File 0001-archival-libarchive-sanitize-filenames-on-output-pre.patch of Package busybox
From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Wed, 24 Sep 2025 03:28:47 +0200
Subject: [PATCH 1/1] archival/libarchive: sanitize filenames on output
(prevent control sequence attacks
This fixes CVE-2025-46394 (terminal escape sequence injection)
Original credit: Ian.Norton at entrust.com
function old new delta
header_list 9 15 +6
header_verbose_list 239 244 +5
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
archival/libarchive/header_list.c | 2 +-
archival/libarchive/header_verbose_list.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
index 0621aa406..9490b3635 100644
--- a/archival/libarchive/header_list.c
+++ b/archival/libarchive/header_list.c
@@ -8,5 +8,5 @@
void FAST_FUNC header_list(const file_header_t *file_header)
{
//TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
- puts(file_header->name);
+ puts(printable_string(file_header->name));
}
diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
index a575a08a0..e7a09430d 100644
--- a/archival/libarchive/header_verbose_list.c
+++ b/archival/libarchive/header_verbose_list.c
@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
ptm->tm_hour,
ptm->tm_min,
ptm->tm_sec,
- file_header->name);
+ printable_string(file_header->name));
#endif /* FEATURE_TAR_UNAME_GNAME */
/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
if (file_header->link_target) {
- printf(" -> %s", file_header->link_target);
+ printf(" -> %s", printable_string(file_header->link_target));
}
bb_putchar('\n');
}
--
2.51.1
