Accepting request 439571 from home:kstreitova:branches:Base:System

- add tar-1.29-extract_pathname_bypass.patch to fix POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line [bsc#1007188] [CVE-2016-6321] OBS-URL: https://build.opensuse.org/request/show/439571 OBS-URL: https://build.opensuse.org/package/show/Base:System/tar?expand=0&rev=73
2016-11-10 22:20:00 +00:00 · 2016-11-10 22:20:00 +00:00 · 885805a010
commit 885805a010
parent ecfd71c5af
3 changed files with 41 additions and 0 deletions
--- a/tar-1.29-extract_pathname_bypass.patch
+++ b/tar-1.29-extract_pathname_bypass.patch
@ -0,0 +1,29 @@
+Index: lib/paxnames.c
+===================================================================
+--- lib/paxnames.c.orig
+++ lib/paxnames.c
+@@ -18,6 +18,7 @@
+ #include <system.h>
+ #include <hash.h>
+ #include <paxlib.h>
+#include <quotearg.h>
+ 
+ 
+ /* Hash tables of strings.  */
+@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
+       for (p = file_name + prefix_len; *p; )
+ 	{
+           if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+-	    prefix_len = p + 2 - file_name;
+            {
+	      static char const *const diagnostic[] =
+	      {
+		N_("%s: Member name contains '..'"),
+		N_("%s: Hard link target contains '..'")
+	      };
+	      FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
+	                    quotearg_colon (file_name)));
+	    }
+ 
+ 	  do
+ 	    {
--- a/tar.changes
+++ b/tar.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov  8 17:50:44 UTC 2016 - kstreitova@suse.com
+
+- add tar-1.29-extract_pathname_bypass.patch to fix POINTYFEATHER
+  vulnerability - GNU tar archiver can be tricked into extracting 
+  files and directories in the given destination, regardless of the 
+  path name(s) specified on the command line [bsc#1007188] 
+  [CVE-2016-6321] 
+
 -------------------------------------------------------------------
 Sat May 28 19:06:33 UTC 2016 - astieger@suse.com

--- a/tar.spec
+++ b/tar.spec
@ -47,6 +47,8 @@ Patch20:        add_readme-tests.patch
 # add return values to the backup scripts for better results monitoring.
 # https://savannah.gnu.org/patch/?8953
 Patch21:        add-return-values-to-backup-scripts.patch
+# PATCH-FIX-UPSTREAM bnc#1007188 CVE-2016-6321 kstreitova@suse.com -- fix POINTYFEATHER vulnerability
+Patch22:        tar-1.29-extract_pathname_bypass.patch
 %if 0%{?suse_version} >= %min_suse_ver
 BuildRequires:  automake
 BuildRequires:  help2man
@ -97,6 +99,7 @@ Upstream testsuite for the package
 #%patch12 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p0

 %build
 %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE