-
Notifications
You must be signed in to change notification settings - Fork 312
/
Copy pathCVE-2025-1632_CVE-2025-25724.patch
79 lines (71 loc) · 2.25 KB
/
CVE-2025-1632_CVE-2025-25724.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
Date: Mon, 10 Mar 2025 16:43:04 +0100
Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
Hi,
please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
vulnerabilities in this pr.
As both error cases did trigger a NULL pointer deref (and triggered
hopefully everywhere a coredump), we can safely replace the actual
information by a predefined invalid string without breaking any
functionality.
---------
Signed-off-by: Peter Kaestle <peter@piie.net>
---
tar/util.c | 5 ++++-
unzip/bsdunzip.c | 10 +++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/tar/util.c b/tar/util.c
index 3b099cb5f..f3cbdf0bb 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
#else
ltime = localtime(&tim);
#endif
- strftime(tmp, sizeof(tmp), fmt, ltime);
+ if (ltime)
+ strftime(tmp, sizeof(tmp), fmt, ltime);
+ else
+ sprintf(tmp, "-- -- ----");
fprintf(out, " %s ", tmp);
safe_fprintf(out, "%s", archive_entry_pathname(entry));
diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
index 7c8cafc3e..4a9028b79 100644
--- a/unzip/bsdunzip.c
+++ b/unzip/bsdunzip.c
@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e)
char buf[20];
time_t mtime;
struct tm *tm;
+ const char *pathname;
mtime = archive_entry_mtime(e);
tm = localtime(&mtime);
@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e)
else
strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
+ pathname = archive_entry_pathname(e);
+ if (!pathname)
+ pathname = "";
if (!zipinfo_mode) {
if (v_opt == 1) {
printf(" %8ju %s %s\n",
(uintmax_t)archive_entry_size(e),
- buf, archive_entry_pathname(e));
+ buf, pathname);
} else if (v_opt == 2) {
printf("%8ju Stored %7ju 0%% %s %08x %s\n",
(uintmax_t)archive_entry_size(e),
(uintmax_t)archive_entry_size(e),
buf,
0U,
- archive_entry_pathname(e));
+ pathname);
}
} else {
if (Z1_opt)
- printf("%s\n",archive_entry_pathname(e));
+ printf("%s\n", pathname);
}
ac(archive_read_data_skip(a));
}