Skip to content

[WIP] fix(libarchive): strip tarball of all pre-compressed test content#18021

Draft
akhila-guruju wants to merge 5 commits into
microsoft:fasttrack/3.0from
Kanishk-Bansal:topic/libarchive/3.0/compress-tarball
Draft

[WIP] fix(libarchive): strip tarball of all pre-compressed test content#18021
akhila-guruju wants to merge 5 commits into
microsoft:fasttrack/3.0from
Kanishk-Bansal:topic/libarchive/3.0/compress-tarball

Conversation

@akhila-guruju

@akhila-guruju akhila-guruju commented Jul 15, 2026

Copy link
Copy Markdown
Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Azure Linux's package signing fails on libarchive because upstream ships test fixtures that the scanner cannot clear:

Password‑encrypted archives: real AES/traditional‑encrypted .zip/.7z/.rar payloads (uuencoded as .uu). A scanner can't decrypt them to prove they're clean, so they're flagged as unscannable.
Intentionally‑corrupted archives: deliberately malformed archives the ptests feed to libarchive to prove it rejects bad input. These trip AV/format heuristics.

These fixtures are only used by test code; nothing in the shipped library depends on them. The clean fix is to remove the offending payloads from the tarball and adapt the tests that referenced them.

28 encrypted fixture files and 24 intentionally-corrupted / fuzz / crash test fixtures were removed
libarchive/test/ — password‑encrypted (22)

7‑Zip (3)

test_read_format_7zip_encryption.7z.uu
test_read_format_7zip_encryption_header.7z.uu
test_read_format_7zip_encryption_partially.7z.uu

RAR (11)

test_read_format_rar4_encrypted.rar.uu
test_read_format_rar4_encrypted_filenames.rar.uu
test_read_format_rar4_solid_encrypted.rar.uu
test_read_format_rar4_solid_encrypted_filenames.rar.uu
test_read_format_rar5_encrypted.rar.uu
test_read_format_rar5_encrypted_filenames.rar.uu
test_read_format_rar5_solid_encrypted.rar.uu
test_read_format_rar5_solid_encrypted_filenames.rar.uu
test_read_format_rar_encryption_data.rar.uu
test_read_format_rar_encryption_header.rar.uu
test_read_format_rar_encryption_partially.rar.uu

ZIP (8)

test_read_format_zip_encryption_data.zip.uu
test_read_format_zip_encryption_header.zip.uu
test_read_format_zip_encryption_partially.zip.uu
test_read_format_zip_traditional_encryption_data.zip.uu
test_read_format_zip_winzip_aes128.zip.uu
test_read_format_zip_winzip_aes256.zip.uu
test_read_format_zip_winzip_aes256_large.zip.uu
test_read_format_zip_winzip_aes256_stored.zip.uu

Note: winzip_aes* are AES‑encrypted ZIPs whose names don't contain "encrypt" — a naive grep encrypt misses them. They were caught by also matching winzip_aes and cross‑checking tests that use the passphrase API.

Other test suites:
password‑encrypted (3)

tar/test/test_option_passphrase.zip.uu (driven via bsdtar --passphrase)
cpio/test/test_option_passphrase.zip.uu (driven via bsdcpio --passphrase)
unzip/test/test_encrypted.zip.uu (driven via bsdunzip -P password)

libarchive/test/ -> intentionally malformed (3)

test_read_format_7zip_malformed.7z.uu
test_read_format_7zip_malformed2.7z.uu
test_read_format_zip_malformed1.zip.uu

Intentionally‑corrupted archives (24)

libarchive/test/ (23):

test_fuzz.cab.uu, test_fuzz.lzh.uu, test_fuzz_1.iso.Z.uu, test_read_format_mtree_crash747.mtree.bz2.uu, test_read_format_rar5_readtables_overflow.rar.uu, test_read_format_rar5_leftshift1.rar.uu, test_read_format_rar5_leftshift2.rar.uu, test_read_format_rar5_distance_overflow.rar.uu, test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu, test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu, test_read_format_rar5_block_size_is_too_small.rar.uu, test_read_format_rar5_data_ready_pointer_leak.rar.uu, test_read_format_rar5_invalid_dict_reference.rar.uu, test_read_format_rar5_truncated_huff.rar.uu, test_read_format_rar_invalid1.rar.uu, test_read_format_rar_ppmd_use_after_free.rar.uu, test_read_format_rar_ppmd_use_after_free2.rar.uu, test_read_format_zip_bz2_hang.zip.uu, test_read_format_zip_lzma_alone_leak.zipx.uu, test_read_format_zip_ppmd8_crash_1.zipx.uu, test_read_format_zip_ppmd8_crash_2.zipx.uu, test_read_format_zip_with_invalid_traditional_eocd.zip.uu, test_read_format_tar_invalid_pax_size.tar.uu

