From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.2] main/tar: security upgrade - fixes #6400 Date: Fri, 9 Dec 2016 09:42:40 +0000 Message-Id: <1481276560-25769-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.4.11 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-6321 --- main/tar/APKBUILD | 16 +++++++---- ...CVE-2016-6321-tar-extract-pathname-bypass.patch | 31 ++++++++++++++++++++++ 2 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD index 229d0dd..4d9fd1d 100644 --- a/main/tar/APKBUILD +++ b/main/tar/APKBUILD @@ -1,7 +1,8 @@ # Maintainer: Carlo Landmeter +# Contributor: Sergey Lukin pkgname=tar pkgver=1.28 -pkgrel=0 +pkgrel=1 pkgdesc="Utility used to store, backup, and transport files" url="http://www.gnu.org" arch="all" @@ -9,7 +10,9 @@ license='GPL' depends= install= makedepends= -source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz" +source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz + CVE-2016-6321-tar-extract-pathname-bypass.patch + " subpackages="$pkgname-doc" prepare() { 
@@ -43,6 +46,9 @@ package() { ln -s /bin/tar "$pkgdir"/usr/bin/tar } -md5sums="49b6306167724fe48f419a33a5beb857 tar-1.28.tar.xz" -sha256sums="64ee8d88ec1b47a0961033493f919d27218c41b580138fd6802327462aff22f2 tar-1.28.tar.xz" -sha512sums="0e590abb82ef0202a1f659012477c9ff30d035729b7df47c9c8604901fb0bcdd970386dbc9a6256df63cfd7e629617076fea6ce9735213218f69601daa76c486 tar-1.28.tar.xz" +md5sums="49b6306167724fe48f419a33a5beb857 tar-1.28.tar.xz +e95e674369d149424724386d57784d24 CVE-2016-6321-tar-extract-pathname-bypass.patch" +sha256sums="64ee8d88ec1b47a0961033493f919d27218c41b580138fd6802327462aff22f2 tar-1.28.tar.xz +5dd500073a91ca1b348730d1a8f8cd7f17ad93548c2569b2e7bdc2a4ef2c0e23 CVE-2016-6321-tar-extract-pathname-bypass.patch" +sha512sums="0e590abb82ef0202a1f659012477c9ff30d035729b7df47c9c8604901fb0bcdd970386dbc9a6256df63cfd7e629617076fea6ce9735213218f69601daa76c486 tar-1.28.tar.xz +5cef92ea304bd2449c0b4bc39054a4a83deb4d505a328e9920fb3fc4964a8dbf81b40b49848a47266b69dde6fa6bfa9ee9d0ab4f7676230530771cb1eb1b56b3 CVE-2016-6321-tar-extract-pathname-bypass.patch" diff --git a/main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch b/main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch new file mode 100644 index 0000000..874018c --- /dev/null +++ b/main/tar/CVE-2016-6321-tar-extract-pathname-bypass.patch 
@@ -0,0 +1,31 @@ +Fix for CVE-2016-6321 +https://bugs.alpinelinux.org/issues/6400 +https://sintonen.fi/advisories/tar-extract-pathname-bypass.patch + +--- a/lib/paxnames.c ++++ b/lib/paxnames.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + + /* Hash tables of strings. */ +@@ -114,7 +115,15 @@ + for (p = file_name + prefix_len; *p; ) + { + if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2])) +- prefix_len = p + 2 - file_name; ++ { ++ static char const *const diagnostic[] = ++ { ++ N_("%s: Member name contains '..'"), ++ N_("%s: Hard link target contains '..'") ++ }; ++ FATAL_ERROR ((0, 0, _(diagnostic[link_target]), ++ quotearg_colon (file_name))); ++ } + + do + { -- 2.4.11 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
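Review bot: for the first APKBUILD hunk (@@ -1,7 +1,8 @@), the pkgrel 0 -> 1 bump is the right choice for a patch-only rebuild, but the commit body is just "CVE-2016-6321"; please add one line stating what changes for users (extraction now aborts on member names or hard-link targets containing '..', per the diagnostics in the new patch), since that is a visible behaviour change on malformed archives and reviewers of the changelog should not have to open the patch to learn it.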
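Review bot: in the source= hunk (@@ -9,7 +10,9 @@), adding the patch to $source is only half of the wiring; the hunk ends at `prepare() {` and nothing in the diff touches its body, so confirm that prepare() actually applies *.patch entries from $source (or defers to a default prepare that does), otherwise pkgrel=1 rebuilds without the fix. The tarball is still fetched over plain ftp://, so the sha512sums entry is the only integrity guarantee for the upstream source; keep it authoritative.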
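Review bot: in the checksum hunk (@@ -43,6 +46,9 @@), sha512sums is the line that matters and md5sums adds nothing for integrity; keep it only if this abuild version still requires it. Verify the three patch hashes were generated with `abuild checksum` against the file committed in this same change, since the patch ships in-tree and any later edit to it must regenerate all three lines or the build will fail its checksum step.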
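Review bot: in the new patch file (@@ -0,0 +1,31 @@), all four `#include` lines, including the one the patch adds, appear with their header names stripped in this mail rendering; check that the committed file carries the real include, because `quotearg_colon` and the `N_`/`_` macros need their declarations or lib/paxnames.c will not compile. On behaviour, the replaced line `prefix_len = p + 2 - file_name;` used to silently drop the leading '..' component and extract the member under the stripped name; the new block calls FATAL_ERROR, so a single offending member now aborts the whole extraction. That is the conservative fix for the traversal bug, but `diagnostic[link_target]` relies on link_target being exactly 0 or 1, so it is worth confirming in paxnames.c that the parameter is a bool rather than an int flag before merging.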