mirror/freebsd-ports
1
0
Fork 0
mirror of https://git.FreeBSD.org/ports.git synced 2025-01-21 08:42:23 +00:00
Code Issues Releases Activity

Security update to 2.13:

Browse Source 
* Fix CVE-2015-1197
* Fix CVE-2016-2037
* Fix CVE-2019-14866
* Remove --extract-over-symlinks option again, which was part of an earlier
  third-party fix for CVE-2015-1197.

Security:	f59af308-07f3-11ea-8c56-f8b156b6dcc8
This commit is contained in:
Christian Weisgerber 2019-11-15 22:47:25 +00:00
parent e7ea6c1e1b
commit a2a0136a06
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=517705
13 changed files with 47 additions and 170 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
archivers/gcpio/Makefile
View File

@ -1,8 +1,7 @@
# $FreeBSD$
PORTNAME= cpio
PORTVERSION= 2.12
PORTREVISION= 1
PORTVERSION= 2.13
CATEGORIES= archivers
MASTER_SITES= GNU
PKGNAMEPREFIX= g
@ -12,6 +11,8 @@ COMMENT= GNU cpio copies files to and from archives
LICENSE= GPLv3
TEST_DEPENDS= autom4te:devel/autoconf
USES= cpe tar:bzip2
CPE_VENDOR= gnu

5
archivers/gcpio/distinfo
View File

@ -1,2 +1,3 @@
SHA256 (cpio-2.12.tar.bz2) = 70998c5816ace8407c8b101c9ba1ffd3ebbecba1f5031046893307580ec1296e
SIZE (cpio-2.12.tar.bz2) = 1258605
TIMESTAMP = 1573685109
SHA256 (cpio-2.13.tar.bz2) = eab5bdc5ae1df285c59f2a4f140a98fc33678a0bf61bdba67d9436ae26b46f6d
SIZE (cpio-2.13.tar.bz2) = 1354559

11
archivers/gcpio/files/patch-doc_cpio.1
View File

@ -1,8 +1,8 @@
--- doc/cpio.1.orig 2015-09-12 10:57:30 UTC
--- doc/cpio.1.orig 2018-06-21 07:12:05 UTC
+++ doc/cpio.1
@@ -15,9 +15,9 @@
.\" along with GNU cpio. If not, see <http://www.gnu.org/licenses/>.
.TH CPIO 1 "December 1, 2014" "CPIO" "GNU CPIO"
.TH CPIO 1 "June 21, 2018" "CPIO" "GNU CPIO"
.SH NAME
-cpio \- copy files to and from archives
+gcpio \- copy files to and from archives
@ -21,11 +21,8 @@
{\fB\-i\fR|\fB\-\-extract\fR} [\fB\-bcdfmnrtsuvBSV\fR] [\fB\-C\fR \fIBYTES\fR]
[\fB\-E\fR \fIFILE\fR] [\fB\-H\fR \fIFORMAT\fR]
[\fB\-M\fR \fIMESSAGE\fR] [\fB\-R\fR [\fIUSER\fR][\fB:.\fR][\fIGROUP\fR]]
@@ -50,9 +50,10 @@ cpio \- copy files to and from archives
[\fB\-\-force\-local\fR] [\fB\-\-no\-absolute\-filenames\fR] [\fB\-\-sparse\fR]
[\fB\-\-only\-verify\-crc\fR] [\fB\-\-to\-stdout\fR] [\fB\-\-quiet\fR]
@@ -52,7 +52,7 @@ cpio \- copy files to and from archives
[\fB\-\-rsh\-command=\fICOMMAND\fR]
+[\fB\-\-extract\-over\-symlinks\fR]
[\fIpattern\fR...] [\fB<\fR \fIarchive\fR]
-.B cpio
@ -33,7 +30,7 @@
{\fB\-p\fR|\fB\-\-pass\-through\fR} [\fB\-0adlmuvLV\fR]
[\fB\-R\fR [\fIUSER\fR][\fB:.\fR][\fIGROUP\fR]]
[\fB\-\-null\fR] [\fB\-\-reset\-access\-time\fR]
@@ -63,7 +64,7 @@ cpio \- copy files to and from archives
@@ -63,7 +63,7 @@ cpio \- copy files to and from archives
[\fB\-\-no\-preserve\-owner\fR] [\fB\-\-sparse\fR]
\fIdestination-directory\fR \fB<\fR \fIname-list\fR

4
archivers/gcpio/files/patch-gnu_Makefile.in
View File

@ -1,6 +1,6 @@
--- gnu/Makefile.in.orig 2015-09-12 11:11:14 UTC
--- gnu/Makefile.in.orig 2019-11-06 07:29:32 UTC
+++ gnu/Makefile.in
@@ -2077,7 +2077,7 @@ inttypes.h: inttypes.in.h $(top_builddir
@@ -2129,7 +2129,7 @@ inttypes.h: inttypes.in.h $(top_builddir)/config.statu
# avoid installing it.
all-local: charset.alias ref-add.sed ref-del.sed

10
archivers/gcpio/files/patch-po_Makefile.in.in
View File

@ -1,10 +0,0 @@
--- po/Makefile.in.in.orig 2015-09-12 10:51:46 UTC
+++ po/Makefile.in.in
@@ -80,6 +80,7 @@ CATALOGS = @CATALOGS@
POFILESDEPS_ = $(srcdir)/$(DOMAIN).pot
POFILESDEPS_yes = $(POFILESDEPS_)
POFILESDEPS_no =
+PO_DEPENDS_ON_POT =
POFILESDEPS = $(POFILESDEPS_$(PO_DEPENDS_ON_POT))
DISTFILESDEPS_ = update-po

78
archivers/gcpio/files/patch-src_copyin.c
View File

@ -1,78 +0,0 @@
--- src/copyin.c.orig 2015-09-12 10:57:30 UTC
+++ src/copyin.c
@@ -695,6 +695,51 @@ copyin_link (struct cpio_file_stat *file
free (link_name);
}
+
+static int
+path_contains_symlink(char *path)
+{
+ struct stat st;
+ char *slash;
+ char *nextslash;
+
+ /* we got NULL pointer or empty string */
+ if (!path || !*path) {
+ return false;
+ }
+
+ slash = path;
+
+ while ((nextslash = strchr(slash + 1, '/')) != NULL) {
+ slash = nextslash;
+ *slash = '\0';
+
+ if (lstat(path, &st) != 0) {
+ if (errno == ELOOP) {
+ /* ELOOP - too many symlinks */
+ *slash = '/';
+ return true;
+ } else if (errno == ENOMEM) {
+ /* No memory for lstat - terminate */
+ xalloc_die();
+ } else {
+ /* cannot lstat path - give up */
+ *slash = '/';
+ return false;
+ }
+ }
+
+ if (S_ISLNK(st.st_mode)) {
+ *slash = '/';
+ return true;
+ }
+
+ *slash = '/';
+ }
+
+ return false;
+}
+
static void
copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
{
@@ -1468,6 +1513,23 @@ process_copy_in ()
{
/* Copy the input file into the directory structure. */
+ /* Can we write files over symlinks? */
+ if (!extract_over_symlinks)
+ {
+ if (path_contains_symlink(file_hdr.c_name))
+ {
+ /* skip the file */
+ /*
+ fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
+ tape_toss_input (in_file_des, file_hdr.c_filesize);
+ tape_skip_padding (in_file_des, file_hdr.c_filesize);
+ continue;
+ */
+ /* terminate */
+ error (PAXEXIT_FAILURE, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
+ }
+ }
+
/* Do we need to rename the file? */
if (rename_flag || rename_batch_file)
{

10
archivers/gcpio/files/patch-src_extern.h
View File

@ -1,10 +0,0 @@
--- src/extern.h.orig 2015-09-12 10:57:30 UTC
+++ src/extern.h
@@ -96,6 +96,7 @@ extern char input_is_special;
extern char output_is_special;
extern char input_is_seekable;
extern char output_is_seekable;
+extern bool extract_over_symlinks;
extern int (*xstat) ();
extern void (*copy_function) ();
extern char *change_directory_option;

12
archivers/gcpio/files/patch-src_global.c
View File

@ -1,12 +0,0 @@
--- src/global.c.orig 2015-09-12 10:57:30 UTC
+++ src/global.c
@@ -187,6 +187,9 @@ bool to_stdout_option = false;
/* The name this program was run with. */
char *program_name;
+/* Extract files over symbolic links */
+bool extract_over_symlinks;
+
/* A pointer to either lstat or stat, depending on whether
dereferencing of symlinks is done for input files. */
int (*xstat) ();

32
archivers/gcpio/files/patch-src_main.c
View File

@ -1,32 +0,0 @@
--- src/main.c.orig 2015-09-12 10:57:30 UTC
+++ src/main.c
@@ -61,7 +61,8 @@ enum cpio_options {
TO_STDOUT_OPTION,
RENUMBER_INODES_OPTION,
IGNORE_DEVNO_OPTION,
- DEVICE_INDEPENDENT_OPTION
+ DEVICE_INDEPENDENT_OPTION,
+ EXTRACT_OVER_SYMLINKS
};
const char *program_authors[] =
@@ -243,6 +244,8 @@ static struct argp_option options[] = {
N_("Create leading directories where needed"), GRID+1 },
{"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
N_("Do not change the ownership of the files"), GRID+1 },
+ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
+ N_("Force writing over symbolic links"), GRID+1 },
{"unconditional", 'u', NULL, 0,
N_("Replace all files unconditionally"), GRID+1 },
{"sparse", SPARSE_OPTION, NULL, 0,
@@ -432,6 +435,10 @@ crc newc odc bin ustar tar (all-caps als
no_chown_flag = true;
break;
+ case EXTRACT_OVER_SYMLINKS: /* --extract-over-symlinks */
+ extract_over_symlinks = true;
+ break;
+
case 'o': /* Copy-out mode. */
if (copy_function != 0)
USAGE_ERROR ((0, 0, _("Mode already defined")));

23
archivers/gcpio/files/patch-src_util.c Normal file
View File

@ -0,0 +1,23 @@
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=df55fb19be545e22d023950263ed5d0756edf81e
--- src/util.c.orig 2019-11-03 15:07:23 UTC
+++ src/util.c
@@ -1140,8 +1140,16 @@ stat_to_cpio (struct cpio_file_stat *hdr, struct stat
hdr->c_nlink = st->st_nlink;
hdr->c_uid = CPIO_UID (st->st_uid);
hdr->c_gid = CPIO_GID (st->st_gid);
- hdr->c_rdev_maj = major (st->st_rdev);
- hdr->c_rdev_min = minor (st->st_rdev);
+ if (S_ISBLK (st->st_mode) || S_ISCHR (st->st_mode))
+ {
+ hdr->c_rdev_maj = major (st->st_rdev);
+ hdr->c_rdev_min = minor (st->st_rdev);
+ }
+ else
+ {
+ hdr->c_rdev_maj = 0;
+ hdr->c_rdev_min = 0;
+ }
hdr->c_mtime = st->st_mtime;
hdr->c_filesize = st->st_size;
hdr->c_chksum = 0;

11
archivers/gcpio/files/patch-tests_symlink-bad-length.at Normal file
View File

@ -0,0 +1,11 @@
--- tests/symlink-bad-length.at.orig 2019-11-13 23:07:23 UTC
+++ tests/symlink-bad-length.at
@@ -44,7 +44,7 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# but that could hurt backward compatibility.
AT_CHECK([
-base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+b64decode -r ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
TZ=UTC cpio -ntv < ARCHIVE 2>stderr
cat stderr | grep -v \
-e 'stored filename length is out of range' \

15
archivers/gcpio/files/patch-tests_symlink-long.at
View File

@ -1,15 +0,0 @@
--- tests/symlink-long.at.orig 2015-09-12 10:57:30 UTC
+++ tests/symlink-long.at
@@ -27,9 +27,11 @@ AT_CHECK([
# len(dirname) > READBUFSIZE
dirname=
-for i in {1..52}; do
+i=1
+while test $i -le 52; do
dirname="xxxxxxxxx/$dirname"
mkdir "$dirname"
+ i=`expr $i + 1`
done
ln -s "$dirname" x || AT_SKIP_TEST

1
archivers/gcpio/pkg-plist
View File

@ -15,6 +15,7 @@ man/man1/gcpio.1.gz
%%NLS%%share/locale/ko/LC_MESSAGES/cpio.mo
%%NLS%%share/locale/nl/LC_MESSAGES/cpio.mo
%%NLS%%share/locale/pl/LC_MESSAGES/cpio.mo
%%NLS%%share/locale/pt/LC_MESSAGES/cpio.mo
%%NLS%%share/locale/pt_BR/LC_MESSAGES/cpio.mo
%%NLS%%share/locale/ro/LC_MESSAGES/cpio.mo
%%NLS%%share/locale/ru/LC_MESSAGES/cpio.mo