Accepting request 282506 from home:AndreasStieger:branches:devel:tools

patch 2.7.3 [boo#913678] [CVE-2015-1196]

OBS-URL: https://build.opensuse.org/request/show/282506
OBS-URL: https://build.opensuse.org/package/show/devel:tools/patch?expand=0&rev=44

error-report-crash.patch

@@ -1,98 +0,0 @@
-From 291ec175812b7ba291d124e4cf2fbf9efec590c8 Mon Sep 17 00:00:00 2001
-From: Andreas Gruenbacher <agruen@linbit.com>
-Date: Thu, 4 Oct 2012 12:33:09 +0200
-Subject: [PATCH] Initialize data structures early enough
-
-* src/patch.c (main): Initialize data structures early enough, before error
-paths can access them.
-* tests/bad-usage: Test bad command line usage.
-* tests/Makefile.am (TESTS): Add bad-usage here.
----
- src/patch.c       |  8 ++++----
- tests/Makefile.am |  1 +
- tests/bad-usage   | 18 ++++++++++++++++++
- 3 files changed, 23 insertions(+), 4 deletions(-)
- create mode 100644 tests/bad-usage
-
-Index: patch-2.7.1/src/patch.c
-===================================================================
---- patch-2.7.1.orig/src/patch.c
-+++ patch-2.7.1/src/patch.c
-@@ -150,6 +150,10 @@ main (int argc, char **argv)
-     else if ((version_control = getenv ("VERSION_CONTROL")))
-       version_control_context = "$VERSION_CONTROL";
- 
-+    init_backup_hash_table ();
-+    init_files_to_delete ();
-+    init_files_to_output ();
-+
-     /* parse switches */
-     Argc = argc;
-     Argv = argv;
-@@ -162,10 +166,6 @@ main (int argc, char **argv)
-     if (make_backups | backup_if_mismatch)
-       backup_type = get_version (version_control_context, version_control);
- 
--    init_backup_hash_table ();
--    init_files_to_delete ();
--    init_files_to_output ();
--
-     init_output (&outstate);
-     if (outfile)
-       outstate.ofp = open_outfile (outfile);
-Index: patch-2.7.1/tests/Makefile.am
-===================================================================
---- patch-2.7.1.orig/tests/Makefile.am
-+++ patch-2.7.1/tests/Makefile.am
-@@ -20,6 +20,7 @@ TESTS = \
- 	asymmetric-hunks \
- 	backup-prefix-suffix \
- 	bad-filenames \
-+	bad-usage \
- 	concat-git-diff \
- 	copy-rename \
- 	corrupt-reject-files \
-Index: patch-2.7.1/tests/Makefile.in
-===================================================================
---- patch-2.7.1.orig/tests/Makefile.in
-+++ patch-2.7.1/tests/Makefile.in
-@@ -1075,6 +1075,7 @@ TESTS = \
- 	asymmetric-hunks \
- 	backup-prefix-suffix \
- 	bad-filenames \
-+	bad-usage \
- 	concat-git-diff \
- 	copy-rename \
- 	corrupt-reject-files \
-@@ -1294,6 +1295,8 @@ backup-prefix-suffix.log: backup-prefix-
- 	@p='backup-prefix-suffix'; $(am__check_pre) $(LOG_COMPILE) "$$tst" $(am__check_post)
- bad-filenames.log: bad-filenames
- 	@p='bad-filenames'; $(am__check_pre) $(LOG_COMPILE) "$$tst" $(am__check_post)
-+bad-usage.log: bad-usage
-+	@p='bad-usage'; $(am__check_pre) $(LOG_COMPILE) "$$tst" $(am__check_post)
- concat-git-diff.log: concat-git-diff
- 	@p='concat-git-diff'; $(am__check_pre) $(LOG_COMPILE) "$$tst" $(am__check_post)
- copy-rename.log: copy-rename
-Index: patch-2.7.1/tests/bad-usage
-===================================================================
---- /dev/null
-+++ patch-2.7.1/tests/bad-usage
-@@ -0,0 +1,18 @@
-+# Copyright (C) 2009, 2011-2012 Free Software Foundation, Inc.
-+#
-+# Copying and distribution of this file, with or without modification,
-+# in any medium, are permitted without royalty provided the copyright
-+# notice and this notice are preserved.
-+
-+. $srcdir/test-lib.sh
-+
-+require_cat
-+use_local_patch
-+use_tmpdir
-+
-+# ==============================================================
-+
-+check 'patch -px || echo "status: $?"' <<EOF
-+$PATCH: **** strip count x is not a number
-+status: 2
-+EOF

patch-2.7.1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:aae676de9e95051f425af4507fcc9a019941a2a1f78405e7dbd40bccf786aa11
-size 800515

patch-2.7.3.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:02f6246736de92785d9c76c0ecab1121a516e52bfeb40c749a68ca4709e4487d
+size 811416

patch-2.7.3.tar.bz2.sig

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJUwWXSAAoJEMTJJ81dGzbXddEP/1teuYcysAFblAyfTr1JiEzi
+Eo7v2T/E8RaEfkViSD5fX/wKVvAHBxm0xytN5DGztoyN/YBsP5jD34oFBioq77ik
+wXs+EVPOiPkeKmOObHQ8oh4tOVkA+duzOYrtfz1xrAbbG8wKpH+VziKczmsSp/bw
+JwET4w3r6tvQfANunRlhTvGVBgXrlPd2X14SzIYtYDnHF4pjLd9s2GYimlhChWFI
+GV/60bmj1Esoc7upTgR7PzShGYQm0WfiODFwdSCD6qowLnyUjzwuB6YzJVfuR5be
+30L0sbGWzXj2mVRCWbgiqUYoZ4aupE3EGwiCdcHWZ3LTKRSjXhiwkzh2Fqa20s98
+5NjmHVinl1k6yE/7w9rHZr/A5I08IiDAeJe4R+JGpQuDw+g7ooOTCdNZH6waBRv1
+f2jyi4lV3O3+b1T3lU9YTKiN8QovE2AjBTXGDhjpbz553q1rmb0068kMW+BmX2Sv
+fY5YLf+nS1DXAGuGfNZ2nwD8aH88uIREHI+gmmA1lCXJ8pipbmpcN7P1E3kXdG/8
+hiJ/pA1nuZEWCdmuP0d91Z6dhHYsasWXmv9cGVA6q8chtRAToXA/jiqb+nBPIwON
+JGm1rPi+8P3Bsp/Ix74B1JmfjUzqgqUxFxQIPSSlmoGp5ThkRmTXg0MTQFuXU1iU
+QyqhcXwFlXi279/qmhyO
+=ykie
+-----END PGP SIGNATURE-----

patch.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Fri Jan 23 00:58:35 UTC 2015 - andreas.stieger@gmx.de
+
+- patch 2.7.3
+  Contains a security fix for a directory traversal flaw when
+  handling git-style patches. This could allow an attacker to
+  overwrite arbitrary files by applying a specially crafted patch.
+  [boo#913678] [CVE-2015-1196]
+  + With git-style patches, symlinks that point outside the working
+    directory will no longer be created (CVE-2015-1196).
+  + When a file isn't being deleted because the file contents don't
+    match the patch, the resulting message is now "Not deleting
+    file ... as content differs from patch" instead of "File ...
+    is not empty after patch; not deleting".
+  + Function names in hunks (from diff -p) are now preserved in
+    reject files
+    This change was previously added as a patch. [boo#904519]
+- Version 2.7.2 differed from the above only slightly.
+- packaging changes:
+  + Verify source signatures
+  + Removed patches now upstream:
+    * error-report-crash.patch
+    * reject-print-function-01-drop-useless-test.patch
+    * reject-print-function-02-handle-unified-format.patch
+  + run spec-cleaner
+
 -------------------------------------------------------------------
 Mon Nov 10 11:37:03 CET 2014 - jdelvare@suse.de
 

patch.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package patch
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,55 +16,43 @@
 #
 
 
-Url:            http://ftp.gnu.org/gnu/patch/
-
 Name:           patch
-# See bnc#662957. The fix for CVE-2010-4651 breaks the way interdiff was
+Version:        2.7.3
-# invoking patch, so interdiff had to be fixed too.
-Conflicts:      patchutils < 0.3.2
-Version:        2.7.1
 Release:        0
 Summary:        GNU patch
 License:        GPL-3.0+
 Group:          Productivity/Text/Utilities
-Source:         http://ftp.gnu.org/gnu/patch/patch-%version.tar.bz2
+Url:            http://ftp.gnu.org/gnu/patch/
-Patch:          error-report-crash.patch
+Source:         http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.bz2
-Patch1:         reject-print-function-01-drop-useless-test.patch
+Source2:        http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.bz2.sig
-Patch2:         reject-print-function-02-handle-unified-format.patch
+Source3:        http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=patch&download=1#/patch.keyring
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# See bnc#662957. The fix for CVE-2010-4651 breaks the way interdiff was
+# invoking patch, so interdiff had to be fixed too.
+Conflicts:      patchutils < 0.3.2
 
 %description
 The GNU patch program is used to apply diffs between original and
 changed files (generated by the diff command) to the original files.
 
-
-
-Authors:
---------
-    Larry Wall
-    Paul Eggert
-
 %prep
 %setup -q
-%patch -p1
-%patch1 -p1
-%patch2 -p1
 
 %build
-export CFLAGS="$RPM_OPT_FLAGS -Wall -O2 -pipe"
+export CFLAGS="%{optflags} -Wall -O2 -pipe"
-%configure --prefix=%{_prefix}
+%configure
 make %{?_smp_mflags} %{verbose:V=1};
 
 %check
-make check %{verbose:V=1}
+make %{?_smp_mflags} check %{verbose:V=1}
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT %{verbose:V=1}
+make install DESTDIR=%{buildroot} %{verbose:V=1}
 
 %files
 %defattr(-,root,root)
-%doc NEWS README 
+%doc NEWS README
-/usr/bin/patch
+%{_bindir}/patch
 %doc %{_mandir}/man1/patch.1.gz
 
 %changelog

reject-print-function-01-drop-useless-test.patch

@@ -1,22 +0,0 @@
-From: Jean Delvare <jdelvare@suse.de>
-Subject: Drop useless test in another_hunk()
-Upstream: Committed (65193f1cc1bf38bdd63d1f3087b0d7e16ad3f082)
-
-This test will always succeed so it is either broken or useless. The
-equivalent code path for context patches doesn't have this test so I
-suppose it's OK to just remove it.
----
- src/pch.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/pch.c
-+++ b/src/pch.c
-@@ -1651,7 +1651,7 @@ another_hunk (enum diff difftype, bool r
- 	if (*s == ' ') s++;
- 	if (*s++ != '@')
- 	    malformed ();
--	if (*s++ == '@' && *s == ' ' && *s != '\0')
-+	if (*s++ == '@' && *s == ' ')
- 	  {
- 	    p_c_function = s;
- 	    while (*s != '\n')

reject-print-function-02-handle-unified-format.patch

@@ -1,51 +0,0 @@
-From: Steven Rostedt <rostedt@goodmis.org>
-Subject: Preserve function names in reject files
-Upstream: Committed (a2f4bfe0f3f54181a8f1077cde9ebef0b4f891c0)
-References: bnc#904519
-
-* src/patch.c (main): Preserve function names in reject files.
-* tests/reject-format: Update the test case. 
----
- src/patch.c         |    3 ++-
- tests/reject-format |    4 ++--
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/src/patch.c
-+++ b/src/patch.c
-@@ -1237,6 +1237,7 @@ abort_hunk_unified (bool header, bool re
-   lin old = 1;
-   lin lastline = pch_ptrn_lines ();
-   lin new = lastline + 1;
-+  char const *c_function = pch_c_function();
- 
-   if (header)
-     {
-@@ -1251,7 +1252,7 @@ abort_hunk_unified (bool header, bool re
-   print_unidiff_range (rejfp, pch_first () + out_offset, lastline);
-   fprintf (rejfp, " +");
-   print_unidiff_range (rejfp, pch_newfirst () + out_offset, pch_repl_lines ());
--  fprintf (rejfp, " @@\n");
-+  fprintf (rejfp, " @@%s\n", c_function ? c_function : "");
- 
-   while (pch_char (new) == '=' || pch_char (new) == '\n')
-     new++;
---- a/tests/reject-format
-+++ b/tests/reject-format
-@@ -79,7 +79,7 @@ check 'cat f.rej' <<EOF
- Index: f
- --- f.orig
- +++ f
--@@ -2,6 +2,6 @@
-+@@ -2,6 +2,6 @@ a() {
-  2
-  3
-  $preserve_trailing_blank
-@@ -102,7 +102,7 @@ EOF
- check 'cat f.rej' <<EOF
- --- f.orig
- +++ f
--@@ -2,6 +2,6 @@
-+@@ -2,6 +2,6 @@ a() {
-  2
-  3
-  $preserve_trailing_blank