From cf1cc63e6cf93f6fd396ccd0211a3d7a6981eeb97e0d96cc4710c0b9760bbd49 Mon Sep 17 00:00:00 2001
From: Danilo Spinella
Date: Mon, 5 Feb 2024 10:02:57 +0000
Subject: [PATCH] Accepting request 1144160 from home:dspinella:branches:Archiving - Update to 2.15: * Fix the operation of --no-absolute-filenames --make-directories. * Restore access and modification times of symlinks in copy-in and copy-pass modes. - Remove fix-operation-no-absolute-filenames.patch * Rewrite the fix for CVE-2015-1197 - Fix CVE-2023-7207, path traversal vulnerability, bsc#1218571 OBS-URL: https://build.opensuse.org/request/show/1144160 OBS-URL: https://build.opensuse.org/package/show/Archiving/cpio?expand=0&rev=94
---
 cpio-2.14.tar.bz2 | 3 ---
 cpio-2.14.tar.bz2.sig | Bin 95 -> 0 bytes
 cpio-2.15.tar.bz2 | 3 +++
 cpio-2.15.tar.bz2.sig | Bin 0 -> 95 bytes
 cpio.changes | 12 ++++++++-
 cpio.spec | 7 ++---
 fix-operation-no-absolute-filenames.patch | 31 ----------------------
 7 files changed, 16 insertions(+), 40 deletions(-)
 delete mode 100644 cpio-2.14.tar.bz2
 delete mode 100644 cpio-2.14.tar.bz2.sig
 create mode 100644 cpio-2.15.tar.bz2
 create mode 100644 cpio-2.15.tar.bz2.sig
 delete mode 100644 fix-operation-no-absolute-filenames.patch
diff --git a/cpio-2.14.tar.bz2 b/cpio-2.14.tar.bz2
deleted file mode 100644
index b5e418e..0000000
--- a/cpio-2.14.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fcdc15d60f7267a6fc7efcd6b9db7b6c8966c4f2fbbb964c24d41336fd3f2c12
-size 1521004
diff --git a/cpio-2.14.tar.bz2.sig b/cpio-2.14.tar.bz2.sig
deleted file mode 100644
index 8fff0195e1716d4ef842a285386c156024592a93e8911e0c181a296cba204b41..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 95 zcmeB(WnmCxVvrS6WHE|QrATz(f}IFw8Su v)go#*KjHSZb>SH+LS|pzd(3bV!~7IuyPw{*PNkX0woSOW^KjP}jaw`L0BI(9 literal 0 HcmV?d00001
diff --git a/cpio.changes b/cpio.changes
index 814423a..8146905 100644
--- a/cpio.changes
+++ b/cpio.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Feb 5 09:22:10 UTC 2024 - Danilo Spinella
+
+- Update to 2.15:
+ * Fix the operation of --no-absolute-filenames --make-directories.
+ * Restore access and modification times of symlinks in copy-in and
+ copy-pass modes.
+- Remove fix-operation-no-absolute-filenames.patch
+
 -------------------------------------------------------------------
 Mon Jul 10 14:52:48 UTC 2023 - Danilo Spinella
@@ -18,7 +27,7 @@ Fri Jun 23 13:02:55 UTC 2023 - Danilo Spinella
 * Fix cpio header verification.
 * Fix handling of device numbers on copy out.
 * Fix calculation of CRC in copy-out mode.
- * Rewrite the fix for CVE-2015-1197.
+ * Rewrite the fix for CVE-2015-1197
 * Fix combination of --create --append --directory.
 * Fix appending to archives bigger than 2G.
 - Refresh patches:
@@ -31,6 +40,7 @@ Fri Jun 23 13:02:55 UTC 2023 - Danilo Spinella
 * fix-CVE-2021-38185.patch
 * fix-CVE-2021-38185_2.patch
 * fix-CVE-2021-38185_3.patch
+- Fix CVE-2023-7207, path traversal vulnerability, bsc#1218571
 -------------------------------------------------------------------
 Tue Dec 27 10:29:29 UTC 2022 - Ludwig Nussel
diff --git a/cpio.spec b/cpio.spec
index 9f6ed3d..5d6636f 100644
--- a/cpio.spec
+++ b/cpio.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package cpio
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: cpio
-Version: 2.14
+Version: 2.15
 Release: 0
 Summary: A Backup and Archiving Utility
 License: GPL-3.0-only
@@ -41,8 +41,6 @@ Patch20: cpio-close_files_after_copy.patch
 Patch21: cpio-pattern-file-sigsegv.patch
 Patch23: paxutils-rtapelib_mtget.patch
 Patch25: cpio-fix_truncation_check.patch
-# PATCH-FIX-UPSTREAM
-Patch26: fix-operation-no-absolute-filenames.patch
 BuildRequires: autoconf >= 2.71
 BuildRequires: automake
 #Requires(post): %{xinstall_info_prereq}
@@ -83,7 +81,6 @@ This package includes the 'mt', a local tape drive control program.
 %patch21 -p1
 %patch23 -p1
 %patch25 -p1
-%patch26 -p1
 %build
 gettextize -f --no-changelog
diff --git a/fix-operation-no-absolute-filenames.patch b/fix-operation-no-absolute-filenames.patch
deleted file mode 100644
index 9d91f40..0000000
--- a/fix-operation-no-absolute-filenames.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From e3cc782c610729de7622a274e532817c18262a9d Mon Sep 17 00:00:00 2001
-From: Sergey Poznyakoff
-Date: Thu, 18 May 2023 09:00:12 +0300
-Subject: Fix operation of --no-absolute-filenames --make-directories
-
-* src/copyin.c (symlink_placeholder): Try to create leading
-directories if unable to create placeholder.
----
- src/copyin.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/copyin.c b/src/copyin.c
-index 1e4921f..08df12c 100644
---- a/src/copyin.c
-+++ b/src/copyin.c
-@@ -668,6 +668,12 @@ symlink_placeholder (char *oldpath, char *newpath, struct cpio_file_stat *file_s
- struct delayed_link *p;
- size_t newlen = strlen (newpath);
-
-+ if (fd < 0 && create_dir_flag)
-+ {
-+ create_all_directories (newpath);
-+ fd = open (newpath, O_WRONLY | O_CREAT | O_EXCL, 0);
-+ }
-+
- if (fd < 0)
- {
- open_error (newpath);
---
-cgit v1.1
-