author | Mike Frysinger <vapier@gentoo.org> | 2005-06-17 04:34:35 +0000 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2005-06-17 04:34:35 +0000 |
commit | 34c0ec2cc458ea65041e0c7738765e4aef53278f (patch) | |
tree | 56346ef3c1d2f64ee2a6d93beea23da97e8c7253 /app-arch/cpio | |
parent | fixed evolution-2 compability for #91899 (diff) | |
Add patch from Fedora to address directory traversal issues #90619.
Package-Manager: portage-2.0.51.22-r1
Diffstat (limited to 'app-arch/cpio')
-rw-r--r-- | app-arch/cpio/ChangeLog | 8 | ||||
-rw-r--r-- | app-arch/cpio/Manifest | 5 | ||||
-rw-r--r-- | app-arch/cpio/cpio-2.6-r4.ebuild | 48 | ||||
-rw-r--r-- | app-arch/cpio/files/cpio-2.6-dirTraversal.patch | 199 | ||||
-rw-r--r-- | app-arch/cpio/files/digest-cpio-2.6-r4 | 1 |
5 files changed, 259 insertions, 2 deletions
diff --git a/app-arch/cpio/ChangeLog b/app-arch/cpio/ChangeLog index f76c22442fcb..ebedb6094eca 100644 --- a/app-arch/cpio/ChangeLog +++ b/app-arch/cpio/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for app-arch/cpio # Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-arch/cpio/ChangeLog,v 1.28 2005/05/04 08:23:02 kloeri Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-arch/cpio/ChangeLog,v 1.29 2005/06/17 04:34:35 vapier Exp $ + +*cpio-2.6-r4 (17 Jun 2005) + + 17 Jun 2005; Mike Frysinger <vapier@gentoo.org> + +files/cpio-2.6-dirTraversal.patch, +cpio-2.6-r4.ebuild: + Add patch from Fedora to address directory traversal issues #90619. 04 May 2005; Bryan Ăstergaard <kloeri@gentoo.org> cpio-2.6-r3.ebuild: Stable on alpha + ia64, bug 90619. diff --git a/app-arch/cpio/Manifest b/app-arch/cpio/Manifest index 5029d1b0fb35..15e364ec0e2b 100644 --- a/app-arch/cpio/Manifest +++ b/app-arch/cpio/Manifest @@ -1,7 +1,8 @@ -MD5 6cfb646c7b7a38452cbc6ba9884f1d84 ChangeLog 5518 +MD5 8a8899218a3d4aaa3c2c82774c65cdd8 ChangeLog 5726 MD5 e55fdc50aad5d87ac28cc3317fc750d8 cpio-2.6-r3.ebuild 1367 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164 MD5 f70830cbd6b8132c9595fd7f13d0cc66 cpio-2.6-r2.ebuild 1117 +MD5 16fc5ba7b8856a351560a6006c8adfc0 cpio-2.6-r4.ebuild 1432 MD5 e5b0619beac9b1fe4490c3424e903f1f files/2.6-umask.patch 1382 MD5 898f15e2e1a554916e69e9397f130e81 files/digest-cpio-2.6-r3 61 MD5 ae93625090241de60fb662d4dd0153dc files/2.6-lstat.patch 843 @@ -10,3 +11,5 @@ MD5 898f15e2e1a554916e69e9397f130e81 files/digest-cpio-2.6-r2 61 MD5 7894f923500cbeeb0b36117e08049b5d files/2.6-rili-big-files.patch 2709 MD5 c1efb6f13ac85b99cf4f468083101b53 files/cpio-2.6-gcc4-tests.patch 542 MD5 08647cfda931b161030477956f57b03b files/cpio-2.6-chmodRaceC.patch 4153 +MD5 898f15e2e1a554916e69e9397f130e81 files/digest-cpio-2.6-r4 61 +MD5 ad27a9309017220fb814c7877fd52cb1 files/cpio-2.6-dirTraversal.patch 6673 
diff --git a/app-arch/cpio/cpio-2.6-r4.ebuild b/app-arch/cpio/cpio-2.6-r4.ebuild new file mode 100644 index 000000000000..c7efdddd98b6 --- /dev/null +++ b/app-arch/cpio/cpio-2.6-r4.ebuild @@ -0,0 +1,48 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-arch/cpio/cpio-2.6-r4.ebuild,v 1.1 2005/06/17 04:34:35 vapier Exp $ + +inherit eutils + +DESCRIPTION="A file archival tool which can also read and write tar files" +HOMEPAGE="http://www.gnu.org/software/cpio/cpio.html" +SRC_URI="mirror://gnu/cpio/${P}.tar.bz2" + +LICENSE="GPL-2 LGPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~ppc-macos ~s390 ~sh ~sparc ~x86" +IUSE="nls" + +DEPEND="" + +src_unpack() { + unpack ${A} + cd "${S}" + epatch "${FILESDIR}"/${PV}-rili-big-files.patch #68520 + epatch "${FILESDIR}"/${PV}-isnumber.patch #74929 + epatch "${FILESDIR}"/${PV}-umask.patch #79844 + epatch "${FILESDIR}"/${PV}-lstat.patch #80246 + epatch "${FILESDIR}"/${P}-chmodRaceC.patch #90619 + epatch "${FILESDIR}"/${P}-gcc4-tests.patch #89123 + epatch "${FILESDIR}"/${P}-dirTraversal.patch #90619 +} + +src_compile() { + # The configure script has a useless check for gethostname in + # libnsl ... but cpio doesn't utilize the lib/func anywhere, + # so let's force the lib to not be detected + ac_cv_lib_nsl_gethostname=no \ + econf \ + $(use_enable nls) \ + --bindir=/bin \ + --with-rmt=/usr/sbin/rmt \ + || die + emake || die +} + +src_install() { + make install DESTDIR="${D}" || die + dodoc ChangeLog NEWS README INSTALL + rm -f "${D}"/usr/share/man/man1/mt.1 + rmdir "${D}"/usr/libexec +} diff --git a/app-arch/cpio/files/cpio-2.6-dirTraversal.patch b/app-arch/cpio/files/cpio-2.6-dirTraversal.patch new file mode 100644 index 000000000000..c1b75d71bfb5 --- /dev/null +++ b/app-arch/cpio/files/cpio-2.6-dirTraversal.patch 
@@ -0,0 +1,199 @@ +* Tue May 17 2005 Peter Vrabec <pvrabec@redhat.com> 2.6-7 +- fix #156314 (CAN-2005-1229) cpio directory traversal issue + +http://bugs.gentoo.org/show_bug.cgi?id=90619 +http://www.securityfocus.com/archive/1/396429/2005-04-18/2005-04-24/0 + +--- cpio-2.6/doc/cpio.1 ++++ cpio-2.6/doc/cpio.1 +@@ -20,7 +20,7 @@ + [\-\-unconditional] [\-\-verbose] [\-\-block-size=blocks] [\-\-swap-halfwords] + [\-\-io-size=bytes] [\-\-pattern-file=file] [\-\-format=format] + [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message] +-[\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse] ++[\-\-force\-local] [\-\-absolute\-filenames] [\-\-sparse] + [\-\-only\-verify\-crc] [\-\-quiet] [\-\-rsh-command=command] [\-\-help] + [\-\-version] [pattern...] [< archive] + +--- cpio-2.6/doc/cpio.info ++++ cpio-2.6/doc/cpio.info +@@ -203,7 +203,7 @@ + [--swap-halfwords] [--io-size=bytes] [--pattern-file=file] + [--format=format] [--owner=[user][:.][group]] + [--no-preserve-owner] [--message=message] [--help] [--version] +- [-no-absolute-filenames] [--sparse] [-only-verify-crc] [-quiet] ++ [--absolute-filenames] [--sparse] [-only-verify-crc] [-quiet] + [--rsh-command=command] [pattern...] [< archive] + + +@@ -359,9 +359,9 @@ + Show numeric UID and GID instead of translating them into names + when using the `--verbose option'. + +-`--no-absolute-filenames' +- Create all files relative to the current directory in copy-in +- mode, even if they have an absolute file name in the archive. ++`--absolute-filenames' ++ Do not strip leading file name components that contain ".." 
++ and leading slashes from file names in copy-in mode + + `--no-preserve-owner' + Do not change the ownership of the files; leave them owned by the +--- cpio-2.6/src/main.c ++++ cpio-2.6/src/main.c +@@ -41,6 +41,7 @@ + + enum cpio_options { + NO_ABSOLUTE_FILENAMES_OPTION=256, ++ ABSOLUTE_FILENAMES_OPTION, + NO_PRESERVE_OWNER_OPTION, + ONLY_VERIFY_CRC_OPTION, + RENAME_BATCH_FILE_OPTION, +@@ -134,6 +135,8 @@ + N_("In copy-in mode, read additional patterns specifying filenames to extract or list from FILE"), 210}, + {"no-absolute-filenames", NO_ABSOLUTE_FILENAMES_OPTION, 0, 0, + N_("Create all files relative to the current directory"), 210}, ++ {"absolute-filenames", ABSOLUTE_FILENAMES_OPTION, 0, 0, ++ N_("do not strip leading file name components that contain \"..\" and leading slashes from file names"), 210}, + {"only-verify-crc", ONLY_VERIFY_CRC_OPTION, 0, 0, + N_("When reading a CRC format archive in copy-in mode, only verify the CRC's of each file in the archive, don't actually extract the files"), 210}, + {"rename", 'r', 0, 0, +@@ -393,7 +396,11 @@ + break; + + case NO_ABSOLUTE_FILENAMES_OPTION: /* --no-absolute-filenames */ +- no_abs_paths_flag = true; ++ abs_paths_flag = false; ++ break; ++ ++ case ABSOLUTE_FILENAMES_OPTION: /* --absolute-filenames */ ++ abs_paths_flag = true; + break; + + case NO_PRESERVE_OWNER_OPTION: /* --no-preserve-owner */ +@@ -632,7 +639,7 @@ + _("--append is used but no archive file name is given (use -F or -O options"))); + + CHECK_USAGE(rename_batch_file, "--rename-batch-file", "--create"); +- CHECK_USAGE(no_abs_paths_flag, "--no-absolute-pathnames", "--create"); ++ CHECK_USAGE(abs_paths_flag, "--absolute-pathnames", "--create"); + CHECK_USAGE(input_archive_name, "-I", "--create"); + if (archive_name && output_archive_name) + USAGE_ERROR ((0, 0, _("Both -O and -F are used in copy-out mode"))); +@@ -659,7 +666,7 @@ + CHECK_USAGE(rename_flag, "--rename", "--pass-through"); + CHECK_USAGE(append_flag, "--append", "--pass-through"); + 
CHECK_USAGE(rename_batch_file, "--rename-batch-file", "--pass-through"); +- CHECK_USAGE(no_abs_paths_flag, "--no-absolute-pathnames", ++ CHECK_USAGE(abs_paths_flag, "--absolute-pathnames", + "--pass-through"); + CHECK_USAGE(to_stdout_option, "--to-stdout", "--pass-through"); + +--- cpio-2.6/src/copyin.c ++++ cpio-2.6/src/copyin.c +@@ -25,6 +25,7 @@ + #include "dstring.h" + #include "extern.h" + #include "defer.h" ++#include "dirname.h" + #include <rmt.h> + #ifndef FNM_PATHNAME + #include <fnmatch.h> +@@ -1349,6 +1350,53 @@ + } + } + ++/* Return a safer suffix of FILE_NAME, or "." if it has no safer ++ suffix. Check for fully specified file names and other atrocities. */ ++ ++static const char * ++safer_name_suffix (char const *file_name) ++{ ++ char const *p; ++ ++ /* Skip file system prefixes, leading file name components that contain ++ "..", and leading slashes. */ ++ ++ size_t prefix_len = FILE_SYSTEM_PREFIX_LEN (file_name); ++ ++ for (p = file_name + prefix_len; *p;) ++ { ++ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2])) ++ prefix_len = p + 2 - file_name; ++ ++ do ++ { ++ char c = *p++; ++ if (ISSLASH (c)) ++ break; ++ } ++ while (*p); ++ } ++ ++ for (p = file_name + prefix_len; ISSLASH (*p); p++) ++ continue; ++ prefix_len = p - file_name; ++ ++ if (prefix_len) ++ { ++ char *prefix = alloca (prefix_len + 1); ++ memcpy (prefix, file_name, prefix_len); ++ prefix[prefix_len] = '\0'; ++ ++ ++ error (0, 0, _("Removing leading `%s' from member names"), prefix); ++ } ++ ++ if (!*p) ++ p = "."; ++ ++ return p; ++} ++ + /* Read the collection from standard input and create files + in the file system. */ + +@@ -1459,18 +1507,11 @@ + + /* Do we have to ignore absolute paths, and if so, does the filename + have an absolute path? 
*/ +- if (no_abs_paths_flag && file_hdr.c_name && file_hdr.c_name [0] == '/') ++ if (!abs_paths_flag && file_hdr.c_name && file_hdr.c_name [0]) + { +- char *p; ++ const char *p = safer_name_suffix (file_hdr.c_name); + +- p = file_hdr.c_name; +- while (*p == '/') +- ++p; +- if (*p == '\0') +- { +- strcpy (file_hdr.c_name, "."); +- } +- else ++ if (p != file_hdr.c_name) + { + /* Debian hack: file_hrd.c_name is sometimes set to + point to static memory by code in tar.c. This +--- cpio-2.6/src/extern.h ++++ cpio-2.6/src/extern.h +@@ -46,7 +46,7 @@ + extern int sparse_flag; + extern int quiet_flag; + extern int only_verify_crc_flag; +-extern int no_abs_paths_flag; ++extern int abs_paths_flag; + extern unsigned int warn_option; + + /* Values for warn_option */ +--- cpio-2.6/src/global.c ++++ cpio-2.6/src/global.c +@@ -100,7 +100,7 @@ + int only_verify_crc_flag = false; + + /* If true, don't use any absolute paths, prefix them by `./'. */ +-int no_abs_paths_flag = false; ++int abs_paths_flag = false; + + #ifdef DEBUG_CPIO + /* If true, print debugging information. */ diff --git a/app-arch/cpio/files/digest-cpio-2.6-r4 b/app-arch/cpio/files/digest-cpio-2.6-r4 new file mode 100644 index 000000000000..822d7f4e46f3 --- /dev/null +++ b/app-arch/cpio/files/digest-cpio-2.6-r4 @@ -0,0 +1 @@ +MD5 25e0e8725bc60ed3460c9cde92752674 cpio-2.6.tar.bz2 448452 |
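Review bot: In the new `safer_name_suffix` (src/copyin.c part of the added patch), `alloca (prefix_len + 1)` sizes a stack buffer from `file_hdr.c_name`, which comes straight from the archive, so the amount placed on the stack is archive-controlled and has neither a bound nor a failure path. The copy only feeds the warning, so it can be dropped by printing the prefix with a `%.*s` conversion and passing `(int) prefix_len, file_name` (with `prefix_len` clamped to `INT_MAX`), or by using a heap buffer that is checked and freed. The stripping is purely lexical, so it presumably does not cover a member written through a symlink extracted earlier from the same archive; that limit is worth stating next to the `--absolute-filenames` text in doc/cpio.info. Two documentation leftovers from the flag inversion: the comment above `int abs_paths_flag = false;` in src/global.c still reads "If true, don't use any absolute paths", which is now the opposite of the flag's meaning, and the `CHECK_USAGE` strings in src/main.c say `--absolute-pathnames` while the option is spelled `--absolute-filenames`.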