[WIP] fix(libarchive): strip tarball of all pre-compressed test content#18021
Draft
akhila-guruju wants to merge 5 commits into
Draft
[WIP] fix(libarchive): strip tarball of all pre-compressed test content#18021akhila-guruju wants to merge 5 commits into
akhila-guruju wants to merge 5 commits into
Conversation
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
akhila-guruju
force-pushed
the
topic/libarchive/3.0/compress-tarball
branch
from
July 15, 2026 09:06
a689d44 to
cce5d48
Compare
Kanishk-Bansal
requested changes
Jul 15, 2026
Kanishk-Bansal
left a comment
There was a problem hiding this comment.
instead of skipping the tests in tarball do it through patch
akhila-guruju
force-pushed
the
topic/libarchive/3.0/compress-tarball
branch
from
July 15, 2026 11:06
359e088 to
a8296f4
Compare
akhila-guruju
force-pushed
the
topic/libarchive/3.0/compress-tarball
branch
from
July 16, 2026 05:14
8b7f4df to
bc99811
Compare
akhila-guruju
force-pushed
the
topic/libarchive/3.0/compress-tarball
branch
from
July 16, 2026 08:16
bc99811 to
74a6929
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassAzure Linux's package signing fails on libarchive because upstream ships test fixtures that the scanner cannot clear:
Password‑encrypted archives: real AES/traditional‑encrypted .zip/.7z/.rar payloads (uuencoded as .uu). A scanner can't decrypt them to prove they're clean, so they're flagged as unscannable.
Intentionally‑corrupted archives: deliberately malformed archives the ptests feed to libarchive to prove it rejects bad input. These trip AV/format heuristics.
These fixtures are only used by test code; nothing in the shipped library depends on them. The clean fix is to remove the offending payloads from the tarball and adapt the tests that referenced them.
28 encrypted fixture files and 24 intentionally-corrupted / fuzz / crash test fixtures were removed
libarchive/test/ — password‑encrypted (22)
7‑Zip (3)
RAR (11)
ZIP (8)
Note: winzip_aes* are AES‑encrypted ZIPs whose names don't contain "encrypt" — a naive grep encrypt misses them. They were caught by also matching winzip_aes and cross‑checking tests that use the passphrase API.
Other test suites:
password‑encrypted (3)
libarchive/test/ -> intentionally malformed (3)
Intentionally‑corrupted archives (24)
libarchive/test/ (23):
test_fuzz.cab.uu, test_fuzz.lzh.uu, test_fuzz_1.iso.Z.uu, test_read_format_mtree_crash747.mtree.bz2.uu, test_read_format_rar5_readtables_overflow.rar.uu, test_read_format_rar5_leftshift1.rar.uu, test_read_format_rar5_leftshift2.rar.uu, test_read_format_rar5_distance_overflow.rar.uu, test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu, test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu, test_read_format_rar5_block_size_is_too_small.rar.uu, test_read_format_rar5_data_ready_pointer_leak.rar.uu, test_read_format_rar5_invalid_dict_reference.rar.uu, test_read_format_rar5_truncated_huff.rar.uu, test_read_format_rar_invalid1.rar.uu, test_read_format_rar_ppmd_use_after_free.rar.uu, test_read_format_rar_ppmd_use_after_free2.rar.uu, test_read_format_zip_bz2_hang.zip.uu, test_read_format_zip_lzma_alone_leak.zipx.uu, test_read_format_zip_ppmd8_crash_1.zipx.uu, test_read_format_zip_ppmd8_crash_2.zipx.uu, test_read_format_zip_with_invalid_traditional_eocd.zip.uu, test_read_format_tar_invalid_pax_size.tar.uuunzip/test/ (1):
test_t_bad.zip.uucat/test/contains no encrypted or corrupted fixtures, so nothing was removed there.Some of the CVE patches contain intentionally-corrupted archive fixtures (spec-violating ISO/RAR/WARC files). Removed the 4 offending
.uufixtures and skipped tests through patchNo change to the actual CVE code fixes. only the crafted binary test inputs are stripped and the corresponding tests are skipped. Signing is unblocked; all other ptests run unchanged.
The tests that consumed the removed fixtures were skipped through patch:
DEFINE_TESTfunctions across some test files now begin withAttaching the patches used to create this tarball.
patch1 -> 0001-libarchive-binary-test-files.patch
patch2 -> 0001-other-binary-test-files.patch
patch3 -> 0001-corrupted-binary-test-files.patch
Change Log
modified: SPECS/libarchive/libarchive.signatures.json
modified: SPECS/libarchive/libarchive.spec
new file: SPECS/libarchive/skip-stripped-fixture-tests.patch
Does this affect the toolchain?
YES
Associated issues
Test Methodology