[gentoo-commits] repo/gentoo:master commit in: app-arch/tar/files/, app-arch/tar/

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-arch/tar/files/, app-arch/tar/
Date: Tue, 20 Dec 2016 22:21:35 +0000 (UTC)	[thread overview]
Message-ID: <1482272468.fa002a1c28b0803731d5403108633a11e28126a8.vapier@gentoo> (raw)

commit:     fa002a1c28b0803731d5403108633a11e28126a8
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 20 22:20:09 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Tue Dec 20 22:21:08 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa002a1c

app-arch/tar: move to upstream patch for extract bypass #598334

The patch that we were using was from the security authors, not from
the upstream GNU tar project.  Turns out their patch breaks creation
of archives that use .. names too.  See https://crbug.com/674472#5.

 ...tar-1.29-extract-pathname-bypass-upstream.patch | 60 ++++++++++++++++
 app-arch/tar/tar-1.29-r2.ebuild                    | 80 ++++++++++++++++++++++
 2 files changed, 140 insertions(+)

diff --git a/app-arch/tar/files/tar-1.29-extract-pathname-bypass-upstream.patch b/app-arch/tar/files/tar-1.29-extract-pathname-bypass-upstream.patch
new file mode 100644
index 00000000..2030ca6
--- /dev/null
+++ b/app-arch/tar/files/tar-1.29-extract-pathname-bypass-upstream.patch
@@ -0,0 +1,60 @@
+https://bugs.gentoo.org/598334
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS          | 8 +++++++-
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,16 @@
+ GNU tar NEWS - User visible changes. 2016-05-16
+ Please send GNU tar bug reports to <bug-tar@gnu.org>
+ 
++
++\f
++version 1.29-r2+ Gentoo
++
++* Member names containing '..' components are now skipped when extracting.
++
++This fixes tar's behavior to match its documentation, and is a bit
++safer when extracting untrusted archives over old files (an unsafe
++practice that the tar manual has long recommended against).
++
+ \f
+ version 1.29 - Sergey Poznyakoff, 2016-05-16
+ 
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
+-- 
+2.11.0.rc2
+

diff --git a/app-arch/tar/tar-1.29-r2.ebuild b/app-arch/tar/tar-1.29-r2.ebuild
new file mode 100644
index 00000000..dc2ade4
--- /dev/null
+++ b/app-arch/tar/tar-1.29-r2.ebuild
@@ -0,0 +1,80 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="https://www.gnu.org/software/tar/"
+SRC_URI="mirror://gnu/tar/${P}.tar.bz2
+	mirror://gnu-alpha/tar/${P}.tar.bz2"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="acl elibc_glibc minimal nls selinux static userland_GNU xattr"
+
+RDEPEND="acl? ( virtual/acl )
+	selinux? ( sys-libs/libselinux )"
+DEPEND="${RDEPEND}
+	nls? ( >=sys-devel/gettext-0.10.35 )
+	xattr? ( elibc_glibc? ( sys-apps/attr ) )"
+
+PATCHES=(
+	"${FILESDIR}/${P}-extract-pathname-bypass-upstream.patch" #598334
+)
+
+src_prepare() {
+	epatch "${PATCHES[@]}"
+	epatch_user
+
+	if ! use userland_GNU ; then
+		sed -i \
+			-e 's:/backup\.sh:/gbackup.sh:' \
+			scripts/{backup,dump-remind,restore}.in \
+			|| die "sed non-GNU"
+	fi
+}
+
+src_configure() {
+	use static && append-ldflags -static
+	FORCE_UNSAFE_CONFIGURE=1 \
+	econf \
+		--enable-backup-scripts \
+		--bindir="${EPREFIX}"/bin \
+		--libexecdir="${EPREFIX}"/usr/sbin \
+		$(usex userland_GNU "" "--program-prefix=g") \
+		$(use_with acl posix-acls) \
+		$(use_enable nls) \
+		$(use_with selinux) \
+		$(use_with xattr xattrs)
+}
+
+src_install() {
+	default
+
+	local p=$(usex userland_GNU "" "g")
+	if [[ -z ${p} ]] ; then
+		# a nasty yet required piece of baggage
+		exeinto /etc
+		doexe "${FILESDIR}"/rmt
+	fi
+
+	# autoconf looks for gtar before tar (in configure scripts), hence
+	# in Prefix it is important that it is there, otherwise, a gtar from
+	# the host system (FreeBSD, Solaris, Darwin) will be found instead
+	# of the Prefix provided (GNU) tar
+	if use prefix ; then
+		dosym tar /bin/gtar
+	fi
+
+	mv "${ED}"/usr/sbin/${p}backup{,-tar} || die
+	mv "${ED}"/usr/sbin/${p}restore{,-tar} || die
+
+	if use minimal ; then
+		find "${ED}"/etc "${ED}"/*bin/ "${ED}"/usr/*bin/ \
+			-type f -a '!' '(' -name tar -o -name ${p}tar ')' \
+			-delete || die
+	fi
+}

next             reply	other threads:[~2016-12-20 22:21 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-20 22:21 Mike Frysinger [this message]
  -- strict thread matches above, loose matches on Subject: below --
2023-03-25  3:32 [gentoo-commits] repo/gentoo:master commit in: app-arch/tar/files/, app-arch/tar/ Sam James
2020-12-23 10:11 Fabian Groffen
2019-04-08  6:57 Mikle Kolyada
2019-03-10 16:16 Mikle Kolyada
2018-07-16  6:45 Lars Wendler
2017-12-18 18:34 Thomas Deutschmann
2016-10-28 17:56 Patrick McLean
2016-05-16 21:08 Lars Wendler

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2030ca6 dfblob:dc2ade4 )
 OR (
bs:"[gentoo-commits] repo/gentoo:master commit in: app-arch/tar/files/, app-arch/tar/" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1482272468.fa002a1c28b0803731d5403108633a11e28126a8.vapier@gentoo \
    --to=vapier@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox