry, unconsumed));
- }
-

backport-CVE-2022-26280.patch

@@ -0,0 +1,28 @@
+From cfaa28168a07ea4a53276b63068f94fce37d6aff Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Thu, 24 Mar 2022 10:35:00 +0100
+Subject: [PATCH] ZIP reader: fix possible out-of-bounds read in
+ zipx_lzma_alone_init()
+
+Fixes #1672
+
+Conflict:NA
+Reference:https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
+---
+ libarchive/archive_read_support_format_zip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
+index 38ada70b5..9d6c900b2 100644
+--- a/libarchive/archive_read_support_format_zip.c
++++ b/libarchive/archive_read_support_format_zip.c
+@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
+ 	 */
+ 
+ 	/* Read magic1,magic2,lzma_params from the ZIPX stream. */
+-	if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
++	if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+ 		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ 		    "Truncated lzma data");
+ 		return (ARCHIVE_FATAL);
+

backport-CVE-2022-36227.patch

@@ -0,0 +1,38 @@
+From bff38efe8c110469c5080d387bec62a6ca15b1a5 Mon Sep 17 00:00:00 2001
+From: obiwac <obiwac@gmail.com>
+Date: Fri, 22 Jul 2022 22:41:10 +0200
+Subject: [PATCH] libarchive: Handle a `calloc` returning NULL (fixes #1754)
+
+Conflict:NA
+Reference:https://github.com/libarchive/libarchive/commit/fd180c36036df7181a64931264732a10ad8cd024
+---
+ libarchive/archive_write.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index 66592e826..27626b541 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -201,6 +201,10 @@ __archive_write_allocate_filter(struct archive *_a)
+ 	struct archive_write_filter *f;
+ 
+ 	f = calloc(1, sizeof(*f));
++
++	if (f == NULL)
++		return (NULL);
++
+ 	f->archive = _a;
+ 	f->state = ARCHIVE_WRITE_FILTER_STATE_NEW;
+ 	if (a->filter_first == NULL)
+@@ -548,6 +552,10 @@ archive_write_open2(struct archive *_a, void *client_data,
+ 	a->client_data = client_data;
+ 
+ 	client_filter = __archive_write_allocate_filter(_a);
++
++	if (client_filter == NULL)
++		return (ARCHIVE_FATAL);
++
+ 	client_filter->open = archive_write_client_open;
+ 	client_filter->write = archive_write_client_write;
+ 	client_filter->close = archive_write_client_close;
+

backport-CVE-2024-20696.patch

@@ -0,0 +1,119 @@
+From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
+From: "Dustin L. Howett" <dustin@howett.net>
+Date: Thu, 9 May 2024 18:59:17 -0500
+Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
+
+copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
+both of its callers were holding a `size_t`.
+
+A lzss opcode chain could be constructed that resulted in a negative
+copy length, which when passed into memcpy would result in a very, very
+large positive number.
+
+Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
+properly bounds-check length.
+
+In addition, this patch also ensures that `length` is not itself larger
+than the destination buffer.
+
+Security: CVE-2024-20696
+
+Reference:https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1
+Conflict:copy_from_lzss_window_to_unp() -> copy_from_lzss_window();adapt context
+---
+ libarchive/archive_read_support_format_rar.c | 28 +++++++++++++-------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index c2666b2..512f5a6 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -358,7 +358,7 @@ static int make_table_recurse(struct archive_read *, struct huffman_code *, int,
+                               struct huffman_table_entry *, int, int);
+ static int64_t expand(struct archive_read *, int64_t);
+ static int copy_from_lzss_window(struct archive_read *, const void **,
+-                                   int64_t, int);
++                                   int64_t, size_t);
+ static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
+ 
+ /*
+@@ -1936,7 +1936,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+         bs = rar->unp_buffer_size - rar->unp_offset;
+       else
+         bs = (size_t)rar->bytes_uncopied;
+-      ret = copy_from_lzss_window(a, buff, rar->offset, (int)bs);
++      ret = copy_from_lzss_window(a, buff, rar->offset, bs);
+       if (ret != ARCHIVE_OK)
+         return (ret);
+       rar->offset += bs;
+@@ -2065,7 +2065,7 @@ read_data_compressed(struct archive_read *a, const void **buff, size_t *size,
+       bs = rar->unp_buffer_size - rar->unp_offset;
+     else
+       bs = (size_t)rar->bytes_uncopied;
+-    ret = copy_from_lzss_window(a, buff, rar->offset, (int)bs);
++    ret = copy_from_lzss_window(a, buff, rar->offset, bs);
+     if (ret != ARCHIVE_OK)
+       return (ret);
+     rar->offset += bs;
+@@ -2923,11 +2923,16 @@ bad_data:
+ 
+ static int
+ copy_from_lzss_window(struct archive_read *a, const void **buffer,
+-                        int64_t startpos, int length)
++                        int64_t startpos, size_t length)
+ {
+   int windowoffs, firstpart;
+   struct rar *rar = (struct rar *)(a->format->data);
+ 
++  if (length > rar->unp_buffer_size)
++  {
++    goto fatal;
++  }
++
+   if (!rar->unp_buffer)
+   {
+     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
+@@ -2939,17 +2944,17 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
+   }
+ 
+   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
++  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
+     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
+            length);
+-  } else if (length <= lzss_size(&rar->lzss)) {
++  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
+     firstpart = lzss_size(&rar->lzss) - windowoffs;
+     if (firstpart < 0) {
+       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                         "Bad RAR file data");
+       return (ARCHIVE_FATAL);
+     }
+-    if (firstpart < length) {
++    if ((size_t)firstpart < length) {
+       memcpy(&rar->unp_buffer[rar->unp_offset],
+              &rar->lzss.window[windowoffs], firstpart);
+       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
+@@ -2959,9 +2964,7 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
+              &rar->lzss.window[windowoffs], length);
+     }
+   } else {
+-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+-                        "Bad RAR file data");
+-      return (ARCHIVE_FATAL);
++      goto fatal;
+   }
+   rar->unp_offset += length;
+   if (rar->unp_offset >= rar->unp_buffer_size)
+@@ -2969,6 +2972,11 @@ copy_from_lzss_window(struct archive_read *a, const void **buffer,
+   else
+     *buffer = NULL;
+   return (ARCHIVE_OK);
++
++fatal:
++  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                    "Bad RAR file data");
++  return (ARCHIVE_FATAL);
+ }
+ 
+ static const void *

