[AutoPR- Security] Patch libarchive for CVE-2025-60753 [MEDIUM] (microsoft#15528)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: azurelinux-security

SPECS/libarchive/CVE-2025-60753.patch

@@ -0,0 +1,124 @@
+From 362d934368309d74829572eab884364f3e6ab475 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= <ljd@luigiscorner.mu>
+Date: Fri, 14 Nov 2025 20:34:48 +0100
+Subject: [PATCH 1/2] Fix bsdtar zero-length pattern issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length.
+
+Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438.
+---
+ tar/subst.c              | 19 ++++++++++++-------
+ tar/test/test_option_s.c |  8 +++++++-
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/tar/subst.c b/tar/subst.c
+index 0194cc8..25a15d6 100644
+--- a/tar/subst.c
++++ b/tar/subst.c
+@@ -234,7 +234,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 			(*result)[0] = 0;
+ 		}
+ 
+-		while (1) {
++		char isEnd = 0;
++		do {
++            isEnd = *name == '\0';
+ 			if (regexec(&rule->re, name, 10, matches, 0))
+ 				break;
+ 
+@@ -289,12 +291,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 			}
+ 
+ 			realloc_strcat(result, rule->result + j);
+-
+-			name += matches[0].rm_eo;
+-
+-			if (!rule->global)
+-				break;
+-		}
++			if (matches[0].rm_eo > 0) {
++                name += matches[0].rm_eo;
++            } else {
++                // We skip a character because the match is 0-length
++                // so we need to add it to the output
++                realloc_strncat(result, name, 1);
++                name += 1;
++            }
++		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+ 	}
+ 
+ 	if (got_match)
+diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c
+index 1a36280..c5e75ff 100644
+--- a/tar/test/test_option_s.c
++++ b/tar/test/test_option_s.c
+@@ -42,7 +42,13 @@ DEFINE_TEST(test_option_s)
+ 	systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog);
+ 	systemf("%s -xf test1_2.tar -C test1", testprog);
+ 	assertFileContents("foo", 3, "test1/in/d2/foo");
+-
++	systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog);
++	systemf("%s -xf test1_3.tar -C test1", testprog);
++	assertFileContents("foo", 3, "test1/in/d1/f##");
++	// For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp
++	systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog);
++	systemf("%s -xf test1_4.tar -C test1", testprog);
++	assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<f><>o<>o<>");
+ 	/*
+ 	 * Test 2: Basic substitution when extracting archive.
+ 	 */
+-- 
+2.45.4
+
+
+From 0086b1c784724f5e341991973807d8cc6fb9ba76 Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.de>
+Date: Mon, 8 Dec 2025 21:40:46 +0100
+Subject: [PATCH 2/2] tar: fix off-bounds read resulting from #2787 (3150539ed)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/libarchive/libarchive/pull/2787.patch https://patch-diff.githubusercontent.com/raw/libarchive/libarchive/pull/2809.patch
+---
+ tar/subst.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tar/subst.c b/tar/subst.c
+index 25a15d6..df83ca2 100644
+--- a/tar/subst.c
++++ b/tar/subst.c
+@@ -236,7 +236,7 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 
+ 		char isEnd = 0;
+ 		do {
+-            isEnd = *name == '\0';
++			isEnd = *name == '\0';
+ 			if (regexec(&rule->re, name, 10, matches, 0))
+ 				break;
+ 
+@@ -292,13 +292,13 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 
+ 			realloc_strcat(result, rule->result + j);
+ 			if (matches[0].rm_eo > 0) {
+-                name += matches[0].rm_eo;
+-            } else {
+-                // We skip a character because the match is 0-length
+-                // so we need to add it to the output
+-                realloc_strncat(result, name, 1);
+-                name += 1;
+-            }
++				name += matches[0].rm_eo;
++			} else if (!isEnd) {
++				// We skip a character because the match is 0-length
++				// so we need to add it to the output
++				realloc_strncat(result, name, 1);
++				name += 1;
++			}
+ 		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+ 	}
+ 
+-- 
+2.45.4
+

SPECS/libarchive/libarchive.spec

@@ -1,7 +1,7 @@
 Summary:        Multi-format archive and compression library
 Name:           libarchive
 Version:        3.7.7
-Release:        3%{?dist}
+Release:        4%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License:        BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor:         Microsoft Corporation
@@ -15,6 +15,7 @@ Patch3:         CVE-2025-5915.patch
 Patch4:         CVE-2025-5916.patch
 Patch5:         CVE-2025-5917.patch
 Patch6:         CVE-2025-5918.patch
+Patch7:         CVE-2025-60753.patch
 Provides:       bsdtar = %{version}-%{release}
 
 BuildRequires:  xz-libs
@@ -45,6 +46,7 @@ make %{?_smp_mflags}
 rm -rf %{buildroot}%{_infodir}
 make DESTDIR=%{buildroot} install
 find %{buildroot} -type f -name "*.la" -delete -print
+mv %{buildroot}%{_mandir}/man1/* .
 
 %check
 make %{?_smp_mflags} check
@@ -55,6 +57,10 @@ make %{?_smp_mflags} check
 %files
 %defattr(-,root,root)
 %license COPYING
+%license bsdcat.1
+%license bsdtar.1
+%license bsdcpio.1
+%license bsdunzip.1
 %{_libdir}/*.so.*
 %{_bindir}
 %exclude %{_libdir}/debug/
@@ -67,6 +73,9 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Mon Jan 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.7.7-4
+- Patch for CVE-2025-60753
+
 * Thu Jun 26 2025 Sumit Jena <v-sumitjena@microsoft.com> - 3.7.7-3
 - Patch CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -178,8 +178,8 @@ openssl-static-3.3.5-1.azl3.aarch64.rpm
 libcap-2.69-11.azl3.aarch64.rpm
 libcap-devel-2.69-11.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
-libarchive-3.7.7-3.azl3.aarch64.rpm
-libarchive-devel-3.7.7-3.azl3.aarch64.rpm
+libarchive-3.7.7-4.azl3.aarch64.rpm
+libarchive-devel-3.7.7-4.azl3.aarch64.rpm
 rpm-4.18.2-1.azl3.aarch64.rpm
 rpm-build-4.18.2-1.azl3.aarch64.rpm
 rpm-build-libs-4.18.2-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -178,8 +178,8 @@ openssl-static-3.3.5-1.azl3.x86_64.rpm
 libcap-2.69-11.azl3.x86_64.rpm
 libcap-devel-2.69-11.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
-libarchive-3.7.7-3.azl3.x86_64.rpm
-libarchive-devel-3.7.7-3.azl3.x86_64.rpm
+libarchive-3.7.7-4.azl3.x86_64.rpm
+libarchive-devel-3.7.7-4.azl3.x86_64.rpm
 rpm-4.18.2-1.azl3.x86_64.rpm
 rpm-build-4.18.2-1.azl3.x86_64.rpm
 rpm-build-libs-4.18.2-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -168,9 +168,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm
 krb5-lang-1.21.3-2.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
-libarchive-3.7.7-3.azl3.aarch64.rpm
-libarchive-debuginfo-3.7.7-3.azl3.aarch64.rpm
-libarchive-devel-3.7.7-3.azl3.aarch64.rpm
+libarchive-3.7.7-4.azl3.aarch64.rpm
+libarchive-debuginfo-3.7.7-4.azl3.aarch64.rpm
+libarchive-devel-3.7.7-4.azl3.aarch64.rpm
 libassuan-2.5.6-1.azl3.aarch64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
 libassuan-devel-2.5.6-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -176,9 +176,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm
 krb5-lang-1.21.3-2.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
-libarchive-3.7.7-3.azl3.x86_64.rpm
-libarchive-debuginfo-3.7.7-3.azl3.x86_64.rpm
-libarchive-devel-3.7.7-3.azl3.x86_64.rpm
+libarchive-3.7.7-4.azl3.x86_64.rpm
+libarchive-debuginfo-3.7.7-4.azl3.x86_64.rpm
+libarchive-devel-3.7.7-4.azl3.x86_64.rpm
 libassuan-2.5.6-1.azl3.x86_64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
 libassuan-devel-2.5.6-1.azl3.x86_64.rpm