Accepting request 443195 from Archiving

1 OBS-URL: https://build.opensuse.org/request/show/443195 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libarchive?expand=0&rev=27
2016-12-04 14:06:30 +00:00 · 2016-12-04 14:06:30 +00:00 · 5da3a6b45b
commit 5da3a6b45b
parent 88ebe4fb99 9e4730ab62
3 changed files with 41 additions and 8 deletions
--- a/fix-extract-over-links.patch
+++ b/fix-extract-over-links.patch
@ -0,0 +1,23 @@
+--- a/libarchive/archive_write_disk_posix.c.orig	2016-12-02 13:13:57.433550535 +0000
+++ a/libarchive/archive_write_disk_posix.c	2016-12-02 13:16:36.770020356 +0000
+@@ -2051,12 +2051,14 @@ create_filesystem_object(struct archive_
+ 			/* EPERM is more appropriate than error_number for our callers */
+ 			return (EPERM);
+ 		}
+-		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
+-		if (r != ARCHIVE_OK) {
+-			archive_set_error(&a->archive, error_number, "%s", error_string.s);
+-			free(linkname_copy);
+-			/* EPERM is more appropriate than error_number for our callers */
+-			return (EPERM);
+		if (a->flags & ARCHIVE_EXTRACT_SECURE_SYMLINKS) {
+			r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
+			if (r != ARCHIVE_OK) {
+				archive_set_error(&a->archive, error_number, "%s", error_string.s);
+				free(linkname_copy);
+				/* EPERM is more appropriate than error_number for our callers */
+				return (EPERM);
+			}
+ 		}
+ 		free(linkname_copy);
+ 		r = link(linkname, a->name) ? errno : 0;
--- a/libarchive.changes
+++ b/libarchive.changes
@ -1,14 +1,21 @@
+-------------------------------------------------------------------
+Fri Dec  2 13:37:54 UTC 2016 - adrian@suse.com
+
+- fix extracting over symlinks: fix-extract-over-links.patch
+  the problem is solved upstream different, but git master
+  is too different atm.
+
 -------------------------------------------------------------------
 Wed Oct 26 09:27:32 UTC 2016 - adrian@suse.com

 - update to version 3.2.2
  Unspecified security fixes, but at least:
-  * CVE-2016-8687.patch: bsc#1005070
-  * CVE-2016-8689.patch: bsc#1005072
-  * CVE-2016-8688.patch: bsc#1005076
-  * CVE-2016-5844.patch: bsc#986566, upstream issue 717
-  * CVE-2016-6250.patch: bsc#989980, upstream issue 711
-  * CVE-2016-5418.patch: bsc#998677, upstream issues 744, 745 and 746
+  * CVE-2016-8687
+  * CVE-2016-8689
+  * CVE-2016-8688
+  * CVE-2016-5844
+  * CVE-2016-6250
+  * CVE-2016-5418
 - obsoletes fix-build.patch

 -------------------------------------------------------------------
--- a/libarchive.spec
+++ b/libarchive.spec
@ -41,6 +41,8 @@ Group:          Productivity/Archiving/Compression
 Url:            http://www.libarchive.org/
 Source0:        http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz
 Source1:        baselibs.conf
+# PATCH-FIX-OPENSUSE the problem is solved upstream different, but git master is too different atm.
+Patch0:         fix-extract-over-links.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  libacl-devel
 BuildRequires:  libbz2-devel
@ -55,7 +57,7 @@ BuildRequires:  libxml2-devel
 BuildRequires:  pkg-config
 BuildRequires:  xz-devel
 BuildRequires:  zlib-devel
-Patch0:         libarchive-openssl.patch
+Patch1:         libarchive-openssl.patch

 %description
 Libarchive is a programming library that can create and read several
@ -162,8 +164,9 @@ static library for libarchive

 %prep
 %setup -q
+%patch0 -p1
 %if %{with openssl}
-%patch0 -p0
+%patch1 -p0
 %endif

 %build