From c3d4c8676d98767e52d09cfdbb671cd9a8326a6b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20R=C4=99korajski?=
Date: Mon, 13 Apr 2020 23:08:55 +0200
Subject: [PATCH] - revert fix for CVE-2015-1197 as it causes shutdown issues - rel 3 revert suggested as a workaround by upstream: https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
---
 cpio.spec | 4 +-
 revert-CVE-2015-1197-fix.patch | 91 ++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 revert-CVE-2015-1197-fix.patch
diff --git a/cpio.spec b/cpio.spec
index db68ff6..23f781e 100644
--- a/cpio.spec
+++ b/cpio.spec
@@ -9,7 +9,7 @@ Summary(tr.UTF-8): GNU cpio arşivleme programı
 Summary(uk.UTF-8): Архівна програма GNU
 Name: cpio
 Version: 2.13
-Release: 2
+Release: 3
 License: GPL v3+
 Group: Applications/Archiving
 Source0: https://ftp.gnu.org/gnu/cpio/%{name}-%{version}.tar.bz2
@@ -18,6 +18,7 @@ Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-ma
 # Source1-md5: 027552f4053477462a09fadc162a5e65
 Patch0: %{name}-info.patch
 Patch1: %{name}-ifdef.patch
+Patch2: revert-CVE-2015-1197-fix.patch
 URL: http://www.gnu.org/software/cpio/
 BuildRequires: autoconf >= 2.63
 BuildRequires: automake >= 1:1.11.1
@@ -104,6 +105,7 @@ cpio копіює файли в або з архіву cpio або tar, який
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %{__gettextize}
diff --git a/revert-CVE-2015-1197-fix.patch b/revert-CVE-2015-1197-fix.patch
new file mode 100644
index 0000000..1106ac7
--- /dev/null
+++ b/revert-CVE-2015-1197-fix.patch
@@ -0,0 +1,91 @@
+revert fix for CVE-2015-1197 as it causes shutdown issues
+
+revert suggested as a workaround by upstream:
+https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
+
+--- b/src/copyin.c
++++ a/src/copyin.c
+@@ -645,14 +645,13 @@
+ link_name = xstrdup (file_hdr->c_tar_linkname);
+ }
+
+- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
+ if (res < 0 && create_dir_flag)
+ {
+ create_all_directories (file_hdr->c_name);
++ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
++ file_hdr->c_mode);
+- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
+ }
+ if (res < 0)
+ {
+--- b/tests/CVE-2015-1197.at
++++ /dev/null
+@@ -1,43 +0,0 @@
+-# Process this file with autom4te to create testsuite. -*- Autotest -*-
+-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 3, or (at your option)
+-# any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see .
+-
+-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
+-AT_CHECK([
+-tempdir=$(pwd)/tmp
+-mkdir $tempdir
+-touch $tempdir/file
+-ln -s $tempdir dir
+-AT_DATA([filelist],
+-[dir
+-dir/file
+-])
+-ln -s /tmp dir
+-touch /tmp/file
+-cpio -o < filelist > test.cpio
+-rm dir /tmp/file
+-cpio --no-absolute-filenames -iv < test.cpio
+-],
+-[2],
+-[],
+-[1 block
+-cpio: Removing leading `/' from hard link targets
+-dir
+-cpio: dir/file: Cannot open: No such file or directory
+-dir/file
+-1 block
+-])
+-AT_CLEANUP
+-
+--- b/tests/Makefile.am
++++ a/tests/Makefile.am
+@@ -56,9 +56,8 @@
+ symlink-long.at\
+ symlink-to-stdout.at\
+ version.at\
+ big-block-size.at\
+- CVE-2015-1197.at\
+ CVE-2019-14866.at
+
+ TESTSUITE = $(srcdir)/testsuite
+
+--- b/tests/testsuite.at
++++ a/tests/testsuite.at
+@@ -43,6 +43,5 @@
+ m4_include([setstat04.at])
+ m4_include([setstat05.at])
+ m4_include([big-block-size.at])
+
+-m4_include([CVE-2015-1197.at])
+ m4_include([CVE-2019-14866.at])
-- 2.44.0
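Review bot: The embedded src/copyin.c hunk removes `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` from the symlink branch, so as far as the hunk shows `link_name` read from the archive reaches UMASKED_SYMLINK unmodified again and --no-absolute-filenames no longer constrains symlink targets, while the patch header records only the shutdown regression. The same patch drops tests/CVE-2015-1197.at from tests/Makefile.am and tests/testsuite.at, so nothing in the package build will signal that release 3 ships with the CVE-2015-1197 behaviour restored. I would state that in the patch header and beside `Patch2:` in cpio.spec, for example `# re-opens CVE-2015-1197 (symlink targets not sanitised on extraction); drop once upstream has a fix that keeps shutdown working`, so the revert is tracked as temporary and users know to extract archives they do not trust into a dedicated directory. The enclosing function in copyin.c starts and ends outside the hunk, so whether any other check still covers `link_name` cannot be confirmed from here.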