[AutoPR- Security] Patch libarchive for CVE-2025-60753 [MEDIUM]

SPECS/libarchive/CVE-2025-60753.patch

@@ -0,0 +1,124 @@
+From 53ae6c41397282053db9fda29c3226fc01f07d10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= <ljd@luigiscorner.mu>
+Date: Fri, 14 Nov 2025 20:34:48 +0100
+Subject: [PATCH 1/2] Fix bsdtar zero-length pattern issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length.
+
+Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438.
+---
+ tar/subst.c              | 19 ++++++++++++-------
+ tar/test/test_option_s.c |  8 +++++++-
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/tar/subst.c b/tar/subst.c
+index 39c54ac..1f3e62f 100644
+--- a/tar/subst.c
++++ b/tar/subst.c
+@@ -237,7 +237,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 				continue;
+ 		}
+
+-		while (1) {
++		char isEnd = 0;
++		do {
++            isEnd = *name == '\0';
+ 			if (regexec(&rule->re, name, 10, matches, 0))
+ 				break;
+
+@@ -291,12 +293,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 			}
+
+ 			realloc_strcat(result, rule->result + j);
+-
+-			name += matches[0].rm_eo;
+-
+-			if (!rule->global)
+-				break;
+-		}
++			if (matches[0].rm_eo > 0) {
++                name += matches[0].rm_eo;
++            } else {
++                // We skip a character because the match is 0-length
++                // so we need to add it to the output
++                realloc_strncat(result, name, 1);
++                name += 1;
++            }
++		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+ 	}
+
+ 	if (got_match)
+diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c
+index fa799a2..50eaeea 100644
+--- a/tar/test/test_option_s.c
++++ b/tar/test/test_option_s.c
+@@ -61,7 +61,13 @@ DEFINE_TEST(test_option_s)
+ 	systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog);
+ 	systemf("%s -xf test1_2.tar -C test1", testprog);
+ 	assertFileContents("foo", 3, "test1/in/d2/foo");
+-
++	systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog);
++	systemf("%s -xf test1_3.tar -C test1", testprog);
++	assertFileContents("foo", 3, "test1/in/d1/f##");
++	// For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp
++	systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog);
++	systemf("%s -xf test1_4.tar -C test1", testprog);
++	assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<f><>o<>o<>");
+ 	/*
+ 	 * Test 2: Basic substitution when extracting archive.
+ 	 */
+-- 
+2.45.4
+
+
+From 8064b971013d55daa727ec3d054e25e64e4239ad Mon Sep 17 00:00:00 2001
+From: Martin Matuska <martin@matuska.de>
+Date: Mon, 8 Dec 2025 21:40:46 +0100
+Subject: [PATCH 2/2] tar: fix off-bounds read resulting from #2787 (3150539ed)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/libarchive/libarchive/pull/2787.patch https://patch-diff.githubusercontent.com/raw/libarchive/libarchive/pull/2809.patch
+---
+ tar/subst.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/tar/subst.c b/tar/subst.c
+index 1f3e62f..44c8632 100644
+--- a/tar/subst.c
++++ b/tar/subst.c
+@@ -239,7 +239,7 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+
+ 		char isEnd = 0;
+ 		do {
+-            isEnd = *name == '\0';
++			isEnd = *name == '\0';
+ 			if (regexec(&rule->re, name, 10, matches, 0))
+ 				break;
+
+@@ -294,13 +294,13 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+
+ 			realloc_strcat(result, rule->result + j);
+ 			if (matches[0].rm_eo > 0) {
+-                name += matches[0].rm_eo;
+-            } else {
+-                // We skip a character because the match is 0-length
+-                // so we need to add it to the output
+-                realloc_strncat(result, name, 1);
+-                name += 1;
+-            }
++				name += matches[0].rm_eo;
++			} else if (!isEnd) {
++				// We skip a character because the match is 0-length
++				// so we need to add it to the output
++				realloc_strncat(result, name, 1);
++				name += 1;
++			}
+ 		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+ 	}
+
+-- 
+2.45.4
+

SPECS/libarchive/libarchive.spec

@@ -1,7 +1,7 @@
 Summary:        Multi-format archive and compression library
 Name:           libarchive
 Version:        3.6.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License:        BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor:         Microsoft Corporation
@@ -21,6 +21,7 @@ Patch8:         CVE-2025-5915.patch
 Patch9:         CVE-2025-5916.patch
 Patch10:        CVE-2025-5917.patch
 Patch11:        CVE-2025-5918.patch
+Patch12:        CVE-2025-60753.patch
 Provides:       bsdtar = %{version}-%{release}
 
 BuildRequires:  xz-libs
@@ -74,6 +75,9 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Mon Jan 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.6.1-8
+- Patch for CVE-2025-60753
+
 * Thu Jun 26 2025 Sumit Jena <v-sumitjena@microsoft.com> - 3.6.1-7
 - Patch CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -173,8 +173,8 @@ openssl-static-1.1.1k-37.cm2.aarch64.rpm
 libcap-2.60-4.cm2.aarch64.rpm
 libcap-devel-2.60-4.cm2.aarch64.rpm
 debugedit-5.0-2.cm2.aarch64.rpm
-libarchive-3.6.1-7.cm2.aarch64.rpm
-libarchive-devel-3.6.1-7.cm2.aarch64.rpm
+libarchive-3.6.1-8.cm2.aarch64.rpm
+libarchive-devel-3.6.1-8.cm2.aarch64.rpm
 rpm-4.18.0-4.cm2.aarch64.rpm
 rpm-build-4.18.0-4.cm2.aarch64.rpm
 rpm-build-libs-4.18.0-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -173,8 +173,8 @@ openssl-static-1.1.1k-37.cm2.x86_64.rpm
 libcap-2.60-4.cm2.x86_64.rpm
 libcap-devel-2.60-4.cm2.x86_64.rpm
 debugedit-5.0-2.cm2.x86_64.rpm
-libarchive-3.6.1-7.cm2.x86_64.rpm
-libarchive-devel-3.6.1-7.cm2.x86_64.rpm
+libarchive-3.6.1-8.cm2.x86_64.rpm
+libarchive-devel-3.6.1-8.cm2.x86_64.rpm
 rpm-4.18.0-4.cm2.x86_64.rpm
 rpm-build-4.18.0-4.cm2.x86_64.rpm
 rpm-build-libs-4.18.0-4.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -144,9 +144,9 @@ krb5-1.19.4-4.cm2.aarch64.rpm
 krb5-debuginfo-1.19.4-4.cm2.aarch64.rpm
 krb5-devel-1.19.4-4.cm2.aarch64.rpm
 krb5-lang-1.19.4-4.cm2.aarch64.rpm
-libarchive-3.6.1-7.cm2.aarch64.rpm
-libarchive-debuginfo-3.6.1-7.cm2.aarch64.rpm
-libarchive-devel-3.6.1-7.cm2.aarch64.rpm
+libarchive-3.6.1-8.cm2.aarch64.rpm
+libarchive-debuginfo-3.6.1-8.cm2.aarch64.rpm
+libarchive-devel-3.6.1-8.cm2.aarch64.rpm
 libassuan-2.5.5-2.cm2.aarch64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.aarch64.rpm
 libassuan-devel-2.5.5-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -150,9 +150,9 @@ krb5-1.19.4-4.cm2.x86_64.rpm
 krb5-debuginfo-1.19.4-4.cm2.x86_64.rpm
 krb5-devel-1.19.4-4.cm2.x86_64.rpm
 krb5-lang-1.19.4-4.cm2.x86_64.rpm
-libarchive-3.6.1-7.cm2.x86_64.rpm
-libarchive-debuginfo-3.6.1-7.cm2.x86_64.rpm
-libarchive-devel-3.6.1-7.cm2.x86_64.rpm
+libarchive-3.6.1-8.cm2.x86_64.rpm
+libarchive-debuginfo-3.6.1-8.cm2.x86_64.rpm
+libarchive-devel-3.6.1-8.cm2.x86_64.rpm
 libassuan-2.5.5-2.cm2.x86_64.rpm
 libassuan-debuginfo-2.5.5-2.cm2.x86_64.rpm
 libassuan-devel-2.5.5-2.cm2.x86_64.rpm