testing/tar
SHA256
3
0
Fork 0
forked from pool/tar
Code Pull Requests Activity

Accepting request 446602 from Base:System

Browse Source 
- update tar-1.29-extract_pathname_bypass.patch to the upstream
  one that fixes POINTYFEATHER issue but it doesn't limit append or
  create operations as the initial patch did [bsc#1012633]
  [CVE-2016-6321] (forwarded request 446474 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/446602
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tar?expand=0&rev=61
This commit is contained in:
Ludwig Nussel 2016-12-22 14:45:34 +00:00 committed by Git OBS Bridge
commit 69bb52fbed
3 changed files with 41 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
tar-1.29-extract_pathname_bypass.patch
View File

@ -1,29 +1,35 @@
Index: lib/paxnames.c From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
Date: Sat, 29 Oct 2016 21:04:40 -0700
Subject: When extracting, skip ".." members
* NEWS: Document this.
* src/extract.c (extract_archive): Skip members whose names
contain "..".
---
Index: tar-1.29/src/extract.c
=================================================================== ===================================================================
--- lib/paxnames.c.orig --- tar-1.29.orig/src/extract.c 2016-01-20 10:26:32.000000000 +0100
+++ lib/paxnames.c +++ tar-1.29/src/extract.c 2016-12-15 18:11:56.752575954 +0100
@@ -18,6 +18,7 @@ @@ -1629,12 +1629,20 @@ extract_archive (void)
#include <system.h> {
#include <hash.h> char typeflag;
#include <paxlib.h> tar_extractor_t fun;
+#include <quotearg.h> + bool skip_dotdot_name;
fatal_exit_hook = extract_finish;
/* Hash tables of strings. */
@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
for (p = file_name + prefix_len; *p; )
{
if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
- prefix_len = p + 2 - file_name;
+ {
+ static char const *const diagnostic[] =
+ {
+ N_("%s: Member name contains '..'"),
+ N_("%s: Hard link target contains '..'")
+ };
+ FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
+ quotearg_colon (file_name)));
+ }
do set_next_block_after (current_header);
{
+ skip_dotdot_name = (!absolute_names_option
+ && contains_dot_dot (current_stat_info.orig_file_name));
+ if (skip_dotdot_name)
+ ERROR ((0, 0, _("%s: Member name contains '..'"),
+ quotearg_colon (current_stat_info.orig_file_name)));
+
if (!current_stat_info.file_name[0]
+ || skip_dotdot_name
|| (interactive_option
&& !confirm ("extract", current_stat_info.file_name)))
{

8
tar.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Dec 15 17:05:04 UTC 2016 - vcizek@suse.com
- update tar-1.29-extract_pathname_bypass.patch to the upstream
one that fixes POINTYFEATHER issue but it doesn't limit append or
create operations as the initial patch did [bsc#1012633]
[CVE-2016-6321]
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 8 17:50:44 UTC 2016 - kstreitova@suse.com Tue Nov 8 17:50:44 UTC 2016 - kstreitova@suse.com

2
tar.spec
View File

@ -99,7 +99,7 @@ Upstream testsuite for the package
#%patch12 -p1 #%patch12 -p1
%patch20 -p1 %patch20 -p1
%patch21 -p1 %patch21 -p1
%patch22 -p0 %patch22 -p1
%build %build
%define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE