Compare commits

..

No commits in common. "c9-beta" and "c8" have entirely different histories.
c9-beta ... c8

12 changed files with 952 additions and 403 deletions

View File

@ -1 +1 @@
4dcefc0e1bc36b11506a354768d82b15e3fe6bb8 SOURCES/cpio-2.13.tar.bz2
60358408c76db354f6716724c4bcbcb6e18ab642 SOURCES/cpio-2.12.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/cpio-2.13.tar.bz2
SOURCES/cpio-2.12.tar.bz2

View File

@ -1,6 +1,6 @@
From 8bce60df53f93c9cbfb18274c6700c143a0092c6 Mon Sep 17 00:00:00 2001
From 7a4094d382e74aaed0a0b8356dc24d64952852f9 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup <praiskup@redhat.com>
Date: Fri, 3 Jul 2020 13:00:18 +0200
Date: Fri, 3 Jul 2020 12:32:58 +0200
Subject: [PATCH] Extract: retain times for symlinks
Original report by Pat Riehecky at
@ -17,14 +17,14 @@ symlinks.
---
src/copyin.c | 5 ++---
src/copypass.c | 2 ++
src/util.c | 8 +++++---
3 files changed, 9 insertions(+), 6 deletions(-)
src/util.c | 6 ++++--
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/copyin.c b/src/copyin.c
index bf3b0a8..93b006a 100644
index 183b5b5..267ed4b 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -615,9 +615,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
@@ -639,9 +639,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
/* chown may have turned off some permissions we wanted. */
if (chmod (file_hdr->c_name, file_hdr->c_mode) < 0)
chmod_error_details (file_hdr->c_name, file_hdr->c_mode);
@ -35,7 +35,7 @@ index bf3b0a8..93b006a 100644
}
static void
@@ -668,6 +666,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
@@ -692,6 +690,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
&& errno != EPERM)
chown_error_details (file_hdr->c_name, uid, gid);
}
@ -44,10 +44,10 @@ index bf3b0a8..93b006a 100644
}
diff --git a/src/copypass.c b/src/copypass.c
index dc13b5b..a5f9b7b 100644
index c5a9899..b4e7169 100644
--- a/src/copypass.c
+++ b/src/copypass.c
@@ -306,6 +306,8 @@ process_copy_pass ()
@@ -317,6 +317,8 @@ process_copy_pass ()
&& errno != EPERM)
chown_error_details (output_name.ds_string, uid, gid);
}
@ -57,20 +57,18 @@ index dc13b5b..a5f9b7b 100644
}
#endif
diff --git a/src/util.c b/src/util.c
index 4421b20..0e8d88c 100644
index 6ff6032..11f9c30 100644
--- a/src/util.c
+++ b/src/util.c
@@ -1230,8 +1230,7 @@ set_perms (int fd, struct cpio_file_stat *header)
/* chown may have turned off some permissions we wanted. */
if (fchmod_or_chmod (fd, header->c_name, header->c_mode) < 0)
chmod_error_details (header->c_name, header->c_mode);
@@ -1389,7 +1389,6 @@ set_perms (int fd, struct cpio_file_stat *header)
we have to refer to it using name+ instead of name. */
file_hdr->c_name [cdf_char] = '+';
#endif
- if (retain_time_flag)
- set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
+ set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
}
void
@@ -1239,6 +1238,8 @@ set_file_times (int fd,
@@ -1398,6 +1397,8 @@ set_file_times (int fd,
const char *name, unsigned long atime, unsigned long mtime)
{
struct timespec ts[2];
@ -79,7 +77,7 @@ index 4421b20..0e8d88c 100644
memset (&ts, 0, sizeof ts);
@@ -1247,7 +1248,8 @@ set_file_times (int fd,
@@ -1406,7 +1407,8 @@ set_file_times (int fd,
/* Silently ignore EROFS because reading the file won't have upset its
timestamp if it's on a read-only filesystem. */

