12 changed files with 952 additions and 403 deletions
--- a/.cpio.metadata
+++ b/.cpio.metadata
@ -1 +1 @@
-4dcefc0e1bc36b11506a354768d82b15e3fe6bb8 SOURCES/cpio-2.13.tar.bz2
+60358408c76db354f6716724c4bcbcb6e18ab642 SOURCES/cpio-2.12.tar.bz2
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/cpio-2.13.tar.bz2
+SOURCES/cpio-2.12.tar.bz2
--- a/SOURCES/cpio-2.11-retain-symlink-times.patch
+++ b/SOURCES/cpio-2.11-retain-symlink-times.patch
@ -1,6 +1,6 @@
-From 8bce60df53f93c9cbfb18274c6700c143a0092c6 Mon Sep 17 00:00:00 2001
+From 7a4094d382e74aaed0a0b8356dc24d64952852f9 Mon Sep 17 00:00:00 2001
 From: Pavel Raiskup <praiskup@redhat.com>
-Date: Fri, 3 Jul 2020 13:00:18 +0200
+Date: Fri, 3 Jul 2020 12:32:58 +0200
 Subject: [PATCH] Extract: retain times for symlinks
 Original report by Pat Riehecky at
@ -17,14 +17,14 @@ symlinks.
 ---
 src/copyin.c   | 5 ++---
 src/copypass.c | 2 ++
- src/util.c     | 8 +++++---
+ src/util.c     | 6 ++++--
- 3 files changed, 9 insertions(+), 6 deletions(-)
+ 3 files changed, 8 insertions(+), 5 deletions(-)
 diff --git a/src/copyin.c b/src/copyin.c
-index bf3b0a8..93b006a 100644
+index 183b5b5..267ed4b 100644
 --- a/src/copyin.c
 +++ b/src/copyin.c
-@@ -615,9 +615,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
+@@ -639,9 +639,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
   /* chown may have turned off some permissions we wanted. */
   if (chmod (file_hdr->c_name, file_hdr->c_mode) < 0)
     chmod_error_details (file_hdr->c_name, file_hdr->c_mode);
@ -35,7 +35,7 @@ index bf3b0a8..93b006a 100644
 }
 static void
-@@ -668,6 +666,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+@@ -692,6 +690,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
   	  && errno != EPERM)
 	chown_error_details (file_hdr->c_name, uid, gid);
     }
@ -44,10 +44,10 @@ index bf3b0a8..93b006a 100644
 }
 diff --git a/src/copypass.c b/src/copypass.c
-index dc13b5b..a5f9b7b 100644
+index c5a9899..b4e7169 100644
 --- a/src/copypass.c
 +++ b/src/copypass.c
-@@ -306,6 +306,8 @@ process_copy_pass ()
+@@ -317,6 +317,8 @@ process_copy_pass ()
 		  && errno != EPERM)
 	        chown_error_details (output_name.ds_string, uid, gid);
             }
@ -57,20 +57,18 @@ index dc13b5b..a5f9b7b 100644
 	}
 #endif
 diff --git a/src/util.c b/src/util.c
-index 4421b20..0e8d88c 100644
+index 6ff6032..11f9c30 100644
 --- a/src/util.c
 +++ b/src/util.c
-@@ -1230,8 +1230,7 @@ set_perms (int fd, struct cpio_file_stat *header)
+@@ -1389,7 +1389,6 @@ set_perms (int fd, struct cpio_file_stat *header)
-   /* chown may have turned off some permissions we wanted. */
+        we have to refer to it using name+ instead of name.  */
-   if (fchmod_or_chmod (fd, header->c_name, header->c_mode) < 0)
+     file_hdr->c_name [cdf_char] = '+';
-     chmod_error_details (header->c_name, header->c_mode);
+ #endif
 -  if (retain_time_flag)
-    set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
+     set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
 +  set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
 }
- void
+@@ -1398,6 +1397,8 @@ set_file_times (int fd,
@@ -1239,6 +1238,8 @@ set_file_times (int fd,
 		const char *name, unsigned long atime, unsigned long mtime)
 {
   struct timespec ts[2];
@ -79,7 +77,7 @@ index 4421b20..0e8d88c 100644
   memset (&ts, 0, sizeof ts);
-@@ -1247,7 +1248,8 @@ set_file_times (int fd,
+@@ -1406,7 +1407,8 @@ set_file_times (int fd,
   /* Silently ignore EROFS because reading the file won't have upset its 
      timestamp if it's on a read-only filesystem. */
--- a/SOURCES/cpio-2.12-improper-input-validation.patch
+++ b/SOURCES/cpio-2.12-improper-input-validation.patch
@ -0,0 +1,154 @@
 From: Thomas Habets <habets@google.com>
 Subject: [PATCH] Check for size overflow in tar header fields.
 This prevents surprising outputs being created, e.g. this cpio tar
 output with more than one file:
 tar cf suffix.tar AUTHORS
 dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
 echo suffix.tar | cpio -H tar -o | tar tvf -
 -rw-r--r-- 1000/1000       0 2019-08-30 16:40 suffix.tar
 -rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
 ---
 src/copyout.c |  3 +--
 src/extern.h  |  2 +-
 src/tar.c     | 45 ++++++++++++++++++++++++++++++++-------------
 3 files changed, 34 insertions(+), 16 deletions(-)
 diff --git a/src/copyout.c b/src/copyout.c
 index dcae449..56416ba 100644
 --- a/src/copyout.c
 +++ b/src/copyout.c
@@ -552,8 +552,7 @@ write_out_header (struct cpio_file_stat *file_hdr, int out_des)
 	  error (0, 0, _("%s: file name too long"), file_hdr->c_name);
 	  return 1;
 	}
 -      write_out_tar_header (file_hdr, out_des); /* FIXME: No error checking */
 -      return 0;
 +      return write_out_tar_header (file_hdr, out_des);
     case arf_binary:
       return write_out_binary_header (makedev (file_hdr->c_rdev_maj,
 diff --git a/src/extern.h b/src/extern.h
 index e27d662..47b477a 100644
 --- a/src/extern.h
 +++ b/src/extern.h
@@ -145,7 +145,7 @@ int make_path (char *argpath, uid_t owner, gid_t group,
 	       const char *verbose_fmt_string);
 /* tar.c */
 -void write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
 +int write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
 int null_block (long *block, int size);
 void read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des);
 int otoa (char *s, unsigned long *n);
 diff --git a/src/tar.c b/src/tar.c
 index e2b5f45..53dc99a 100644
 --- a/src/tar.c
 +++ b/src/tar.c
@@ -93,8 +93,9 @@ stash_tar_filename (char *prefix, char *filename)
    sprintf (where, "%*lo ", digits - 2, value);
    except that sprintf fills in the trailing NUL and we don't.  */
 -static void
 -to_oct (register long value, register int digits, register char *where)
 +static int
 +to_oct_or_error (register long value, register int digits, register char *where,
 +                 const char *filename, const char *fieldname)
 {
   --digits;			/* Leave the trailing NUL slot alone.  */
@@ -105,10 +106,17 @@ to_oct (register long value, register int digits, register char *where)
       value >>= 3;
     }
   while (digits > 0 && value != 0);
 +  if (value > 0)
 +    {
 +      error (1, 0, _("%s: field width not sufficient for storing %s"),
 +             filename, fieldname);
 +      return 1;
 +    }
   /* Add leading zeroes, if necessary.  */
   while (digits > 0)
     where[--digits] = '0';
 +  return 0;
 }
@@ -139,7 +147,7 @@ tar_checksum (struct tar_header *tar_hdr)
 /* Write out header FILE_HDR, including the file name, to file
    descriptor OUT_DES.  */
 -void
