From 29b1706544c1013181757c85d64c6e49cea95681 Mon Sep 17 00:00:00 2001 From: Petr Kubat Date: Wed, 5 Feb 2020 09:51:18 +0100 Subject: [PATCH] revert fix for CVE-2015-1197 as it causes shutdown issues revert suggested as a workaround by upstream: https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html revert patch touches Makefile.am so run autoreconf as well Resolves: #1797163 --- cpio-2.13-revert-CVE-2015-1197-fix.patch | 91 ++++++++++++++++++++++++ cpio.spec | 10 ++- 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 cpio-2.13-revert-CVE-2015-1197-fix.patch diff --git a/cpio-2.13-revert-CVE-2015-1197-fix.patch b/cpio-2.13-revert-CVE-2015-1197-fix.patch new file mode 100644 index 0000000..1106ac7 --- /dev/null +++ b/cpio-2.13-revert-CVE-2015-1197-fix.patch @@ -0,0 +1,91 @@ +revert fix for CVE-2015-1197 as it causes shutdown issues + +revert suggested as a workaround by upstream: +https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html + +--- b/src/copyin.c ++++ a/src/copyin.c +@@ -645,14 +645,13 @@ + link_name = xstrdup (file_hdr->c_tar_linkname); + } + +- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false); +- + res = UMASKED_SYMLINK (link_name, file_hdr->c_name, + file_hdr->c_mode); + if (res < 0 && create_dir_flag) + { + create_all_directories (file_hdr->c_name); ++ res = UMASKED_SYMLINK (link_name, file_hdr->c_name, ++ file_hdr->c_mode); +- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode); + } + if (res < 0) + { +--- b/tests/CVE-2015-1197.at ++++ /dev/null +@@ -1,43 +0,0 @@ +-# Process this file with autom4te to create testsuite. -*- Autotest -*- +-# Copyright (C) 2009-2019 Free Software Foundation, Inc. +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; either version 3, or (at your option) +-# any later version. +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program. If not, see . +- +-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)]) +-AT_CHECK([ +-tempdir=$(pwd)/tmp +-mkdir $tempdir +-touch $tempdir/file +-ln -s $tempdir dir +-AT_DATA([filelist], +-[dir +-dir/file +-]) +-ln -s /tmp dir +-touch /tmp/file +-cpio -o < filelist > test.cpio +-rm dir /tmp/file +-cpio --no-absolute-filenames -iv < test.cpio +-], +-[2], +-[], +-[1 block +-cpio: Removing leading `/' from hard link targets +-dir +-cpio: dir/file: Cannot open: No such file or directory +-dir/file +-1 block +-]) +-AT_CLEANUP +- +--- b/tests/Makefile.am ++++ a/tests/Makefile.am +@@ -56,9 +56,8 @@ + symlink-long.at\ + symlink-to-stdout.at\ + version.at\ + big-block-size.at\ +- CVE-2015-1197.at\ + CVE-2019-14866.at + + TESTSUITE = $(srcdir)/testsuite + +--- b/tests/testsuite.at ++++ a/tests/testsuite.at +@@ -43,6 +43,5 @@ + m4_include([setstat04.at]) + m4_include([setstat05.at]) + m4_include([big-block-size.at]) + +-m4_include([CVE-2015-1197.at]) + m4_include([CVE-2019-14866.at]) diff --git a/cpio.spec b/cpio.spec index b9f8fad..7cf2b54 100644 --- a/cpio.spec +++ b/cpio.spec @@ -1,7 +1,7 @@ Summary: A GNU archiving program Name: cpio Version: 2.13 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv3+ URL: http://www.gnu.org/software/cpio/ Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2 @@ -39,6 +39,10 @@ Patch8: cpio-2.11-crc-fips-nit.patch # Fix multiple definition of `program_name' Patch9: cpio-2.13-mutiple-definition.patch +# Revert fix for CVE-2015-1197 (#1797163) +# reverts upstream commit 45b0ee2b4 +Patch10: cpio-2.13-revert-CVE-2015-1197-fix.patch + Provides: bundled(gnulib) Provides: bundled(paxutils) Provides: /bin/cpio @@ -65,6 +69,7 @@ Install cpio if you need a program to manage file archives. %build +autoreconf -fi export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS" %configure --with-rmt="%{_sysconfdir}/rmt" make %{?_smp_mflags} @@ -99,6 +104,9 @@ make check || { %{_infodir}/*.info* %changelog +* Wed Feb 05 2020 Petr Kubat - 2.13-4 +- Revert fix for CVE-2015-1197 as it causes shutdown issues (#1797163) + * Thu Jan 30 2020 Than Ngo - 2.13-3 - Fix multiple definition of program_name