View File

@ -0,0 +1,154 @@
From: Thomas Habets <habets@google.com>
Subject: [PATCH] Check for size overflow in tar header fields.
This prevents surprising outputs being created, e.g. this cpio tar
output with more than one file:
tar cf suffix.tar AUTHORS
dd if=/dev/zero seek=16G bs=1 count=0 of=suffix.tar
echo suffix.tar | cpio -H tar -o | tar tvf -
-rw-r--r-- 1000/1000 0 2019-08-30 16:40 suffix.tar
-rw-r--r-- thomas/thomas 161 2019-08-30 16:40 AUTHORS
---
src/copyout.c | 3 +--
src/extern.h | 2 +-
src/tar.c | 45 ++++++++++++++++++++++++++++++++-------------
3 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/src/copyout.c b/src/copyout.c
index dcae449..56416ba 100644
--- a/src/copyout.c
+++ b/src/copyout.c
@@ -552,8 +552,7 @@ write_out_header (struct cpio_file_stat *file_hdr, int out_des)
error (0, 0, _("%s: file name too long"), file_hdr->c_name);
return 1;
}
- write_out_tar_header (file_hdr, out_des); /* FIXME: No error checking */
- return 0;
+ return write_out_tar_header (file_hdr, out_des);
case arf_binary:
return write_out_binary_header (makedev (file_hdr->c_rdev_maj,
diff --git a/src/extern.h b/src/extern.h
index e27d662..47b477a 100644
--- a/src/extern.h
+++ b/src/extern.h
@@ -145,7 +145,7 @@ int make_path (char *argpath, uid_t owner, gid_t group,
const char *verbose_fmt_string);
/* tar.c */
-void write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
+int write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
int null_block (long *block, int size);
void read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des);
int otoa (char *s, unsigned long *n);
diff --git a/src/tar.c b/src/tar.c
index e2b5f45..53dc99a 100644
--- a/src/tar.c
+++ b/src/tar.c
@@ -93,8 +93,9 @@ stash_tar_filename (char *prefix, char *filename)
sprintf (where, "%*lo ", digits - 2, value);
except that sprintf fills in the trailing NUL and we don't. */
-static void
-to_oct (register long value, register int digits, register char *where)
+static int
+to_oct_or_error (register long value, register int digits, register char *where,
+ const char *filename, const char *fieldname)
{
--digits; /* Leave the trailing NUL slot alone. */
@@ -105,10 +106,17 @@ to_oct (register long value, register int digits, register char *where)
value >>= 3;
}
while (digits > 0 && value != 0);
+ if (value > 0)
+ {
+ error (1, 0, _("%s: field width not sufficient for storing %s"),
+ filename, fieldname);
+ return 1;
+ }
/* Add leading zeroes, if necessary. */
while (digits > 0)
where[--digits] = '0';
+ return 0;
}
@@ -139,7 +147,7 @@ tar_checksum (struct tar_header *tar_hdr)
/* Write out header FILE_HDR, including the file name, to file
descriptor OUT_DES. */
-void
+int
write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
{
int name_len;
@@ -168,11 +176,16 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
/* Ustar standard (POSIX.1-1988) requires the mode to contain only 3 octal
digits */
- to_oct (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode);
- to_oct (file_hdr->c_uid, 8, tar_hdr->uid);
- to_oct (file_hdr->c_gid, 8, tar_hdr->gid);
- to_oct (file_hdr->c_filesize, 12, tar_hdr->size);
- to_oct (file_hdr->c_mtime, 12, tar_hdr->mtime);
+ if (to_oct_or_error (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode, file_hdr->c_name, _("mode")))
+ return 1;
+ if (to_oct_or_error (file_hdr->c_uid, 8, tar_hdr->uid, file_hdr->c_name, _("uid")))
+ return 1;
+ if (to_oct_or_error (file_hdr->c_gid, 8, tar_hdr->gid, file_hdr->c_name, _("gid")))
+ return 1;
+ if (to_oct_or_error (file_hdr->c_filesize, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
+ return 1;
+ if (to_oct_or_error (file_hdr->c_mtime, 12, tar_hdr->mtime, file_hdr->c_name, _("modification time")))
+ return 1;
switch (file_hdr->c_mode & CP_IFMT)
{
@@ -184,7 +197,8 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
TARLINKNAMESIZE);
tar_hdr->typeflag = LNKTYPE;
- to_oct (0, 12, tar_hdr->size);
+ if (to_oct_or_error (0, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
+ return 1;
}
else
tar_hdr->typeflag = REGTYPE;
@@ -210,7 +224,8 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
than TARLINKNAMESIZE. */
strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
TARLINKNAMESIZE);
- to_oct (0, 12, tar_hdr->size);
+ if (to_oct_or_error (0, 12, tar_hdr->size, file_hdr->c_name, _("file size")))
+ return 1;
break;
#endif /* CP_IFLNK */
}
@@ -229,13 +244,17 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
if (name)
strcpy (tar_hdr->gname, name);
- to_oct (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor);
- to_oct (file_hdr->c_rdev_min, 8, tar_hdr->devminor);
+ if (to_oct_or_error (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor, file_hdr->c_name, _("rdev major")))
+ return 1;
+ if (to_oct_or_error (file_hdr->c_rdev_min, 8, tar_hdr->devminor, file_hdr->c_name, _("rdev minor")))
+ return 1;
}
- to_oct (tar_checksum (tar_hdr), 8, tar_hdr->chksum);
+ if (to_oct_or_error (tar_checksum (tar_hdr), 8, tar_hdr->chksum, file_hdr->c_name, _("checksum")))
+ return 1;
tape_buffered_write ((char *) &tar_rec, out_des, TARRECORDSIZE);
+ return 0;
}
/* Return nonzero iff all the bytes in BLOCK are NUL.
--
2.26.0

