- security bump. numerous bugs in xheader.c ; CVE-2006-0300 ; bug 123038

Package-Manager: portage-2.1_pre4-r1
author: Ned Ludd <solar@gentoo.org> 2006-03-07 19:51:33 +0000
committer: Ned Ludd <solar@gentoo.org> 2006-03-07 19:51:33 +0000
commit: 4b47cf28129ad1445c42a523f6aff80561fa22eb (patch)
tree: 547ed42aa763072fb4f7e07d70029c0acae69c22 /app-arch
parent: Forgot to fix the Makefile for PPC (for the --without-java fix) (diff)
download: historical-4b47cf28129ad1445c42a523f6aff80561fa22eb.tar.gz
historical-4b47cf28129ad1445c42a523f6aff80561fa22eb.tar.bz2
historical-4b47cf28129ad1445c42a523f6aff80561fa22eb.zip
5 files changed, 245 insertions, 13 deletions
diff --git a/app-arch/tar/ChangeLog b/app-arch/tar/ChangeLog
index e69e15d19d85..2670c498bdc3 100644
--- a/app-arch/tar/ChangeLog
+++ b/app-arch/tar/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-arch/tar
-# Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.52 2005/08/12 08:39:38 flameeyes Exp $
+# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.53 2006/03/07 19:51:33 solar Exp $
+
+*tar-1.15.1-r1 (07 Mar 2006)
+
+  07 Mar 2006; <solar@gentoo.org> +files/tar-CVE-2006-0300.patch,
+  +tar-1.15.1-r1.ebuild:
+  - security bump. numerous bugs in xheader.c ; CVE-2006-0300 ; bug 123038
 
   12 Aug 2005; Diego Pettenò <flameeyes@gentoo.org> tar-1.15.1.ebuild:
   Remove the charset.alias file (created on non-GNU systems, useless here).
diff --git a/app-arch/tar/Manifest b/app-arch/tar/Manifest
index f4aad89fb1a1..bf7ad9c3b73e 100644
--- a/app-arch/tar/Manifest
+++ b/app-arch/tar/Manifest
@@ -1,23 +1,48 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
-MD5 9f329eaebb848a7d0232c5127b9d2773 ChangeLog 10668
+MD5 54bf1cb038dd112051ba1ad9d99fc007 ChangeLog 10861
+RMD160 28863e6e413d8abb6116bfb747385d634ef26fe4 ChangeLog 10861
+SHA256 36025e2bdab5929fa470851fece27a9bfb628b51e9338221757ecd34da874fde ChangeLog 10861
 MD5 a1433bcc25f8f63d8ee96bddbf877962 files/1.15.1-flex-arg.patch 519
+RMD160 7859cef187a2bb7a85ee74d310d8d9f9e25e411b files/1.15.1-flex-arg.patch 519
+SHA256 c594e45633cf45306060c6fa2649a1033b8955e8d86bca349dadbd686c505f93 files/1.15.1-flex-arg.patch 519
 MD5 9873b609521d574ae1f98d1c092c80e4 files/append.at 1065
+RMD160 2c4875d13e7fe7f324fceaa5de8f7f9778cb7e07 files/append.at 1065
+SHA256 4cfab61e61427e091b4409d39cfc41cd24db7b1948134a9fe49916711ab45d6f files/append.at 1065
 MD5 e7c9ac5824e453f73a56032123c46f97 files/digest-tar-1.14 62
+RMD160 d2936a138d8c8fe281af93627228a5ac49db4d29 files/digest-tar-1.14 62
+SHA256 bbcbb622679d81a979d5f122ffd634b67926510d169c0372c4d1b029c7e397c9 files/digest-tar-1.14 62
 MD5 1ce0c7df0ad9ec0c279340132692d7d4 files/digest-tar-1.15.1 64
+RMD160 32d50b7ec775afe42658cd9c8259ff47388c975d files/digest-tar-1.15.1 64
+SHA256 fc1114fb23b853b92ed91903c0a26e482b84194414732a74ccba050a17121a9b files/digest-tar-1.15.1 64
+MD5 f7a21f9f5928613f14747b9af765414f files/digest-tar-1.15.1-r1 238
+RMD160 f3ddee28290c332c2f47deb49c798a117bcbcb60 files/digest-tar-1.15.1-r1 238
