From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1500222-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 5C90515864F
	for <garchives@archives.gentoo.org>; Sat, 25 Mar 2023 03:33:00 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 72EE6E08C3;
	Sat, 25 Mar 2023 03:32:59 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 43853E08AD
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Mar 2023 03:32:59 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 146F234103C
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Mar 2023 03:32:58 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 837C68E5
	for <gentoo-commits@lists.gentoo.org>; Sat, 25 Mar 2023 03:32:56 +0000 (UTC)
From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" <sam@gentoo.org>
Message-ID: <1679715153.3d066acd267ec8028a79f4d085614245190f2a8a.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: app-arch/tar/files/, app-arch/tar/
X-VCS-Repository: repo/gentoo
X-VCS-Files: app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch app-arch/tar/tar-1.34-r3.ebuild
X-VCS-Directories: app-arch/tar/ app-arch/tar/files/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 3d066acd267ec8028a79f4d085614245190f2a8a
X-VCS-Branch: master
Date: Sat, 25 Mar 2023 03:32:56 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 105817e0-fb8c-4cc8-a53e-ebe6bb0739d8
X-Archives-Hash: ddbfeda3a8d9df40bfc207480f7650e8

commit:     3d066acd267ec8028a79f4d085614245190f2a8a
Author:     Nobel Barakat <nobelbarakat <AT> google <DOT> com>
AuthorDate: Fri Feb 24 22:48:47 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 25 03:32:33 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d066acd

app-arch/tar: Adding a patch to fix CVE-2022-48303

This patch is cherry-picked from the upstream gnu/tar repository
which fixes a heap buffer overflow issue in the utility. This fix is
needed to resolve CVE-2022-48303.

Bug: https://bugs.gentoo.org/898176
Signed-off-by: Nobel Barakat <nobelbarakat <AT> google.com>
Closes: https://github.com/gentoo/gentoo/pull/29776
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../tar/files/tar-1.34-fix-cve-2022-48303.patch    | 32 ++++++++
 app-arch/tar/tar-1.34-r3.ebuild                    | 94 ++++++++++++++++++++++
 2 files changed, 126 insertions(+)

diff --git a/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch b/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch
new file mode 100644
index 000000000000..7ef604b52378
--- /dev/null
+++ b/app-arch/tar/files/tar-1.34-fix-cve-2022-48303.patch
@@ -0,0 +1,32 @@
+Gentoo Bug: https://bugs.gentoo.org/898176
+Upstream Commit Link: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+
+From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: [PATCH] Fix boundary checking in base-256 decoder
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..86bcfdd1 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
+ 	  where++;
+ 	}
+     }
+-  else if (*where == '\200' /* positive base-256 */
+-	   || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++	   && (*where == '\200' /* positive base-256 */
++	       || *where == '\377' /* negative base-256 */))
+     {
+       /* Parse base-256 output.  A nonnegative number N is
+ 	 represented as (256**DIGS)/2 + N; a negative number -N is
+--
+2.39.2.637.g21b0678d19-goog

diff --git a/app-arch/tar/tar-1.34-r3.ebuild b/app-arch/tar/tar-1.34-r3.ebuild
new file mode 100644
index 000000000000..abf8af8f3d94
--- /dev/null
+++ b/app-arch/tar/tar-1.34-r3.ebuild
@@ -0,0 +1,94 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/tar.asc
+inherit verify-sig
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="https://www.gnu.org/software/tar/"
+SRC_URI="mirror://gnu/tar/${P}.tar.xz
+	https://alpha.gnu.org/gnu/tar/${P}.tar.xz"
+SRC_URI+=" verify-sig? (
+		mirror://gnu/tar/${P}.tar.xz.sig
+		https://alpha.gnu.org/gnu/tar/${P}.tar.xz.sig
+	)"
+
+LICENSE="GPL-3+"
+SLOT="0"
+if [[ -z "$(ver_cut 3)" ]] || [[ "$(ver_cut 3)" -lt 90 ]] ; then
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+fi
+IUSE="acl minimal nls selinux xattr"
+
+RDEPEND="
+	acl? ( virtual/acl )
+	selinux? ( sys-libs/libselinux )
+"
+DEPEND="${RDEPEND}
+	xattr? ( elibc_glibc? ( sys-apps/attr ) )
+"
+BDEPEND="
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-tar )
+"
+PDEPEND="
+	app-alternatives/tar
+"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-fix-cve-2022-48303.patch
+)
+
+src_configure() {
+	local myeconfargs=(
+		--bindir="${EPREFIX}"/bin
+		--enable-backup-scripts
+		--libexecdir="${EPREFIX}"/usr/sbin
+		$(use_with acl posix-acls)
+		$(use_enable nls)
+		$(use_with selinux)
+		$(use_with xattr xattrs)
+
+		# autoconf looks for gtar before tar (in configure scripts), hence
+		# in Prefix it is important that it is there, otherwise, a gtar from
+		# the host system (FreeBSD, Solaris, Darwin) will be found instead
+		# of the Prefix provided (GNU) tar
+		--program-prefix=g
+	)
+
+	FORCE_UNSAFE_CONFIGURE=1 econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	# a nasty yet required piece of baggage
+	exeinto /etc
+	doexe "${FILESDIR}"/rmt
+
+	mv "${ED}"/usr/sbin/{gbackup,backup-tar} || die
+	mv "${ED}"/usr/sbin/{grestore,restore-tar} || die
+	mv "${ED}"/usr/sbin/{g,}backup.sh || die
+	mv "${ED}"/usr/sbin/{g,}dump-remind || die
+
+	if use minimal ; then
+		find "${ED}"/etc "${ED}"/*bin/ "${ED}"/usr/*bin/ \
+			-type f -a '!' -name gtar \
+			-delete || die
+	fi
+
+	if ! use minimal; then
+		dosym grmt /usr/sbin/rmt
+	fi
+	dosym grmt.8 /usr/share/man/man8/rmt.8
+}
+
+pkg_postinst() {
+	# ensure to preserve the symlink before app-alternatives/tar
+	# is installed
+	if [[ ! -h ${EROOT}/bin/tar ]]; then
+		ln -s gtar "${EROOT}/bin/tar" || die
+	fi
+}