File diff suppressed because it is too large Load Diff

View File

@ -1,39 +0,0 @@
Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
(#183224)
diff --git a/src/copyout.c b/src/copyout.c
index 8b0beb6..4b7336b 100644
--- a/src/copyout.c
+++ b/src/copyout.c
@@ -290,7 +290,7 @@ field_width_error (const char *filename, const char *fieldname,
{
char valbuf[UINTMAX_STRSIZE_BOUND + 1];
char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
- error (0, 0, _("%s: value %s %s out of allowed range 0..%s"),
+ error (1, 0, _("%s: value %s %s out of allowed range 0..%s"),
filename, fieldname,
STRINGIFY_BIGINT (value, valbuf),
STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
index e877b39..50ad60b 100644
--- a/tests/CVE-2019-14866.at
+++ b/tests/CVE-2019-14866.at
@@ -30,6 +30,5 @@ fi
[0],
[],
[cpio: file: value size 17179869184 out of allowed range 0..8589934591
-2 blocks
])
AT_CLEANUP
diff --git a/tests/testsuite b/tests/testsuite
index b45c731..fd8454d 100755
--- a/tests/testsuite
+++ b/tests/testsuite
@@ -2885,7 +2885,6 @@ fi
at_status=$? at_failed=false
$at_check_filter
echo >>"$at_stderr"; $as_echo "cpio: file: value size 17179869184 out of allowed range 0..8589934591
-2 blocks
" | \
$at_diff - "$at_stderr" || at_failed=:
at_fn_diff_devnull "$at_stdout" || at_failed=:

View File

@ -1,13 +0,0 @@
diff -up cpio-2.13/src/global.c.me cpio-2.13/src/global.c
--- cpio-2.13/src/global.c.me 2020-01-30 17:17:42.015259283 +0100
+++ cpio-2.13/src/global.c 2020-01-30 17:24:12.680794025 +0100
@@ -184,9 +184,6 @@ unsigned int warn_option = 0;
/* Extract to standard output? */
bool to_stdout_option = false;
-/* The name this program was run with. */
-char *program_name;
-
/* A pointer to either lstat or stat, depending on whether
dereferencing of symlinks is done for input files. */
int (*xstat) ();

