* [PR PATCH] tar: remove CVE patch.
@ 2021-04-25 5:07 ericonr
2021-04-25 5:07 ` [PR PATCH] [Updated] " ericonr
2021-04-26 19:21 ` [PR PATCH] [Merged]: tar: remove outdated " ericonr
0 siblings, 2 replies; 3+ messages in thread
From: ericonr @ 2021-04-25 5:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1979 bytes --]
There is a new pull request by ericonr against master on the void-packages repository
https://github.com/ericonr/void-packages tar
https://github.com/void-linux/void-packages/pull/30482
tar: remove CVE patch.
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/30482.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-tar-30482.patch --]
[-- Type: text/x-diff, Size: 2246 bytes --]
From ac4b66486cdc3172d221df682dce7296c5baa3fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Nogueira?= <erico.erc@gmail.com>
Date: Sun, 25 Apr 2021 02:03:14 -0300
Subject: [PATCH] tar: remove CVE patch.
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
---
| 27 -------------------
srcpkgs/tar/template | 2 +-
2 files changed, 1 insertion(+), 28 deletions(-)
delete mode 100644 srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
diff --git a/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch b/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
deleted file mode 100644
index cf0c3725b9b8..000000000000
--- a/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- lib/paxnames.c.orig 2016-04-06 00:04:47.314860045 +0300
-+++ lib/paxnames.c 2016-04-06 02:08:44.962297881 +0300
-@@ -18,6 +18,7 @@
- #include <system.h>
- #include <hash.h>
- #include <paxlib.h>
-+#include <quotearg.h>
-
- \f
- /* Hash tables of strings. */
-@@ -114,7 +115,15 @@
- for (p = file_name + prefix_len; *p; )
- {
- if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
-- prefix_len = p + 2 - file_name;
-+ {
-+ static char const *const diagnostic[] =
-+ {
-+ N_("%s: Member name contains '..'"),
-+ N_("%s: Hard link target contains '..'")
-+ };
-+ ERROR ((0, 0, _(diagnostic[link_target]),
-+ quotearg_colon (file_name)));
-+ }
-
- do
- {
diff --git a/srcpkgs/tar/template b/srcpkgs/tar/template
index 2ac475c035a2..c18acdba1120 100644
--- a/srcpkgs/tar/template
+++ b/srcpkgs/tar/template
@@ -1,7 +1,7 @@
# Template file for 'tar'
pkgname=tar
version=1.34
-revision=1
+revision=2
build_style=gnu-configure
configure_args="gl_cv_struct_dirent_d_ino=yes"
makedepends="acl-devel"
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PR PATCH] [Updated] tar: remove CVE patch.
2021-04-25 5:07 [PR PATCH] tar: remove CVE patch ericonr
@ 2021-04-25 5:07 ` ericonr
2021-04-26 19:21 ` [PR PATCH] [Merged]: tar: remove outdated " ericonr
1 sibling, 0 replies; 3+ messages in thread
From: ericonr @ 2021-04-25 5:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1984 bytes --]
There is an updated pull request by ericonr against master on the void-packages repository
https://github.com/ericonr/void-packages tar
https://github.com/void-linux/void-packages/pull/30482
tar: remove CVE patch.
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/30482.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-tar-30482.patch --]
[-- Type: text/x-diff, Size: 2255 bytes --]
From ca085da0b1ebc6498fd9076b42970b6f68979667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Nogueira?= <erico.erc@gmail.com>
Date: Sun, 25 Apr 2021 02:03:14 -0300
Subject: [PATCH] tar: remove outdated CVE patch.
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
---
| 27 -------------------
srcpkgs/tar/template | 2 +-
2 files changed, 1 insertion(+), 28 deletions(-)
delete mode 100644 srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
diff --git a/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch b/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
deleted file mode 100644
index cf0c3725b9b8..000000000000
--- a/srcpkgs/tar/patches/tar-1.29-extract-pathname-bypass.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- lib/paxnames.c.orig 2016-04-06 00:04:47.314860045 +0300
-+++ lib/paxnames.c 2016-04-06 02:08:44.962297881 +0300
-@@ -18,6 +18,7 @@
- #include <system.h>
- #include <hash.h>
- #include <paxlib.h>
-+#include <quotearg.h>
-
- \f
- /* Hash tables of strings. */
-@@ -114,7 +115,15 @@
- for (p = file_name + prefix_len; *p; )
- {
- if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
-- prefix_len = p + 2 - file_name;
-+ {
-+ static char const *const diagnostic[] =
-+ {
-+ N_("%s: Member name contains '..'"),
-+ N_("%s: Hard link target contains '..'")
-+ };
-+ ERROR ((0, 0, _(diagnostic[link_target]),
-+ quotearg_colon (file_name)));
-+ }
-
- do
- {
diff --git a/srcpkgs/tar/template b/srcpkgs/tar/template
index 2ac475c035a2..c18acdba1120 100644
--- a/srcpkgs/tar/template
+++ b/srcpkgs/tar/template
@@ -1,7 +1,7 @@
# Template file for 'tar'
pkgname=tar
version=1.34
-revision=1
+revision=2
build_style=gnu-configure
configure_args="gl_cv_struct_dirent_d_ino=yes"
makedepends="acl-devel"
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PR PATCH] [Merged]: tar: remove outdated CVE patch.
2021-04-25 5:07 [PR PATCH] tar: remove CVE patch ericonr
2021-04-25 5:07 ` [PR PATCH] [Updated] " ericonr
@ 2021-04-26 19:21 ` ericonr
1 sibling, 0 replies; 3+ messages in thread
From: ericonr @ 2021-04-26 19:21 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1841 bytes --]
There's a merged pull request on the void-packages repository
tar: remove outdated CVE patch.
https://github.com/void-linux/void-packages/pull/30482
Description:
Patch was added d95a0b07065a6cde65cfb94e5581024696883610, apparently
based on the one discussed in [1], but using ERROR instead of
FATAL_ERROR. However, per [2], this was fixed in another way, though
upstream seems to not consider it worthy of a CVE.
[1] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00014.html
[2] https://lists.gnu.org/archive/html/bug-tar/2016-10/msg00016.html
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-26 19:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-25 5:07 [PR PATCH] tar: remove CVE patch ericonr
2021-04-25 5:07 ` [PR PATCH] [Updated] " ericonr
2021-04-26 19:21 ` [PR PATCH] [Merged]: tar: remove outdated " ericonr
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).