+SHA256 eea23c8236851bf6a88f8c709db6bd7a4ba13c77bb454702bee6d9d494c5c8e6 files/digest-tar-1.15.1-r1 238
 MD5 6c645ac1da5d382a9f7ca85729b7e9e9 files/tar-1.15.1-dont-abort-long-names.patch 1586
+RMD160 3c13978030c20830996fd56ddeb3f95024c23530 files/tar-1.15.1-dont-abort-long-names.patch 1586
+SHA256 049132675793b924a581fcf025c449bff03b29b754f1eda85cbf30a0b962daa7 files/tar-1.15.1-dont-abort-long-names.patch 1586
 MD5 971970980dc4f15a093acfe810dae560 files/tar-1.15.1-gcc4-test.patch 637
+RMD160 d68855cb453cf5372c127976348725e4f948ab52 files/tar-1.15.1-gcc4-test.patch 637
+SHA256 5934d530e51e17c9f7ee8d82149f8a5ec56f3ba45a68a4434360a23c750eb5bf files/tar-1.15.1-gcc4-test.patch 637
 MD5 71aa7eea494a25b07f4ea14a7f8a7a99 files/tar-1.15.1-less-verbose-newer.patch 770
+RMD160 a133fef0ae9fedc44e79f9c44ebf47a8e53b58e6 files/tar-1.15.1-less-verbose-newer.patch 770
+SHA256 2247c879862ced954d20b77adca5bfd18519da0bee67ea946fe3a047c28b167e files/tar-1.15.1-less-verbose-newer.patch 770
 MD5 c6222f8e6644e897361b0426c753fc8d files/tar-1.15.1-lseek.patch 5270
+RMD160 5f9b369b4c6bb0160c6cc4fe37af83d9cc1e016f files/tar-1.15.1-lseek.patch 5270
+SHA256 a633c41829595a7f31d25cd0711d473bb79c3bf552a6fd6f13f8758d3342b8ba files/tar-1.15.1-lseek.patch 5270
+MD5 2e0f6c79abe0ead888d78dfeca151ff0 files/tar-CVE-2006-0300.patch 3677
+RMD160 924b5e6aa64df7cb6ba3314ae114b12e26db3210 files/tar-CVE-2006-0300.patch 3677
+SHA256 1eb197a54ef561c2e5589663bf7cc75dbb641907dec295210003bfe990699e90 files/tar-CVE-2006-0300.patch 3677
 MD5 faf9e0ee102b11c24ce1645ec3847643 files/tar.1 12886
+RMD160 cf5d4b864a562a11725811c6378840aa2d9bcfd5 files/tar.1 12886
+SHA256 e283a0a341baae4a5ed7b5149aa2bb13111ccea2184fb3fe968a82f6fd5c4f95 files/tar.1 12886
 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
+RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 metadata.xml 164
+SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92 metadata.xml 164
 MD5 d4f800ee8a2c5ddd00931249e680def8 tar-1.14.ebuild 1329
+RMD160 9d88370eb3cf5cabf303d5a6d17fb9bc40c5db13 tar-1.14.ebuild 1329
+SHA256 1c5fe7d0433f9bfb5a3f874a1e3fd7dd74aae5a24908e893ba450c0e9537c2d8 tar-1.14.ebuild 1329
+MD5 ba39e2f968d18574021faa02b3ae9740 tar-1.15.1-r1.ebuild 2106
+RMD160 51b17c91312d8b8bf0db544e9a135a4b21c61406 tar-1.15.1-r1.ebuild 2106
+SHA256 d3e25f386ebb0c8f3abdbdc3fec1ab7ea2d1c878d184d76dd49b9b4c60fee455 tar-1.15.1-r1.ebuild 2106
 MD5 e9fe7de46eb4b1aa489fc8a619e1f042 tar-1.15.1.ebuild 2046
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.2 (GNU/Linux)
-
-iD8DBQFDhWG2gIKl8Uu19MoRAsZ9AJ9XpYnum84eZd6owo/l2yACFijj0gCfcARl
-s+GuDqzm8pc2acQFDnij4Sk=
-=6IQL
------END PGP SIGNATURE-----
+RMD160 e346fdab686eed6297d588eaa6da5985719961db tar-1.15.1.ebuild 2046
+SHA256 84970c0f467e30f4fa034c923e570a59441927909c0bb4c198bf3ea5b7580e99 tar-1.15.1.ebuild 2046
diff --git a/app-arch/tar/files/digest-tar-1.15.1-r1 b/app-arch/tar/files/digest-tar-1.15.1-r1
new file mode 100644
index 000000000000..e268145cd501
--- /dev/null
+++ b/app-arch/tar/files/digest-tar-1.15.1-r1
@@ -0,0 +1,3 @@
+MD5 57da3c38f8e06589699548a34d5a5d07 tar-1.15.1.tar.bz2 1611489