 +int
 write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
 {
   int name_len;
@@ -168,11 +176,16 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
   /* Ustar standard (POSIX.1-1988) requires the mode to contain only 3 octal
      digits */
 -  to_oct (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode);
 -  to_oct (file_hdr->c_uid, 8, tar_hdr->uid);
 -  to_oct (file_hdr->c_gid, 8, tar_hdr->gid);
 -  to_oct (file_hdr->c_filesize, 12, tar_hdr->size);
 -  to_oct (file_hdr->c_mtime, 12, tar_hdr->mtime);
 +  if (to_oct_or_error (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode, file_hdr->c_name, _("mode")))
 +    return 1;
 +  if (to_oct_or_error (file_hdr->c_uid, 8, tar_hdr->uid, file_hdr->c_name, _("uid")))
 +    return 1;
 +  if (to_oct_or_error (file_hdr->c_gid, 8, tar_hdr->gid, file_hdr->c_name, _("gid")))
 +    return 1;
 +  if (to_oct_or_error (file_hdr->c_filesize, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
 +    return 1;
 +  if (to_oct_or_error (file_hdr->c_mtime, 12, tar_hdr->mtime, file_hdr->c_name, _("modification time")))
 +    return 1;
   switch (file_hdr->c_mode & CP_IFMT)
     {
@@ -184,7 +197,8 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
 	  strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
 		   TARLINKNAMESIZE);
 	  tar_hdr->typeflag = LNKTYPE;
 -	  to_oct (0, 12, tar_hdr->size);
 +	  if (to_oct_or_error (0, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
 +            return 1;
 	}
       else
 	tar_hdr->typeflag = REGTYPE;
@@ -210,7 +224,8 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
 	 than TARLINKNAMESIZE.  */
       strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
 	       TARLINKNAMESIZE);
 -      to_oct (0, 12, tar_hdr->size);
 +      if (to_oct_or_error (0, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
 +        return 1;
       break;
 #endif /* CP_IFLNK */
     }
@@ -229,13 +244,17 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
       if (name)
 	strcpy (tar_hdr->gname, name);
 -      to_oct (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor);
 -      to_oct (file_hdr->c_rdev_min, 8, tar_hdr->devminor);
 +      if (to_oct_or_error (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor, file_hdr->c_name, _("rdev major")))
 +        return 1;
 +      if (to_oct_or_error (file_hdr->c_rdev_min, 8, tar_hdr->devminor, file_hdr->c_name, _("rdev minor")))
 +        return 1;
     }
 -  to_oct (tar_checksum (tar_hdr), 8, tar_hdr->chksum);
 +  if (to_oct_or_error (tar_checksum (tar_hdr), 8, tar_hdr->chksum, file_hdr->c_name, _("checksum")))
 +    return 1;
   tape_buffered_write ((char *) &tar_rec, out_des, TARRECORDSIZE);
 +  return 0;
 }
 /* Return nonzero iff all the bytes in BLOCK are NUL.
