archival/libarchive: sanitize filenames on output (prevent control sequence attacks

This fixes CVE-2025-46394 (terminal escape sequence injection) Original credit: Ian.Norton at entrust.com function old new delta header_list 9 15 +6 header_verbose_list 239 244 +5 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2026-01-31 16:43:21 +00:00 · 2025-09-24 03:28:47 +02:00 · 2025-09-24 03:28:47 +02:00 · f5e1bf966b
commit f5e1bf966b
parent 381a40a049
2 changed files with 3 additions and 3 deletions
--- a/archival/libarchive/header_list.c
+++ b/archival/libarchive/header_list.c
@ -8,5 +8,5 @@
 void FAST_FUNC header_list(const file_header_t *file_header)
 {
 //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
-	puts(file_header->name);
+	puts(printable_string(file_header->name));
 }
--- a/archival/libarchive/header_verbose_list.c
+++ b/archival/libarchive/header_verbose_list.c
@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
 		ptm->tm_hour,
 		ptm->tm_min,
 		ptm->tm_sec,
-		file_header->name);
+		printable_string(file_header->name));

 #endif /* FEATURE_TAR_UNAME_GNAME */

 	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
 	if (file_header->link_target) {
-		printf(" -> %s", file_header->link_target);
+		printf(" -> %s", printable_string(file_header->link_target));
 	}
 	bb_putchar('\n');
 }