From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.3] main/tar: security upgrade - CVE-2016-6321 - fixes #6399 Date: Tue, 6 Dec 2016 07:13:53 +0000 Message-Id: <1481008433-12832-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.6.6 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: --- main/tar/APKBUILD | 14 +++++++---- ...tar-extract-pathname-bypass-CVE-2016-6321.patch | 27 ++++++++++++++++++++++ 2 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD index be41c1a..30fc230 100644 --- a/main/tar/APKBUILD +++ b/main/tar/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Carlo Landmeter pkgname=tar pkgver=1.28 -pkgrel=1 +pkgrel=2 pkgdesc="Utility used to store, backup, and transport files" url="http://www.gnu.org" arch="all" @@ -11,7 +11,8 @@ install= makedepends= source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz ignore-apk-tools-checksums.patch - " + tar-extract-pathname-bypass-CVE-2016-6321.patch + " subpackages="$pkgname-doc" _builddir="$srcdir/$pkgname-$pkgver" 
@@ -49,8 +50,11 @@ package() { } md5sums="49b6306167724fe48f419a33a5beb857 tar-1.28.tar.xz -2c4c807811c4ba827f4510dc2a2f8460 ignore-apk-tools-checksums.patch" +2c4c807811c4ba827f4510dc2a2f8460 ignore-apk-tools-checksums.patch +b5998fb9f5308f0e9bcf92550bc58a79 tar-extract-pathname-bypass-CVE-2016-6321.patch" sha256sums="64ee8d88ec1b47a0961033493f919d27218c41b580138fd6802327462aff22f2 tar-1.28.tar.xz -4f6330e37e0540f8731256a65fd8ff6de475cf9e3ec9d0245b9dd21d7546713d ignore-apk-tools-checksums.patch" +4f6330e37e0540f8731256a65fd8ff6de475cf9e3ec9d0245b9dd21d7546713d ignore-apk-tools-checksums.patch +0fceab91f9f5a0669dbdc0642db17bfb9e892aacbfc73d5ec950a6a4d93d274f tar-extract-pathname-bypass-CVE-2016-6321.patch" sha512sums="0e590abb82ef0202a1f659012477c9ff30d035729b7df47c9c8604901fb0bcdd970386dbc9a6256df63cfd7e629617076fea6ce9735213218f69601daa76c486 tar-1.28.tar.xz -9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739 ignore-apk-tools-checksums.patch" +9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739 ignore-apk-tools-checksums.patch +abcbcf78b49980ad71476ab1960bf38717e85f73daeba312dcf91816096284387ea39949dc9ff981c02b6f6fd0a3bf6cb6d74133834af3cd61906b4daa06cc9f tar-extract-pathname-bypass-CVE-2016-6321.patch" diff --git a/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch b/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch new file mode 100644 index 0000000..36ab4ac --- /dev/null +++ b/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch 
@@ -0,0 +1,27 @@ +--- a/lib/paxnames.c ++++ b/lib/paxnames.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + + /* Hash tables of strings. */ +@@ -114,7 +115,15 @@ + for (p = file_name + prefix_len; *p; ) + { + if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2])) +- prefix_len = p + 2 - file_name; ++ { ++ static char const *const diagnostic[] = ++ { ++ N_("%s: Member name contains '..'"), ++ N_("%s: Hard link target contains '..'") ++ }; ++ FATAL_ERROR ((0, 0, _(diagnostic[link_target]), ++ quotearg_colon (file_name))); ++ } + + do + { -- 2.6.6 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
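Review bot: in the @@ -0,0 +1,27 @@ hunk that creates tar-extract-pathname-bypass-CVE-2016-6321.patch, the three context lines `+ #include` and the added line `++#include` carry no header name in the text as posted, and a bare `#include` does not compile, so please confirm that the checked-in patch file (the one the md5/sha256/sha512 entries in the checksum hunk were computed over) still names its headers and that the added include is the one that supplies the `quotearg_colon` and `N_`/`_` symbols used by the new FATAL_ERROR call. The same hunk also changes user-visible behaviour: where safer_name_suffix previously set `prefix_len = p + 2 - file_name` and went on, silently dropping a leading `..` component, it now aborts extraction with "Member name contains '..'" or "Hard link target contains '..'" (selected by indexing `diagnostic[]` with the `link_target` flag), so archives that used to extract with the component stripped will now fail outright; that is the intended hardening for CVE-2016-6321, but it should be stated in the commit body so users of main/tar on v3.3 are not surprised by the new failure mode.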
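Review bot: the commit message consists of the subject line alone, with the diffstat following the `---` directly; since the 27-line patch added under main/tar/ is a backport rather than the upstream release tarball, add a body that names the upstream tar commit or release the hunk was taken from, so a reviewer can diff the checked-in file against its source and tie the new sha512 entry in the @@ -49,8 +50,11 @@ hunk to a known origin.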