https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/ https://bugs.gentoo.org/700020 From: Chris Lamb Date: Sat, 1 Feb 2020 13:36:37 +0100 Subject: Fix a regression in handling of CVE-2015-1197 & --no-absolute-filenames. See: * https://bugs.debian.org/946267 * https://bugs.debian.org/946469 This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
 link_name = xstrdup (file_hdr->c_tar_linkname);
 }
 
- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
-
 res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
 
 if (res < 0 && create_dir_flag)
--- a/tests/testsuite
+++ b/tests/testsuite
@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file"
 #AT_START_14
 at_fn_group_banner 14 'CVE-2015-1197.at:17' \
 "CVE-2015-1197 (--no-absolute-filenames for symlinks)" ""
-at_xfail=no
+at_xfail=yes
 (
 $as_echo "14. $at_setup_line: testing $at_desc ..."
 $at_traceon
--- a/tests/CVE-2015-1197.at
+++ b/tests/CVE-2015-1197.at
@@ -15,6 +15,7 @@
 # along with this program. If not, see .
 
 AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
+AT_XFAIL_IF([true])
 AT_CHECK([
 tempdir=$(pwd)/tmp
 mkdir $tempdir
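Review bot: With the `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` call removed from copyin_link, the target held in `link_name` reaches `UMASKED_SYMLINK` exactly as stored in the archive, so `--no-absolute-filenames` no longer applies to symlink targets and the CVE-2015-1197 mitigation for symlinks is switched off again, yet nothing on the new side records that this is deliberate. Since the commit accepts that trade-off knowingly (the tests/CVE-2015-1197.at hunk marks the test `AT_XFAIL_IF([true])` and the generated tests/testsuite hunk mirrors it with `at_xfail=yes`), a comment should stand where the call was, e.g. `/* Link targets are intentionally NOT passed through cpio_safer_name_suffix: the sanitisation regressed --no-absolute-filenames handling (Debian #946267, #946469), so symlink targets are created verbatim. */`, and the same bug references belong in a `#` comment above `AT_XFAIL_IF([true])` so the expected failure does not look like an unexplained broken test. The cause of the regression is only inferred from the description here, so the wording of the comment should be confirmed against those bug reports. copyin_link begins before this hunk and continues after it, so whether `link_name` is released on the paths below is not visible from here.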