tar: fix off-bounds read resulting from #2787 (3150539ed)
AbandonedPublic
Actions

Authored by ngie on Jan 5 2026, 1:30 AM.

Details

Reviewers

mm
delphij

Summary

(additional summary proposed by me)

3.8.4 introduced a regression that allowed users of tar could provide -s with specially crafted input could crash tar(1) due to incorrect buffer accesses.

Whether or not this is a CVE-worthy issue is still TBD. I would need to take a look at the NIST CVE rubric to see what the criteria is for rating the issue.

Test Plan

This change unbreaks kyua test -k /usr/tests/usr.bin/tar/Kyuafile on :main and fixes tar -s with specially crafted input.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 69608
Build 66491: arc lint + arc unit

Event Timeline

ngie created this revision.Jan 5 2026, 1:30 AM

Herald added a subscriber: imp. · View Herald TranscriptJan 5 2026, 1:30 AM

ngie requested review of this revision.Jan 5 2026, 1:30 AM

Harbormaster completed remote builds in B69608: Diff 169029.Jan 5 2026, 1:31 AM

ngie edited the test plan for this revision. (Show Details)Jan 5 2026, 1:33 AM

ngie added reviewers: mm, delphij.

ngie added a subscriber: secteam.

ngie edited the summary of this revision. (Show Details)Jan 5 2026, 1:41 AM

ngie edited the test plan for this revision. (Show Details)

ngie added a subscriber: lwhsu.

ngie added inline comments.Jan 5 2026, 1:44 AM

contrib/libarchive/tar/subst.c
297	This is the only net change in the patch: instead of the enclosed blocks being executed in all cases, it's now only executed when `isEnd` is false, i.e., the current deref'ed pointer is `\0`.

ngie edited the summary of this revision. (Show Details)Jan 5 2026, 1:45 AM

ngie added inline comments.Jan 5 2026, 5:50 AM

contrib/libarchive/tar/subst.c
297	... the current deref'ed pointer is `\0`. I meant to say: the current deref'ed pointer is not `\0`.

Abandoning as @mm is planning on cutting a new libarchive release soon which will include this fix (and others).

Revision Contents
Changeset List

Path

Size

contrib/

libarchive/

tar/

subst.c

16 line(s)

Diff 169029

View Options

contrib/libarchive/tar/subst.c

tar: fix off-bounds read resulting from #2787 (3150539ed)AbandonedPublicActions