 -- 
 2.26.0
--- a/SOURCES/cpio-2.13-CVE-2021-38185.patch
+++ b/SOURCES/cpio-2.13-CVE-2021-38185.patch
--- a/SOURCES/cpio-2.13-exitCode.patch
+++ b/SOURCES/cpio-2.13-exitCode.patch
@ -1,39 +0,0 @@
 Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
 (#183224)
 diff --git a/src/copyout.c b/src/copyout.c
 index 8b0beb6..4b7336b 100644
 --- a/src/copyout.c
 +++ b/src/copyout.c
@@ -290,7 +290,7 @@ field_width_error (const char *filename, const char *fieldname,
 {
   char valbuf[UINTMAX_STRSIZE_BOUND + 1];
   char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
 -  error (0, 0, _("%s: value %s %s out of allowed range 0..%s"),
 +  error (1, 0, _("%s: value %s %s out of allowed range 0..%s"),
 	 filename, fieldname,
 	 STRINGIFY_BIGINT (value, valbuf),
 	 STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
 diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
 index e877b39..50ad60b 100644
 --- a/tests/CVE-2019-14866.at
 +++ b/tests/CVE-2019-14866.at
@@ -30,6 +30,5 @@ fi
 [0],
 [],
 [cpio: file: value size 17179869184 out of allowed range 0..8589934591
 -2 blocks
 ])
 AT_CLEANUP
 diff --git a/tests/testsuite b/tests/testsuite
 index b45c731..fd8454d 100755
 --- a/tests/testsuite
 +++ b/tests/testsuite
@@ -2885,7 +2885,6 @@ fi
 at_status=$? at_failed=false
 $at_check_filter
 echo >>"$at_stderr"; $as_echo "cpio: file: value size 17179869184 out of allowed range 0..8589934591
 -2 blocks
 " | \
   $at_diff - "$at_stderr" || at_failed=:
 at_fn_diff_devnull "$at_stdout" || at_failed=:
--- a/SOURCES/cpio-2.13-mutiple-definition.patch
+++ b/SOURCES/cpio-2.13-mutiple-definition.patch
@ -1,13 +0,0 @@
 diff -up cpio-2.13/src/global.c.me cpio-2.13/src/global.c
 --- cpio-2.13/src/global.c.me	2020-01-30 17:17:42.015259283 +0100
 +++ cpio-2.13/src/global.c	2020-01-30 17:24:12.680794025 +0100
@@ -184,9 +184,6 @@ unsigned int warn_option = 0;
 /* Extract to standard output? */
 bool to_stdout_option = false;
 -/* The name this program was run with.  */
 -char *program_name;
 -
 /* A pointer to either lstat or stat, depending on whether
    dereferencing of symlinks is done for input files.  */
 int (*xstat) ();
--- a/SOURCES/cpio-2.13-reset-gid-uid.patch
+++ b/SOURCES/cpio-2.13-reset-gid-uid.patch
@ -1,63 +0,0 @@
 From 5913893d6f3de65b16e1ad294b88893305efb20f Mon Sep 17 00:00:00 2001
 From: Ondrej Dubaj <odubaj@redhat.com>
 Date: Thu, 18 Feb 2021 09:59:31 +0100
 Subject: [PATCH] * lib/system.h (ERRNO_IS_EACCES): Remove.  Not used anymore.
 (sys_reset_uid_gid): Re-initialize supplementary groups when switching
 privileges. Fix ordering of setgid and setuid calls.
 ---
 lib/system.h | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
 diff --git a/lib/system.h b/lib/system.h
 index 1c1a5d0..4fd3ce9 100644
 --- a/lib/system.h
 +++ b/lib/system.h
@@ -470,19 +470,37 @@ char *getenv ();
 #if MSDOS
 # include <process.h>
 # define SET_BINARY_MODE(arc) setmode(arc, O_BINARY)
 -# define ERRNO_IS_EACCES errno == EACCES
 # define mkdir(file, mode) (mkdir) (file)
 # define TTY_NAME "con"
 # define sys_reset_uid_gid()
 #else
 # define SET_BINARY_MODE(arc)
 -# define ERRNO_IS_EACCES 0
 # define TTY_NAME "/dev/tty"
 -# define sys_reset_uid_gid()					\
 -  do {								\
 -    if (! (setuid (getuid ()) == 0 && setgid (getgid ()) == 0)) \
 -      abort ();							\
 -  } while (0)
 +# include <paxlib.h>
 +static inline void
 +sys_reset_uid_gid (void)
 +{
 +  struct passwd *pw;
 +  uid_t uid = getuid ();
 +  gid_t gid = getgid ();
 +  
 +  if ((pw = getpwuid (uid)) == NULL)
 +    {
 +      FATAL_ERROR ((0, errno, "%s(%lu)", "getpwuid", (unsigned long)uid));
 +    }
 +  if (initgroups (pw->pw_name, getgid ()))
 +    {
 +      FATAL_ERROR ((0, errno, "%s", "initgroups"));
 +    }
 +  if (gid != getegid () && setgid (gid) && errno != EPERM)
