Building off Ian Norton's previous work, https://lists.busybox.net/pipermail/busybox/2025-April/091461.html, here is a more minimal change to specifically resolve CVE-2025-46394. Based on other conversations about sanitization, there may be a larger overall solution but this one resolves the immediate CVE issue.
From: Kyle Steere <[email protected]> Date: Wed, 27 Aug 2025 12:00:00 +0000 Subject: [PATCH] tar: fix CVE-2025-46394 terminal escape sequence injection (minimal) Original credit: Ian Norton - Ian.Norton at entrust.com Prevent unprintable bytes including terminal escapes being printed when listing tar file contents in a terminal as this can be used to hide malicious archive content from users prior to unpacking a files Fixes: #16018 CVE-2025-46394: https://www.openwall.com/lists/oss-security/2025/04/24/3 --- archival/libarchive/header_list.c | 7 ++++++- archival/libarchive/header_verbose_list.c | 18 ++++++++++++++++-- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c index 0621aa406..8b7305fe5 100644 --- a/archival/libarchive/header_list.c +++ b/archival/libarchive/header_list.c @@ -8,5 +8,10 @@ void FAST_FUNC header_list(const file_header_t *file_header) { //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ - puts(file_header->name); + /* Sanitize output to TTY to prevent escape sequence injection */ + if (isatty(1)) { + puts(printable_string(file_header->name)); + } else { + puts(file_header->name); + } } diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c index a575a08a0..c45391b4a 100644 --- a/archival/libarchive/header_verbose_list.c +++ b/archival/libarchive/header_verbose_list.c 
@@ -63,9 +63,23 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) #endif /* FEATURE_TAR_UNAME_GNAME */ + /* Sanitize output to TTY to prevent escape sequence injection */ + if (isatty(1)) { + fputs(printable_string(file_header->name), stdout); + } else { + fputs(file_header->name, stdout); + } + /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */ if (file_header->link_target) { - printf(" -> %s", file_header->link_target); + printf(" -> "); + /* Also sanitize link target */ + if (isatty(1)) { + fputs(printable_string(file_header->link_target), stdout); + } else { + fputs(file_header->link_target, stdout); + } } + bb_putchar('\n'); } Kyle Steere Senior Software Engineer Chainguard [email protected] | chainguard.dev <http://www.chainguard.dev> <https://github.com/chainguard-dev> <https://www.linkedin.com/company/chainguard-dev/> <https://x.com/chainguard_dev>
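Review bot: in the header_list.c hunk the `isatty(1)` check is the only thing between the raw entry name and the screen, so `tar tf evil.tar | less -R`, `| tee list.txt`, or a listing written to a file and later displayed on a terminal all receive the unsanitized bytes and the same hiding trick works once the output reaches a terminal. Consider sanitizing unconditionally (a '?' in a listing is a far smaller surprise than an invisible entry), or at least state the TTY-only policy in the commit message so reviewers know it is deliberate. Also, `isatty(1)` is a syscall per archive entry and the same `if (isatty(1)) { ... } else { ... }` block is repeated four times across the two files; a small helper such as `const char *s = isatty(1) ? printable_string(name) : name;` evaluated once per entry (or once per run) would keep the change minimal and the binary smaller, which matters for BusyBox.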
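Review bot: the header_verbose_list.c hunk adds `fputs(... file_header->name ...)` and `bb_putchar('\n');` as `+` lines but the only `-` line is `printf(" -> %s", file_header->link_target);`, so nothing visible removes whatever previously wrote the name and the trailing newline; the `@@ -63,9 +63,23 @@` header also counts more old lines than are shown here. Either the list rendering dropped lines or the patch as sent prints the name and newline twice. Please re-send the complete hunk, or confirm with a symlink entry that `tar tvf` shows the name once followed by a single newline. Minor: `printf(" -> ");` with no arguments can be `fputs(" -> ", stdout);`, matching the surrounding fputs calls.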
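To make the hiding trick and the TTY-only policy concrete, here is an added example that is my own code, not part of the patch or of BusyBox: it models what libbb's printable_string() does in a no-UNICODE build (bytes below 0x20 or at/above 0x7f become '?'), a `listing_line()` that stands in for the patched list functions with `stdout_is_tty` replacing `isatty(1)`, and a tiny one-line terminal model that shows what a user would actually see. The entry name `EVIL_NAME` is constructed for the demonstration; `render_line`, `sanitize_name` and `listing_line` are hypothetical helpers, not BusyBox functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed malicious archive entry name (not from any real archive):
 * ESC[2K erases the terminal line, '\r' returns the cursor to column 0 and
 * the harmless-looking tail is painted over the real name. */
static const char EVIL_NAME[] = "malware.sh\x1b[2K\rREADME.md";

/* Models the no-UNICODE behaviour of libbb's printable_string(): every byte
 * below 0x20 or at/above 0x7f becomes '?', so ESC, '\r' and '\n' never reach
 * the terminal. Caller frees the result. */
char *sanitize_name(const char *name)
{
    size_t len = strlen(name);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        out[i] = (c < 0x20 || c >= 0x7f) ? '?' : (char)c;
    }
    out[len] = '\0';
    return out;
}

/* Mirrors the patch's policy: sanitize only when stdout is a terminal.
 * `stdout_is_tty` stands in for isatty(1) so both paths can be exercised
 * deterministically. Caller frees the result. */
char *listing_line(const char *name, int stdout_is_tty)
{
    if (stdout_is_tty)
        return sanitize_name(name);
    size_t n = strlen(name) + 1;            /* non-TTY path: raw bytes pass through */
    char *copy = malloc(n);
    return copy ? memcpy(copy, name, n) : NULL;
}

/* Tiny model of how a VT100-style terminal paints ONE line: printable bytes
 * overwrite the cell under the cursor, '\r' moves the cursor to column 0,
 * ESC '[' '2' 'K' erases the line (cursor stays put), any other CSI sequence
 * is swallowed and remaining control bytes are dropped. Returns line length. */
size_t render_line(const char *raw, char *out, size_t outsz)
{
    size_t col = 0, len = 0;
    const unsigned char *p = (const unsigned char *)raw;

    for (; *p; p++) {
        if (*p == 0x1b && p[1] == '[') {
            const unsigned char *q = p + 2;
            while (*q && !(*q >= 0x40 && *q <= 0x7e))   /* skip to final byte */
                q++;
            if (!*q)
                break;
            if (*q == 'K' && q == p + 3 && p[2] == '2')  /* ESC [ 2 K */
                len = 0;
            p = q;
            continue;
        }
        if (*p == '\r') {
            col = 0;
            continue;
        }
        if (*p < 0x20 || *p >= 0x7f)
            continue;
        if (col + 1 >= outsz)
            break;
        while (len < col)                 /* cells left blank by an erase */
            out[len++] = ' ';
        out[col++] = (char)*p;
        if (col > len)
            len = col;
    }
    out[len] = '\0';
    return len;
}

/* Renders `raw` as the terminal model would and compares with `expected`. */
int renders_as(const char *raw, const char *expected)
{
    char screen[128];
    render_line(raw, screen, sizeof screen);
    return strcmp(screen, expected) == 0;
}

/* What the user sees for one `tar t` line under the patch's TTY policy. */
int listing_renders_as(const char *name, int stdout_is_tty, const char *expected)
{
    char *line = listing_line(name, stdout_is_tty);
    int ok = line && renders_as(line, expected);
    free(line);
    return ok;
}

int main(void)
{
    char screen[128];
    char *clean = sanitize_name(EVIL_NAME);

    render_line(EVIL_NAME, screen, sizeof screen);
    printf("raw name as painted on a terminal: %s\n", screen);   /* README.md */
    printf("sanitized name                   : %s\n", clean);    /* malware.sh?[2K?README.md */
    printf("this stdout is %s\n",
           isatty(1) ? "a tty: patch sanitizes" : "not a tty: patch passes raw bytes");
    free(clean);
    return 0;
}
```

Run it once directly and once through `| cat` to see the two branches of the policy; the raw name renders as `README.md` on a terminal while the sanitized one shows the ESC and CR as `?`, which is exactly the difference the patch makes, but only on the `isatty(1)` path.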
_______________________________________________ busybox mailing list [email protected] https://lists.busybox.net/mailman/listinfo/busybox
