
[alpine-aports] [PATCH v3.2] main/tar: security upgrade - fixes #6400

Message ID: <1481276560-25769-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp: 1481276560
DKIM signature: missing
Patch: +42 -5
CVE-2016-6321
---
 main/tar/APKBUILD                                  | 16 +++++++----
 ...CVE-2016-6321-tar-extract-pathname-bypass.patch | 31 ++++++++++++++++++++++
 2 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch

diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD
index 229d0dd..4d9fd1d 100644
--- a/main/tar/APKBUILD
+++ b/main/tar/APKBUILD
@@ -1,7 +1,8 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
pkgname=tar
pkgver=1.28
pkgrel=0
pkgrel=1
pkgdesc="Utility used to store, backup, and transport files"
url="http://www.gnu.org"
arch="all"
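Review bot: the pkgrel bump from 0 to 1 is the right thing for a rebuild that only adds a patch, and the header count (-1,7 +1,8) matches one replaced line plus one added line, the new Contributor line; note that the rendering here has lost the +/- markers, which is why both pkgrel=0 and pkgrel=1 appear. The commit message body is only the CVE id; suggest adding one line saying the patch is the one from the sintonen.fi advisory and that it turns '..' member names into a fatal error, so the behaviour change is visible in the log later.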
@@ -9,7 +10,9 @@ license='GPL'
depends=
install=
makedepends=
source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz"
source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz
	CVE-2016-6321-tar-extract-pathname-bypass.patch
	"
subpackages="$pkgname-doc"

prepare() {
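Review bot: source= gains CVE-2016-6321-tar-extract-pathname-bypass.patch, but the trailing context shows this APKBUILD has its own prepare() and nothing in this diff touches its body. Please confirm that prepare() actually applies the *.patch entries in $source (itself, or by calling the default prepare); the patch uses a/lib/paxnames.c paths, so it needs -p1. Otherwise the file is fetched and checksummed but never applied, and pkgrel 1 would ship the same vulnerable binary as pkgrel 0.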
@@ -43,6 +46,9 @@ package() {
	ln -s /bin/tar "$pkgdir"/usr/bin/tar
}

md5sums="49b6306167724fe48f419a33a5beb857  tar-1.28.tar.xz"
sha256sums="64ee8d88ec1b47a0961033493f919d27218c41b580138fd6802327462aff22f2  tar-1.28.tar.xz"
sha512sums="0e590abb82ef0202a1f659012477c9ff30d035729b7df47c9c8604901fb0bcdd970386dbc9a6256df63cfd7e629617076fea6ce9735213218f69601daa76c486  tar-1.28.tar.xz"
md5sums="49b6306167724fe48f419a33a5beb857  tar-1.28.tar.xz
e95e674369d149424724386d57784d24  CVE-2016-6321-tar-extract-pathname-bypass.patch"
sha256sums="64ee8d88ec1b47a0961033493f919d27218c41b580138fd6802327462aff22f2  tar-1.28.tar.xz
5dd500073a91ca1b348730d1a8f8cd7f17ad93548c2569b2e7bdc2a4ef2c0e23  CVE-2016-6321-tar-extract-pathname-bypass.patch"
sha512sums="0e590abb82ef0202a1f659012477c9ff30d035729b7df47c9c8604901fb0bcdd970386dbc9a6256df63cfd7e629617076fea6ce9735213218f69601daa76c486  tar-1.28.tar.xz
5cef92ea304bd2449c0b4bc39054a4a83deb4d505a328e9920fb3fc4964a8dbf81b40b49848a47266b69dde6fa6bfa9ee9d0ab4f7676230530771cb1eb1b56b3  CVE-2016-6321-tar-extract-pathname-bypass.patch"
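Review bot: all three arrays (md5sums, sha256sums, sha512sums) get the new patch entry, which is what `abuild checksum` produces, and the tar-1.28.tar.xz lines are unchanged, so the tarball itself is not being re-fetched from elsewhere. The hashes cover the whole patch file, including its three comment lines ("Fix for CVE-2016-6321" and the two URLs), so any later edit to that header has to be followed by a checksum refresh. The values cannot be verified from the page itself, only against the committed file.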
diff --git a/main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch b/main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch
new file mode 100644
index 0000000..874018c
--- /dev/null
+++ b/main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch
@@ -0,0 +1,31 @@
Fix for CVE-2016-6321
https://bugs.alpinelinux.org/issues/6400
https://sintonen.fi/advisories/tar-extract-pathname-bypass.patch

--- a/lib/paxnames.c
+++ b/lib/paxnames.c
@@ -18,6 +18,7 @@
 #include <system.h>
 #include <hash.h>
 #include <paxlib.h>
+#include <quotearg.h>
 
 
 /* Hash tables of strings.  */
@@ -114,7 +115,15 @@
       for (p = file_name + prefix_len; *p; )
 	{
           if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
-	    prefix_len = p + 2 - file_name;
+            {
+	      static char const *const diagnostic[] =
+	      {
+		N_("%s: Member name contains '..'"),
+		N_("%s: Hard link target contains '..'")
+	      };
+	      FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
+	                    quotearg_colon (file_name)));
+	    }
 
 	  do
 	    {
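Review bot: the core change replaces `prefix_len = p + 2 - file_name;` (silently dropping the name up to and including a '..' component, the sanitising step the advisory's filename calls a pathname bypass) with FATAL_ERROR, so tar now aborts the whole run at the first member whose name contains a '..' component followed by a slash or the end of the string; members processed before it have already been written. That is the hard-fail approach from the advisory and is safe, but it is a user-visible behaviour change (archives that legitimately contain '..' no longer extract at all), which the commit message should state. Two smaller points: `diagnostic[link_target]` assumes link_target is strictly 0 or 1, fine if it is the bool parameter of the enclosing function but the hunk does not show that; and the new block mixes tab and space indentation (`+            {` against `+	      static`), matching neither neighbouring line. The added `#include <quotearg.h>` in the first hunk is needed for quotearg_colon and sits correctly with the other lib headers.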
-- 
2.4.11
