From f46be6331cfd42c0c1c12aacfad2cb0df731b2c4 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 10 May 2022 03:12:53 -0400 Subject: [PATCH] import cpio-2.12-11.el8 --- .../cpio-2.12-improper-input-validation.patch | 2 +- SOURCES/cpio-2.13-CVE-2021-38185.patch | 1266 +++++++++++++++++ SPECS/cpio.spec | 18 +- 3 files changed, 1284 insertions(+), 2 deletions(-) create mode 100644 SOURCES/cpio-2.13-CVE-2021-38185.patch diff --git a/SOURCES/cpio-2.12-improper-input-validation.patch b/SOURCES/cpio-2.12-improper-input-validation.patch index 25c0b4c..ae75da5 100644 --- a/SOURCES/cpio-2.12-improper-input-validation.patch +++ b/SOURCES/cpio-2.12-improper-input-validation.patch @@ -65,7 +65,7 @@ index e2b5f45..53dc99a 100644 while (digits > 0 && value != 0); + if (value > 0) + { -+ error (0, 0, _("%s: field width not sufficient for storing %s"), ++ error (1, 0, _("%s: field width not sufficient for storing %s"), + filename, fieldname); + return 1; + } diff --git a/SOURCES/cpio-2.13-CVE-2021-38185.patch b/SOURCES/cpio-2.13-CVE-2021-38185.patch new file mode 100644 index 0000000..556959c --- /dev/null +++ b/SOURCES/cpio-2.13-CVE-2021-38185.patch @@ -0,0 +1,1266 @@ +From be54882039632c791493d3657042f7ea9d6f4a20 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Tue, 21 Sep 2021 11:42:02 +0200 +Subject: [PATCH] * src/dstring.c (ds_init): Take a single argument. + (ds_free): New function. (ds_resize): Take a single argument. Use + x2nrealloc to expand the storage. + (ds_reset,ds_append,ds_concat,ds_endswith): New function. (ds_fgetstr): + Rewrite. In particular, this fixes integer overflow. (ds_resize): Take + additional argument: number of bytes to leave available after ds_idx. All + uses changed. * src/dstring.h (dynamic_string): Keep both the allocated + length (ds_size) and index of the next free byte in the string (ds_idx). + (ds_init,ds_resize): Change signature. (ds_len): New macro. + (ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. * + src/copyin.c: Use new ds_ functions. (read_name_from_file): Handle len == 0. + (read_name_from_file): Print error message and skip file if its name is not + nul-terminated. (long_format): Cast rdev numbers to unsigned long * + src/copyout.c: Likewise. * src/copypass.c: Likewise. * src/util.c: Likewise. + (tape_empty_output_buffer): Fix condition. * src/idcache.c + (getuser,getgroup): Use umaxtostr instead of sprintf. * src/userspec.c + (parse_user_spec): Likewise. + +--- + configure.ac | 4 +- + src/copyin.c | 228 ++++++++++++++++++------------------------------- + src/copyout.c | 77 +++++++++-------- + src/copypass.c | 34 ++++---- + src/cpiohdr.h | 9 +- + src/dstring.c | 89 +++++++++++++------ + src/dstring.h | 30 +++---- + src/extern.h | 22 +++-- + src/idcache.c | 11 ++- + src/makepath.c | 2 +- + src/userspec.c | 9 +- + src/util.c | 53 +++++++++--- + 12 files changed, 294 insertions(+), 274 deletions(-) + +diff --git a/configure.ac b/configure.ac +index c68bd44..49eaacd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -21,8 +21,8 @@ AC_INIT([GNU cpio], [2.12], [bug-cpio@gnu.org],, + AC_CONFIG_SRCDIR(src/cpio.h) + AC_CONFIG_AUX_DIR([build-aux]) + AC_CONFIG_HEADERS([config.h]) +-AC_PREREQ([2.63]) +-AM_INIT_AUTOMAKE([1.11.1 gnits tar-ustar dist-bzip2 std-options silent-rules]) ++AC_PREREQ([2.64]) ++AM_INIT_AUTOMAKE([1.15 gnits tar-ustar dist-bzip2 std-options silent-rules]) + + # Enable silent rules by default: + AM_SILENT_RULES([yes]) +diff --git a/src/copyin.c b/src/copyin.c +index 267ed4b..2f9da73 100644 +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -56,10 +56,10 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, + static dynamic_string new_name; /* New file name for rename option. */ + static int initialized_new_name = false; + if (!initialized_new_name) +- { +- ds_init (&new_name, 128); +- initialized_new_name = true; +- } ++ { ++ ds_init (&new_name); ++ initialized_new_name = true; ++ } + + if (rename_flag) + { +@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, + return -1; + } + else +- /* Debian hack: file_hrd.c_name is sometimes set to +- point to static memory by code in tar.c. This +- causes a segfault. This has been fixed and an +- additional check to ensure that the file name +- is not too long has been added. (Reported by +- Horst Knobloch.) This bug has been reported to +- "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */ +- { +- if (archive_format != arf_tar && archive_format != arf_ustar) +- { +- free (file_hdr->c_name); +- file_hdr->c_name = xstrdup (new_name.ds_string); +- } +- else +- { +- if (is_tar_filename_too_long (new_name.ds_string)) +- error (0, 0, _("%s: file name too long"), +- new_name.ds_string); +- else +- strcpy (file_hdr->c_name, new_name.ds_string); +- } +- } ++ cpio_set_c_name (file_hdr, new_name.ds_string); + return 0; + } + +@@ -173,10 +152,8 @@ list_file (struct cpio_file_stat* file_hdr, int in_file_des) + } + else + { +- /* Debian hack: Modified to print a list of filenames +- terminiated by a null character when the -t and -0 +- flags are used. This has been submitted as a +- suggestion to "bug-gnu-utils@prep.ai.mit.edu". -BEM */ ++ /* Print out the name as it is. The name_end delimiter is normally ++ '\n', but can be reset to '\0' by the -0 option. */ + printf ("%s%c", file_hdr->c_name, name_end); + } + +@@ -201,7 +178,7 @@ list_file (struct cpio_file_stat* file_hdr, int in_file_des) + + static int + try_existing_file (struct cpio_file_stat* file_hdr, int in_file_des, +- int *existing_dir) ++ bool *existing_dir) + { + struct stat file_stat; + +@@ -344,8 +321,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr, + d_prev->next = d->next; + else + deferments = d->next; +- free (file_hdr->c_name); +- file_hdr->c_name = xstrdup(d->header.c_name); ++ cpio_set_c_name (file_hdr, d->header.c_name); + free_deferment (d); + copyin_regular_file(file_hdr, in_file_des); + return 0; +@@ -697,7 +673,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des) + static void + copyin_file (struct cpio_file_stat *file_hdr, int in_file_des) + { +- int existing_dir; ++ bool existing_dir = false; + + if (!to_stdout_option + && try_existing_file (file_hdr, in_file_des, &existing_dir) < 0) +@@ -748,7 +724,7 @@ static time_t current_time; + this file is a symbolic link to. */ + + void +-long_format (struct cpio_file_stat *file_hdr, char *link_name) ++long_format (struct cpio_file_stat *file_hdr, char const *link_name) + { + char mbuf[11]; + char tbuf[40]; +@@ -780,92 +756,42 @@ long_format (struct cpio_file_stat *file_hdr, char *link_name) + + if ((file_hdr->c_mode & CP_IFMT) == CP_IFCHR + || (file_hdr->c_mode & CP_IFMT) == CP_IFBLK) +- printf ("%3lu, %3lu ", file_hdr->c_rdev_maj, +- file_hdr->c_rdev_min); ++ printf ("%3lu, %3lu ", ++ (unsigned long) file_hdr->c_rdev_maj, ++ (unsigned long) file_hdr->c_rdev_min); + else + printf ("%8"PRIuMAX" ", (uintmax_t) file_hdr->c_filesize); + + printf ("%s ", tbuf + 4); + +- print_name_with_quoting (file_hdr->c_name); ++ printf ("%s", quotearg (file_hdr->c_name)); + if (link_name) + { + printf (" -> "); +- print_name_with_quoting (link_name); ++ printf ("%s", quotearg (link_name)); + } + putc ('\n', stdout); + } + +-void +-print_name_with_quoting (register char *p) +-{ +- register unsigned char c; +- +- while ( (c = *p++) ) +- { +- switch (c) +- { +- case '\\': +- printf ("\\\\"); +- break; +- +- case '\n': +- printf ("\\n"); +- break; +- +- case '\b': +- printf ("\\b"); +- break; +- +- case '\r': +- printf ("\\r"); +- break; +- +- case '\t': +- printf ("\\t"); +- break; +- +- case '\f': +- printf ("\\f"); +- break; +- +- case ' ': +- printf ("\\ "); +- break; +- +- case '"': +- printf ("\\\""); +- break; +- +- default: +- if (c > 040 && c < 0177) +- putchar (c); +- else +- printf ("\\%03o", (unsigned int) c); +- } +- } +-} +- + /* Read a pattern file (for the -E option). Put a list of + `num_patterns' elements in `save_patterns'. Any patterns that were + already in `save_patterns' (from the command line) are preserved. */ + + static void +-read_pattern_file () ++read_pattern_file (void) + { +- int max_new_patterns; +- char **new_save_patterns; +- int new_num_patterns; ++ char **new_save_patterns = NULL; ++ size_t max_new_patterns; ++ size_t new_num_patterns; + int i; +- dynamic_string pattern_name; ++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER; + FILE *pattern_fp; + + if (num_patterns < 0) + num_patterns = 0; +- max_new_patterns = 1 + num_patterns; +- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *)); + new_num_patterns = num_patterns; +- ds_init (&pattern_name, 128); ++ max_new_patterns = num_patterns; ++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0])); + + pattern_fp = fopen (pattern_file_name, "r"); + if (pattern_fp == NULL) +@@ -874,16 +800,16 @@ read_pattern_file () + { + while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL) + { +- if (new_num_patterns >= max_new_patterns) +- { +- max_new_patterns += 1; +- new_save_patterns = (char **) +- xrealloc ((char *) new_save_patterns, +- max_new_patterns * sizeof (char *)); +- } ++ if (new_num_patterns == max_new_patterns) ++ new_save_patterns = x2nrealloc (new_save_patterns, ++ &max_new_patterns, ++ sizeof (new_save_patterns[0])); + new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string); + ++new_num_patterns; + } ++ ++ ds_free (&pattern_name); ++ + if (ferror (pattern_fp) || fclose (pattern_fp) == EOF) + close_error (pattern_file_name); + } +@@ -1066,6 +992,27 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des) + } + } + ++static void ++read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len) ++{ ++ if (len == 0) ++ { ++ error (0, 0, _("malformed header: file name of zero length")); ++ } ++ else ++ { ++ cpio_realloc_c_name (file_hdr, len); ++ tape_buffered_read (file_hdr->c_name, fd, len); ++ if (file_hdr->c_name[len-1] != 0) ++ { ++ error (0, 0, _("malformed header: file name is not nul-terminated")); ++ /* Skip this file */ ++ len = 0; ++ } ++ } ++ file_hdr->c_namesize = len; ++} ++ + /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from + file descriptor IN_DES, except for the magic number, which is + already filled in. */ +@@ -1092,14 +1039,9 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des) + file_hdr->c_rdev_min = minor (dev); + + file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime); +- file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize); + file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize); + +- /* Read file name from input. */ +- if (file_hdr->c_name != NULL) +- free (file_hdr->c_name); +- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1); +- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); ++ read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize)); + + /* HP/UX cpio creates archives that look just like ordinary archives, + but for devices it sets major = 0, minor = 1, and puts the +@@ -1154,14 +1096,9 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des) + file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min); + file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj); + file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min); +- file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize); + file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum); + +- /* Read file name from input. */ +- if (file_hdr->c_name != NULL) +- free (file_hdr->c_name); +- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); +- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); ++ read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize)); + + /* In SVR4 ASCII format, the amount of space allocated for the header + is rounded up to the next long-word, so we might need to drop +@@ -1209,16 +1146,10 @@ read_in_binary (struct cpio_file_stat *file_hdr, + file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev); + file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16 + | short_hdr->c_mtimes[1]; +- +- file_hdr->c_namesize = short_hdr->c_namesize; + file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16 + | short_hdr->c_filesizes[1]; + +- /* Read file name from input. */ +- if (file_hdr->c_name != NULL) +- free (file_hdr->c_name); +- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); +- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); ++ read_name_from_file (file_hdr, in_des, short_hdr->c_namesize); + + /* In binary mode, the amount of space allocated in the header for + the filename is `c_namesize' rounded up to the next short-word, +@@ -1278,14 +1209,14 @@ swab_array (char *ptr, int count) + in the file system. */ + + void +-process_copy_in () ++process_copy_in (void) + { +- char done = false; /* True if trailer reached. */ + FILE *tty_in = NULL; /* Interactive file for rename option. */ + FILE *tty_out = NULL; /* Interactive file for rename option. */ + FILE *rename_in = NULL; /* Batch file for rename option. */ + struct stat file_stat; /* Output file stat record. */ +- struct cpio_file_stat file_hdr; /* Output header information. */ ++ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER; ++ /* Output header information. */ + int in_file_des; /* Input file descriptor. */ + char skip_file; /* Flag for use with patterns. */ + int i; /* Loop index variable. */ +@@ -1298,8 +1229,7 @@ process_copy_in () + { + read_pattern_file (); + } +- file_hdr.c_name = NULL; +- ++ file_hdr.c_namesize = 0; + if (rename_batch_file) + { + rename_in = fopen (rename_batch_file, "r"); +@@ -1352,7 +1282,7 @@ process_copy_in () + change_dir (); + + /* While there is more input in the collection, process the input. */ +- while (!done) ++ while (1) + { + swapping_halfwords = swapping_bytes = false; + +@@ -1380,30 +1310,32 @@ process_copy_in () + + } + #endif +- /* Is this the header for the TRAILER file? */ +- if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0) ++ if (file_hdr.c_namesize == 0) ++ skip_file = true; ++ else + { +- done = true; +- break; +- } ++ /* Is this the header for the TRAILER file? */ ++ if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0) ++ break; + +- cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, +- false); ++ cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, ++ false); + +- /* Does the file name match one of the given patterns? */ +- if (num_patterns <= 0) +- skip_file = false; +- else +- { +- skip_file = copy_matching_files; +- for (i = 0; i < num_patterns +- && skip_file == copy_matching_files; i++) ++ /* Does the file name match one of the given patterns? */ ++ if (num_patterns <= 0) ++ skip_file = false; ++ else + { +- if (fnmatch (save_patterns[i], file_hdr.c_name, 0) == 0) +- skip_file = !copy_matching_files; ++ skip_file = copy_matching_files; ++ for (i = 0; i < num_patterns ++ && skip_file == copy_matching_files; i++) ++ { ++ if (fnmatch (save_patterns[i], file_hdr.c_name, 0) == 0) ++ skip_file = !copy_matching_files; ++ } + } + } +- ++ + if (skip_file) + { + /* If we're skipping a file with links, there might be other +@@ -1494,6 +1426,8 @@ process_copy_in () + fputc ('\n', stderr); + + apply_delayed_set_stat (); ++ ++ cpio_file_stat_free (&file_hdr); + + if (append_flag) + return; +diff --git a/src/copyout.c b/src/copyout.c +index 56416ba..a576f27 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -269,26 +269,32 @@ writeout_final_defers (int out_des) + so it should be moved to paxutils too. + Allowed values for logbase are: 1 (binary), 2, 3 (octal), 4 (hex) */ + int +-to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase) ++to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase, bool nul) + { + static char codetab[] = "0123456789ABCDEF"; +- int i = digits; + +- do ++ if (nul) ++ where[--digits] = 0; ++ while (digits > 0) + { +- where[--i] = codetab[(v & ((1 << logbase) - 1))]; ++ where[--digits] = codetab[(v & ((1 << logbase) - 1))]; + v >>= logbase; + } +- while (i); + + return v != 0; + } + +-static void +-field_width_error (const char *filename, const char *fieldname) ++void ++field_width_error (const char *filename, const char *fieldname, ++ uintmax_t value, size_t width, bool nul) + { +- error (1, 0, _("%s: field width not sufficient for storing %s"), +- filename, fieldname); ++ char valbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ error (1, 0, _("%s: value %s %s out of allowed range 0..%s"), ++ filename, fieldname, ++ STRINGIFY_BIGINT (value, valbuf), ++ STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8), ++ maxbuf)); + } + + static void +@@ -303,7 +309,7 @@ to_ascii_or_warn (char *where, uintmax_t n, size_t digits, + unsigned logbase, + const char *filename, const char *fieldname) + { +- if (to_ascii (where, n, digits, logbase)) ++ if (to_ascii (where, n, digits, logbase, false)) + field_width_warning (filename, fieldname); + } + +@@ -312,9 +318,9 @@ to_ascii_or_error (char *where, uintmax_t n, size_t digits, + unsigned logbase, + const char *filename, const char *fieldname) + { +- if (to_ascii (where, n, digits, logbase)) ++ if (to_ascii (where, n, digits, logbase, false)) + { +- field_width_error (filename, fieldname); ++ field_width_error (filename, fieldname, n, digits, false); + return 1; + } + return 0; +@@ -371,7 +377,7 @@ write_out_new_ascii_header (const char *magic_string, + _("name size"))) + return 1; + p += 8; +- to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16); ++ to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16, false); + + tape_buffered_write (ascii_header, out_des, sizeof ascii_header); + +@@ -388,7 +394,7 @@ write_out_old_ascii_header (dev_t dev, dev_t rdev, + char ascii_header[76]; + char *p = ascii_header; + +- to_ascii (p, file_hdr->c_magic, 6, LG_8); ++ to_ascii (p, file_hdr->c_magic, 6, LG_8, false); + p += 6; + to_ascii_or_warn (p, dev, 6, LG_8, file_hdr->c_name, _("device number")); + p += 6; +@@ -492,7 +498,10 @@ write_out_binary_header (dev_t rdev, + short_hdr.c_namesize = file_hdr->c_namesize & 0xFFFF; + if (short_hdr.c_namesize != file_hdr->c_namesize) + { +- field_width_error (file_hdr->c_name, _("name size")); ++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ error (1, 0, _("%s: value %s %s out of allowed range 0..%u"), ++ file_hdr->c_name, _("name size"), ++ STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFu); + return 1; + } + +@@ -502,7 +511,10 @@ write_out_binary_header (dev_t rdev, + if (((off_t)short_hdr.c_filesizes[0] << 16) + short_hdr.c_filesizes[1] + != file_hdr->c_filesize) + { +- field_width_error (file_hdr->c_name, _("file size")); ++ char maxbuf[UINTMAX_STRSIZE_BOUND + 1]; ++ error (1, 0, _("%s: value %s %s out of allowed range 0..%lu"), ++ file_hdr->c_name, _("file size"), ++ STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFFFFFlu); + return 1; + } + +@@ -582,17 +594,18 @@ assign_string (char **pvar, char *value) + The format of the header depends on the compatibility (-c) flag. */ + + void +-process_copy_out () ++process_copy_out (void) + { +- dynamic_string input_name; /* Name of file read from stdin. */ ++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of file read from stdin. */ + struct stat file_stat; /* Stat record for file. */ +- struct cpio_file_stat file_hdr; /* Output header information. */ ++ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER; ++ /* Output header information. */ + int in_file_des; /* Source file descriptor. */ + int out_file_des; /* Output file descriptor. */ + char *orig_file_name = NULL; + + /* Initialize the copy out. */ +- ds_init (&input_name, 128); + file_hdr.c_magic = 070707; + + /* Check whether the output file might be a tape. */ +@@ -644,14 +657,9 @@ process_copy_out () + { + if (file_hdr.c_mode & CP_IFDIR) + { +- int len = strlen (input_name.ds_string); + /* Make sure the name ends with a slash */ +- if (input_name.ds_string[len-1] != '/') +- { +- ds_resize (&input_name, len + 2); +- input_name.ds_string[len] = '/'; +- input_name.ds_string[len+1] = 0; +- } ++ if (!ds_endswith (&input_name, '/')) ++ ds_append (&input_name, '/'); + } + } + +@@ -659,8 +667,7 @@ process_copy_out () + cpio_safer_name_suffix (input_name.ds_string, false, + !no_abs_paths_flag, true); + #ifndef HPUX_CDF +- file_hdr.c_name = input_name.ds_string; +- file_hdr.c_namesize = strlen (input_name.ds_string) + 1; ++ cpio_set_c_name (&file_hdr, input_name.ds_string); + #else + if ( (archive_format != arf_tar) && (archive_format != arf_ustar) ) + { +@@ -669,16 +676,15 @@ process_copy_out () + properly recreate the directory as hidden (in case the + files of a directory go into the archive before the + directory itself (e.g from "find ... -depth ... | cpio")). */ +- file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string); +- file_hdr.c_namesize = strlen (file_hdr.c_name) + 1; ++ cpio_set_c_name (&file_hdr, ++ add_cdf_double_slashes (input_name.ds_string)); + } + else + { + /* We don't mark CDF's in tar