From: ericonr <ericonr@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] tar: remove CVE patch.
Date: Sun, 25 Apr 2021 07:07:22 +0200 [thread overview]
Message-ID: <20210425050722.rVxy8tPgcitoxjb76ViMfSo_rNNwbCBN618_ZNDiGIU@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-30482@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 1984 bytes --]
There is an updated pull request by ericonr against master on the void-packages repository
https://github.com/ericonr/void-packages tar
https://github.com/void-linux/void-packages/pull/30482
tar: remove CVE patch.
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/30482.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-tar-30482.patch --]
[-- Type: text/x-diff, Size: 2255 bytes --]
From ca085da0b1ebc6498fd9076b42970b6f68979667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Nogueira?= <erico.erc@gmail.com>
Date: Sun, 25 Apr 2021 02:03:14 -0300
Subject: [PATCH] tar: remove outdated CVE patch.
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
---
| 27 -------------------
srcpkgs/tar/template | 2 +-
2 files changed, 1 insertion(+), 28 deletions(-)
delete mode 100644 srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
diff --git a/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch b/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
deleted file mode 100644
index cf0c3725b9b8..000000000000
--- a/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- lib/paxnames.c.orig 2016-04-06 00:04:47.314860045 +0300
-+++ lib/paxnames.c 2016-04-06 02:08:44.962297881 +0300
-@@ -18,6 +18,7 @@
- #include <system.h>
- #include <hash.h>
- #include <paxlib.h>
-+#include <quotearg.h>
-
- \f
- /* Hash tables of strings. */
-@@ -114,7 +115,15 @@
- for (p = file_name + prefix_len; *p; )
- {
- if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
-- prefix_len = p + 2 - file_name;
-+ {
-+ static char const *const diagnostic[] =
-+ {
-+ N_("%s: Member name contains '..'"),
-+ N_("%s: Hard link target contains '..'")
-+ };
-+ ERROR ((0, 0, _(diagnostic[link_target]),
-+ quotearg_colon (file_name)));
-+ }
-
- do
- {
diff --git a/srcpkgs/tar/template b/srcpkgs/tar/template
index 2ac475c035a2..c18acdba1120 100644
--- a/srcpkgs/tar/template
+++ b/srcpkgs/tar/template
@@ -1,7 +1,7 @@
# Template file for 'tar'
pkgname=tar
version=1.34
-revision=1
+revision=2
build_style=gnu-configure
configure_args="gl_cv_struct_dirent_d_ino=yes"
makedepends="acl-devel"
next prev parent reply other threads:[~2021-04-25 5:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-25 5:07 [PR PATCH] " ericonr
2021-04-25 5:07 ` ericonr [this message]
2021-04-26 19:21 ` [PR PATCH] [Merged]: tar: remove outdated " ericonr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210425050722.rVxy8tPgcitoxjb76ViMfSo_rNNwbCBN618_ZNDiGIU@z \
--to=ericonr@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).