[packages/cpio] - revert fix for CVE-2015-1197 as it causes shutdown issues - rel 3
baggins
baggins at pld-linux.org
Mon Apr 13 23:09:31 CEST 2020
commit c3d4c8676d98767e52d09cfdbb671cd9a8326a6b
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Mon Apr 13 23:08:55 2020 +0200
- revert fix for CVE-2015-1197 as it causes shutdown issues
- rel 3
revert suggested as a workaround by upstream:
https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
cpio.spec | 4 +-
revert-CVE-2015-1197-fix.patch | 91 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 94 insertions(+), 1 deletion(-)
---
diff --git a/cpio.spec b/cpio.spec
index db68ff6..23f781e 100644
--- a/cpio.spec
+++ b/cpio.spec
@@ -9,7 +9,7 @@ Summary(tr.UTF-8): GNU cpio arşivleme programı
Summary(uk.UTF-8): Архівна програма GNU
Name: cpio
Version: 2.13
-Release: 2
+Release: 3
License: GPL v3+
Group: Applications/Archiving
Source0: https://ftp.gnu.org/gnu/cpio/%{name}-%{version}.tar.bz2
@@ -18,6 +18,7 @@ Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-ma
# Source1-md5: 027552f4053477462a09fadc162a5e65
Patch0: %{name}-info.patch
Patch1: %{name}-ifdef.patch
+Patch2: revert-CVE-2015-1197-fix.patch
URL: http://www.gnu.org/software/cpio/
BuildRequires: autoconf >= 2.63
BuildRequires: automake >= 1:1.11.1
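Review bot: The new `Patch2:` line has no comment saying that it knowingly re-opens CVE-2015-1197, so anyone auditing the package by its `Version: 2.13` would assume the fix is still present in this build. Put a comment directly above it, for example `# Reverts the upstream CVE-2015-1197 fix (shutdown regression, see bug-cpio 2019-11/msg00016); drop when upstream ships a corrected fix.` The matching `%patch2 -p1` line in the %prep hunk needs no separate remark.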
@@ -104,6 +105,7 @@ cpio копіює файли в або з архіву cpio або tar, який
%setup -q
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
%{__gettextize}
diff --git a/revert-CVE-2015-1197-fix.patch b/revert-CVE-2015-1197-fix.patch
new file mode 100644
index 0000000..1106ac7
--- /dev/null
+++ b/revert-CVE-2015-1197-fix.patch
@@ -0,0 +1,91 @@
+revert fix for CVE-2015-1197 as it causes shutdown issues
+
+revert suggested as a workaround by upstream:
+https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
+
+--- b/src/copyin.c
++++ a/src/copyin.c
+@@ -645,14 +645,13 @@
+ link_name = xstrdup (file_hdr->c_tar_linkname);
+ }
+
+- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
+ if (res < 0 && create_dir_flag)
+ {
+ create_all_directories (file_hdr->c_name);
++ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
++ file_hdr->c_mode);
+- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
+ }
+ if (res < 0)
+ {
+--- b/tests/CVE-2015-1197.at
++++ /dev/null
+@@ -1,43 +0,0 @@
+-# Process this file with autom4te to create testsuite. -*- Autotest -*-
+-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 3, or (at your option)
+-# any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+-
+-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
+-AT_CHECK([
+-tempdir=$(pwd)/tmp
+-mkdir $tempdir
+-touch $tempdir/file
+-ln -s $tempdir dir
+-AT_DATA([filelist],
+-[dir
+-dir/file
+-])
+-ln -s /tmp dir
+-touch /tmp/file
+-cpio -o < filelist > test.cpio
+-rm dir /tmp/file
+-cpio --no-absolute-filenames -iv < test.cpio
+-],
+-[2],
+-[],
+-[1 block
+-cpio: Removing leading `/' from hard link targets
+-dir
+-cpio: dir/file: Cannot open: No such file or directory
+-dir/file
+-1 block
+-])
+-AT_CLEANUP
+-
+--- b/tests/Makefile.am
++++ a/tests/Makefile.am
+@@ -56,9 +56,8 @@
+ symlink-long.at\
+ symlink-to-stdout.at\
+ version.at\
+ big-block-size.at\
+- CVE-2015-1197.at\
+ CVE-2019-14866.at
+
+ TESTSUITE = $(srcdir)/testsuite
+
+--- b/tests/testsuite.at
++++ a/tests/testsuite.at
+@@ -43,6 +43,5 @@
+ m4_include([setstat04.at])
+ m4_include([setstat05.at])
+ m4_include([big-block-size.at])
+
+-m4_include([CVE-2015-1197.at])
+ m4_include([CVE-2019-14866.at])
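Review bot: With `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` removed in the src/copyin.c hunk, `link_name` reaches `UMASKED_SYMLINK` exactly as stored in the archive, so `--no-absolute-filenames` no longer applies to symlink targets, which is the case the deleted tests/CVE-2015-1197.at covered. The patch header names only the shutdown problem; it should also state the exposure, for example `NOTE: after this revert --no-absolute-filenames does not sanitise symlink targets; do not rely on it when extracting untrusted archives.` Rather than deleting the test and its entries in tests/Makefile.am and tests/testsuite.at, consider keeping it marked as an expected failure (`AT_XFAIL_IF([true])` after `AT_SETUP`), so the regression stays visible until the revert is dropped. The enclosing function in src/copyin.c starts and ends outside the hunk, so whether any other check on `link_name` remains cannot be told from here.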
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/cpio.git/commitdiff/c3d4c8676d98767e52d09cfdbb671cd9a8326a6b