backport-CVE-2025-25724.patch

@@ -0,0 +1,34 @@
+From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
+From: Peter Kaestle <peter@piie.net>
+Date: Wed, 5 Mar 2025 15:01:14 +0100
+Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime
+
+Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
+which could happen in case tim is incredible big.
+
+In case this error is triggered, put an "INVALID DATE" string into the
+outbuf.
+
+Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
+
+Signed-off-by: Peter Kaestle <peter@piie.net>
+---
+ tar/util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tar/util.c b/tar/util.c
+index 3b099cb5f..f3cbdf0bb 100644
+--- a/tar/util.c
++++ b/tar/util.c
+@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
+ #else
+ 	ltime = localtime(&tim);
+ #endif
+-	strftime(tmp, sizeof(tmp), fmt, ltime);
++	if (ltime)
++		strftime(tmp, sizeof(tmp), fmt, ltime);
++	else
++		sprintf(tmp, "-- -- ----");
+ 	fprintf(out, " %s ", tmp);
+ 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
+ 

libarchive.spec

@@ -2,7 +2,7 @@
 
 Name:           libarchive
 Version:        3.5.2
-Release:        3
+Release:        8
 Summary:        Multi-format archive and compression library
 
 License:        BSD
@@ -14,8 +14,13 @@ BuildRequires:  lzo-devel e2fsprogs-devel libacl-devel libattr-devel
 BuildRequires:  openssl-devel libxml2-devel lz4-devel automake libzstd-devel
 
 Patch6000:      backport-libarchive-3.5.2-symlink-fix.patch
-Patch6001:	backport-CVE-2021-36976.patch
-Patch6002:	backport-CVE-2021-31566.patch
+Patch6001:	backport-0001-CVE-2021-36976.patch
+Patch6002:	backport-0002-CVE-2021-36976.patch
+Patch6003:	backport-CVE-2021-31566.patch
+Patch6004:	backport-CVE-2022-26280.patch
+Patch6005:	backport-CVE-2022-36227.patch
+Patch6006:	backport-CVE-2024-20696.patch
+Patch6007:	backport-CVE-2025-25724.patch
 
 Patch9000:	libarchive-uninitialized-value.patch
 
@@ -190,6 +195,27 @@ run_testsuite
 %{_bindir}/bsdcat
 
 %changelog
+* Tue Mar 11 2025 lingsheng <lingsheng1@h-partners.com> - 3.5.2-8
+- Type:CVE
+- ID:CVE-2025-25724
+- SUG:NA
+- DESC:fix CVE-2025-25724
+
+* Thu Jun 06 2024 lingsheng <lingsheng1@h-partners.com> - 3.5.2-7
+- Type:CVE
+- ID:CVE-2024-20696
+- SUG:NA
+- DESC:fix CVE-2024-20696
+
+* Thu Mar 02 2023 zhangpan <zhangpan103@h-paetners.com> - 3.5.2-6
+- fix CVE-2021-36976 patch
+
+* Fri Nov 25 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-5
+- fix CVE-2022-36227
+
+* Mon Jul 04 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-4
+- fix CVE-2022-26280
+
 * Sat Apr 09 2022 wangkerong <wangkerong@h-paetners.com> - 3.5.2-3
 - fix CVE-2021-36976,CVE-2021-31566,fix fuzz test