files. We assume the "hidden" + directory will always go into the archive before any of + its files. */ +- file_hdr.c_name = input_name.ds_string; +- file_hdr.c_namesize = strlen (input_name.ds_string) + 1; ++ cpio_set_c_name (&file_hdr, input_name.ds_string); + } + #endif + +@@ -865,8 +871,7 @@ process_copy_out () + file_hdr.c_chksum = 0; + + file_hdr.c_filesize = 0; +- file_hdr.c_namesize = 11; +- file_hdr.c_name = CPIO_TRAILER_NAME; ++ cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME); + if (archive_format != arf_tar && archive_format != arf_ustar) + write_out_header (&file_hdr, out_file_des); + else +@@ -884,6 +889,8 @@ process_copy_out () + ngettext ("%lu block\n", "%lu blocks\n", + (unsigned long) blocks), (unsigned long) blocks); + } ++ cpio_file_stat_free (&file_hdr); ++ ds_free (&input_name); + } + + +diff --git a/src/tar.c b/src/tar.c +index 1b1156e..0a34845 100644 +--- a/src/tar.c ++++ b/src/tar.c +@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) + if (null_block ((long *) &tar_rec, TARRECORDSIZE)) + #endif + { +- file_hdr->c_name = CPIO_TRAILER_NAME; ++ cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME); + return; + } + #if 0 +@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) + } + + if (archive_format != arf_ustar) +- file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name); ++ cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name)); + else +- file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name); ++ cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix, ++ tar_hdr->name)); ++ + file_hdr->c_nlink = 1; + file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode); + file_hdr->c_mode = file_hdr->c_mode & 07777; +@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) + case AREGTYPE: + /* Old tar format; if the last char in filename is '/' then it is + a directory, otherwise it's a regular file. */ +- if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/') ++ if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/') + file_hdr->c_mode |= CP_IFDIR; + else + file_hdr->c_mode |= CP_IFREG; +diff --git a/src/copypass.c b/src/copypass.c +index b4e7169..8378a9b 100644 +--- a/src/copypass.c ++++ b/src/copypass.c +@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st) + If `link_flag', link instead of copying. */ + + void +-process_copy_pass () ++process_copy_pass (void) + { +- dynamic_string input_name; /* Name of file from stdin. */ +- dynamic_string output_name; /* Name of new file. */ ++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of file from stdin. */ ++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER; ++ /* Name of new file. */ + size_t dirname_len; /* Length of `directory_name'. */ + int res; /* Result of functions. */ + char *slash; /* For moving past slashes in input name. */ +@@ -69,25 +71,19 @@ process_copy_pass () + created files */ + + /* Initialize the copy pass. */ +- ds_init (&input_name, 128); + + dirname_len = strlen (directory_name); + if (change_directory_option && !ISSLASH (directory_name[0])) + { + char *pwd = xgetcwd (); + +- dirname_len += strlen (pwd) + 1; +- ds_init (&output_name, dirname_len + 2); +- strcpy (output_name.ds_string, pwd); +- strcat (output_name.ds_string, "/"); +- strcat (output_name.ds_string, directory_name); ++ ds_concat (&output_name, pwd); ++ ds_append (&output_name, '/'); + } +- else +- { +- ds_init (&output_name, dirname_len + 2); +- strcpy (output_name.ds_string, directory_name); +- } +- output_name.ds_string[dirname_len] = '/'; ++ ++ ds_concat (&output_name, directory_name); ++ ds_append (&output_name, '/'); ++ dirname_len = ds_len (&output_name); + output_is_seekable = true; + + change_dir (); +@@ -127,8 +123,8 @@ process_copy_pass () + keep track of which directories in a path are "hidden". */ + slash = add_cdf_double_slashes (slash); + #endif +- ds_resize (&output_name, dirname_len + strlen (slash) + 2); +- strcpy (output_name.ds_string + dirname_len + 1, slash); ++ ds_reset (&output_name, dirname_len); ++ ds_concat (&output_name, slash); + + existing_dir = false; + if (lstat (output_name.ds_string, &out_file_stat) == 0) +@@ -346,6 +342,8 @@ process_copy_pass () + (unsigned long) blocks), + (unsigned long) blocks); + } ++ ds_free (&input_name); ++ ds_free (&output_name); + } + + /* Try and create a hard link from FILE_NAME to another file +@@ -385,7 +383,7 @@ link_to_maj_min_ino (char *file_name, int st_dev_maj, int st_dev_min, + is created, -1 otherwise. */ + + int +-link_to_name (char *link_name, char *link_target) ++link_to_name (char const *link_name, char const *link_target) + { + int res = link (link_target, link_name); + if (res < 0 && create_dir_flag) +diff --git a/src/cpiohdr.h b/src/cpiohdr.h +index b29e6fb..aa4a8c4 100644 +--- a/src/cpiohdr.h ++++ b/src/cpiohdr.h +@@ -126,8 +126,15 @@ struct cpio_file_stat /* Internal representation of a CPIO header */ + size_t c_namesize; + uint32_t c_chksum; + char *c_name; +- char *c_tar_linkname; ++ size_t c_name_buflen; ++ char const *c_tar_linkname; + }; + ++#define CPIO_FILE_STAT_INITIALIZER \ ++ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, NULL } ++void cpio_file_stat_init (struct cpio_file_stat *file_hdr); ++void cpio_file_stat_free (struct cpio_file_stat *file_hdr); ++void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name); ++void cpio_realloc_c_name (struct cpio_file_stat *file_hdr, size_t len); + + #endif /* cpiohdr.h */ +diff --git a/src/dstring.c b/src/dstring.c +index 2e6b97b..b70d72e 100644 +--- a/src/dstring.c ++++ b/src/dstring.c +@@ -22,37 +22,52 @@ + #endif + + #include ++#include + #if defined(HAVE_STRING_H) || defined(STDC_HEADERS) + #include + #else + #include + #endif + #include "dstring.h" +- +-char *xmalloc (unsigned n); +-char *xrealloc (char *p, unsigned n); ++#include + + /* Initialiaze dynamic string STRING with space for SIZE characters. */ + + void +-ds_init (dynamic_string *string, int size) ++ds_init (dynamic_string *string) ++{ ++ memset (string, 0, sizeof *string); ++} ++ ++/* Free the dynamic string storage. */ ++ ++void ++ds_free (dynamic_string *string) + { +- string->ds_length = size; +- string->ds_string = (char *) xmalloc (size); ++ free (string->ds_string); + } + +-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */ ++/* Expand dynamic string STRING, if necessary. */ + + void +-ds_resize (dynamic_string *string, int size) ++ds_resize (dynamic_string *string, size_t len) + { +- if (size > string->ds_length) ++ while (len + string->ds_idx >= string->ds_size) + { +- string->ds_length = size; +- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size); ++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size, ++ 1); + } + } + ++/* Reset the index of the dynamic string S to LEN. */ ++ ++void ++ds_reset (dynamic_string *s, size_t len) ++{ ++ ds_resize (s, len); ++ s->ds_idx = len; ++} ++ + /* Dynamic string S gets a string terminated by the EOS character + (which is removed) from file F. S will increase + in size during the function if the string from F is longer than +@@ -63,34 +78,49 @@ ds_resize (dynamic_string *string, int size) + char * + ds_fgetstr (FILE *f, dynamic_string *s, char eos) + { +- int insize; /* Amount needed for line. */ +- int strsize; /* Amount allocated for S. */ + int next_ch; + + /* Initialize. */ +- insize = 0; +- strsize = s->ds_length; ++ s->ds_idx = 0; + + /* Read the input string. */ +- next_ch = getc (f); +- while (next_ch != eos && next_ch != EOF) ++ while ((next_ch = getc (f)) != eos && next_ch != EOF) + { +- if (insize >= strsize - 1) +- { +- ds_resize (s, strsize * 2 + 2); +- strsize = s->ds_length; +- } +- s->ds_string[insize++] = next_ch; +- next_ch = getc (f); ++ ds_resize (s, 0); ++ s->ds_string[s->ds_idx++] = next_ch; + } +- s->ds_string[insize++] = '\0'; ++ ds_resize (s, 0); ++ s->ds_string[s->ds_idx] = '\0'; + +- if (insize == 1 && next_ch == EOF) ++ if (s->ds_idx == 0 && next_ch == EOF) + return NULL; + else + return s->ds_string; + } + ++void ++ds_append (dynamic_string *s, int c) ++{ ++ ds_resize (s, 0); ++ s->ds_string[s->ds_idx] = c; ++ if (c) ++ { ++ s->ds_idx++; ++ ds_resize (s, 0); ++ s->ds_string[s->ds_idx] = 0; ++ } ++} ++ ++void ++ds_concat (dynamic_string *s, char const *str) ++{ ++ size_t len = strlen (str); ++ ds_resize (s, len); ++ memcpy (s->ds_string + s->ds_idx, str, len); ++ s->ds_idx += len; ++ s->ds_string[s->ds_idx] = 0; ++} ++ + char * + ds_fgets (FILE *f, dynamic_string *s) + { +@@ -102,3 +132,10 @@ ds_fgetname (FILE *f, dynamic_string *s) + { + return ds_fgetstr (f, s, '\0'); + } ++ ++/* Return true if the dynamic string S ends with character C. */ ++int ++ds_endswith (dynamic_string *s, int c) ++{ ++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c); ++} +diff --git a/src/dstring.h b/src/dstring.h +index 5b49def..a2b6183 100644 +--- a/src/dstring.h ++++ b/src/dstring.h +@@ -17,10 +17,6 @@ + Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301 USA. */ + +-#ifndef NULL +-#define NULL 0 +-#endif +- + /* A dynamic string consists of record that records the size of an + allocated string and the pointer to that string. The actual string + is a normal zero byte terminated string that can be used with the +@@ -30,22 +26,24 @@ + + typedef struct + { +- int ds_length; /* Actual amount of storage allocated. */ +- char *ds_string; /* String. */ ++ size_t ds_size; /* Actual amount of storage allocated. */ ++ size_t ds_idx; /* Index of the next free byte in the string. */ ++ char *ds_string; /* String storage. */ + } dynamic_string; + ++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL } + +-/* Macros that look similar to the original string functions. +- WARNING: These macros work only on pointers to dynamic string records. +- If used with a real record, an "&" must be used to get the pointer. */ +-#define ds_strlen(s) strlen ((s)->ds_string) +-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string) +-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n) +-#define ds_index(s, c) index ((s)->ds_string, c) +-#define ds_rindex(s, c) rindex ((s)->ds_string, c) ++void ds_init (dynamic_string *string); ++void ds_free (dynamic_string *string); ++void ds_reset (dynamic_string *s, size_t len); + +-void ds_init (dynamic_string *string, int size); +-void ds_resize (dynamic_string *string, int size); ++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */ + char *ds_fgetname (FILE *f, dynamic_string *s); + char *ds_fgets (FILE *f, dynamic_string *s); + char *ds_fgetstr (FILE *f, dynamic_string *s, char eos); ++void ds_append (dynamic_string *s, int c); ++void ds_concat (dynamic_string *s, char const *str); ++ ++#define ds_len(s) ((s)->ds_idx) ++ ++int ds_endswith (dynamic_string *s, int c); +diff --git a/src/extern.h b/src/extern.h +index 47b477a..6330e04 100644 +--- a/src/extern.h ++++ b/src/extern.h +@@ -111,18 +111,21 @@ void read_in_binary (struct cpio_file_stat *file_hdr, + struct old_cpio_header *short_hdr, int in_des); + void swab_array (char *arg, int count); + void process_copy_in (void); +-void long_format (struct cpio_file_stat *file_hdr, char *link_name); +-void print_name_with_quoting (char *p); ++void long_format (struct cpio_file_stat *file_hdr, char const *link_name); + + /* copyout.c */ + int write_out_header (struct cpio_file_stat *file_hdr, int out_des); + void process_copy_out (void); ++int to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase, ++ bool nul); ++void field_width_error (const char *filename, const char *fieldname, ++ uintmax_t value, size_t width, bool nul); + + /* copypass.c */ + void process_copy_pass (void); + int link_to_maj_min_ino (char *file_name, int st_dev_maj, + int st_dev_min, ino_t st_ino); +-int link_to_name (char *link_name, char *link_target); ++int link_to_name (char const *link_name, char const *link_target); + + /* dirname.c */ + char *dirname (char *path); +@@ -141,7 +144,7 @@ void process_args (int argc, char *argv[]); + void initialize_buffers (void); + + /* makepath.c */ +-int make_path (char *argpath, uid_t owner, gid_t group, ++int make_path (char const *argpath, uid_t owner, gid_t group, + const char *verbose_fmt_string); + + /* tar.c */ +@@ -169,7 +172,7 @@ void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *fi + void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename); + void warn_if_file_changed (char *file_name, off_t old_file_size, + time_t old_file_mtime); +-void create_all_directories (char *name); ++void create_all_directories (char const *name); + void prepare_append (int out_file_des); + char *find_inode_file (ino_t node_num, + unsigned long major_num, unsigned long minor_num); +@@ -204,10 +207,17 @@ void cpio_safer_name_suffix (char *name, bool link_target, + int cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir); + void change_dir (void); + +-/* FIXME: These two defines should be defined in paxutils */ ++/* FIXME: The following three should be defined in paxutils */ + #define LG_8 3 + #define LG_16 4 + ++/* The maximum uintmax_t value that can be represented with DIGITS digits, ++ assuming that each digit is BITS_PER_DIGIT wide. */ ++#define MAX_VAL_WITH_DIGITS(digits, bits_per_digit) \ ++ ((digits) * (bits_per_digit) < sizeof (uintmax_t) * CHAR_BIT \ ++ ? ((uintmax_t) 1 << ((digits) * (bits_per_digit))) - 1 \ ++ : (uintmax_t) -1) ++ + uintmax_t from_ascii (char const *where, size_t digs, unsigned logbase); + + #define FROM_OCTAL(f) from_ascii (f, sizeof f, LG_8) +diff --git a/src/idcache.c b/src/idcache.c +index c89e7f1..e82414e 100644 +--- a/src/idcache.c ++++ b/src/idcache.c +@@ -34,6 +34,7 @@ + #endif + + #include ++#include + + struct userid + { +@@ -59,7 +60,6 @@ getuser (uid_t uid) + { + register struct userid *tail; + struct passwd *pwent; +- char usernum_string[20]; + + for (tail = user_alist; tail; tail = tail->next) + if (tail->id.u == uid) +@@ -70,8 +70,8 @@ getuser (uid_t uid) + tail->id.u = uid; + if (pwent == 0) + { +- sprintf (usernum_string, "%u", (unsigned) uid); +- tail->name = xstrdup (usernum_string); ++ char nbuf[UINTMAX_STRSIZE_BOUND]; ++ tail->name = xstrdup (umaxtostr (uid, nbuf)); + } + else + tail->name = xstrdup (pwent->pw_name); +@@ -134,7 +134,6 @@ getgroup (gid_t gid) + { + register struct userid *tail; + struct group *grent; +- char groupnum_string[20]; + + for (tail = group_alist; tail; tail = tail->next) + if (tail->id.g == gid) +@@ -145,8 +144,8 @@ getgroup (gid_t gid) + tail->id.g = gid; + if (grent == 0) + { +- sprintf (groupnum_string, "%u", (unsigned int) gid); +- tail->name = xstrdup (groupnum_string); ++ char nbuf[UINTMAX_STRSIZE_BOUND]; ++ tail->name = xstrdup (umaxtostr (gid, nbuf)); + } + else + tail->name = xstrdup (grent->gr_name); +diff --git a/src/makepath.c b/src/makepath.c +index 18d5b69..bad2537 100644 +--- a/src/makepath.c ++++ b/src/makepath.c +@@ -49,7 +49,7 @@ + ownership and permissions when done, otherwise 1. */ + + int +-make_path (char *argpath, ++make_path (char const *argpath, + uid_t owner, + gid_t group, + const char *verbose_fmt_string) +diff --git a/src/userspec.c b/src/userspec.c +index 14d608c..7b8bf2f 100644 +--- a/src/userspec.c ++++ b/src/userspec.