testing/tar
SHA256
3
0
Fork 0
forked from pool/tar
Code Pull Requests Activity

Accepting request 439592 from Base:System

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/439592
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tar?expand=0&rev=60
This commit is contained in:
Dominique Leuenberger 2016-11-13 21:50:05 +00:00 committed by Git OBS Bridge
commit f11a88dc4a
3 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
tar-1.29-extract_pathname_bypass.patch Normal file
View File

@ -0,0 +1,29 @@
Index: lib/paxnames.c
===================================================================
--- lib/paxnames.c.orig
+++ lib/paxnames.c
@@ -18,6 +18,7 @@
#include <system.h>
#include <hash.h>
#include <paxlib.h>
+#include <quotearg.h>
/* Hash tables of strings. */
@@ -114,7 +115,15 @@ safer_name_suffix (char const *file_name
for (p = file_name + prefix_len; *p; )
{
if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
- prefix_len = p + 2 - file_name;
+ {
+ static char const *const diagnostic[] =
+ {
+ N_("%s: Member name contains '..'"),
+ N_("%s: Hard link target contains '..'")
+ };
+ FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
+ quotearg_colon (file_name)));
+ }
do
{

9
tar.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue Nov 8 17:50:44 UTC 2016 - kstreitova@suse.com
- add tar-1.29-extract_pathname_bypass.patch to fix POINTYFEATHER
vulnerability - GNU tar archiver can be tricked into extracting
files and directories in the given destination, regardless of the
path name(s) specified on the command line [bsc#1007188]
[CVE-2016-6321]
------------------------------------------------------------------- -------------------------------------------------------------------
Sat May 28 19:06:33 UTC 2016 - astieger@suse.com Sat May 28 19:06:33 UTC 2016 - astieger@suse.com

3
tar.spec
View File

@ -47,6 +47,8 @@ Patch20: add_readme-tests.patch
# add return values to the backup scripts for better results monitoring. # add return values to the backup scripts for better results monitoring.
# https://savannah.gnu.org/patch/?8953 # https://savannah.gnu.org/patch/?8953
Patch21: add-return-values-to-backup-scripts.patch Patch21: add-return-values-to-backup-scripts.patch
# PATCH-FIX-UPSTREAM bnc#1007188 CVE-2016-6321 kstreitova@suse.com -- fix POINTYFEATHER vulnerability
Patch22: tar-1.29-extract_pathname_bypass.patch
%if 0%{?suse_version} >= %min_suse_ver %if 0%{?suse_version} >= %min_suse_ver
BuildRequires: automake BuildRequires: automake
BuildRequires: help2man BuildRequires: help2man
@ -97,6 +99,7 @@ Upstream testsuite for the package
#%patch12 -p1 #%patch12 -p1
%patch20 -p1 %patch20 -p1
%patch21 -p1 %patch21 -p1
%patch22 -p0
%build %build
%define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE %define my_cflags -W -Wall -Wpointer-arith -Wstrict-prototypes -Wformat-security -Wno-unused-parameter -fPIE