CVE-2016-6321
---
main/tar/APKBUILD | 5 ++--
...tar-extract-pathname-bypass-CVE-2016-6321.patch | 27 ++++++++++++++++++++++
2 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch
diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD
index be41c1a..3f60a60 100644
--- a/main/tar/APKBUILD
+++ b/main/tar/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=tar
pkgver=1.28
-pkgrel=1
+pkgrel=2
pkgdesc="Utility used to store, backup, and transport files"
url="http://www.gnu.org"
arch="all"
@@ -11,7 +11,8 @@ install=
makedepends=
source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz
ignore-apk-tools-checksums.patch
- "
+ tar-extract-pathname-bypass-CVE-2016-6321.patch
+ "
subpackages="$pkgname-doc"
_builddir="$srcdir/$pkgname-$pkgver"
diff --git a/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch b/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch
new file mode 100644
index 0000000..36ab4ac
--- /dev/null
+++ b/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch
@@ -0,0 +1,27 @@
+--- a/lib/paxnames.c
++++ b/lib/paxnames.c
+@@ -18,6 +18,7 @@
+ #include <system.h>
+ #include <hash.h>
+ #include <paxlib.h>
++#include <quotearg.h>
+
+
+ /* Hash tables of strings. */
+@@ -114,7 +115,15 @@
+ for (p = file_name + prefix_len; *p; )
+ {
+ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+- prefix_len = p + 2 - file_name;
++ {
++ static char const *const diagnostic[] =
++ {
++ N_("%s: Member name contains '..'"),
++ N_("%s: Hard link target contains '..'")
++ };
++ FATAL_ERROR ((0, 0, _(diagnostic[link_target]),
++ quotearg_colon (file_name)));
++ }
+
+ do
+ {
--
2.6.6
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---