unzip/test/ (1):

test_t_bad.zip.uu

cat/test/ contains no encrypted or corrupted fixtures, so nothing was removed there.

Some of the CVE patches contain intentionally-corrupted archive fixtures (spec-violating ISO/RAR/WARC files). Removed the 4 offending .uu fixtures and skipped tests through patch

test_read_format_iso_zisofs_overflow.iso.uu (CVE-2026-5121)
test_read_format_rar5_loop_bug.rar.uu (CVE-2026-4111)
test_read_format_rar_overflow.rar.uu (CVE-2025-5915)
test_read_format_warc_incomplete.warc.uu (CVE-2025-5916)

No change to the actual CVE code fixes. only the crafted binary test inputs are stripped and the corresponding tests are skipped. Signing is unblocked; all other ptests run unchanged.

The tests that consumed the removed fixtures were skipped through patch:
DEFINE_TEST functions across some test files now begin with

skipping("test fixture stripped from Azure Linux source tarball");
return;

Attaching the patches used to create this tarball.
patch1 -> 0001-libarchive-binary-test-files.patch
patch2 -> 0001-other-binary-test-files.patch
patch3 -> 0001-corrupted-binary-test-files.patch


Change Log

modified: SPECS/libarchive/libarchive.signatures.json
modified: SPECS/libarchive/libarchive.spec
new file: SPECS/libarchive/skip-stripped-fixture-tests.patch

Does this affect the toolchain?

YES

Associated issues
  • #xxxx
Test Methodology
  • Local Build
  • new patch applied cleanly
image

@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
There may be pipelines that require an authorized user to comment /azp run to run.

@akhila-guruju akhila-guruju changed the title strip libarchive's tarball of all pre-compressed test content fix: strip libarchive's tarball of all pre-compressed test content Jul 15, 2026
@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging fasttrack/3.0 PRs Destined for Azure Linux 3.0 labels Jul 15, 2026
@akhila-guruju akhila-guruju changed the title fix: strip libarchive's tarball of all pre-compressed test content fix(libarchive): strip tarball of all pre-compressed test content Jul 15, 2026
@akhila-guruju
akhila-guruju force-pushed the topic/libarchive/3.0/compress-tarball branch from a689d44 to cce5d48 Compare July 15, 2026 09:06

@Kanishk-Bansal Kanishk-Bansal left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of skipping the tests in tarball do it through patch

@akhila-guruju
akhila-guruju force-pushed the topic/libarchive/3.0/compress-tarball branch from 359e088 to a8296f4 Compare July 15, 2026 11:06
@akhila-guruju akhila-guruju changed the title fix(libarchive): strip tarball of all pre-compressed test content [WIP] fix(libarchive): strip tarball of all pre-compressed test content Jul 15, 2026
@akhila-guruju akhila-guruju changed the title [WIP] fix(libarchive): strip tarball of all pre-compressed test content fix(libarchive): strip tarball of all pre-compressed test content Jul 15, 2026
@akhila-guruju akhila-guruju changed the title fix(libarchive): strip tarball of all pre-compressed test content [WIP] fix(libarchive): strip tarball of all pre-compressed test content Jul 15, 2026
@akhila-guruju
akhila-guruju force-pushed the topic/libarchive/3.0/compress-tarball branch from 8b7f4df to bc99811 Compare July 16, 2026 05:14
@akhila-guruju
akhila-guruju force-pushed the topic/libarchive/3.0/compress-tarball branch from bc99811 to 74a6929 Compare July 16, 2026 08:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

fasttrack/3.0 PRs Destined for Azure Linux 3.0 Packaging security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants