azurelinux-security · azurelinux-security · Jan 14, 2026
diff --git a/SPECS/libarchive/CVE-2025-60753.patch b/SPECS/libarchive/CVE-2025-60753.patch
@@ -0,0 +1,78 @@
+From 0db44b228cf8688a748ed1fb294b2ea43b4b2139 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= <[email protected]>
+Date: Fri, 14 Nov 2025 20:34:48 +0100
+Subject: [PATCH] Fix bsdtar zero-length pattern issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length.
+
+Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/libarchive/libarchive/pull/2787.patch
+---
+ tar/subst.c              | 19 ++++++++++++-------
+ tar/test/test_option_s.c |  8 +++++++-
+ 2 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/tar/subst.c b/tar/subst.c
+index 0194cc8..25a15d6 100644
+--- a/tar/subst.c
++++ b/tar/subst.c
+@@ -234,7 +234,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 			(*result)[0] = 0;
+ 		}
+
+-		while (1) {
++		char isEnd = 0;
++		do {
++            isEnd = *name == '\0';
+ 			if (regexec(&rule->re, name, 10, matches, 0))
+ 				break;
+
+@@ -289,12 +291,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
+ 			}
+
+ 			realloc_strcat(result, rule->result + j);
+-
+-			name += matches[0].rm_eo;
+-
+-			if (!rule->global)
+-				break;
+-		}
++			if (matches[0].rm_eo > 0) {
++                name += matches[0].rm_eo;
++            } else {
++                // We skip a character because the match is 0-length
++                // so we need to add it to the output
++                realloc_strncat(result, name, 1);
++                name += 1;
++            }
++		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
+ 	}
+
+ 	if (got_match)
+diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c
+index 1a36280..c5e75ff 100644
+--- a/tar/test/test_option_s.c
++++ b/tar/test/test_option_s.c
+@@ -42,7 +42,13 @@ DEFINE_TEST(test_option_s)
+ 	systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog);
+ 	systemf("%s -xf test1_2.tar -C test1", testprog);
+ 	assertFileContents("foo", 3, "test1/in/d2/foo");
+-
++	systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog);
++	systemf("%s -xf test1_3.tar -C test1", testprog);
++	assertFileContents("foo", 3, "test1/in/d1/f##");
++	// For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp
++	systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog);
++	systemf("%s -xf test1_4.tar -C test1", testprog);
++	assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<f><>o<>o<>");
+ 	/*
+ 	 * Test 2: Basic substitution when extracting archive.
+ 	 */
+-- 
+2.45.4
+
diff --git a/SPECS/libarchive/libarchive.spec b/SPECS/libarchive/libarchive.spec
@@ -1,7 +1,7 @@
 Summary:        Multi-format archive and compression library
 Name:           libarchive
 Version:        3.7.7
-Release:        3%{?dist}
+Release:        4%{?dist}
 # Certain files have individual licenses. For more details see contents of "COPYING".
 License:        BSD AND Public Domain AND (ASL 2.0 OR CC0 1.0 OR OpenSSL)
 Vendor:         Microsoft Corporation
@@ -15,6 +15,7 @@ Patch3:         CVE-2025-5915.patch
 Patch4:         CVE-2025-5916.patch
 Patch5:         CVE-2025-5917.patch
 Patch6:         CVE-2025-5918.patch
+Patch7:         CVE-2025-60753.patch
 Provides:       bsdtar = %{version}-%{release}
 
 BuildRequires:  xz-libs
@@ -67,6 +68,9 @@ make %{?_smp_mflags} check
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Wed Jan 14 2026 Azure Linux Security Servicing Account <[email protected]> - 3.7.7-4
+- Patch for CVE-2025-60753
+
 * Thu Jun 26 2025 Sumit Jena <[email protected]> - 3.7.7-3
 - Patch CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918
 

diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -178,8 +178,8 @@ openssl-static-3.3.5-1.azl3.aarch64.rpm
 libcap-2.69-10.azl3.aarch64.rpm
 libcap-devel-2.69-10.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
-libarchive-3.7.7-3.azl3.aarch64.rpm
-libarchive-devel-3.7.7-3.azl3.aarch64.rpm
+libarchive-3.7.7-4.azl3.aarch64.rpm
+libarchive-devel-3.7.7-4.azl3.aarch64.rpm
 rpm-4.18.2-1.azl3.aarch64.rpm
 rpm-build-4.18.2-1.azl3.aarch64.rpm
 rpm-build-libs-4.18.2-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -178,8 +178,8 @@ openssl-static-3.3.5-1.azl3.x86_64.rpm
 libcap-2.69-10.azl3.x86_64.rpm
 libcap-devel-2.69-10.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
-libarchive-3.7.7-3.azl3.x86_64.rpm
-libarchive-devel-3.7.7-3.azl3.x86_64.rpm
+libarchive-3.7.7-4.azl3.x86_64.rpm
+libarchive-devel-3.7.7-4.azl3.x86_64.rpm
 rpm-4.18.2-1.azl3.x86_64.rpm
 rpm-build-4.18.2-1.azl3.x86_64.rpm
 rpm-build-libs-4.18.2-1.azl3.x86_64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -168,9 +168,9 @@ krb5-devel-1.21.3-2.azl3.aarch64.rpm
 krb5-lang-1.21.3-2.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
-libarchive-3.7.7-3.azl3.aarch64.rpm
-libarchive-debuginfo-3.7.7-3.azl3.aarch64.rpm
-libarchive-devel-3.7.7-3.azl3.aarch64.rpm
+libarchive-3.7.7-4.azl3.aarch64.rpm
+libarchive-debuginfo-3.7.7-4.azl3.aarch64.rpm
+libarchive-devel-3.7.7-4.azl3.aarch64.rpm
 libassuan-2.5.6-1.azl3.aarch64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.aarch64.rpm
 libassuan-devel-2.5.6-1.azl3.aarch64.rpm

diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -176,9 +176,9 @@ krb5-devel-1.21.3-2.azl3.x86_64.rpm
 krb5-lang-1.21.3-2.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
-libarchive-3.7.7-3.azl3.x86_64.rpm
-libarchive-debuginfo-3.7.7-3.azl3.x86_64.rpm
-libarchive-devel-3.7.7-3.azl3.x86_64.rpm
+libarchive-3.7.7-4.azl3.x86_64.rpm
+libarchive-debuginfo-3.7.7-4.azl3.x86_64.rpm
+libarchive-devel-3.7.7-4.azl3.x86_64.rpm
 libassuan-2.5.6-1.azl3.x86_64.rpm
 libassuan-debuginfo-2.5.6-1.azl3.x86_64.rpm
 libassuan-devel-2.5.6-1.azl3.x86_64.rpm