From 981479997e29953c1a12c9c7376c9d259d035311 Mon Sep 17 00:00:00 2001
From: Radoslav Kolev <radoslav.kolev@suse.com>
Date: Mon, 16 Feb 2026 11:50:04 +0200
Subject: [PATCH] tar: only strip unsafe components from hardlinks, not
 symlinks

commit 3fb6b31c7 introduced a check for unsafe components in
tar archive hardlinks, but it was being applied to symlinks too
which broke "Symlinks and hardlinks coexist" tar test.

Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

CVE: CVE-2026-26157
CVE: CVE-2026-26158
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=599f5dd8fac390c18b79cba4c14c334957605dae]
(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/599f5dd8fac390c18b79cba4c14c334957605dae)
Signed-off-by: Ernst Persson <ernst.persson@non.se.com>
---
 archival/libarchive/get_header_tar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
index 1c40ece..606d806 100644
--- a/archival/libarchive/get_header_tar.c
+++ b/archival/libarchive/get_header_tar.c
@@ -455,7 +455,7 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
 
 	/* Everything up to and including last ".." component is stripped */
 	strip_unsafe_prefix(file_header->name);
-	if (file_header->link_target) {
+	if (file_header->link_target && !S_ISLNK(file_header->mode)) {
 		/* GNU tar 1.34 examples:
 		 * tar: Removing leading '/' from hard link targets
 		 * tar: Removing leading '../' from hard link targets