 +    {
 +      FATAL_ERROR ((0, errno, "%s", "setgid"));
 +    }
 +  if (uid != geteuid () && setuid (uid) && errno != EPERM)
 +    {
 +      FATAL_ERROR ((0, errno, "%s", "setuid"));
 +    }
 +}
 #endif
 #if XENIX
 -- 
 2.26.0
--- a/SOURCES/cpio-2.13-revert-CVE-2015-1197-fix.patch
+++ b/SOURCES/cpio-2.13-revert-CVE-2015-1197-fix.patch
@ -1,91 +0,0 @@
 revert fix for CVE-2015-1197 as it causes shutdown issues
 revert suggested as a workaround by upstream:
 https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
 --- b/src/copyin.c
 +++ a/src/copyin.c
@@ -645,14 +645,13 @@
       link_name = xstrdup (file_hdr->c_tar_linkname);
     }
 -  cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
 -  
   res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
 			 file_hdr->c_mode);
   if (res < 0 && create_dir_flag)
     {
       create_all_directories (file_hdr->c_name);
 +      res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
 +			     file_hdr->c_mode);
 -      res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
     }
   if (res < 0)
     {
 --- b/tests/CVE-2015-1197.at
 +++ /dev/null
@@ -1,43 +0,0 @@
 -# Process this file with autom4te to create testsuite.  -*- Autotest -*-
 -# Copyright (C) 2009-2019 Free Software Foundation, Inc.
 -#
 -# This program is free software; you can redistribute it and/or modify
 -# it under the terms of the GNU General Public License as published by
 -# the Free Software Foundation; either version 3, or (at your option)
 -# any later version.
 -#
 -# This program is distributed in the hope that it will be useful,
 -# but WITHOUT ANY WARRANTY; without even the implied warranty of
 -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 -# GNU General Public License for more details.
 -#
 -# You should have received a copy of the GNU General Public License
 -# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 -
 -AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
 -AT_CHECK([
 -tempdir=$(pwd)/tmp
 -mkdir $tempdir
 -touch $tempdir/file
 -ln -s $tempdir dir
 -AT_DATA([filelist],
 -[dir
 -dir/file
 -])
 -ln -s /tmp dir
 -touch /tmp/file
 -cpio -o < filelist > test.cpio
 -rm dir /tmp/file
 -cpio --no-absolute-filenames -iv < test.cpio
 -],
 -[2],
 -[],
 -[1 block
 -cpio: Removing leading `/' from hard link targets
 -dir
 -cpio: dir/file: Cannot open: No such file or directory
 -dir/file
 -1 block
 -])
 -AT_CLEANUP
 -
 --- b/tests/Makefile.am
 +++ a/tests/Makefile.am
@@ -56,9 +56,8 @@
  symlink-long.at\
  symlink-to-stdout.at\
  version.at\
  big-block-size.at\
 - CVE-2015-1197.at\
  CVE-2019-14866.at
 TESTSUITE = $(srcdir)/testsuite
 --- b/tests/testsuite.at
 +++ a/tests/testsuite.at
@@ -43,6 +43,5 @@
 m4_include([setstat04.at])
 m4_include([setstat05.at])
 m4_include([big-block-size.at])
 -m4_include([CVE-2015-1197.at])
 m4_include([CVE-2019-14866.at])
--- a/SOURCES/cpio-2.13-dev_number.patch
+++ b/SOURCES/cpio-2.13-dev_number.patch
@ -3,10 +3,10 @@ Date: Mon, 14 Sep 2015 09:37:15 +0200
 Subject: [PATCH 3/7] Support major/minor device numbers over 127 (bz#450109)
 diff --git a/src/copyin.c b/src/copyin.c
-index b29f348..1142d6a 100644
+index cde911e..12bd27c 100644
 --- a/src/copyin.c
 +++ b/src/copyin.c
-@@ -1123,15 +1123,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
+@@ -1196,15 +1196,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
       swab_array ((char *) short_hdr, 13);
     }
@ -25,4 +25,4 @@ index b29f348..1142d6a 100644
 +  file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
   file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
                       | short_hdr->c_mtimes[1];
-   file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
+ 
--- a/SOURCES/cpio-2.9-exitCode.patch
+++ b/SOURCES/cpio-2.9-exitCode.patch
