authorRoy Marples <uberlord@gentoo.org>2007-08-22 09:09:15 +0000
committerRoy Marples <uberlord@gentoo.org>2007-08-22 09:09:15 +0000
commit979383e215cb854fd2f11cf6382601e818e2a2f6 (patch)
treeeeb9438779ac957740eff877c06913882c389745 /app-arch
parentPrefer 1.5 over 1.4 (diff)
Patch to fix a directory traversal vulnerability, #189682
thanks to Robert Buchholz. (Portage version: 2.1.3.6)
Diffstat (limited to 'app-arch')
-rw-r--r--app-arch/tar/ChangeLog11
-rw-r--r--app-arch/tar/files/digest-tar-1.17-r13
-rw-r--r--app-arch/tar/files/digest-tar-1.18-r23
-rw-r--r--app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch20
-rw-r--r--app-arch/tar/tar-1.17-r1.ebuild70
-rw-r--r--app-arch/tar/tar-1.18-r2.ebuild69
6 files changed, 175 insertions, 1 deletions
diff --git a/app-arch/tar/ChangeLog b/app-arch/tar/ChangeLog
index 9c3e85962a94..19b40f009783 100644
--- a/app-arch/tar/ChangeLog
+++ b/app-arch/tar/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for app-arch/tar
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.108 2007/08/21 17:40:39 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.109 2007/08/22 09:09:15 uberlord Exp $
+
+*tar-1.18-r2 (22 Aug 2007)
+*tar-1.17-r1 (22 Aug 2007)
+
+ 22 Aug 2007; Roy Marples <uberlord@gentoo.org>
+ +files/tar-1.15.1-alt-contains-dot-dot.patch, +tar-1.17-r1.ebuild,
+ +tar-1.18-r2.ebuild:
+ Patch to fix a directory traversal vulnerability, #189682
+ thanks to Robert Buchholz.
21 Aug 2007; Jeroen Roovers <jer@gentoo.org> tar-1.18-r1.ebuild:
Stable for HPPA too.
diff --git a/app-arch/tar/files/digest-tar-1.17-r1 b/app-arch/tar/files/digest-tar-1.17-r1
new file mode 100644
index 000000000000..71e71f65d601
--- /dev/null
+++ b/app-arch/tar/files/digest-tar-1.17-r1
@@ -0,0 +1,3 @@
+MD5 c6c4f1c075dbf0f75c29737faa58f290 tar-1.17.tar.bz2 1882911
+RMD160 f4671e909c1ff8fac531d438b50a4a197049bc45 tar-1.17.tar.bz2 1882911
+SHA256 19f9021dda51a16295e4706e80870e71f87107675e51c176a491eba0fc4ca492 tar-1.17.tar.bz2 1882911
diff --git a/app-arch/tar/files/digest-tar-1.18-r2 b/app-arch/tar/files/digest-tar-1.18-r2
new file mode 100644
index 000000000000..1e3df17e14e6
--- /dev/null
+++ b/app-arch/tar/files/digest-tar-1.18-r2
@@ -0,0 +1,3 @@
+MD5 70170208d7c1bb9ab40120579434b6a3 tar-1.18.tar.bz2 1877207
+RMD160 129e1a53ed3b580f5efc582622a90fdfc9d105f5 tar-1.18.tar.bz2 1877207
+SHA256 44944ee0427c8e0d8dbaa0b8f900073a7456819610cc521c53630c3eb117cf5e tar-1.18.tar.bz2 1877207
diff --git a/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch b/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch
new file mode 100644
index 000000000000..27b2c955f02f
--- /dev/null
+++ b/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch
@@ -0,0 +1,20 @@
+2005-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ * src/names.c (contains_dot_dot): Fix ".." detection.
+ Previous edition fails to recognize "foo//.." case.
+
+--- tar-1.15.1/src/names.c.orig 2004-09-06 11:30:54 +0000
++++ tar-1.15.1/src/names.c 2005-05-15 13:21:13 +0000
+@@ -1152,11 +1152,10 @@ contains_dot_dot (char const *name)
+ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+ return 1;
+
+- do
++ while (! ISSLASH (*p))
+ {
+ if (! *p++)
+ return 0;
+ }
+- while (! ISSLASH (*p));
+ }
+ }
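Review bot: The rewritten loop in contains_dot_dot has no comment explaining why it must test before advancing, and that is the entire fix: the old do/while always consumed one character first, so from an empty component (the second slash in "foo//..") it ran on through the following component without the ".." check at the top of the for loop ever seeing its start. I would add above the `while` something like `/* Test before advancing: an empty component ("//") must not swallow the start of the next one. */`. The patch header and the `@@ -1152` offset are from tar-1.15.1, while the ebuilds in this commit apply it to 1.17 and 1.18, so it is worth confirming that it lands in contains_dot_dot without fuzz on both. The check is lexical on the member name only, so a regression test that feeds it "foo//.." would be better than relying on the patch alone. The function's opening and the for loop header lie outside the hunk.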
diff --git a/app-arch/tar/tar-1.17-r1.ebuild b/app-arch/tar/tar-1.17-r1.ebuild
new file mode 100644
index 000000000000..cf3b0f99f5a3
--- /dev/null
+++ b/app-arch/tar/tar-1.17-r1.ebuild
@@ -0,0 +1,70 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.17-r1.ebuild,v 1.1 2007/08/22 09:09:15 uberlord Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+ ftp://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+ mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls static"
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.15.1-alt-contains-dot-dot.patch #189682
+ epatch "${FILESDIR}"/${P}-exclude-test.patch
+
+ if ! use userland_GNU ; then
+ sed -i \
+ -e 's:/backup\.sh:/gbackup.sh:' \
+ scripts/{backup,dump-remind,restore}.in \
+ || die "sed non-GNU"
+ fi
+}
+
+src_compile() {
+ local myconf
+ use static && append-ldflags -static
+ use userland_GNU || myconf="--program-prefix=g"
+ # Work around bug in sandbox #67051
+ gl_cv_func_chown_follows_symlink=yes \
+ econf \
+ --enable-backup-scripts \
+ --bindir=/bin \
+ --libexecdir=/usr/sbin \
+ $(use_enable nls) \
+ ${myconf} || die
+ emake || die "emake failed"
+}
+
+src_install() {
+ local p=""
+ use userland_GNU || p=g
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ if [[ -z ${p} ]] ; then
+ # a nasty yet required piece of baggage
+ exeinto /etc
+ doexe "${FILESDIR}"/rmt || die
+ fi
+
+ dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+ newman "${FILESDIR}"/tar.1 ${p}tar.1
+ mv "${D}"/usr/sbin/${p}backup{,-tar}
+ mv "${D}"/usr/sbin/${p}restore{,-tar}
+
+ rm -f "${D}"/usr/$(get_libdir)/charset.alias
+}
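Review bot: The two `mv` calls at the end of src_install are unchecked, so if the backup and restore scripts are not where the ebuild expects, the renames fail silently and the package is merged without the `-tar` names. Append a check to each, for example `mv "${D}"/usr/sbin/${p}backup{,-tar} || die "mv backup failed"`. `cd "${S}"` in src_unpack is also unchecked just before the security patch is applied; epatch should abort on a failed apply, but `cd "${S}" || die` makes the failure point explicit. The same lines appear in tar-1.18-r2.ebuild.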
diff --git a/app-arch/tar/tar-1.18-r2.ebuild b/app-arch/tar/tar-1.18-r2.ebuild
new file mode 100644
index 000000000000..36a90babc142
--- /dev/null
+++ b/app-arch/tar/tar-1.18-r2.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.18-r2.ebuild,v 1.1 2007/08/22 09:09:15 uberlord Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+ ftp://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+ mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls static"
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.15.1-alt-contains-dot-dot.patch #189682
+
+ if ! use userland_GNU ; then
+ sed -i \
+ -e 's:/backup\.sh:/gbackup.sh:' \
+ scripts/{backup,dump-remind,restore}.in \
+ || die "sed non-GNU"
+ fi
+}
+
+src_compile() {
+ local myconf
+ use static && append-ldflags -static
+ use userland_GNU || myconf="--program-prefix=g"
+ # Work around bug in sandbox #67051
+ gl_cv_func_chown_follows_symlink=yes \
+ econf \
+ --enable-backup-scripts \
+ --bindir=/bin \
+ --libexecdir=/usr/sbin \
+ $(use_enable nls) \
+ ${myconf} || die
+ emake || die "emake failed"
+}
+
+src_install() {
+ local p=""
+ use userland_GNU || p=g
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ if [[ -z ${p} ]] ; then
+ # a nasty yet required piece of baggage
+ exeinto /etc
+ doexe "${FILESDIR}"/rmt || die
+ fi
+
+ dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+ newman "${FILESDIR}"/tar.1 ${p}tar.1
+ mv "${D}"/usr/sbin/${p}backup{,-tar}
+ mv "${D}"/usr/sbin/${p}restore{,-tar}
+
+ rm -f "${D}"/usr/$(get_libdir)/charset.alias
+}