author | Roy Marples <uberlord@gentoo.org> | 2007-08-22 09:09:15 +0000 |
---|---|---|
committer | Roy Marples <uberlord@gentoo.org> | 2007-08-22 09:09:15 +0000 |
commit | 979383e215cb854fd2f11cf6382601e818e2a2f6 (patch) | |
tree | eeb9438779ac957740eff877c06913882c389745 /app-arch | |
parent | Prefer 1.5 over 1.4 (diff) | |
Patch to fix a directory traversal vulnerability, #189682
thanks to Robert Buchholz.
(Portage version: 2.1.3.6)
Diffstat (limited to 'app-arch')
-rw-r--r-- | app-arch/tar/ChangeLog | 11 | ||||
-rw-r--r-- | app-arch/tar/files/digest-tar-1.17-r1 | 3 | ||||
-rw-r--r-- | app-arch/tar/files/digest-tar-1.18-r2 | 3 | ||||
-rw-r--r-- | app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch | 20 | ||||
-rw-r--r-- | app-arch/tar/tar-1.17-r1.ebuild | 70 | ||||
-rw-r--r-- | app-arch/tar/tar-1.18-r2.ebuild | 69 |
6 files changed, 175 insertions, 1 deletions
diff --git a/app-arch/tar/ChangeLog b/app-arch/tar/ChangeLog
index 9c3e85962a94..19b40f009783 100644
--- a/app-arch/tar/ChangeLog
+++ b/app-arch/tar/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for app-arch/tar
 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.108 2007/08/21 17:40:39 jer Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.109 2007/08/22 09:09:15 uberlord Exp $
+
+*tar-1.18-r2 (22 Aug 2007)
+*tar-1.17-r1 (22 Aug 2007)
+
+ 22 Aug 2007; Roy Marples <uberlord@gentoo.org>
+ +files/tar-1.15.1-alt-contains-dot-dot.patch, +tar-1.17-r1.ebuild,
+ +tar-1.18-r2.ebuild:
+ Patch to fix a directory traversal vulnerability, #189682
+ thanks to Robert Buchholz.
 21 Aug 2007; Jeroen Roovers <jer@gentoo.org> tar-1.18-r1.ebuild:
 Stable for HPPA too.
diff --git a/app-arch/tar/files/digest-tar-1.17-r1 b/app-arch/tar/files/digest-tar-1.17-r1
new file mode 100644
index 000000000000..71e71f65d601
--- /dev/null
+++ b/app-arch/tar/files/digest-tar-1.17-r1
@@ -0,0 +1,3 @@
+MD5 c6c4f1c075dbf0f75c29737faa58f290 tar-1.17.tar.bz2 1882911
+RMD160 f4671e909c1ff8fac531d438b50a4a197049bc45 tar-1.17.tar.bz2 1882911
+SHA256 19f9021dda51a16295e4706e80870e71f87107675e51c176a491eba0fc4ca492 tar-1.17.tar.bz2 1882911
diff --git a/app-arch/tar/files/digest-tar-1.18-r2 b/app-arch/tar/files/digest-tar-1.18-r2
new file mode 100644
index 000000000000..1e3df17e14e6
--- /dev/null
+++ b/app-arch/tar/files/digest-tar-1.18-r2
@@ -0,0 +1,3 @@
+MD5 70170208d7c1bb9ab40120579434b6a3 tar-1.18.tar.bz2 1877207
+RMD160 129e1a53ed3b580f5efc582622a90fdfc9d105f5 tar-1.18.tar.bz2 1877207
+SHA256 44944ee0427c8e0d8dbaa0b8f900073a7456819610cc521c53630c3eb117cf5e tar-1.18.tar.bz2 1877207
diff --git a/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch b/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch
new file mode 100644
index 000000000000..27b2c955f02f
--- /dev/null
+++ b/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch
@@ -0,0 +1,20 @@
+2005-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ * src/names.c (contains_dot_dot): Fix ".." detection.
+ Previous edition fails to recognize "foo//.." case.
+
+--- tar-1.15.1/src/names.c.orig 2004-09-06 11:30:54 +0000
++++ tar-1.15.1/src/names.c 2005-05-15 13:21:13 +0000
+@@ -1152,11 +1152,10 @@ contains_dot_dot (char const *name)
+ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+ return 1;
+
+- do
++ while (! ISSLASH (*p))
+ {
+ if (! *p++)
+ return 0;
+ }
+- while (! ISSLASH (*p));
+ }
+ }
diff --git a/app-arch/tar/tar-1.17-r1.ebuild b/app-arch/tar/tar-1.17-r1.ebuild
new file mode 100644
index 000000000000..cf3b0f99f5a3
--- /dev/null
+++ b/app-arch/tar/tar-1.17-r1.ebuild
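Review bot: The rewritten loop in contains_dot_dot carries no comment explaining why it has to test before advancing, so a later tidy-up could restore the do/while form and bring back the "foo//.." miss described in the patch header. I would add `/* Entry-tested on purpose: p may already be on a slash (e.g. "foo//.."), so it must not be stepped past. */` above `while (! ISSLASH (*p))`. The patch was written against tar-1.15.1 and is applied here to 1.17 and 1.18, so it presumably lands with a line offset; a regression test that extracts member names with repeated slashes on both versions would confirm the check still fires. The function begins outside the inner hunk, so the initialisation of `p` is not visible here.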
@@ -0,0 +1,70 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.17-r1.ebuild,v 1.1 2007/08/22 09:09:15 uberlord Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+ ftp://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+ mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls static"
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.15.1-alt-contains-dot-dot.patch #189682
+ epatch "${FILESDIR}"/${P}-exclude-test.patch
+
+ if ! use userland_GNU ; then
+ sed -i \
+ -e 's:/backup\.sh:/gbackup.sh:' \
+ scripts/{backup,dump-remind,restore}.in \
+ || die "sed non-GNU"
+ fi
+}
+
+src_compile() {
+ local myconf
+ use static && append-ldflags -static
+ use userland_GNU || myconf="--program-prefix=g"
+ # Work around bug in sandbox #67051
+ gl_cv_func_chown_follows_symlink=yes \
+ econf \
+ --enable-backup-scripts \
+ --bindir=/bin \
+ --libexecdir=/usr/sbin \
+ $(use_enable nls) \
+ ${myconf} || die
+ emake || die "emake failed"
+}
+
+src_install() {
+ local p=""
+ use userland_GNU || p=g
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ if [[ -z ${p} ]] ; then
+ # a nasty yet required piece of baggage
+ exeinto /etc
+ doexe "${FILESDIR}"/rmt || die
+ fi
+
+ dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+ newman "${FILESDIR}"/tar.1 ${p}tar.1
+ mv "${D}"/usr/sbin/${p}backup{,-tar}
+ mv "${D}"/usr/sbin/${p}restore{,-tar}
+
+ rm -f "${D}"/usr/$(get_libdir)/charset.alias
+}
diff --git a/app-arch/tar/tar-1.18-r2.ebuild b/app-arch/tar/tar-1.18-r2.ebuild
new file mode 100644
index 000000000000..36a90babc142
--- /dev/null
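Review bot: KEYWORDS in this new revision marks every architecture as testing (`~x86`, `~hppa`, and so on), so stable systems will not receive the traversal fix from this commit alone. The ChangeLog context shows tar-1.18-r1 was marked stable for HPPA the day before, which suggests stable users stay on an unpatched revision until stabilisation is requested on #189682. The same applies to tar-1.18-r2.ebuild. Separately, `cd "${S}"` in src_unpack has no failure check in either ebuild; `cd "${S}" || die "cd to ${S} failed"` would keep epatch from running in the wrong directory.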
+++ b/app-arch/tar/tar-1.18-r2.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.18-r2.ebuild,v 1.1 2007/08/22 09:09:15 uberlord Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+ ftp://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+ mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls static"
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.15.1-alt-contains-dot-dot.patch #189682
+
+ if ! use userland_GNU ; then
+ sed -i \
+ -e 's:/backup\.sh:/gbackup.sh:' \
+ scripts/{backup,dump-remind,restore}.in \
+ || die "sed non-GNU"
+ fi
+}
+
+src_compile() {
+ local myconf
+ use static && append-ldflags -static
+ use userland_GNU || myconf="--program-prefix=g"
+ # Work around bug in sandbox #67051
+ gl_cv_func_chown_follows_symlink=yes \
+ econf \
+ --enable-backup-scripts \
+ --bindir=/bin \
+ --libexecdir=/usr/sbin \
+ $(use_enable nls) \
+ ${myconf} || die
+ emake || die "emake failed"
+}
+
+src_install() {
+ local p=""
+ use userland_GNU || p=g
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ if [[ -z ${p} ]] ; then
+ # a nasty yet required piece of baggage
+ exeinto /etc
+ doexe "${FILESDIR}"/rmt || die
+ fi
+
+ dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+ newman "${FILESDIR}"/tar.1 ${p}tar.1
+ mv "${D}"/usr/sbin/${p}backup{,-tar}
+ mv "${D}"/usr/sbin/${p}restore{,-tar}
+
+ rm -f "${D}"/usr/$(get_libdir)/charset.alias
+} |