libarchive: patch CVE-2025-1632 and CVE-2025-25724

Pick commit referencing this MR which was merged to master.

(From OE-Core rev: a4ff82c789d50a3f411170636679ce46c8f84b25)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-extended/libarchive/libarchive/CVE-2025-1632_CVE-2025-25724.patch

@@ -0,0 +1,83 @@
+From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
+Date: Mon, 10 Mar 2025 16:43:04 +0100
+Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
+
+Hi,
+
+please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
+vulnerabilities in this pr.
+As both error cases did trigger a NULL pointer deref (and triggered
+hopefully everywhere a coredump), we can safely replace the actual
+information by a predefined invalid string without breaking any
+functionality.
+
+CVE: CVE-2025-1632
+CVE: CVE-2025-25724
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---------
+
+Signed-off-by: Peter Kaestle <peter@piie.net>
+---
+ tar/util.c       |  5 ++++-
+ unzip/bsdunzip.c | 10 +++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/tar/util.c b/tar/util.c
+index 3b099cb5..f3cbdf0b 100644
+--- a/tar/util.c
++++ b/tar/util.c
+@@ -748,7 +748,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
+ #else
+ 	ltime = localtime(&tim);
+ #endif
+-	strftime(tmp, sizeof(tmp), fmt, ltime);
++	if (ltime)
++		strftime(tmp, sizeof(tmp), fmt, ltime);
++	else
++		sprintf(tmp, "-- -- ----");
+ 	fprintf(out, " %s ", tmp);
+ 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
+ 
+diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c
+index 7c8cafc3..4a9028b7 100644
+--- a/unzip/bsdunzip.c
++++ b/unzip/bsdunzip.c
+@@ -904,6 +904,7 @@ list(struct archive *a, struct archive_entry *e)
+ 	char buf[20];
+ 	time_t mtime;
+ 	struct tm *tm;
++	const char *pathname;
+ 
+ 	mtime = archive_entry_mtime(e);
+ 	tm = localtime(&mtime);
+@@ -912,22 +913,25 @@ list(struct archive *a, struct archive_entry *e)
+ 	else
+ 		strftime(buf, sizeof(buf), "%m-%d-%g %R", tm);
+ 
++	pathname = archive_entry_pathname(e);
++	if (!pathname)
++		pathname = "";
+ 	if (!zipinfo_mode) {
+ 		if (v_opt == 1) {
+ 			printf(" %8ju  %s   %s\n",
+ 			    (uintmax_t)archive_entry_size(e),
+-			    buf, archive_entry_pathname(e));
++			    buf, pathname);
+ 		} else if (v_opt == 2) {
+ 			printf("%8ju  Stored  %7ju   0%%  %s  %08x  %s\n",
+ 			    (uintmax_t)archive_entry_size(e),
+ 			    (uintmax_t)archive_entry_size(e),
+ 			    buf,
+ 			    0U,
+-			    archive_entry_pathname(e));
++			    pathname);
+ 		}
+ 	} else {
+ 		if (Z1_opt)
+-			printf("%s\n",archive_entry_pathname(e));
++			printf("%s\n", pathname);
+ 	}
+ 	ac(archive_read_data_skip(a));
+ }

meta/recipes-extended/libarchive/libarchive_3.7.4.bb

@@ -34,6 +34,7 @@ SRC_URI += "file://configurehack.patch \
             file://CVE-2024-48957.patch \
             file://CVE-2024-48958.patch \
             file://CVE-2024-20696.patch \
+            file://CVE-2025-1632_CVE-2025-25724.patch \
            "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"