View File

@ -1,63 +0,0 @@
From 5913893d6f3de65b16e1ad294b88893305efb20f Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Thu, 18 Feb 2021 09:59:31 +0100
Subject: [PATCH] * lib/system.h (ERRNO_IS_EACCES): Remove. Not used anymore.
(sys_reset_uid_gid): Re-initialize supplementary groups when switching
privileges. Fix ordering of setgid and setuid calls.
---
lib/system.h | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/lib/system.h b/lib/system.h
index 1c1a5d0..4fd3ce9 100644
--- a/lib/system.h
+++ b/lib/system.h
@@ -470,19 +470,37 @@ char *getenv ();
#if MSDOS
# include <process.h>
# define SET_BINARY_MODE(arc) setmode(arc, O_BINARY)
-# define ERRNO_IS_EACCES errno == EACCES
# define mkdir(file, mode) (mkdir) (file)
# define TTY_NAME "con"
# define sys_reset_uid_gid()
#else
# define SET_BINARY_MODE(arc)
-# define ERRNO_IS_EACCES 0
# define TTY_NAME "/dev/tty"
-# define sys_reset_uid_gid() \
- do { \
- if (! (setuid (getuid ()) == 0 && setgid (getgid ()) == 0)) \
- abort (); \
- } while (0)
+# include <paxlib.h>
+static inline void
+sys_reset_uid_gid (void)
+{
+ struct passwd *pw;
+ uid_t uid = getuid ();
+ gid_t gid = getgid ();
+
+ if ((pw = getpwuid (uid)) == NULL)
+ {
+ FATAL_ERROR ((0, errno, "%s(%lu)", "getpwuid", (unsigned long)uid));
+ }
+ if (initgroups (pw->pw_name, getgid ()))
+ {
+ FATAL_ERROR ((0, errno, "%s", "initgroups"));
+ }
+ if (gid != getegid () && setgid (gid) && errno != EPERM)
+ {
+ FATAL_ERROR ((0, errno, "%s", "setgid"));
+ }
+ if (uid != geteuid () && setuid (uid) && errno != EPERM)
+ {
+ FATAL_ERROR ((0, errno, "%s", "setuid"));
+ }
+}
#endif
#if XENIX
--
2.26.0

View File

@ -1,91 +0,0 @@
revert fix for CVE-2015-1197 as it causes shutdown issues
revert suggested as a workaround by upstream:
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
--- b/src/copyin.c
+++ a/src/copyin.c
@@ -645,14 +645,13 @@
link_name = xstrdup (file_hdr->c_tar_linkname);
}
- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
-
res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
file_hdr->c_mode);
if (res < 0 && create_dir_flag)
{
create_all_directories (file_hdr->c_name);
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
}
if (res < 0)
{
--- b/tests/CVE-2015-1197.at
+++ /dev/null
@@ -1,43 +0,0 @@
-# Process this file with autom4te to create testsuite. -*- Autotest -*-
-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
-AT_CHECK([
-tempdir=$(pwd)/tmp
-mkdir $tempdir
-touch $tempdir/file
-ln -s $tempdir dir
-AT_DATA([filelist],
-[dir
-dir/file
-])
-ln -s /tmp dir
-touch /tmp/file
-cpio -o < filelist > test.cpio
-rm dir /tmp/file
-cpio --no-absolute-filenames -iv < test.cpio
-],
-[2],
-[],
-[1 block
-cpio: Removing leading `/' from hard link targets
-dir
-cpio: dir/file: Cannot open: No such file or directory
-dir/file
-1 block
-])
-AT_CLEANUP
-
--- b/tests/Makefile.am
+++ a/tests/Makefile.am
@@ -56,9 +56,8 @@
symlink-long.at\
symlink-to-stdout.at\
version.at\
big-block-size.at\
- CVE-2015-1197.at\
CVE-2019-14866.at
TESTSUITE = $(srcdir)/testsuite
--- b/tests/testsuite.at
+++ a/tests/testsuite.at
@@ -43,6 +43,5 @@
m4_include([setstat04.at])
m4_include([setstat05.at])
m4_include([big-block-size.at])
-m4_include([CVE-2015-1197.at])
m4_include([CVE-2019-14866.at])

View File

@ -3,10 +3,10 @@ Date: Mon, 14 Sep 2015 09:37:15 +0200
Subject: [PATCH 3/7] Support major/minor device numbers over 127 (bz#450109)
diff --git a/src/copyin.c b/src/copyin.c
index b29f348..1142d6a 100644
index cde911e..12bd27c 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -1123,15 +1123,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
@@ -1196,15 +1196,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
swab_array ((char *) short_hdr, 13);
}
@ -25,4 +25,4 @@ index b29f348..1142d6a 100644
+ file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
| short_hdr->c_mtimes[1];
file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16

View File

@ -0,0 +1,18 @@
From: Peter Vrabec <pvrabec@redhat.com>
Date: Mon, 14 Sep 2015 09:31:08 +0200
Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
(#183224)
diff --git a/src/copyout.c b/src/copyout.c
index 1f0987a..dcae449 100644
--- a/src/copyout.c
+++ b/src/copyout.c
@@ -287,7 +287,7 @@ to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase)
static void
field_width_error (const char *filename, const char *fieldname)
{
- error (0, 0, _("%s: field width not sufficient for storing %s"),
+ error (1, 0, _("%s: field width not sufficient for storing %s"),
filename, fieldname);
}

View File

@ -1,10 +1,10 @@
Summary: A GNU archiving program
Name: cpio
Version: 2.13
Release: 16%{?dist}
Version: 2.12
Release: 11%{?dist}
License: GPLv3+
URL: https://www.gnu.org/software/cpio/
Source: https://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
URL: http://www.gnu.org/software/cpio/
Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2
# help2man generated manual page distributed only in RHEL/Fedora
Source1: cpio.1
@ -15,11 +15,11 @@ Patch1: cpio-2.9-rh.patch
# fix warn_if_file_changed() and set exit code to 1 when cpio fails to store
# file > 4GB (#183224)
# http://lists.gnu.org/archive/html/bug-cpio/2006-11/msg00000.html
Patch2: cpio-2.13-exitCode.patch
Patch2: cpio-2.9-exitCode.patch
# Support major/minor device numbers over 127 (bz#450109)
# http://lists.gnu.org/archive/html/bug-cpio/2008-07/msg00000.html
Patch3: cpio-2.13-dev_number.patch
Patch3: cpio-2.9-dev_number.patch
# Define default remote shell as /usr/bin/ssh (#452904)
Patch4: cpio-2.9.90-defaultremoteshell.patch
@ -36,24 +36,18 @@ Patch7: cpio-2.10-longnames-split.patch
# Cpio does Sum32 checksum, not CRC (downstream)
Patch8: cpio-2.11-crc-fips-nit.patch
# Fix multiple definition of `program_name'
Patch9: cpio-2.13-mutiple-definition.patch
# Revert fix for CVE-2015-1197 (#1797163)
# reverts upstream commit 45b0ee2b4
Patch10: cpio-2.13-revert-CVE-2015-1197-fix.patch
# Extract: retain times for symlinks
# downstream patch (#1486364)
# downstream patch (#1487673)
# https://www.mail-archive.com/bug-cpio@gnu.org/msg00605.html
Patch11: cpio-2.11-retain-symlink-times.patch
Patch9: cpio-2.11-retain-symlink-times.patch
# Properly drop priviledges for remote command
# http://git.savannah.gnu.org/cgit/paxutils.git/commit/?id=d247e3c2809a37b6d0c3067251d96bb7f12555e7
Patch12: cpio-2.13-reset-gid-uid.patch
# Fixed improper input validation when writing tar header fields
# upstream patch (#1766223)
# https://cement.retrofitta.se/tmp/cpio-tar.patch
Patch10: cpio-2.12-improper-input-validation.patch
# Fixed integer overflow in ds_fgetstr()
# upstream patch (#1992512)
# upstream patch (#1992511)
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1
@ -62,14 +56,13 @@ Patch12: cpio-2.13-reset-gid-uid.patch
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7dd8ba91d8b6a2640e6c01c3e3a4234828646f23
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=684b7ac5767e676cda78c161aeb7fe7b45a07529
# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=b1c85839bf1381f749dd45bf6a5a38924e3315a0
Patch13: cpio-2.13-CVE-2021-38185.patch
Patch11: cpio-2.13-CVE-2021-38185.patch
Provides: bundled(gnulib)
Provides: bundled(paxutils)
Provides: /bin/cpio
BuildRequires: gcc
BuildRequires: texinfo, autoconf, automake, gettext, gettext-devel, rmt
BuildRequires: make
%description
GNU cpio copies files into or out of a cpio or tar archive. Archives
@ -94,12 +87,12 @@ Install cpio if you need a program to manage file archives.
autoreconf -fi
export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS"
%configure --with-rmt="%{_sysconfdir}/rmt"
%make_build
make %{?_smp_mflags}
(cd po && make update-gmo)
%install
%make_install
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
rm -f $RPM_BUILD_ROOT%{_libexecdir}/rmt
rm -f $RPM_BUILD_ROOT%{_infodir}/dir
@ -119,77 +112,24 @@ make check || {
%files -f %{name}.lang
%doc AUTHORS ChangeLog NEWS README THANKS TODO
%{!?_licensedir:%global license %%doc}
%license COPYING
%{_bindir}/*
%{_mandir}/man*/*
%{_infodir}/*.info*
%changelog
* Thu Aug 26 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-16
- Fixed CVE-2021-38185 (#1992512)
* Mon Sep 20 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-11
- Fixed CVE-2021-38185 (#1992511)
* Thu Aug 19 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-15
- Revert patch for CVE-2021-38185 (#1992512)
* Thu Jan 21 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.12-10
- Fixed improper input validation when writing tar header fields (#1766223)
* Mon Aug 16 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-14
- Minor fix for CVE-2021-38185 (#1992512)
* Mon Jun 15 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.12-9
- Extract: retain times for symlinks (#1487673)
* Mon Aug 16 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-13
- Fixed CVE-2021-38185 (#1992512)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.13-12
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.13-11
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Feb 18 2021 Ondrej Dubaj <odubaj@redhat.com> - 2.13-10
- Properly drop priviledges for remote command
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 2.13-7
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Mon Jun 15 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.13-6
- Extract: retain times for symlinks (#1486364)
* Tue Apr 07 2020 Ondrej Dubaj <odubaj@redhat.com> - 2.13-5.1
- Release bump due to testing of gating
* Wed Feb 05 2020 Petr Kubat <pkubat@redhat.com> - 2.13-4
- Revert fix for CVE-2015-1197 as it causes shutdown issues (#1797163)
* Thu Jan 30 2020 Than Ngo <than@redhat.com> - 2.13-3
- Fix multiple definition of program_name
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 06 2019 Pavel Raiskup <praiskup@redhat.com> - 2.13-1
- new upstream release, per release notes
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Feb 19 2019 Pavel Raiskup <praiskup@redhat.com> - 2.12-11
- admit that we bundle paxutils project
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Apr 11 2018 Pavel Raiskup <praiskup@redhat.com> - 2.12-8
- spring spec cleanup
* Tue Jul 17 2018 Pavel Raiskup <praiskup@redhat.com> - 2.12-8
- cleanup, sync with rawhide
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild