author | 2015-07-21 05:36:23 +0000 | |
---|---|---|
committer | 2015-07-21 05:36:23 +0000 | |
commit | bfd108c535e7a523464ba2aada3d06e7e26ed174 (patch) | |
tree | bc78da11f6088395d3d7ae22db0a2d25b4d300a7 /dev-libs | |
parent | set proxy maintainer under the proxy-maintainers herd (diff) | |
download | gentoo-2-bfd108c535e7a523464ba2aada3d06e7e26ed174.tar.gz gentoo-2-bfd108c535e7a523464ba2aada3d06e7e26ed174.tar.bz2 gentoo-2-bfd108c535e7a523464ba2aada3d06e7e26ed174.zip |
revbump; sec. patch from Bug 487686, sourced, prepared and runtested by proxy maintainer
(Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Diffstat (limited to 'dev-libs')
-rw-r--r-- | dev-libs/libtar/ChangeLog | 9 | ||||
-rw-r--r-- | dev-libs/libtar/files/CVE-2013-4420.patch | 94 | ||||
-rw-r--r-- | dev-libs/libtar/libtar-1.2.20-r3.ebuild | 56 |
3 files changed, 158 insertions, 1 deletions
diff --git a/dev-libs/libtar/ChangeLog b/dev-libs/libtar/ChangeLog
index 54b3b26dc7b7..241efd4e0ef6 100644
--- a/dev-libs/libtar/ChangeLog
+++ b/dev-libs/libtar/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for dev-libs/libtar
 # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/libtar/ChangeLog,v 1.39 2015/07/21 05:13:18 idella4 Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/libtar/ChangeLog,v 1.40 2015/07/21 05:36:23 idella4 Exp $
+
+*libtar-1.2.20-r3 (21 Jul 2015)
+
+ 21 Jul 2015; Ian Delaney <idella4@gentoo.org> +files/CVE-2013-4420.patch,
+ +libtar-1.2.20-r3.ebuild:
+ revbump; sec. patch from Bug 487686, sourced, prepared and runtested by proxy
+ maintainer
 
 21 Jul 2015; Ian Delaney <idella4@gentoo.org> metadata.xml:
 set proxy maintainer under the proxy-maintainers herd
diff --git a/dev-libs/libtar/files/CVE-2013-4420.patch b/dev-libs/libtar/files/CVE-2013-4420.patch
new file mode 100644
index 000000000000..d6e24860c929
--- /dev/null
+++ b/dev-libs/libtar/files/CVE-2013-4420.patch
@@ -0,0 +1,94 @@
+--- a/libtar/lib/decode.c 2013-10-09 09:59:44.000000000 -0700
++++ b/libtar/lib/decode.c 2015-07-20 20:57:58.331945962 -0700
+@@ -21,24 +21,55 @@
+ # include <string.h>
+ #endif
+
++char *
++safer_name_suffix (char const *file_name)
++{
++ char const *p, *t;
++ p = t = file_name;
++ while (*p)
++ {
++ if (p[0] == '.' && p[0] == p[1] && p[2] == '/')
++ {
++ p += 3;
++ t = p;
++ }
++ /* advance pointer past the next slash */
++ while (*p && (p++)[0] != '/');
++ }
++
++ if (!*t)
++ {
++ t = ".";
++ }
++
++ if (t != file_name)
++ {
++ /* TODO: warn somehow that the path was modified */
++ }
++ return (char*)t;
++}
++
+
+ /* determine full path name */
+ char *
+ th_get_pathname(TAR *t)
+ {
+ static TLS_THREAD char filename[MAXPATHLEN];
++ char *safer_name;
+
+ if (t->th_buf.gnu_longname)
+- return t->th_buf.gnu_longname;
++ return safer_name_suffix(t->th_buf.gnu_longname);
++
++ safer_name = safer_name_suffix(t->th_buf.name);
+
+ if (t->th_buf.prefix[0] != '\0')
+ {
+ snprintf(filename, sizeof(filename), "%.155s/%.100s",
+- t->th_buf.prefix, t->th_buf.name);
++ t->th_buf.prefix, safer_name);
+ return filename;
+ }
+
+- snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
++ snprintf(filename, sizeof(filename), "%.100s", safer_name);
+ return filename;
+ }
+
+--- a/libtar/lib/extract.c 2013-10-09 09:59:44.000000000 -0700
++++ b/libtar/lib/extract.c 2015-07-20 21:00:16.560956122 -0700
+@@ -305,7 +305,7 @@
+ linktgt = &lnp[strlen(lnp) + 1];
+ }
+ else
+- linktgt = th_get_linkname(t);
++ linktgt = safer_name_suffix(th_get_linkname(t));
+
+ #ifdef DEBUG
+ printf(" ==> extracting: %s (link to %s)\n", filename, linktgt);
+@@ -343,9 +343,9 @@
+
+ #ifdef DEBUG
+ printf(" ==> extracting: %s (symlink to %s)\n",
+- filename, th_get_linkname(t));
++ filename, safer_name_suffix(th_get_linkname(t)));
+ #endif
+- if (symlink(th_get_linkname(t), filename) == -1)
++ if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
+ {
+ #ifdef DEBUG
+ perror("symlink()");
+--- a/libtar/lib/internal.h 2013-10-09 09:59:44.000000000 -0700
++++ b/libtar/lib/internal.h 2015-07-20 21:00:51.258958673 -0700
+@@ -15,6 +15,7 @@
+
+ #include <libtar.h>
+
++char* safer_name_suffix(char const*);
+ #ifdef TLS
+ #define TLS_THREAD TLS
+ #else
diff --git a/dev-libs/libtar/libtar-1.2.20-r3.ebuild b/dev-libs/libtar/libtar-1.2.20-r3.ebuild
new file mode 100644
index 000000000000..cca29185389e
--- /dev/null
+++ b/dev-libs/libtar/libtar-1.2.20-r3.ebuild
@@ -0,0 +1,56 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/libtar/libtar-1.2.20-r3.ebuild,v 1.1 2015/07/21 05:36:23 idella4 Exp $
+
+EAPI=5
+
+AUTOTOOLS_AUTORECONF=1
+inherit autotools-utils
+
+DESCRIPTION="C library for manipulating tar archives"
+HOMEPAGE="http://www.feep.net/libtar/ http://repo.or.cz/w/libtar.git/"
+SRC_URI="http://dev.gentoo.org/~pinkbyte/distfiles/snapshots/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~ppc-macos"
+IUSE="static-libs zlib"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ !zlib? ( app-arch/gzip )"
+DEPEND="${RDEPEND}"
+
+S="${WORKDIR}/${PN}"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.2.11-free.patch
+ "${FILESDIR}"/${PN}-1.2.11-impl-dec.patch
+ "${FILESDIR}"/CVE-2013-4420.patch
+)
+
+src_prepare() {
+ sed -i \
+ -e '/INSTALL_PROGRAM/s:-s::' \
+ {doc,lib{,tar}}/Makefile.in || die
+
+ autotools-utils_src_prepare
+}
+
+src_configure() {
+ local myeconfargs=(
+ --disable-encap
+ --disable-epkg-install
+ $(use_with zlib)
+ )
+
+ autotools-utils_src_configure
+}
+
+src_install() {
+ autotools-utils_src_install
+
+ dodoc ChangeLog* README TODO
+ newdoc compat/README README.compat
+ newdoc compat/TODO TODO.compat
+ newdoc listhash/TODO TODO.listhash
+} |
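Review bot: In the `lib/decode.c` part of `files/CVE-2013-4420.patch`, `th_get_pathname` filters only `t->th_buf.name`; `t->th_buf.prefix` is still formatted into `filename` unchanged, so `../` components carried in the prefix field are not removed. Handing the offset pointer `safer_name` to `"%.100s"` also shifts the bounded read: the precision presumably reflects a fixed 100-byte `name` field that need not be NUL-terminated, and both the scan in `safer_name_suffix` and the `snprintf` can then run past its end. Building `filename` with the original field bounds and returning `safer_name_suffix(filename)` covers both, as sketched below. `safer_name_suffix` itself leaves a leading `/` and a final `..` with no trailing slash in place, so the link-target call sites in `lib/extract.c` (their enclosing functions lie outside the patch context) still pass absolute targets through; a comment stating that limit, or a check for it, would help the next maintainer.

```c
char *
th_get_pathname(TAR *t)
{
	static TLS_THREAD char filename[MAXPATHLEN];

	/* … unchanged: gnu_longname branch returning safer_name_suffix(...) … */

	/* Join the fixed-width fields first so the %.155s / %.100s bounds
	 * still start at the beginning of each field. */
	if (t->th_buf.prefix[0] != '\0')
		snprintf(filename, sizeof(filename), "%.155s/%.100s",
			 t->th_buf.prefix, t->th_buf.name);
	else
		snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);

	/* Filter the NUL-terminated, combined path (prefix included). */
	return safer_name_suffix(filename);
}
```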