From 3150539edb18690c2c5f81c37fd2d3a35c69ace5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?=
Date: Fri, 14 Nov 2025 20:34:48 +0100
Subject: [PATCH] Fix bsdtar zero-length pattern issue.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length. Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438.
CVE: CVE-2025-60753
Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3150539edb18690c2c5f81c37fd2d3a35c69ace5]
Signed-off-by: Peter Marko
---
 tar/subst.c | 19 ++++++++++++-------
 tar/test/test_option_s.c | 8 +++++++-
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/tar/subst.c b/tar/subst.c
index 9747abb9..902a4d64 100644
--- a/tar/subst.c
+++ b/tar/subst.c
@@ -237,7 +237,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
 continue;
 }
- while (1) {
+ char isEnd = 0;
+ do {
+ isEnd = *name == '\0';
 if (regexec(&rule->re, name, 10, matches, 0)) break;
@@ -291,12 +293,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
 }
 realloc_strcat(result, rule->result + j);
-
- name += matches[0].rm_eo;
-
- if (!rule->global)
- break;
- }
+ if (matches[0].rm_eo > 0) {
+ name += matches[0].rm_eo;
+ } else {
+ // We skip a character because the match is 0-length
+ // so we need to add it to the output
+ realloc_strncat(result, name, 1);
+ name += 1;
+ }
+ } while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
 }
 if (got_match)
diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c
index 564793b9..90b4c471 100644
--- a/tar/test/test_option_s.c
+++ b/tar/test/test_option_s.c
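Review bot: `isEnd` in the first tar/subst.c hunk is camelCase while the visible context (`got_match`, `realloc_strcat`) uses snake_case, and its `= 0` initializer is dead because the first statement of the `do` body overwrites it. Consider `int at_end;` and `at_end = (*name == '\0');`, with the parentheses making the precedence explicit. `apply_substitution` starts and ends outside this hunk, so where its other locals are declared is not visible here.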
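Review bot: In the new `else` branch of the second tar/subst.c hunk, `realloc_strncat(result, name, 1); name += 1;` also runs when the zero-length match was found on the terminating NUL (`isEnd` was set at the top of the same iteration), so `name` can leave the loop pointing one byte past the end of the string. Any later use of `name` would then read out of bounds; that covers the next rule's `regexec` in the enclosing loop and whatever follows `if (got_match)`, both outside this hunk. The one-byte copy presumably appends the NUL itself. Guarding the skip with `} else if (!isEnd) {` keeps the final empty-string substitution but leaves the pointer on the terminator. This is worth confirming under AddressSanitizer with a zero-length global rule followed by a second `-s` rule.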
@@ -61,7 +61,13 @@ DEFINE_TEST(test_option_s)
 systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog);
 systemf("%s -xf test1_2.tar -C test1", testprog);
 assertFileContents("foo", 3, "test1/in/d2/foo");
-
+ systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog);
+ systemf("%s -xf test1_3.tar -C test1", testprog);
+ assertFileContents("foo", 3, "test1/in/d1/f##");
+ // For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp
+ systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog);
+ systemf("%s -xf test1_4.tar -C test1", testprog);
+ assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<>o<>o<>");
 /*
 * Test 2: Basic substitution when extracting archive.
 */
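Review bot: Both new cases use a single global rule, so nothing here exercises where `name` is left after a zero-length match at the end of the string, for example a second `-s` rule after the `/f*/…/g` one, or the same pattern without the `g` flag. A case of that shape, run under a memory sanitizer, would cover the end-of-string path added in tar/subst.c. Separately, as displayed, the expected path in the last `assertFileContents` has `<>` directly before `o<>o`, whereas `f*` matching the `f` of `foo` with `~` in the replacement would be expected to give `<f>`. The page may have dropped an angle-bracketed token, so check the string against the upstream test before relying on it.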