File CVE-2025-25724.patch of Package libarchive.39705

From 6636f89f5fe08a20de3b2d034712c781d3a67985 Mon Sep 17 00:00:00 2001
From: Peter Kaestle <peter@piie.net>
Date: Wed, 5 Mar 2025 15:01:14 +0100
Subject: [PATCH] tar/util.c: fix NULL pointer dereference issue on strftime

Fix CVE-2025-25724 by detecting NULL return of localtime_r(&tim, &tmbuf),
which could happen in case tim is incredible big.

In case this error is triggered, put an "INVALID DATE" string into the
outbuf.

Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdtarbug

Signed-off-by: Peter Kaestle <peter@piie.net>
---
 tar/util.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tar/util.c b/tar/util.c
index 3b099cb5f..f3cbdf0bb 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -749,7 +749,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
 #else
 	ltime = localtime(&tim);
 #endif
-	strftime(tmp, sizeof(tmp), fmt, ltime);
+	if (ltime)
+		strftime(tmp, sizeof(tmp), fmt, ltime);
+	else
+		sprintf(tmp, "-- -- ----");
 	fprintf(out, " %s ", tmp);
 	safe_fprintf(out, "%s", archive_entry_pathname(entry));