From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.3] main/tar: security upgrade - fixes #6399 Date: Tue, 6 Dec 2016 08:45:56 +0000 Message-Id: <1481013956-92-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.6.6 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-6321 --- main/tar/APKBUILD | 5 ++-- ...tar-extract-pathname-bypass-CVE-2016-6321.patch | 27 ++++++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD index be41c1a..3f60a60 100644 --- a/main/tar/APKBUILD +++ b/main/tar/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Carlo Landmeter pkgname=tar pkgver=1.28 -pkgrel=1 +pkgrel=2 pkgdesc="Utility used to store, backup, and transport files" url="http://www.gnu.org" arch="all" @@ -11,7 +11,8 @@ install= makedepends= source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz ignore-apk-tools-checksums.patch - " + tar-extract-pathname-bypass-CVE-2016-6321.patch + " subpackages="$pkgname-doc" _builddir="$srcdir/$pkgname-$pkgver" diff --git a/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch b/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch new file mode 100644 index 0000000..36ab4ac --- /dev/null +++ b/main/tar/tar-extract-pathname-bypass-CVE-2016-6321.patch 
@@ -0,0 +1,27 @@ +--- a/lib/paxnames.c ++++ b/lib/paxnames.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + + /* Hash tables of strings. */ +@@ -114,7 +115,15 @@ + for (p = file_name + prefix_len; *p; ) + { + if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2])) +- prefix_len = p + 2 - file_name; ++ { ++ static char const *const diagnostic[] = ++ { ++ N_("%s: Member name contains '..'"), ++ N_("%s: Hard link target contains '..'") ++ }; ++ FATAL_ERROR ((0, 0, _(diagnostic[link_target]), ++ quotearg_colon (file_name))); ++ } + + do + { -- 2.6.6 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
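Review bot: the `source=` hunk in main/tar/APKBUILD adds tar-extract-pathname-bypass-CVE-2016-6321.patch but no checksum line for the new file appears anywhere in the diff, and the diffstat (`main/tar/APKBUILD | 5 ++--`, three insertions and two deletions) accounts only for the pkgrel bump and the two source lines, so the checksum block at the end of the APKBUILD was left untouched and the build will fail verification of the new source file. Run `abuild checksum` in main/tar and include the regenerated checksum lines in this same commit.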
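Review bot: in the new patch file every `#include` line, including the added `+#include`, is shown with no header name after it, so the patch as it appears here would neither apply cleanly against lib/paxnames.c nor compile; please verify the file byte-for-byte against the upstream tar commit for CVE-2016-6321 before merging, and add a one-line header to the patch naming that upstream commit or bug so its provenance can be checked on the next rebase. Also worth stating in the commit message, which currently reads only "CVE-2016-6321": the replacement swaps the old `prefix_len = p + 2 - file_name;` stripping for a `FATAL_ERROR` inside the per-component loop, so any member name or hard-link target that contains a `..` component now aborts the whole extraction instead of being sanitised, which is a visible behaviour change for users of this package.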