archival/libarchive: sanitize filenames on output (prevent control sequence attacks

This fixes CVE-2025-46394 (terminal escape sequence injection)

Original credit: Ian.Norton at entrust.com

function                                             old     new   delta
header_list                                            9      15      +6
header_verbose_list                                  239     244      +5
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0)               Total: 11 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

2 files changed, 3 insertions, 3 deletions

diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
index 0621aa406..9490b3635 100644
--- a/archival/libarchive/header_list.c
+++ b/archival/libarchive/header_list.c
@@ -8,5 +8,5 @@
 void FAST_FUNC header_list(const file_header_t *file_header)
 {
 //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
-	puts(file_header->name);
+	puts(printable_string(file_header->name));
 }
diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
index a575a08a0..e7a09430d 100644
--- a/archival/libarchive/header_verbose_list.c
+++ b/archival/libarchive/header_verbose_list.c
@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
 		ptm->tm_hour,
 		ptm->tm_min,
 		ptm->tm_sec,
-		file_header->name);
+		printable_string(file_header->name));
 
 #endif /* FEATURE_TAR_UNAME_GNAME */
 
 	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
 	if (file_header->link_target) {
-		printf(" -> %s", file_header->link_target);
+		printf(" -> %s", printable_string(file_header->link_target));
 	}
 	bb_putchar('\n');
 }