@ -0,0 +1,18 @@
 From: Peter Vrabec <pvrabec@redhat.com>
 Date: Mon, 14 Sep 2015 09:31:08 +0200
 Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
 (#183224)
 diff --git a/src/copyout.c b/src/copyout.c
 index 1f0987a..dcae449 100644
 --- a/src/copyout.c
 +++ b/src/copyout.c
@@ -287,7 +287,7 @@ to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase)
 static void
 field_width_error (const char *filename, const char *fieldname)
 {
 -  error (0, 0, _("%s: field width not sufficient for storing %s"),
 +  error (1, 0, _("%s: field width not sufficient for storing %s"),
 	 filename, fieldname);
 }
--- a/SPECS/cpio.spec
+++ b/SPECS/cpio.spec
@ -1,10 +1,10 @@
 Summary: A GNU archiving program
 Name: cpio
-Version: 2.13
+Version: 2.12
-Release: 16%{?dist}
+Release: 11%{?dist}
 License: GPLv3+
-URL: https://www.gnu.org/software/cpio/
+URL: http://www.gnu.org/software/cpio/
-Source: https://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
+Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
 # help2man generated manual page distributed only in RHEL/Fedora
 Source1: cpio.1
@ -15,11 +15,11 @@ Patch1: cpio-2.9-rh.patch
 # fix warn_if_file_changed() and set exit code to 1 when cpio fails to store
 # file > 4GB (#183224)
 # http://lists.gnu.org/archive/html/bug-cpio/2006-11/msg00000.html
-Patch2: cpio-2.13-exitCode.patch
+Patch2: cpio-2.9-exitCode.patch
 # Support major/minor device numbers over 127 (bz#450109)
 # http://lists.gnu.org/archive/html/bug-cpio/2008-07/msg00000.html
-Patch3: cpio-2.13-dev_number.patch
+Patch3: cpio-2.9-dev_number.patch
 # Define default remote shell as /usr/bin/ssh (#452904)
 Patch4: cpio-2.9.90-defaultremoteshell.patch
@ -36,24 +36,18 @@ Patch7: cpio-2.10-longnames-split.patch
 # Cpio does Sum32 checksum, not CRC (downstream)
 Patch8: cpio-2.11-crc-fips-nit.patch
 # Fix multiple definition of `program_name'
 Patch9: cpio-2.13-mutiple-definition.patch
 # Revert fix for CVE-2015-1197 (#1797163)
 # reverts upstream commit 45b0ee2b4
 Patch10: cpio-2.13-revert-CVE-2015-1197-fix.patch
 # Extract: retain times for symlinks
-# downstream patch (#1486364)
+# downstream patch (#1487673)
 # https://www.mail-archive.com/bug-cpio@gnu.org/msg00605.html
-Patch11: cpio-2.11-retain-symlink-times.patch
+Patch9: cpio-2.11-retain-symlink-times.patch
-# Properly drop priviledges for remote command
+# Fixed improper input validation when writing tar header fields
-# http://git.savannah.gnu.org/cgit/paxutils.git/commit/?id=d247e3c2809a37b6d0c3067251d96bb7f12555e7
+# upstream patch (#1766223)
-Patch12: cpio-2.13-reset-gid-uid.patch
+# https://cement.retrofitta.se/tmp/cpio-tar.patch
 Patch10: cpio-2.12-improper-input-validation.patch
 # Fixed integer overflow in ds_fgetstr()
-# upstream patch (#1992512)
+# upstream patch (#1992511)
 # https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
 # https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8
 # https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1
@ -62,14 +56,13 @@ Patch12: cpio-2.13-reset-gid-uid.patch
 # https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7dd8ba91d8b6a2640e6c01c3e3a4234828646f23
 # https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=684b7ac5767e676cda78c161aeb7fe7b45a07529
 # https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=b1c85839bf1381f749dd45bf6a5a38924e3315a0
-Patch13: cpio-2.13-CVE-2021-38185.patch
+Patch11: cpio-2.13-CVE-2021-38185.patch
 Provides: bundled(gnulib)
 Provides: bundled(paxutils)
 Provides: /bin/cpio
 BuildRequires: gcc
 BuildRequires: texinfo, autoconf, automake, gettext, gettext-devel, rmt
 BuildRequires: make
 %description
 GNU cpio copies files into or out of a cpio or tar archive.  Archives
@ -94,12 +87,12 @@ Install cpio if you need a program to manage file archives.