+RMD160 8de6b53b67294a942faec7638fb2cb2b4cccdac1 tar-1.15.1.tar.bz2 1611489
+SHA256 cc9a67d0bcdd6fd9f454893537799f98a4fd96e49e693e5b75b0604b9e3d2267 tar-1.15.1.tar.bz2 1611489
diff --git a/app-arch/tar/files/tar-CVE-2006-0300.patch b/app-arch/tar/files/tar-CVE-2006-0300.patch
new file mode 100644
index 000000000000..679f81898540
--- /dev/null
+++ b/app-arch/tar/files/tar-CVE-2006-0300.patch
@@ -0,0 +1,121 @@
+--- src/xheader.c.orig	2004-09-06 06:31:14.000000000 -0500
++++ src/xheader.c	2006-02-08 16:59:46.000000000 -0500
+@@ -783,6 +783,32 @@ code_num (uintmax_t value, char const *k
+   xheader_print (xhdr, keyword, sbuf);
+ }
+ 
++static bool
++decode_num (uintmax_t *num, char const *arg, uintmax_t maxval,
++        char const *keyword)
++{
++  uintmax_t u;
++  char *arg_lim;
++
++  if (! (ISDIGIT (*arg)
++     && (errno = 0, u = strtoumax (arg, &arg_lim, 10), !*arg_lim)))
++    {
++      ERROR ((0, 0, _("Malformed extended header: invalid %s=%s"),
++          keyword, arg));
++      return false;
++    }
++
++  if (! (u <= maxval && errno != ERANGE))
++    {
++      ERROR ((0, 0, _("Extended header %s=%s is out of range"),
++        keyword, arg));
++      return false;
++    }
++
++  *num = u;
++  return true;
++}
++
+ static void
+ dummy_coder (struct tar_stat_info const *st __attribute__ ((unused)),
+ 	     char const *keyword __attribute__ ((unused)),
+@@ -821,7 +847,7 @@ static void
+ gid_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, TYPE_MAXIMUM (gid_t), "gid"))
+     st->stat.st_gid = u;
+ }
+ 
+@@ -903,7 +929,7 @@ static void
+ size_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "size"))
+     st->archive_file_size = st->stat.st_size = u;
+ }
+ 
+@@ -918,7 +944,7 @@ static void
+ uid_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, TYPE_MAXIMUM (uid_t), "uid"))
+     st->stat.st_uid = u;
+ }
+ 
+@@ -946,7 +972,7 @@ static void
+ sparse_size_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "GNU.sparse.size"))
+     st->stat.st_size = u;
+ }
+ 
+@@ -962,10 +988,10 @@ static void
+ sparse_numblocks_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, SIZE_MAX, "GNU.sparse.numblocks"))
+     {
+       st->sparse_map_size = u;
+-      st->sparse_map = calloc(st->sparse_map_size, sizeof(st->sparse_map[0]));
++      st->sparse_map = xcalloc (u, sizeof st->sparse_map[0]);
+       st->sparse_map_avail = 0;
+     }
+ }
+@@ -982,8 +1008,14 @@ static void
+ sparse_offset_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, TYPE_MAXIMUM (off_t), "GNU.sparse.offset"))
++    {
++      if (st->sparse_map_avail < st->sparse_map_size)
+     st->sparse_map[st->sparse_map_avail].offset = u;
++      else
++    ERROR ((0, 0, _("Malformed extended header: excess %s=%s"),
++        "GNU.sparse.offset", arg));
++    }
+ }
+ 
+ static void
+@@ -998,15 +1030,13 @@ static void
+ sparse_numbytes_decoder (struct tar_stat_info *st, char const *arg)
+ {
+   uintmax_t u;
+-  if (xstrtoumax (arg, NULL, 10, &u, "") == LONGINT_OK)
++  if (decode_num (&u, arg, SIZE_MAX, "GNU.sparse.numbytes"))
