From 444f4ae8534e4d2a06914f1c7d858b7794e2b040 Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Tue, 17 Aug 2021 14:27:21 +0200 Subject: [PATCH 1/1] up to 4.8.27 (fixes CVE-2021-36370) --- ebook-ext.patch | 8 +- mc.spec | 18 ++--- zip.patch | 195 ------------------------------------------------ 3 files changed, 12 insertions(+), 209 deletions(-) delete mode 100644 zip.patch diff --git a/ebook-ext.patch b/ebook-ext.patch index 32bd588..4186e74 100644 --- a/ebook-ext.patch +++ b/ebook-ext.patch @@ -3,9 +3,9 @@ @@ -657,7 +657,7 @@ Open=@EXTHELPERSDIR@/doc.sh open comic - # Epub & mobi --regex/i/\.(epub|mobi)$ + # Epup, mobi, fb2 +-regex/i/\.(epub|mobi|fb2)$ +regex/i/\.(epub|mobi|lrf|lrs|azw[123]?|pobi|lit|fb2)$ - Open=@EXTHELPERSDIR@/doc.sh open epub - View=%view{ascii} @EXTHELPERSDIR@/doc.sh view epub + Open=@EXTHELPERSDIR@/doc.sh open ebook + View=%view{ascii} @EXTHELPERSDIR@/doc.sh view ebook diff --git a/mc.spec b/mc.spec index 7fe2622..3619df5 100644 --- a/mc.spec +++ b/mc.spec @@ -18,13 +18,13 @@ Summary(tr.UTF-8): Midnight Commander görsel kabuğu Summary(uk.UTF-8): Диспетчер файлів Midnight Commander Summary(zh_CN.UTF-8): 一个方便实用的文件管理器和虚拟Shell Name: mc -Version: 4.8.26 -Release: 2 +Version: 4.8.27 +Release: 1 Epoch: 1 License: GPL v3+ Group: Applications/Shells Source0: http://ftp.midnight-commander.org/%{name}-%{version}.tar.xz -# Source0-md5: 3c1f77b71dba1f4eeeedc4276627fed7 +# Source0-md5: e51cd40a897d9aa01af251d191637ca4 Source3: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2 # Source3-md5: 17d7b574e1b85ad6f8ddceda9e841f19 Source7: %{name}.desktop 
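Review bot: In the `mc.spec` header hunk, the refreshed `# Source0-md5: e51cd40a897d9aa01af251d191637ca4` is the only integrity pin visible for a tarball that `Source0` still fetches over plain `http://`, which is thin for an update whose stated purpose is a CVE fix. MD5 is not collision-resistant and an unencrypted download can be altered in transit, so the digest is only as trustworthy as the copy it was computed from. I would change the URL to `Source0: https://ftp.midnight-commander.org/%{name}-%{version}.tar.xz` if the host serves it, and record beside the digest how the tarball was checked, e.g. `# tarball compared with the upstream-published SHA-256 before updating the md5`. Whether the distro tooling accepts a stronger digest tag than `Source0-md5` cannot be seen from this diff.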
@@ -34,18 +34,17 @@ Patch3: %{name}-noperl-vfs.patch # at now syntax highligthing for PLD-update-TODO and CVSROOT/users Patch4: %{name}-pld-developerfriendly.patch Patch5: ebook-ext.patch -Patch6: zip.patch URL: http://www.midnight-commander.org/ -BuildRequires: autoconf >= 2.60 -BuildRequires: automake >= 1.5 +BuildRequires: autoconf >= 2.64 +BuildRequires: automake >= 1:1.12 %{?with_ext2undel:BuildRequires: e2fsprogs-devel} BuildRequires: file -BuildRequires: gettext-tools >= 0.18.1 +BuildRequires: gettext-tools >= 0.21 BuildRequires: glib2-devel >= 1:2.30.0 %ifnarch s390 s390x BuildRequires: gpm-devel %endif -BuildRequires: libssh2-devel >= 1.2.5 +BuildRequires: libssh2-devel >= 1.2.8 BuildRequires: libtool >= 2:2 BuildRequires: pam-devel BuildRequires: pcre-devel @@ -59,7 +58,7 @@ BuildRequires: tar >= 1:1.22 BuildRequires: xz Requires: file Requires: glib2 >= 1:2.30.0 -Requires: libssh2 >= 1.2.5 +Requires: libssh2 >= 1.2.8 Requires: pam >= 0.77.3 Requires: sed Requires: setup >= 2.4.6-2 @@ -168,7 +167,6 @@ tar, zip ve RPM dosyalarının içeriklerini gösterebilmesidir. %{!?with_perl_vfs:%patch3 -p1} %patch4 -p1 %patch5 -p1 -%patch6 -p1 %{__rm} po/stamp-po diff --git a/zip.patch b/zip.patch deleted file mode 100644 index dfbc4f5..0000000 --- a/zip.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -From 1ed638d66cf803f69ac12ee80a72d217f2146e43 Mon Sep 17 00:00:00 2001 -From: Andrew Borodin -Date: Tue, 16 Feb 2021 16:29:51 +0300 -Subject: [PATCH] Ticket #4180: fix zip handling. - -After 8857423e4ebb770b6f0ea3103abf5d35c85fcbe8 zip archives opened with -an error: - - file -L -z archive.zip: Bad system call - -This caused by using /usr/bin/file with -z option, because seccomp (a -security sandbox) doesn't allow it.. - -Solution: use -S option together with -z one. - -The file command accepts the -S option since 5.33. - -Signed-off-by: Andrew Borodin ---- - configure.ac | 66 +++++++++++++++++++++++++++++++++++-------- - src/filemanager/ext.c | 7 +++-- - src/setup.c | 2 ++ - 3 files changed, 60 insertions(+), 15 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 5f372dc3f5..f2351c99ad 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -115,23 +115,65 @@ fi - AC_SUBST(MANDOC) - AC_SUBST(MAN_FLAGS) - --dnl Check for -L option to file -+dnl Check for -z, -L, and -S options to file - AC_CHECK_PROG(HAVE_FILECMD, file, true, false) - if $HAVE_FILECMD; then -- AC_MSG_CHECKING([for -L option to file command]) -- AC_CACHE_VAL(mc_cv_filel, [ -- file -L . > /dev/null 2>&1 -- if test $? = 0; then -- mc_cv_filel=yes -+ dnl Don't use the file command if it doesn't accept the -z option -+ AC_MSG_CHECKING([for -z option to file command]) -+ AC_CACHE_VAL(mc_cv_file_z, [ -+ file -z . > /dev/null 2>&1 -+ if test $? 
= 0; then -+ mc_cv_file_z=yes -+ else -+ mc_cv_file_z=no -+ fi -+ ]) -+ AC_MSG_RESULT([$mc_cv_file_z]) -+ -+ if test x$mc_cv_file_z = xyes; then -+ AC_DEFINE(USE_FILE_CMD, 1, [Define if the file command accepts the -z option]) - else -- mc_cv_filel=no -+ AC_MSG_WARN([The file command doesn't accept the -z option and will not be used]) - fi -- ]) -- if test x$mc_cv_filel = xyes; then -- AC_DEFINE(FILE_L, 1, [Define if the file command accepts the -L option]) -+ -+ if test x$mc_cv_file_z = xyes; then -+ dnl file is used; check -L and -S options -+ -+ AC_MSG_CHECKING([for -L option to file command]) -+ AC_CACHE_VAL(mc_cv_file_L, [ -+ file -L . > /dev/null 2>&1 -+ if test $? = 0; then -+ mc_cv_file_L=yes -+ else -+ mc_cv_file_L=no -+ fi -+ ]) -+ AC_MSG_RESULT([$mc_cv_file_L]) -+ -+ if test x$mc_cv_file_L = xyes; then -+ AC_DEFINE(FILE_L, "-L ", [Define if the file command accepts the -L option]) -+ else -+ AC_DEFINE(FILE_L, "", [Define if the file command accepts the -L option]) -+ fi -+ -+ dnl The file command accepts the -S option since 5.33 -+ AC_MSG_CHECKING([for -S option to file command]) -+ AC_CACHE_VAL(mc_cv_file_S, [ -+ file -S . > /dev/null 2>&1 -+ if test $? = 0; then -+ mc_cv_file_S=yes -+ else -+ mc_cv_file_S=no -+ fi -+ ]) -+ AC_MSG_RESULT([$mc_cv_file_S]) -+ -+ if test x$mc_cv_file_S = xyes; then -+ AC_DEFINE(FILE_S, "-S ", [Define if file command accepts the -S option]) -+ else -+ AC_DEFINE(FILE_S, "", [Define if file command accepts the -S option]) -+ fi - fi -- filel=$mc_cv_filel -- AC_MSG_RESULT([$filel]) - fi - - dnl Only list browsers here that can be run in background (i.e. 
with `&') -diff --git a/src/filemanager/ext.c b/src/filemanager/ext.c -index 4e6f10c6c5..d6a09df7bb 100644 ---- a/src/filemanager/ext.c -+++ b/src/filemanager/ext.c -@@ -71,10 +71,11 @@ - - /*** file scope macro definitions ****************************************************************/ - --#ifdef FILE_L --#define FILE_CMD "file -L -z " -+#ifdef USE_FILE_CMD -+#define FILE_CMD "file -z " FILE_S FILE_L - #else --#define FILE_CMD "file -z " -+/* actually file is unused, but define some reasonable command */ -+#define FILE_CMD "file " - #endif - - /*** file scope type declarations ****************************************************************/ -diff --git a/src/setup.c b/src/setup.c -index 77c07649d5..2ef07f2569 100644 ---- a/src/setup.c -+++ b/src/setup.c -@@ -317,7 +317,9 @@ static const struct - { "old_esc_mode", &old_esc_mode }, - { "cd_symlinks", &mc_global.vfs.cd_symlinks }, - { "show_all_if_ambiguous", &mc_global.widget.show_all_if_ambiguous }, -+#ifdef USE_FILE_CMD - { "use_file_to_guess_type", &use_file_to_check_type }, -+#endif - { "alternate_plus_minus", &mc_global.tty.alternate_plus_minus }, - { "only_leading_plus_minus", &only_leading_plus_minus }, - { "show_output_starts_shell", &output_starts_shell }, -From 7881ed2fda7390d3821abd6864d0097fc818f0ac Mon Sep 17 00:00:00 2001 -From: Andrew Borodin -Date: Sat, 23 Jan 2021 21:10:04 +0300 -Subject: [PATCH] Ticket #4180: fix handling of zip archives. - -After 8857423e4ebb770b6f0ea3103abf5d35c85fcbe8 due to -using "file -z", zip archves w/o ".zip" file name extension -(i.e. "ff_ext.xpi", a Firefox extension) aren't handled -as zip archives. - -misc/mc.ext.in: fix regular expression for zip format. 
- -Signed-off-by: Andrew Borodin ---- - misc/mc.ext.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/misc/mc.ext.in b/misc/mc.ext.in -index e9b475cde4..2da4635d1e 100644 ---- a/misc/mc.ext.in -+++ b/misc/mc.ext.in -@@ -751,7 +751,7 @@ shell/i/.zip - View=%view{ascii} @EXTHELPERSDIR@/archive.sh view zip - - # zip --type/i/^zip\ archive -+type/\(Zip archive - Open=%cd %p/uzip:// - View=%view{ascii} @EXTHELPERSDIR@/archive.sh view zip - -From 0e023f0dd9ca18a2bab8df6d25ed3c7d9dcbd2d1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Piotrek=20=C5=BBygie=C5=82o?= - -Date: Thu, 25 Mar 2021 16:59:19 +0100 -Subject: [PATCH] Ticket #4223: fix recognition of JAR files as ZIP archives - -Similar to 7881ed2 that solved ticket #4180. - -Signed-off-by: Andrew Borodin ---- - misc/mc.ext.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/misc/mc.ext.in b/misc/mc.ext.in -index 75f95fc743..f93d8bf229 100644 ---- a/misc/mc.ext.in -+++ b/misc/mc.ext.in -@@ -386,7 +386,7 @@ type/\(Zip archive - View=%view{ascii} @EXTHELPERSDIR@/archive.sh view zip - - # jar(zip) --type/i/^Java\ (Jar\ file|archive)\ data\ \((zip|JAR)\) -+type/i/\(Java\ (Jar\ file|archive)\ data\ \((zip|JAR)\) - Open=%cd %p/uzip:// - View=%view{ascii} @EXTHELPERSDIR@/archive.sh view zip - -- 2.44.0