 autoreconf -fi
 export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS"
 %configure --with-rmt="%{_sysconfdir}/rmt"
-%make_build
+make %{?_smp_mflags}
 (cd po && make update-gmo)
 %install
-%make_install
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
 rm -f $RPM_BUILD_ROOT%{_libexecdir}/rmt
 rm -f $RPM_BUILD_ROOT%{_infodir}/dir
@ -119,77 +112,24 @@ make check || {
 %files -f %{name}.lang
 %doc AUTHORS ChangeLog NEWS README THANKS TODO
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %{_bindir}/*
 %{_mandir}/man*/*
 %{_infodir}/*.info*
 %changelog
-* Thu Aug 26 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-16
+* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-11
- Fixed CVE-2021-38185 (#1992512)
+- Fixed CVE-2021-38185 (#1992511)
-* Thu Aug 19 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-15
+* Thu Jan 21 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-10
- Revert patch for CVE-2021-38185 (#1992512)
+- Fixed improper input validation when writing tar header fields (#1766223)
-* Mon Aug 16 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-14
+* Mon Jun 15 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.12-9
- Minor fix for CVE-2021-38185 (#1992512)
+- Extract: retain times for symlinks (#1487673)
-* Mon Aug 16 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-13
+* Tue Jul 17 2018 Pavel Raiskup <praiskup@redhat.com> - 2.12-8
- Fixed CVE-2021-38185 (#1992512)
+- cleanup, sync with rawhide
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.13-12
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.13-11
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Thu Feb 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-10
 - Properly drop priviledges for remote command
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2.13-7
 - Use make macros
 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 * Mon Jun 15 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.13-6
 - Extract: retain times for symlinks (#1486364)
 * Tue Apr 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.13-5.1
 - Release bump due to testing of gating
 * Wed Feb 05 2020 Petr Kubat <pkubat@redhat.com> - 2.13-4
 - Revert fix for CVE-2015-1197 as it causes shutdown issues (#1797163)
 * Thu Jan 30 2020 Than Ngo <than@redhat.com> - 2.13-3
 - Fix multiple definition of program_name
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Wed Nov 06 2019 Pavel Raiskup <praiskup@redhat.com> - 2.13-1
 - new upstream release, per release notes
  https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Tue Feb 19 2019 Pavel Raiskup <praiskup@redhat.com> - 2.12-11
 - admit that we bundle paxutils project
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Wed Apr 11 2018 Pavel Raiskup <praiskup@redhat.com> - 2.12-8
 - spring spec cleanup
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
`@ -1 +1 @@`
	`4dcefc0e1bc36b11506a354768d82b15e3fe6bb8 SOURCES/cpio-2.13.tar.bz2`	`60358408c76db354f6716724c4bcbcb6e18ab642 SOURCES/cpio-2.12.tar.bz2`
`@ -1 +1 @@`
	`SOURCES/cpio-2.13.tar.bz2`	`SOURCES/cpio-2.12.tar.bz2`