+     {
+       if (st->sparse_map_avail == st->sparse_map_size)
+-	{
+-	  st->sparse_map_size *= 2;
+-	  st->sparse_map = xrealloc (st->sparse_map,
+-				     st->sparse_map_size
+-				     * sizeof st->sparse_map[0]);
+-	}
++        st->sparse_map = x2nrealloc (st->sparse_map,
++                                    &st->sparse_map_size,
++                                    sizeof st->sparse_map[0]);
++
+       st->sparse_map[st->sparse_map_avail++].numbytes = u;
+     }
+ }
diff --git a/app-arch/tar/tar-1.15.1-r1.ebuild b/app-arch/tar/tar-1.15.1-r1.ebuild
new file mode 100644
index 000000000000..66eaadf6f026
--- /dev/null
+++ b/app-arch/tar/tar-1.15.1-r1.ebuild
@@ -0,0 +1,77 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.15.1-r1.ebuild,v 1.1 2006/03/07 19:51:33 solar Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+	http://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+	mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="nls static build bzip2"
+
+RDEPEND="app-arch/gzip
+	bzip2? ( app-arch/bzip2 )"
+DEPEND="${RDEPEND}
+	nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}"
+	epatch "${FILESDIR}"/${PV}-flex-arg.patch
+	epatch "${FILESDIR}"/${P}-gcc4-test.patch #88214
+	epatch "${FILESDIR}"/${P}-dont-abort-long-names.patch #87540
+	epatch "${FILESDIR}"/${P}-less-verbose-newer.patch #86467
+	epatch "${FILESDIR}"/${P}-lseek.patch
+	epatch "${FILESDIR}"/${PN}-CVE-2006-0300.patch
+
+	cp "${FILESDIR}"/append.at tests/
+
+	if ! use userland_GNU ; then
+		sed -i \
+			-e 's:/backup\.sh:/gbackup.sh:' \
+			scripts/{backup,dump-remind,restore}.in \
+			|| die "sed non-GNU"
+	fi
+}
+
+src_compile() {
+	local myconf
+	use static && append-ldflags -static
+	use userland_GNU || myconf="--program-prefix=g"
+	# Work around bug in sandbox #67051
+	gl_cv_func_chown_follows_symlink=yes \
+	econf \
+		--enable-backup-scripts \
+		--bindir=/bin \
+		--libexecdir=/usr/sbin \
+		$(use_enable nls) \
+		${myconf} || die
+	emake || die "emake failed"
+}
+
+src_install() {
+	make DESTDIR="${D}" install || die "make install failed"
+	# a nasty yet required symlink
+	local p=""
+	use userland_GNU || p=g
+	dodir /etc
+	dosym /usr/sbin/${p}rmt /etc/${p}rmt
+	if use build ; then
+		rm -r "${D}"/usr
+	else
+		dodir /usr/bin
+		dosym /bin/${p}tar /usr/bin/${p}tar
+		dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+		newman "${FILESDIR}"/tar.1 ${p}tar.1
+		mv "${D}"/usr/sbin/${p}backup{,-tar}
+		mv "${D}"/usr/sbin/${p}restore{,-tar}
+	fi
+
+	rm -f ${D}/usr/$(get_libdir)/charset.alias
+}
author	Ned Ludd <solar@gentoo.org>	2006-03-07 19:51:33 +0000
committer	Ned Ludd <solar@gentoo.org>	2006-03-07 19:51:33 +0000
commit	4b47cf28129ad1445c42a523f6aff80561fa22eb (patch)
tree	547ed42aa763072fb4f7e07d70029c0acae69c22 /app-arch
parent	Forgot to fix the Makefile for PPC (for the --without-java fix) (diff)
download	historical-4b47cf28129ad1445c42a523f6aff80561fa22eb.tar.gz historical-4b47cf28129ad1445c42a523f6aff80561fa22eb.tar.bz2 historical-4b47cf28129ad1445c42a523f6aff80561fa22eb.zip