Compare commits
No commits in common. "c9-beta" and "c8" have entirely different histories.
@ -1 +1 @@
|
||||
4dcefc0e1bc36b11506a354768d82b15e3fe6bb8 SOURCES/cpio-2.13.tar.bz2
|
||||
60358408c76db354f6716724c4bcbcb6e18ab642 SOURCES/cpio-2.12.tar.bz2
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/cpio-2.13.tar.bz2
|
||||
SOURCES/cpio-2.12.tar.bz2
|
||||
|
@ -1,6 +1,6 @@
|
||||
From 8bce60df53f93c9cbfb18274c6700c143a0092c6 Mon Sep 17 00:00:00 2001
|
||||
From 7a4094d382e74aaed0a0b8356dc24d64952852f9 Mon Sep 17 00:00:00 2001
|
||||
From: Pavel Raiskup <praiskup@redhat.com>
|
||||
Date: Fri, 3 Jul 2020 13:00:18 +0200
|
||||
Date: Fri, 3 Jul 2020 12:32:58 +0200
|
||||
Subject: [PATCH] Extract: retain times for symlinks
|
||||
|
||||
Original report by Pat Riehecky at
|
||||
@ -17,14 +17,14 @@ symlinks.
|
||||
---
|
||||
src/copyin.c | 5 ++---
|
||||
src/copypass.c | 2 ++
|
||||
src/util.c | 8 +++++---
|
||||
3 files changed, 9 insertions(+), 6 deletions(-)
|
||||
src/util.c | 6 ++++--
|
||||
3 files changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/copyin.c b/src/copyin.c
|
||||
index bf3b0a8..93b006a 100644
|
||||
index 183b5b5..267ed4b 100644
|
||||
--- a/src/copyin.c
|
||||
+++ b/src/copyin.c
|
||||
@@ -615,9 +615,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
|
||||
@@ -639,9 +639,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
|
||||
/* chown may have turned off some permissions we wanted. */
|
||||
if (chmod (file_hdr->c_name, file_hdr->c_mode) < 0)
|
||||
chmod_error_details (file_hdr->c_name, file_hdr->c_mode);
|
||||
@ -35,7 +35,7 @@ index bf3b0a8..93b006a 100644
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -668,6 +666,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
|
||||
@@ -692,6 +690,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
|
||||
&& errno != EPERM)
|
||||
chown_error_details (file_hdr->c_name, uid, gid);
|
||||
}
|
||||
@ -44,10 +44,10 @@ index bf3b0a8..93b006a 100644
|
||||
}
|
||||
|
||||
diff --git a/src/copypass.c b/src/copypass.c
|
||||
index dc13b5b..a5f9b7b 100644
|
||||
index c5a9899..b4e7169 100644
|
||||
--- a/src/copypass.c
|
||||
+++ b/src/copypass.c
|
||||
@@ -306,6 +306,8 @@ process_copy_pass ()
|
||||
@@ -317,6 +317,8 @@ process_copy_pass ()
|
||||
&& errno != EPERM)
|
||||
chown_error_details (output_name.ds_string, uid, gid);
|
||||
}
|
||||
@ -57,20 +57,18 @@ index dc13b5b..a5f9b7b 100644
|
||||
}
|
||||
#endif
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index 4421b20..0e8d88c 100644
|
||||
index 6ff6032..11f9c30 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -1230,8 +1230,7 @@ set_perms (int fd, struct cpio_file_stat *header)
|
||||
/* chown may have turned off some permissions we wanted. */
|
||||
if (fchmod_or_chmod (fd, header->c_name, header->c_mode) < 0)
|
||||
chmod_error_details (header->c_name, header->c_mode);
|
||||
@@ -1389,7 +1389,6 @@ set_perms (int fd, struct cpio_file_stat *header)
|
||||
we have to refer to it using name+ instead of name. */
|
||||
file_hdr->c_name [cdf_char] = '+';
|
||||
#endif
|
||||
- if (retain_time_flag)
|
||||
- set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
|
||||
+ set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
|
||||
set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -1239,6 +1238,8 @@ set_file_times (int fd,
|
||||
@@ -1398,6 +1397,8 @@ set_file_times (int fd,
|
||||
const char *name, unsigned long atime, unsigned long mtime)
|
||||
{
|
||||
struct timespec ts[2];
|
||||
@ -79,7 +77,7 @@ index 4421b20..0e8d88c 100644
|
||||
|
||||
memset (&ts, 0, sizeof ts);
|
||||
|
||||
@@ -1247,7 +1248,8 @@ set_file_times (int fd,
|
||||
@@ -1406,7 +1407,8 @@ set_file_times (int fd,
|
||||
|
||||
/* Silently ignore EROFS because reading the file won't have upset its
|
||||
timestamp if it's on a read-only filesystem. */
|
||||
|
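--- a/SOURCES/cpio-2.12-improper-input-validation.patch
+++ b/SOURCES/cpio-2.12-improper-input-validation.patch
@@ -0,0 +1,154 @@
+From: Thomas Habets <habets@google.com>
+Subject: [PATCH] Check for size overflow in tar header fields.
+
+This prevents surprising outputs being created, e.g. this cpio tar
+output with more than one file:
+
+tar cf suffix.tar AUTHORS
+dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
+echo suffix.tar | cpio -H tar -o | tar tvf -
+
+-rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar
+-rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
+---
+src/copyout.c | 3 +--
+src/extern.h | 2 +-
+src/tar.c | 45 ++++++++++++++++++++++++++++++++-------------
+3 files changed, 34 insertions(+), 16 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index dcae449..56416ba 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -552,8 +552,7 @@ write_out_header (struct cpio_file_stat *file_hdr, int out_des)
+error (0, 0, _("%s: file name too long"), file_hdr->c_name);
+return 1;
+}
+- write_out_tar_header (file_hdr, out_des); /* FIXME: No error checking */
+- return 0;
++ return write_out_tar_header (file_hdr, out_des);
+
+case arf_binary:
+return write_out_binary_header (makedev (file_hdr->c_rdev_maj,
+diff --git a/src/extern.h b/src/extern.h
+index e27d662..47b477a 100644
+--- a/src/extern.h
++++ b/src/extern.h
+@@ -145,7 +145,7 @@ int make_path (char *argpath, uid_t owner, gid_t group,
+const char *verbose_fmt_string);
+
+/* tar.c */
+-void write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
++int write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
+int null_block (long *block, int size);
+void read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des);
+int otoa (char *s, unsigned long *n);
+diff --git a/src/tar.c b/src/tar.c
+index e2b5f45..53dc99a 100644
+--- a/src/tar.c
++++ b/src/tar.c
+@@ -93,8 +93,9 @@ stash_tar_filename (char *prefix, char *filename)
+sprintf (where, "%*lo ", digits - 2, value);
+except that sprintf fills in the trailing NUL and we don't. */
+
+-static void
+-to_oct (register long value, register int digits, register char *where)
++static int
++to_oct_or_error (register long value, register int digits, register char *where,
++ const char *filename, const char *fieldname)
+{
+--digits; /* Leave the trailing NUL slot alone. */
+
+@@ -105,10 +106,17 @@ to_oct (register long value, register int digits, register char *where)
+value >>= 3;
+}
+while (digits > 0 && value != 0);
++ if (value > 0)
++ {
++ error (1, 0, _("%s: field width not sufficient for storing %s"),
++ filename, fieldname);
++ return 1;
++ }
+
+/* Add leading zeroes, if necessary. */
+while (digits > 0)
+where[--digits] = '0';
++ return 0;
+}
+
+
+@@ -139,7 +147,7 @@ tar_checksum (struct tar_header *tar_hdr)
+/* Write out header FILE_HDR, including the file name, to file
+descriptor OUT_DES. */
+
+-void
++int
+write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+{
+int name_len;
+@@ -168,11 +176,16 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+
+/* Ustar standard (POSIX.1-1988) requires the mode to contain only 3 octal
+digits */
+- to_oct (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode);
+- to_oct (file_hdr->c_uid, 8, tar_hdr->uid);
+- to_oct (file_hdr->c_gid, 8, tar_hdr->gid);
+- to_oct (file_hdr->c_filesize, 12, tar_hdr->size);
+- to_oct (file_hdr->c_mtime, 12, tar_hdr->mtime);
++ if (to_oct_or_error (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode, file_hdr->c_name, _("mode")))
++ return 1;
++ if (to_oct_or_error (file_hdr->c_uid, 8, tar_hdr->uid, file_hdr->c_name, _("uid")))
++ return 1;
++ if (to_oct_or_error (file_hdr->c_gid, 8, tar_hdr->gid, file_hdr->c_name, _("gid")))
++ return 1;
++ if (to_oct_or_error (file_hdr->c_filesize, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
++ return 1;
++ if (to_oct_or_error (file_hdr->c_mtime, 12, tar_hdr->mtime, file_hdr->c_name, _("modification time")))
++ return 1;
+
+switch (file_hdr->c_mode & CP_IFMT)
+{
+@@ -184,7 +197,8 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
+TARLINKNAMESIZE);
+tar_hdr->typeflag = LNKTYPE;
+- to_oct (0, 12, tar_hdr->size);
++ if (to_oct_or_error (0, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
++ return 1;
+}
+else
+tar_hdr->typeflag = REGTYPE;
+@@ -210,7 +224,8 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+than TARLINKNAMESIZE. */
+strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
+TARLINKNAMESIZE);
+- to_oct (0, 12, tar_hdr->size);
++ if (to_oct_or_error (0, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
++ return 1;
+break;
+#endif /* CP_IFLNK */
+}
+@@ -229,13 +244,17 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+if (name)
+strcpy (tar_hdr->gname, name);
+
+- to_oct (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor);
+- to_oct (file_hdr->c_rdev_min, 8, tar_hdr->devminor);
++ if (to_oct_or_error (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor, file_hdr->c_name, _("rdev major")))
++ return 1;
++ if (to_oct_or_error (file_hdr->c_rdev_min, 8, tar_hdr->devminor, file_hdr->c_name, _("rdev minor")))
++ return 1;
+}
+
+- to_oct (tar_checksum (tar_hdr), 8, tar_hdr->chksum);
++ if (to_oct_or_error (tar_checksum (tar_hdr), 8, tar_hdr->chksum, file_hdr->c_name, _("checksum")))
++ return 1;
+
+tape_buffered_write ((char *) &tar_rec, out_des, TARRECORDSIZE);
++ return 0;
+}
+
+/* Return nonzero iff all the bytes in BLOCK are NUL.
+--
+2.26.0
+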
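Review bot: The overflow test added to `to_oct_or_error` in src/tar.c, `if (value > 0)`, only catches a positive remainder. `value` is a signed `long`, so a field that arrives negative (for example a size or id that does not fit in `long` on the build target, which cannot be verified from this section) never reaches zero under the usual arithmetic right shift, exhausts the digit loop and is written truncated with no error. Testing `if (value != 0)` covers both cases. Separately, `error (1, 0, …)` exits the process, so the `return 1;` after it and every `return 1;` added in `write_out_tar_header` are unreachable as written; a comment such as `/* not reached: error() exits when its status is nonzero */` would document that. The body of `to_oct_or_error` begins outside the visible hunk.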
File diff suppressed because it is too large
@ -1,39 +0,0 @@
|
||||
Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
|
||||
(#183224)
|
||||
|
||||
diff --git a/src/copyout.c b/src/copyout.c
|
||||
index 8b0beb6..4b7336b 100644
|
||||
--- a/src/copyout.c
|
||||
+++ b/src/copyout.c
|
||||
@@ -290,7 +290,7 @@ field_width_error (const char *filename, const char *fieldname,
|
||||
{
|
||||
char valbuf[UINTMAX_STRSIZE_BOUND + 1];
|
||||
char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
|
||||
- error (0, 0, _("%s: value %s %s out of allowed range 0..%s"),
|
||||
+ error (1, 0, _("%s: value %s %s out of allowed range 0..%s"),
|
||||
filename, fieldname,
|
||||
STRINGIFY_BIGINT (value, valbuf),
|
||||
STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
|
||||
diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
|
||||
index e877b39..50ad60b 100644
|
||||
--- a/tests/CVE-2019-14866.at
|
||||
+++ b/tests/CVE-2019-14866.at
|
||||
@@ -30,6 +30,5 @@ fi
|
||||
[0],
|
||||
[],
|
||||
[cpio: file: value size 17179869184 out of allowed range 0..8589934591
|
||||
-2 blocks
|
||||
])
|
||||
AT_CLEANUP
|
||||
diff --git a/tests/testsuite b/tests/testsuite
|
||||
index b45c731..fd8454d 100755
|
||||
--- a/tests/testsuite
|
||||
+++ b/tests/testsuite
|
||||
@@ -2885,7 +2885,6 @@ fi
|
||||
at_status=$? at_failed=false
|
||||
$at_check_filter
|
||||
echo >>"$at_stderr"; $as_echo "cpio: file: value size 17179869184 out of allowed range 0..8589934591
|
||||
-2 blocks
|
||||
" | \
|
||||
$at_diff - "$at_stderr" || at_failed=:
|
||||
at_fn_diff_devnull "$at_stdout" || at_failed=:
|
@ -1,13 +0,0 @@
|
||||
diff -up cpio-2.13/src/global.c.me cpio-2.13/src/global.c
|
||||
--- cpio-2.13/src/global.c.me 2020-01-30 17:17:42.015259283 +0100
|
||||
+++ cpio-2.13/src/global.c 2020-01-30 17:24:12.680794025 +0100
|
||||
@@ -184,9 +184,6 @@ unsigned int warn_option = 0;
|
||||
/* Extract to standard output? */
|
||||
bool to_stdout_option = false;
|
||||
|
||||
-/* The name this program was run with. */
|
||||
-char *program_name;
|
||||
-
|
||||
/* A pointer to either lstat or stat, depending on whether
|
||||
dereferencing of symlinks is done for input files. */
|
||||
int (*xstat) ();
|
@ -1,63 +0,0 @@
|
||||
From 5913893d6f3de65b16e1ad294b88893305efb20f Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Dubaj <odubaj@redhat.com>
|
||||
Date: Thu, 18 Feb 2021 09:59:31 +0100
|
||||
Subject: [PATCH] * lib/system.h (ERRNO_IS_EACCES): Remove. Not used anymore.
|
||||
(sys_reset_uid_gid): Re-initialize supplementary groups when switching
|
||||
privileges. Fix ordering of setgid and setuid calls.
|
||||
|
||||
---
|
||||
lib/system.h | 32 +++++++++++++++++++++++++-------
|
||||
1 file changed, 25 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/lib/system.h b/lib/system.h
|
||||
index 1c1a5d0..4fd3ce9 100644
|
||||
--- a/lib/system.h
|
||||
+++ b/lib/system.h
|
||||
@@ -470,19 +470,37 @@ char *getenv ();
|
||||
#if MSDOS
|
||||
# include <process.h>
|
||||
# define SET_BINARY_MODE(arc) setmode(arc, O_BINARY)
|
||||
-# define ERRNO_IS_EACCES errno == EACCES
|
||||
# define mkdir(file, mode) (mkdir) (file)
|
||||
# define TTY_NAME "con"
|
||||
# define sys_reset_uid_gid()
|
||||
#else
|
||||
# define SET_BINARY_MODE(arc)
|
||||
-# define ERRNO_IS_EACCES 0
|
||||
# define TTY_NAME "/dev/tty"
|
||||
-# define sys_reset_uid_gid() \
|
||||
- do { \
|
||||
- if (! (setuid (getuid ()) == 0 && setgid (getgid ()) == 0)) \
|
||||
- abort (); \
|
||||
- } while (0)
|
||||
+# include <paxlib.h>
|
||||
+static inline void
|
||||
+sys_reset_uid_gid (void)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+ uid_t uid = getuid ();
|
||||
+ gid_t gid = getgid ();
|
||||
+
|
||||
+ if ((pw = getpwuid (uid)) == NULL)
|
||||
+ {
|
||||
+ FATAL_ERROR ((0, errno, "%s(%lu)", "getpwuid", (unsigned long)uid));
|
||||
+ }
|
||||
+ if (initgroups (pw->pw_name, getgid ()))
|
||||
+ {
|
||||
+ FATAL_ERROR ((0, errno, "%s", "initgroups"));
|
||||
+ }
|
||||
+ if (gid != getegid () && setgid (gid) && errno != EPERM)
|
||||
+ {
|
||||
+ FATAL_ERROR ((0, errno, "%s", "setgid"));
|
||||
+ }
|
||||
+ if (uid != geteuid () && setuid (uid) && errno != EPERM)
|
||||
+ {
|
||||
+ FATAL_ERROR ((0, errno, "%s", "setuid"));
|
||||
+ }
|
||||
+}
|
||||
#endif
|
||||
|
||||
#if XENIX
|
||||
--
|
||||
2.26.0
|
||||
|
@ -1,91 +0,0 @@
|
||||
revert fix for CVE-2015-1197 as it causes shutdown issues
|
||||
|
||||
revert suggested as a workaround by upstream:
|
||||
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
|
||||
|
||||
--- b/src/copyin.c
|
||||
+++ a/src/copyin.c
|
||||
@@ -645,14 +645,13 @@
|
||||
link_name = xstrdup (file_hdr->c_tar_linkname);
|
||||
}
|
||||
|
||||
- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
|
||||
-
|
||||
res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
|
||||
file_hdr->c_mode);
|
||||
if (res < 0 && create_dir_flag)
|
||||
{
|
||||
create_all_directories (file_hdr->c_name);
|
||||
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
|
||||
+ file_hdr->c_mode);
|
||||
- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
|
||||
}
|
||||
if (res < 0)
|
||||
{
|
||||
--- b/tests/CVE-2015-1197.at
|
||||
+++ /dev/null
|
||||
@@ -1,43 +0,0 @@
|
||||
-# Process this file with autom4te to create testsuite. -*- Autotest -*-
|
||||
-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
|
||||
-#
|
||||
-# This program is free software; you can redistribute it and/or modify
|
||||
-# it under the terms of the GNU General Public License as published by
|
||||
-# the Free Software Foundation; either version 3, or (at your option)
|
||||
-# any later version.
|
||||
-#
|
||||
-# This program is distributed in the hope that it will be useful,
|
||||
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-# GNU General Public License for more details.
|
||||
-#
|
||||
-# You should have received a copy of the GNU General Public License
|
||||
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
-
|
||||
-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
|
||||
-AT_CHECK([
|
||||
-tempdir=$(pwd)/tmp
|
||||
-mkdir $tempdir
|
||||
-touch $tempdir/file
|
||||
-ln -s $tempdir dir
|
||||
-AT_DATA([filelist],
|
||||
-[dir
|
||||
-dir/file
|
||||
-])
|
||||
-ln -s /tmp dir
|
||||
-touch /tmp/file
|
||||
-cpio -o < filelist > test.cpio
|
||||
-rm dir /tmp/file
|
||||
-cpio --no-absolute-filenames -iv < test.cpio
|
||||
-],
|
||||
-[2],
|
||||
-[],
|
||||
-[1 block
|
||||
-cpio: Removing leading `/' from hard link targets
|
||||
-dir
|
||||
-cpio: dir/file: Cannot open: No such file or directory
|
||||
-dir/file
|
||||
-1 block
|
||||
-])
|
||||
-AT_CLEANUP
|
||||
-
|
||||
--- b/tests/Makefile.am
|
||||
+++ a/tests/Makefile.am
|
||||
@@ -56,9 +56,8 @@
|
||||
symlink-long.at\
|
||||
symlink-to-stdout.at\
|
||||
version.at\
|
||||
big-block-size.at\
|
||||
- CVE-2015-1197.at\
|
||||
CVE-2019-14866.at
|
||||
|
||||
TESTSUITE = $(srcdir)/testsuite
|
||||
|
||||
--- b/tests/testsuite.at
|
||||
+++ a/tests/testsuite.at
|
||||
@@ -43,6 +43,5 @@
|
||||
m4_include([setstat04.at])
|
||||
m4_include([setstat05.at])
|
||||
m4_include([big-block-size.at])
|
||||
|
||||
-m4_include([CVE-2015-1197.at])
|
||||
m4_include([CVE-2019-14866.at])
|
@ -3,10 +3,10 @@ Date: Mon, 14 Sep 2015 09:37:15 +0200
|
||||
Subject: [PATCH 3/7] Support major/minor device numbers over 127 (bz#450109)
|
||||
|
||||
diff --git a/src/copyin.c b/src/copyin.c
|
||||
index b29f348..1142d6a 100644
|
||||
index cde911e..12bd27c 100644
|
||||
--- a/src/copyin.c
|
||||
+++ b/src/copyin.c
|
||||
@@ -1123,15 +1123,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
|
||||
@@ -1196,15 +1196,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
|
||||
swab_array ((char *) short_hdr, 13);
|
||||
}
|
||||
|
||||
@ -25,4 +25,4 @@ index b29f348..1142d6a 100644
|
||||
+ file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
|
||||
file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
|
||||
| short_hdr->c_mtimes[1];
|
||||
file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
|
||||
|
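--- a/SOURCES/cpio-2.9-exitCode.patch
+++ b/SOURCES/cpio-2.9-exitCode.patch
@@ -0,0 +1,18 @@
+From: Peter Vrabec <pvrabec@redhat.com>
+Date: Mon, 14 Sep 2015 09:31:08 +0200
+Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
+(#183224)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 1f0987a..dcae449 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -287,7 +287,7 @@ to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase)
+static void
+field_width_error (const char *filename, const char *fieldname)
+{
+- error (0, 0, _("%s: field width not sufficient for storing %s"),
++ error (1, 0, _("%s: field width not sufficient for storing %s"),
+filename, fieldname);
+}
+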
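Review bot: `field_width_error` is declared `static void` and reads like a reporting helper, but with the status argument changed to 1 the `error` call terminates cpio at that point, after earlier members may already have been written to the output. Nothing in the patch says so; a comment above the call, e.g. `/* Fatal: error() exits with status 1 here; the archive written so far is incomplete. */`, would make the contract clear to anyone adding a caller. The callers of `field_width_error` are outside this hunk.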
112
SPECS/cpio.spec
112
SPECS/cpio.spec
@ -1,10 +1,10 @@
|
||||
Summary: A GNU archiving program
|
||||
Name: cpio
|
||||
Version: 2.13
|
||||
Release: 16%{?dist}
|
||||
Version: 2.12
|
||||
Release: 11%{?dist}
|
||||
License: GPLv3+
|
||||
URL: https://www.gnu.org/software/cpio/
|
||||
Source: https://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
|
||||
URL: http://www.gnu.org/software/cpio/
|
||||
Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
|
||||
|
||||
# help2man generated manual page distributed only in RHEL/Fedora
|
||||
Source1: cpio.1
|
||||
@ -15,11 +15,11 @@ Patch1: cpio-2.9-rh.patch
|
||||
# fix warn_if_file_changed() and set exit code to 1 when cpio fails to store
|
||||
# file > 4GB (#183224)
|
||||
# http://lists.gnu.org/archive/html/bug-cpio/2006-11/msg00000.html
|
||||
Patch2: cpio-2.13-exitCode.patch
|
||||
Patch2: cpio-2.9-exitCode.patch
|
||||
|
||||
# Support major/minor device numbers over 127 (bz#450109)
|
||||
# http://lists.gnu.org/archive/html/bug-cpio/2008-07/msg00000.html
|
||||
Patch3: cpio-2.13-dev_number.patch
|
||||
Patch3: cpio-2.9-dev_number.patch
|
||||
|
||||
# Define default remote shell as /usr/bin/ssh (#452904)
|
||||
Patch4: cpio-2.9.90-defaultremoteshell.patch
|
||||
@ -36,24 +36,18 @@ Patch7: cpio-2.10-longnames-split.patch
|
||||
# Cpio does Sum32 checksum, not CRC (downstream)
|
||||
Patch8: cpio-2.11-crc-fips-nit.patch
|
||||
|
||||
# Fix multiple definition of `program_name'
|
||||
Patch9: cpio-2.13-mutiple-definition.patch
|
||||
|
||||
# Revert fix for CVE-2015-1197 (#1797163)
|
||||
# reverts upstream commit 45b0ee2b4
|
||||
Patch10: cpio-2.13-revert-CVE-2015-1197-fix.patch
|
||||
|
||||
# Extract: retain times for symlinks
|
||||
# downstream patch (#1486364)
|
||||
# downstream patch (#1487673)
|
||||
# https://www.mail-archive.com/bug-cpio@gnu.org/msg00605.html
|
||||
Patch11: cpio-2.11-retain-symlink-times.patch
|
||||
Patch9: cpio-2.11-retain-symlink-times.patch
|
||||
|
||||
# Properly drop priviledges for remote command
|
||||
# http://git.savannah.gnu.org/cgit/paxutils.git/commit/?id=d247e3c2809a37b6d0c3067251d96bb7f12555e7
|
||||
Patch12: cpio-2.13-reset-gid-uid.patch
|
||||
# Fixed improper input validation when writing tar header fields
|
||||
# upstream patch (#1766223)
|
||||
# https://cement.retrofitta.se/tmp/cpio-tar.patch
|
||||
Patch10: cpio-2.12-improper-input-validation.patch
|
||||
|
||||
# Fixed integer overflow in ds_fgetstr()
|
||||
# upstream patch (#1992512)
|
||||
# upstream patch (#1992511)
|
||||
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
|
||||
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8
|
||||
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1
|
||||
@ -62,14 +56,13 @@ Patch12: cpio-2.13-reset-gid-uid.patch
|
||||
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7dd8ba91d8b6a2640e6c01c3e3a4234828646f23
|
||||
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=684b7ac5767e676cda78c161aeb7fe7b45a07529
|
||||
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=b1c85839bf1381f749dd45bf6a5a38924e3315a0
|
||||
Patch13: cpio-2.13-CVE-2021-38185.patch
|
||||
Patch11: cpio-2.13-CVE-2021-38185.patch
|
||||
|
||||
|
||||
Provides: bundled(gnulib)
|
||||
Provides: bundled(paxutils)
|
||||
Provides: /bin/cpio
|
||||
BuildRequires: gcc
|
||||
BuildRequires: texinfo, autoconf, automake, gettext, gettext-devel, rmt
|
||||
BuildRequires: make
|
||||
|
||||
%description
|
||||
GNU cpio copies files into or out of a cpio or tar archive. Archives
|
||||
@ -94,12 +87,12 @@ Install cpio if you need a program to manage file archives.
|
||||
autoreconf -fi
|
||||
export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS"
|
||||
%configure --with-rmt="%{_sysconfdir}/rmt"
|
||||
%make_build
|
||||
make %{?_smp_mflags}
|
||||
(cd po && make update-gmo)
|
||||
|
||||
|
||||
%install
|
||||
%make_install
|
||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
|
||||
|
||||
rm -f $RPM_BUILD_ROOT%{_libexecdir}/rmt
|
||||
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
|
||||
@ -119,77 +112,24 @@ make check || {
|
||||
|
||||
%files -f %{name}.lang
|
||||
%doc AUTHORS ChangeLog NEWS README THANKS TODO
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%{_bindir}/*
|
||||
%{_mandir}/man*/*
|
||||
%{_infodir}/*.info*
|
||||
|
||||
%changelog
|
||||
* Thu Aug 26 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-16
|
||||
- Fixed CVE-2021-38185 (#1992512)
|
||||
* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-11
|
||||
- Fixed CVE-2021-38185 (#1992511)
|
||||
|
||||
* Thu Aug 19 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-15
|
||||
- Revert patch for CVE-2021-38185 (#1992512)
|
||||
* Thu Jan 21 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-10
|
||||
- Fixed improper input validation when writing tar header fields (#1766223)
|
||||
|
||||
* Mon Aug 16 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-14
|
||||
- Minor fix for CVE-2021-38185 (#1992512)
|
||||
* Mon Jun 15 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.12-9
|
||||
- Extract: retain times for symlinks (#1487673)
|
||||
|
||||
* Mon Aug 16 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-13
|
||||
- Fixed CVE-2021-38185 (#1992512)
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.13-12
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.13-11
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Feb 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-10
|
||||
- Properly drop priviledges for remote command
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2.13-7
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Mon Jun 15 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.13-6
|
||||
- Extract: retain times for symlinks (#1486364)
|
||||
|
||||
* Tue Apr 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.13-5.1
|
||||
- Release bump due to testing of gating
|
||||
|
||||
* Wed Feb 05 2020 Petr Kubat <pkubat@redhat.com> - 2.13-4
|
||||
- Revert fix for CVE-2015-1197 as it causes shutdown issues (#1797163)
|
||||
|
||||
* Thu Jan 30 2020 Than Ngo <than@redhat.com> - 2.13-3
|
||||
- Fix multiple definition of program_name
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Wed Nov 06 2019 Pavel Raiskup <praiskup@redhat.com> - 2.13-1
|
||||
- new upstream release, per release notes
|
||||
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-12
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Tue Feb 19 2019 Pavel Raiskup <praiskup@redhat.com> - 2.12-11
|
||||
- admit that we bundle paxutils project
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Wed Apr 11 2018 Pavel Raiskup <praiskup@redhat.com> - 2.12-8
|
||||
- spring spec cleanup
|
||||
* Tue Jul 17 2018 Pavel Raiskup <praiskup@redhat.com> - 2.12-8
|
||||
- cleanup, sync with rawhide
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
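Review bot: The source reference given for `Patch10: cpio-2.12-improper-input-validation.patch` is `https://cement.retrofitta.se/tmp/cpio-tar.patch`, a `/tmp/` path on a host other than the project's repository, although the comment calls it an upstream patch. Unlike the `git.savannah.gnu.org` commit links listed for the CVE-2021-38185 patch, it gives a reader no stable way to check the shipped patch against upstream. I would reference the upstream commit instead, e.g. `# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=<UPSTREAM_COMMIT_ID>` (placeholder; the id is not on this page). The 2.12 side of this section also carries no counterpart to `cpio-2.13-reset-gid-uid.patch`; whether the paxutils bundled with 2.12 still uses the older `sys_reset_uid_gid` macro cannot be told from this page and is worth confirming.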