~alpine/aports

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch

[alpine-aports] [PATCH] main/tar: fix for CVE-2016-6321

Daniel Sabogal <dsabogalcc@gmail.com>
Details
Message ID
<20161101032352.16175-1-dsabogalcc@gmail.com>
Sender timestamp
1477970632
DKIM signature
missing
Download raw message
7 years ago
Patch: +30 -1 
Patch from upstream with NEWS update removed.
---
 main/tar/APKBUILD            |  6 +++++-
 main/tar/CVE-2016-6321.patch | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 main/tar/CVE-2016-6321.patch

diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD
index ac9a9b4..fcb4c45 100644
--- a/main/tar/APKBUILD
+++ b/main/tar/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=tar
pkgver=1.29
pkgrel=0
pkgrel=1
pkgdesc="Utility used to store, backup, and transport files"
url="http://www.gnu.org"
arch="all"
@@ -11,6 +11,7 @@ install=""
makedepends=""
subpackages="$pkgname-doc"
source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz
	CVE-2016-6321.patch
	ignore-apk-tools-checksums.patch"

_builddir="$srcdir/$pkgname-$pkgver"
@@ -49,8 +50,11 @@ package() {
}

md5sums="a1802fec550baaeecff6c381629653ef  tar-1.29.tar.xz
21f9b5b3642b5476bd972189c33d06ca  CVE-2016-6321.patch
2c4c807811c4ba827f4510dc2a2f8460  ignore-apk-tools-checksums.patch"
sha256sums="402dcfd0022fd7a1f2c5611f5c61af1cd84910a760a44a688e18ddbff4e9f024  tar-1.29.tar.xz
0b117302bce6b62b9a89a2b73603fb8ec9d0d0c57a261320d7831ae6c89d7f76  CVE-2016-6321.patch
4f6330e37e0540f8731256a65fd8ff6de475cf9e3ec9d0245b9dd21d7546713d  ignore-apk-tools-checksums.patch"
sha512sums="7249689176bd9e4e842e1e363c3f5867d9d4db9ec082ba59805047091e89de22a67153a366c23bdc1e53a3fb154df1c19a5bc1fa88267333724c5bc11bd27329  tar-1.29.tar.xz
fad29eaa045f834a4ff9a0e1fdc1564457c9b3ccc4fbd75df100928b1bf434c5055a3064f024c576a3f8508513a2b3d179dc64fe9d1b5518f3799e2235ccaf3e  CVE-2016-6321.patch
9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739  ignore-apk-tools-checksums.patch"
diff --git a/main/tar/CVE-2016-6321.patch b/main/tar/CVE-2016-6321.patch
new file mode 100644
index 0000000..de0787d
--- /dev/null
+++ b/main/tar/CVE-2016-6321.patch
@@ -0,0 +1,25 @@
diff --git a/src/extract.c b/src/extract.c
index f982433..7904148 100644
--- a/src/extract.c
+++ b/src/extract.c
@@ -1629,12 +1629,20 @@ extract_archive (void)
 {
   char typeflag;
   tar_extractor_t fun;
+  bool skip_dotdot_name;
 
   fatal_exit_hook = extract_finish;
 
   set_next_block_after (current_header);
 
+  skip_dotdot_name = (!absolute_names_option
+		      && contains_dot_dot (current_stat_info.orig_file_name));
+  if (skip_dotdot_name)
+    ERROR ((0, 0, _("%s: Member name contains '..'"),
+	    quotearg_colon (current_stat_info.orig_file_name)));
+
   if (!current_stat_info.file_name[0]
+      || skip_dotdot_name
       || (interactive_option
 	  && !confirm ("extract", current_stat_info.file_name)))
     {
-- 
2.10.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)