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #ifndef HAVE_ENDPWENT + # define endpwent() +@@ -141,12 +142,8 @@ parse_user_spec (const char *spec_arg, uid_t *uid, gid_t *gid, + grp = getgrgid (pwd->pw_gid); + if (grp == NULL) + { +- /* This is enough room to hold the unsigned decimal +- representation of any 32-bit quantity and the trailing +- zero byte. */ +- char uint_buf[21]; +- sprintf (uint_buf, "%u", (unsigned) (pwd->pw_gid)); +- V_STRDUP (groupname, uint_buf); ++ char nbuf[UINTMAX_STRSIZE_BOUND]; ++ V_STRDUP (groupname, umaxtostr (pwd->pw_gid, nbuf)); + } + else + { +diff --git a/src/util.c b/src/util.c +index 11f9c30..097304f 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -79,8 +79,7 @@ tape_empty_output_buffer (int out_des) + + if (output_is_special + && (bytes_written >= 0 +- || (bytes_written < 0 +- && (errno == ENOSPC || errno == EIO || errno == ENXIO)))) ++ || (errno == ENOSPC || errno == EIO || errno == ENXIO))) + { + get_next_reel (out_des); + if (bytes_written > 0) +@@ -596,7 +595,7 @@ warn_if_file_changed (char *file_name, off_t old_file_size, + Do not destroy any nondirectories while creating directories. */ + + void +-create_all_directories (char *name) ++create_all_directories (char const *name) + { + char *dir; + int mode; +@@ -718,7 +717,6 @@ find_inode_val (ino_t node_num, unsigned long major_num, + unsigned long minor_num) + { + struct inode_val sample; +- struct inode_val *ival; + + if (!hash_table) + return NULL; +@@ -768,7 +766,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num, + return e; + } + +-static ino_t ++static void + get_inode_and_dev (struct cpio_file_stat *hdr, struct stat *st) + { + if (renumber_inodes_option) +@@ -859,11 +857,9 @@ get_next_reel (int tape_des) + FILE *tty_out; /* File for interacting with user. */ + int old_tape_des; + char *next_archive_name; +- dynamic_string new_name; ++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER; + char *str_res; + +- ds_init (&new_name, 128); +- + /* Open files for interactive communication. */ + tty_in = fopen (TTY_NAME, "r"); + if (tty_in == NULL) +@@ -938,7 +934,7 @@ get_next_reel (int tape_des) + error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"), + old_tape_des, tape_des); + +- free (new_name.ds_string); ++ ds_free (&new_name); + fclose (tty_in); + fclose (tty_out); + } +@@ -1412,8 +1408,28 @@ set_file_times (int fd, + utime_error (name); + } + ++/* Reallocate file_hdr->c_name to accomodate len bytes (including final \0) */ ++void ++cpio_realloc_c_name (struct cpio_file_stat *file_hdr, size_t len) ++{ ++ while (file_hdr->c_name_buflen < len) ++ file_hdr->c_name = x2realloc (file_hdr->c_name, &file_hdr->c_name_buflen); ++} ++ ++void ++cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name) ++{ ++ size_t len = strlen (name) + 1; ++ ++ cpio_realloc_c_name (file_hdr, len); ++ file_hdr->c_namesize = len; ++ memmove (file_hdr->c_name, name, len); ++} ++ + /* Do we have to ignore absolute paths, and if so, does the filename +- have an absolute path? */ ++ have an absolute path? Before calling this function make sure that the ++ allocated NAME buffer has capacity at least 2 bytes. */ ++ + void + cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + bool strip_leading_dots) +@@ -1428,6 +1444,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + ++p; + } + if (p != name) ++ /* The 'p' string is shortened version of 'name' with one exception; when ++ the 'name' points to an empty string (buffer where name[0] == '\0') the ++ 'p' then points to static string ".". So caller needs to ensure there ++ are at least two bytes available in 'name' buffer so memmove succeeds. */ + memmove (name, p, (size_t)(strlen (p) + 1)); + } + +@@ -1689,4 +1709,17 @@ arf_stores_inode_p (enum archive_format arf) + } + return 1; + } ++ ++void ++cpio_file_stat_init (struct cpio_file_stat *file_hdr) ++{ ++ memset (file_hdr, 0, sizeof (*file_hdr)); ++} ++ ++void ++cpio_file_stat_free (struct cpio_file_stat *file_hdr) ++{ ++ free (file_hdr->c_name); ++ cpio_file_stat_init (file_hdr); ++} + +-- +2.31.1 + diff --git a/SPECS/cpio.spec b/SPECS/cpio.spec index 4a3b745..ee1404e 100644 --- a/SPECS/cpio.spec +++ b/SPECS/cpio.spec @@ -1,7 +1,7 @@ Summary: A GNU archiving program Name: cpio Version: 2.12 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv3+ URL: http://www.gnu.org/software/cpio/ Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2 @@ -46,6 +46,18 @@ Patch9: cpio-2.11-retain-symlink-times.patch # https://cement.retrofitta.se/tmp/cpio-tar.patch Patch10: cpio-2.12-improper-input-validation.patch +# Fixed integer overflow in ds_fgetstr() +# upstream patch (#1992511) +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=4d169305dcb34137dc41acc761d8703eae2c63bf +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=86dacfe3e060ce95d5a2c0c5ec01f6437b0b6089 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7dd8ba91d8b6a2640e6c01c3e3a4234828646f23 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=684b7ac5767e676cda78c161aeb7fe7b45a07529 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=b1c85839bf1381f749dd45bf6a5a38924e3315a0 +Patch11: cpio-2.13-CVE-2021-38185.patch + Provides: bundled(gnulib) Provides: /bin/cpio @@ -72,6 +84,7 @@ Install cpio if you need a program to manage file archives. %build +autoreconf -fi export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS" %configure --with-rmt="%{_sysconfdir}/rmt" make %{?_smp_mflags} @@ -106,6 +119,9 @@ make check || { %{_infodir}/*.info* %changelog +* Mon Sep 20 2021 Ondrej Dubaj - 2.12-11 +- Fixed CVE-2021-38185 (#1992511) + * Thu Jan 21 2021 Ondrej Dubaj - 2.12-10 - Fixed improper input validation when writing tar header fields (#1766223)