Accepting request 833764 from home:dirkmueller:branches:Archiving

- add cpio-revert-CVE-2015-1197-fix.patch as recommended by upstream
  to fix https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html

OBS-URL: https://build.opensuse.org/request/show/833764
OBS-URL: https://build.opensuse.org/package/show/Archiving/cpio?expand=0&rev=82

cpio-revert-CVE-2015-1197-fix.patch

@@ -0,0 +1,91 @@
+revert fix for CVE-2015-1197 as it causes shutdown issues
+
+revert suggested as a workaround by upstream:
+https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
+
+--- b/src/copyin.c
++++ a/src/copyin.c
+@@ -645,14 +645,13 @@
+       link_name = xstrdup (file_hdr->c_tar_linkname);
+     }
+ 
+-  cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-  
+   res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ 			 file_hdr->c_mode);
+   if (res < 0 && create_dir_flag)
+     {
+       create_all_directories (file_hdr->c_name);
++      res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
++			     file_hdr->c_mode);
+-      res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
+     }
+   if (res < 0)
+     {
+--- b/tests/CVE-2015-1197.at
++++ /dev/null
+@@ -1,43 +0,0 @@
+-# Process this file with autom4te to create testsuite.  -*- Autotest -*-
+-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 3, or (at your option)
+-# any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+-
+-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
+-AT_CHECK([
+-tempdir=$(pwd)/tmp
+-mkdir $tempdir
+-touch $tempdir/file
+-ln -s $tempdir dir
+-AT_DATA([filelist],
+-[dir
+-dir/file
+-])
+-ln -s /tmp dir
+-touch /tmp/file
+-cpio -o < filelist > test.cpio
+-rm dir /tmp/file
+-cpio --no-absolute-filenames -iv < test.cpio
+-],
+-[2],
+-[],
+-[1 block
+-cpio: Removing leading `/' from hard link targets
+-dir
+-cpio: dir/file: Cannot open: No such file or directory
+-dir/file
+-1 block
+-])
+-AT_CLEANUP
+-
+--- b/tests/Makefile.am
++++ a/tests/Makefile.am
+@@ -56,9 +56,8 @@
+  symlink-long.at\
+  symlink-to-stdout.at\
+  version.at\
+  big-block-size.at\
+- CVE-2015-1197.at\
+  CVE-2019-14866.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+
+--- b/tests/testsuite.at
++++ a/tests/testsuite.at
+@@ -43,6 +43,5 @@
+ m4_include([setstat04.at])
+ m4_include([setstat05.at])
+ m4_include([big-block-size.at])
+
+-m4_include([CVE-2015-1197.at])
+ m4_include([CVE-2019-14866.at])

cpio.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Sep 11 11:45:35 UTC 2020 - Dirk Mueller <dmueller@suse.com>
+
+- add cpio-revert-CVE-2015-1197-fix.patch as recommended by upstream
+  to fix https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html 
+
 -------------------------------------------------------------------
 Sat Aug 15 16:18:46 UTC 2020 - Dirk Mueller <dmueller@suse.com>
 

cpio.spec

@@ -40,6 +40,8 @@ Patch18:        cpio-default_tape_dev.patch
 Patch20:        cpio-close_files_after_copy.patch
 Patch21:        cpio-pattern-file-sigsegv.patch
 Patch23:        paxutils-rtapelib_mtget.patch
+# see https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
+Patch24:        cpio-revert-CVE-2015-1197-fix.patch
 Patch25:        cpio-fix_truncation_check.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -80,6 +82,7 @@ This package includes the 'mt', a local tape drive control program.
 ###
 %patch21 -p1
 %patch23 -p1
+%patch24 -p1
 %patch25 -p1
 
 %build