diff --git a/fix-extract-over-links.patch b/fix-extract-over-links.patch
new file mode 100644
index 0000000..f3d24ff
--- /dev/null
+++ b/fix-extract-over-links.patch
@@ -0,0 +1,23 @@
+--- a/libarchive/archive_write_disk_posix.c.orig 2016-12-02 13:13:57.433550535 +0000
++++ a/libarchive/archive_write_disk_posix.c 2016-12-02 13:16:36.770020356 +0000
+@@ -2051,12 +2051,14 @@ create_filesystem_object(struct archive_
+ /* EPERM is more appropriate than error_number for our callers */
+ return (EPERM);
+ }
+- r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
+- if (r != ARCHIVE_OK) {
+- archive_set_error(&a->archive, error_number, "%s", error_string.s);
+- free(linkname_copy);
+- /* EPERM is more appropriate than error_number for our callers */
+- return (EPERM);
++ if (a->flags & ARCHIVE_EXTRACT_SECURE_SYMLINKS) {
++ r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
++ if (r != ARCHIVE_OK) {
++ archive_set_error(&a->archive, error_number, "%s", error_string.s);
++ free(linkname_copy);
++ /* EPERM is more appropriate than error_number for our callers */
++ return (EPERM);
++ }
+ }
+ free(linkname_copy);
+ r = link(linkname, a->name) ? errno : 0;
diff --git a/libarchive.changes b/libarchive.changes
index b4aff5d..97655c5 100644
--- a/libarchive.changes
+++ b/libarchive.changes
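Review bot: In fix-extract-over-links.patch the new `if (a->flags & ARCHIVE_EXTRACT_SECURE_SYMLINKS)` guard means callers that extract without that flag get no symlink check on the hardlink target before `link(linkname, a->name)` runs, so a hardlink entry whose target path passes through a symlink is accepted again for them. `check_symlinks_fsobj()` already receives `a->flags`, so it may be possible to relax only the case that broke extraction inside that function instead of skipping the call; this cannot be confirmed here, because the body of create_filesystem_object and the callee lie outside the hunk. At minimum the guard deserves a comment such as `/* Only callers that set ARCHIVE_EXTRACT_SECURE_SYMLINKS get the hardlink target checked for symlinks; without the flag the target path is used as given. */`. Separately, the error path returns without releasing `error_string`, which looks like a small leak if it is heap-backed (its declaration is not visible in the hunk).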
@@ -1,14 +1,21 @@ +------------------------------------------------------------------- +Fri Dec 2 13:37:54 UTC 2016 - adrian@suse.com + +- fix extracting over symlinks: fix-extract-over-links.patch + the problem is solved upstream different, but git master + is too different atm. + ------------------------------------------------------------------- Wed Oct 26 09:27:32 UTC 2016 - adrian@suse.com - update to version 3.2.2 Unspecified security fixes, but at least: - * CVE-2016-8687.patch: bsc#1005070 - * CVE-2016-8689.patch: bsc#1005072 - * CVE-2016-8688.patch: bsc#1005076 - * CVE-2016-5844.patch: bsc#986566, upstream issue 717 - * CVE-2016-6250.patch: bsc#989980, upstream issue 711 - * CVE-2016-5418.patch: bsc#998677, upstream issues 744, 745 and 746 + * CVE-2016-8687 + * CVE-2016-8689 + * CVE-2016-8688 + * CVE-2016-5844 + * CVE-2016-6250 + * CVE-2016-5418 - obsoletes fix-build.patch ------------------------------------------------------------------- diff --git a/libarchive.spec b/libarchive.spec index 3858f82..0f8d645 100644 --- a/libarchive.spec +++ b/libarchive.spec @@ -41,6 +41,8 @@ Group: Productivity/Archiving/Compression Url: http://www.libarchive.org/ Source0: http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz Source1: baselibs.conf +# PATCH-FIX-OPENSUSE the problem is solved upstream different, but git master is too different atm. +Patch0: fix-extract-over-links.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libacl-devel BuildRequires: libbz2-devel @@ -55,7 +57,7 @@ BuildRequires: libxml2-devel BuildRequires: pkg-config BuildRequires: xz-devel BuildRequires: zlib-devel -Patch0: libarchive-openssl.patch +Patch1: libarchive-openssl.patch %description Libarchive is a programming library that can create and read several @@ -162,8 +164,9 @@ static library for libarchive %prep %setup -q +%patch0 -p1 %if %{with openssl} -%patch0 -p0 +%patch1 -p0 %endif %build
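Review bot: The `# PATCH-FIX-OPENSUSE` comment above `Patch0:` in libarchive.spec records neither a bug reference nor what the patch changes, which matters here because fix-extract-over-links.patch makes a symlink check conditional on `ARCHIVE_EXTRACT_SECURE_SYMLINKS`. I would spell that out so the patch is re-evaluated at the next version update, e.g. `# PATCH-FIX-OPENSUSE fix-extract-over-links.patch <bug-reference> -- hardlink target symlink check only with ARCHIVE_EXTRACT_SECURE_SYMLINKS; drop once the upstream fix is released`. `<bug-reference>` is a placeholder; the page does not give one.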