fix CVE-2025-1632 and CVE-2025-25724 (#2532)

Hi,

please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
vulnerabilities in this pr.
As both error cases did trigger a NULL pointer deref (and triggered
hopefully everywhere a coredump), we can safely replace the actual
information by a predefined invalid string without breaking any
functionality.

---------

Signed-off-by: Peter Kaestle <peter@piie.net>

diff --git a/tar/util.c b/tar/util.c
index 3b099cb5fce0c0c42279fa3e3087400ef678f72e..f3cbdf0bb44cfd76bbd44adffebe12c7d4fc7486 100644 (file)
--- a/tar/util.c
+++ b/tar/util.c
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
 #else
        ltime = localtime(&tim);
 #endif
-       strftime(tmp, sizeof(tmp), fmt, ltime);
+       if (ltime)
+               strftime(tmp, sizeof(tmp), fmt, ltime);
+       else
+               sprintf(tmp, "-- -- ----");
        fprintf(out, " %s ", tmp);
        safe_fprintf(out, "%s", archive_entry_pathname(entry));
 

diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
index 7c8cafc3effde8c93e2c1238106152407127f4cb..4a9028b79b2c56c37b6079191a829796e37841a5 100644 (file)
--- a/unzip/bsdunzip.c
+++ b/unzip/bsdunzip.c
@@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e)
        char buf[20];
        time_t mtime;
        struct tm *tm;
+       const char *pathname;
 
        mtime = archive_entry_mtime(e);
        tm = localtime(&mtime);
@@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e)
        else
                strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
 
+       pathname = archive_entry_pathname(e);
+       if (!pathname)
+               pathname = "";
        if (!zipinfo_mode) {
                if (v_opt == 1) {
                        printf(" %8ju  %s   %s\n",
                            (uintmax_t)archive_entry_size(e),
-                           buf, archive_entry_pathname(e));
+                           buf, pathname);
                } else if (v_opt == 2) {
                        printf("%8ju  Stored  %7ju   0%%  %s  %08x  %s\n",
                            (uintmax_t)archive_entry_size(e),
                            (uintmax_t)archive_entry_size(e),
                            buf,
                            0U,
-                           archive_entry_pathname(e));
+                           pathname);
                }
        } else {
                if (Z1_opt)
-                       printf("%s\n",archive_entry_pathname(e));
+                       printf("%s\n", pathname);
        }
        ac(archive_read_data_skip(a));
 }