- Add upstream patch:

* cp could read from freed memory and could even make corrupt copies.
    This could happen with a very fragmented and sparse input file,
    on GNU/Linux file systems supporting fiemap extent scanning.
    This bug also affects mv when it resorts to copying, and install.
    [bug introduced in coreutils-8.11]

OBS-URL: https://build.opensuse.org/package/show/Base:System/coreutils?expand=0&rev=160

coreutils-cp-corrupt-fragmented-sparse.patch

@@ -0,0 +1,99 @@
+commit 64aef5fb9afecc023a6e719da161dbbf450908b8
+Author: Jim Meyering <jim@meyering.net>
+Date:   Tue Oct 16 17:43:49 2012 +0200
+
+    cp: avoid data-corrupting free-memory-read
+
+    NEWS entry:
+    cp could read from freed memory and could even make corrupt copies.
+    This could happen with a very fragmented and sparse input file,
+    on GNU/Linux file systems supporting fiemap extent scanning.
+    This bug also affects mv when it resorts to copying, and install.
+    [bug introduced in coreutils-8.11]
+
+    * src/extent-scan.c (extent_scan_read): Reset our last_ei
+    pointer whenever the parent buffer might have just been freed.
+    * tests/cp/fiemap-extent-FMR.sh: New test.
+    * tests/local.mk (all_tests): Add it.
+    * NEWS (Bug fixes): Mention it.
+    Reported by Mike Gerth in http://bugs.gnu.org/12656, and with
+    help from Alan Curry.  Bug introduced in commit v8.10-60-g18f5a85.
+
+Index: src/extent-scan.c
+===================================================================
+--- src/extent-scan.c.orig
++++ src/extent-scan.c
+@@ -89,7 +89,7 @@ extern bool
+ extent_scan_read (struct extent_scan *scan)
+ {
+   unsigned int si = 0;
+-  struct extent_info *last_ei IF_LINT ( = scan->ext_info);
++  struct extent_info *last_ei = scan->ext_info;
+ 
+   while (true)
+     {
+@@ -127,8 +127,14 @@ extent_scan_read (struct extent_scan *sc
+ 
+       assert (scan->ei_count <= SIZE_MAX - fiemap->fm_mapped_extents);
+       scan->ei_count += fiemap->fm_mapped_extents;
+-      scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
+-                                  sizeof (struct extent_info));
++      {
++        /* last_ei points into a buffer that may be freed via xnrealloc.
++           Record its offset and adjust after allocation.  */
++        size_t prev_idx = last_ei - scan->ext_info;
++        scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
++                                    sizeof (struct extent_info));
++        last_ei = scan->ext_info + prev_idx;
++      }
+ 
+       unsigned int i = 0;
+       for (i = 0; i < fiemap->fm_mapped_extents; i++)
+Index: tests/cp/fiemap-FMR
+===================================================================
+--- /dev/null
++++ tests/cp/fiemap-FMR
+@@ -0,0 +1,31 @@
++#!/bin/sh
++# Trigger a free-memory read bug in cp from coreutils-[8.11..8.19]
++
++# Copyright (C) 2012 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ./src
++print_ver_ cp
++
++require_valgrind_
++require_perl_
++: ${PERL=perl}
++
++$PERL -e 'for (1..600) { sysseek (*STDOUT, 4096, 1)' \
++  -e '&& syswrite (*STDOUT, "a" x 1024) or die "$!"}' > j || fail=1
++valgrind --quiet --error-exitcode=3 cp j j2 || fail=1
++cmp j j2 || fail=1
++
++Exit $fail
+Index: tests/Makefile.am
+===================================================================
+--- tests/Makefile.am.orig
++++ tests/Makefile.am
+@@ -342,6 +342,7 @@ TESTS =						\
+   cp/existing-perm-race				\
+   cp/fail-perm					\
+   cp/fiemap-empty                               \
++  cp/fiemap-FMR                                 \
+   cp/fiemap-perf                                \
+   cp/fiemap-2                                   \
+   cp/file-perm-race				\

coreutils.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sun Oct 28 20:31:28 UTC 2012 - mail@bernhard-voelker.de
+
+- Add upstream patch:
+
+  * cp could read from freed memory and could even make corrupt copies.
+    This could happen with a very fragmented and sparse input file,
+    on GNU/Linux file systems supporting fiemap extent scanning.
+    This bug also affects mv when it resorts to copying, and install.
+    [bug introduced in coreutils-8.11]
+
 -------------------------------------------------------------------
 Fri Sep 21 11:55:12 UTC 2012 - froh@suse.com
 

coreutils.spec

@@ -76,6 +76,7 @@ Patch33:        coreutils-8.9-singlethreaded-sort.patch
 Patch34:        coreutils-acl-nofollow.patch
 Patch36:        coreutils-basename_documentation.patch
 Patch37:        coreutils-bnc#697897-setsid.patch
+Patch38:        coreutils-cp-corrupt-fragmented-sparse.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # this will create a cycle, broken up randomly - coreutils is just too core to have other
 # prerequires
@@ -119,6 +120,7 @@ uname unexpand uniq unlink uptime users vdir wc who whoami yes
 %patch34
 %patch36
 %patch37
+%patch38
 
 xz -dc %{S:4} >po/de.po