tar: fix off-bounds read resulting from #2787 (3150539ed)
Abandoned, Public

Authored by ngie on Jan 5 2026, 1:30 AM.

Details

Reviewers: mm, delphij
Summary

(additional summary proposed by me)

3.8.4 introduced a regression in which users of tar who provide -s with specially crafted input could crash tar(1) due to incorrect buffer accesses.

Whether or not this is a CVE-worthy issue is still TBD. I would need to take a look at the NIST CVE rubric to see what the criteria are for rating the issue.

Test Plan

This change unbreaks kyua test -k /usr/tests/usr.bin/tar/Kyuafile on :main and fixes tar -s with specially crafted input.

Diff Detail

Repository: rG FreeBSD src repository
Lint: Lint Skipped
Unit: Tests Skipped
Build Status: Buildable 69608
Build 66491: arc lint + arc unit

Event Timeline

ngie requested review of this revision. Jan 5 2026, 1:30 AM
ngie added reviewers: mm, delphij.
ngie added a subscriber: secteam.
ngie edited the test plan for this revision.
ngie added a subscriber: lwhsu.
contrib/libarchive/tar/subst.c
297

This is the only net change in the patch: instead of the enclosed blocks being executed in all cases, it's now only executed when isEnd is false, i.e., the current deref'ed pointer is \0.

contrib/libarchive/tar/subst.c
297

... the current deref'ed pointer is \0.

I meant to say:

the current deref'ed pointer is not \0.

Abandoning as @mm is planning on cutting a new libarchive release soon which will include this fix (and others).