public inbox for gentoo-commits@lists.gentoo.org
From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-arch/cpio/files/, app-arch/cpio/
Date: Tue, 18 Oct 2022 19:12:32 +0000 (UTC)
Message-ID: <1666120320.a52ec56f85b11ee1faceddac7874666ad6d2b164.sam@gentoo>

commit:     a52ec56f85b11ee1faceddac7874666ad6d2b164
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 18 19:11:52 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 18 19:12:00 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f

app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames

At least we can have the fix for CVE-2021-38185.

Bug: https://bugs.gentoo.org/699456
Bug: https://bugs.gentoo.org/807088
Closes: https://bugs.gentoo.org/700020
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild}   |  1 +
 ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/app-arch/cpio/cpio-2.13-r1.ebuild b/app-arch/cpio/cpio-2.13-r2.ebuild
similarity index 92%
rename from app-arch/cpio/cpio-2.13-r1.ebuild
rename to app-arch/cpio/cpio-2.13-r2.ebuild
index 6005349fe120..c3924649236b 100644
--- a/app-arch/cpio/cpio-2.13-r1.ebuild
+++ b/app-arch/cpio/cpio-2.13-r2.ebuild
@@ -19,6 +19,7 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-2.12-non-gnu-compilers.patch #275295
 	"${WORKDIR}"/${P}-CVE-2021-38185.patch
 	"${FILESDIR}"/${PN}-2.13-sysmacros-glibc-2.26.patch
+	"${FILESDIR}"/${PN}-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
 )
 
 src_prepare() {
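
Review bot: The new PATCHES entry carries no bug reference, unlike the `#275295` annotation on the first entry in the same array. Since this patch deliberately backs out security handling, append `#700020` to the line and add a short comment that it reverts the CVE-2015-1197 symlink handling while the CVE-2021-38185 patch stays applied, so the trade-off is visible in the ebuild itself and not only in the patch file name.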

diff --git a/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
new file mode 100644
index 000000000000..326489a54943
--- /dev/null
+++ b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
@@ -0,0 +1,47 @@
+https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/
+https://bugs.gentoo.org/700020
+
+From: Chris Lamb <lamby@debian.org>
+Date: Sat, 1 Feb 2020 13:36:37 +0100
+Subject: Fix a regression in handling of CVE-2015-1197 &
+ --no-absolute-filenames.
+
+See:
+
+  * https://bugs.debian.org/946267
+  * https://bugs.debian.org/946469
+
+This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+       link_name = xstrdup (file_hdr->c_tar_linkname);
+     }
+ 
+-  cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-  
+   res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ 			 file_hdr->c_mode);
+   if (res < 0 && create_dir_flag)
+--- a/tests/testsuite
++++ b/tests/testsuite
+@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file"
+ #AT_START_14
+ at_fn_group_banner 14 'CVE-2015-1197.at:17' \
+   "CVE-2015-1197 (--no-absolute-filenames for symlinks)" ""
+-at_xfail=no
++at_xfail=yes
+ (
+   $as_echo "14. $at_setup_line: testing $at_desc ..."
+   $at_traceon
+
+--- a/tests/CVE-2015-1197.at
++++ b/tests/CVE-2015-1197.at
+@@ -15,6 +15,7 @@
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ 
+ AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
++AT_XFAIL_IF([true])
+ AT_CHECK([
+ tempdir=$(pwd)/tmp
+ mkdir $tempdir
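
Review bot: In the copyin.c part of this patch file, removing the `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` call from copyin_link() means link_name reaches UMASKED_SYMLINK unmodified, and the patch header never states that consequence. The header describes the change as "Fix a regression" and "reverts (most of)", while tests/testsuite (`at_xfail=yes`) and tests/CVE-2015-1197.at (`AT_XFAIL_IF([true])`) now mark the "CVE-2015-1197 (--no-absolute-filenames for symlinks)" test as an expected failure. Please add a line to the header saying that the symlink case of CVE-2015-1197 is knowingly left unhandled after this revert and which part of the upstream change is retained, so that a later version bump does not silently carry the xfail forward.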

