Accepting request 446474 from home:vitezslav_cizek:branches:Base:System

- update tar-1.29-extract_pathname_bypass.patch to the upstream one that fixes POINTYFEATHER issue but it doesn't limit append or create operations as the initial patch did [bsc#1012633] [CVE-2016-6321] OBS-URL: https://build.opensuse.org/request/show/446474 OBS-URL: https://build.opensuse.org/package/show/Base:System/tar?expand=0&rev=75
2016-12-16 07:58:32 +00:00 · 2016-12-16 07:58:32 +00:00 · 2e036aa0fa
commit 2e036aa0fa
parent 885805a010
3 changed files with 41 additions and 27 deletions
--- a/tar-1.29-extract_pathname_bypass.patch
+++ b/tar-1.29-extract_pathname_bypass.patch
@ -1,29 +1,35 @@
-Index: lib/paxnames.c
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+
+Index: tar-1.29/src/extract.c
 ===================================================================
--- lib/paxnames.c.orig
-+++ lib/paxnames.c
-@@ -18,6 +18,7 @@
- #include <system.h>
- #include <hash.h>
- #include <paxlib.h>
-+#include <quotearg.h>
+--- tar-1.29.orig/src/extract.c	2016-01-20 10:26:32.000000000 +0100
+++ tar-1.29/src/extract.c	2016-12-15 18:11:56.752575954 +0100
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
+  bool skip_dotdot_name;
 
- 
- /* Hash tables of strings.  */
-@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
-       for (p = file_name + prefix_len; *p; )
- 	{
-           if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
-	    prefix_len = p + 2 - file_name;
-+            {
-+	      static char const *const diagnostic[] =
-+	      {
-+		N_("%s: Member name contains '..'"),
-+		N_("%s: Hard link target contains '..'")
-+	      };
-+	      FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
-+	                    quotearg_colon (file_name)));
-+	    }
+   fatal_exit_hook = extract_finish;
 
- 	  do
- 	    {
+   set_next_block_after (current_header);
+ 
+  skip_dotdot_name = (!absolute_names_option
+		      && contains_dot_dot (current_stat_info.orig_file_name));
+  if (skip_dotdot_name)
+    ERROR ((0, 0, _("%s: Member name contains '..'"),
+	    quotearg_colon (current_stat_info.orig_file_name)));
+
+   if (!current_stat_info.file_name[0]
+      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
--- a/tar.changes
+++ b/tar.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Dec 15 17:05:04 UTC 2016 - vcizek@suse.com
+
+- update tar-1.29-extract_pathname_bypass.patch to the upstream
+  one that fixes POINTYFEATHER issue but it doesn't limit append or
+  create operations as the initial patch did [bsc#1012633]
+  [CVE-2016-6321]
+
 -------------------------------------------------------------------
 Tue Nov  8 17:50:44 UTC 2016 - kstreitova@suse.com

--- a/tar.spec
+++ b/tar.spec
@ -99,7 +99,7 @@ Upstream testsuite for the package
 #%patch12 -p1
 %patch20 -p1
 %patch21 -p1
-%patch22 -p0
+%patch22 -p1

 %build
 %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE