From: Daniel Sabogal <dsabogalcc@gmail.com>
To: alpine-aports@lists.alpinelinux.org
Subject: [alpine-aports] [PATCH v2] main/tar: fix for CVE-2016-6321
Date: Tue,  1 Nov 2016 10:54:37 -0400
Message-Id: <20161101145437.11018-1-dsabogalcc@gmail.com>
Precedence: list

Upstream patch without the changes to the NEWS file.
---
v2 keeps the commit header for CVE-2016-6321.patch

 main/tar/APKBUILD            |  6 +++++-
 main/tar/CVE-2016-6321.patch | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 main/tar/CVE-2016-6321.patch

diff --git a/main/tar/APKBUILD b/main/tar/APKBUILD
index ac9a9b4..2a935ca 100644
--- a/main/tar/APKBUILD
+++ b/main/tar/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=tar
 pkgver=1.29
-pkgrel=0
+pkgrel=1
 pkgdesc="Utility used to store, backup, and transport files"
 url="http://www.gnu.org"
 arch="all"
@@ -11,6 +11,7 @@ install=""
 makedepends=""
 subpackages="$pkgname-doc"
 source="ftp://ftp.gnu.org/gnu/tar/$pkgname-$pkgver.tar.xz
+	CVE-2016-6321.patch
 	ignore-apk-tools-checksums.patch"
 
 _builddir="$srcdir/$pkgname-$pkgver"
@@ -49,8 +50,11 @@ package() {
 }
 
 md5sums="a1802fec550baaeecff6c381629653ef  tar-1.29.tar.xz
+7a8c4416b6f8e325d78155b56fdec62b  CVE-2016-6321.patch
 2c4c807811c4ba827f4510dc2a2f8460  ignore-apk-tools-checksums.patch"
 sha256sums="402dcfd0022fd7a1f2c5611f5c61af1cd84910a760a44a688e18ddbff4e9f024  tar-1.29.tar.xz
+d951145580cf4c15b2c0b4f9e71bf00a3ef180bd1b9e61482ca667af85b0d27e  CVE-2016-6321.patch
 4f6330e37e0540f8731256a65fd8ff6de475cf9e3ec9d0245b9dd21d7546713d  ignore-apk-tools-checksums.patch"
 sha512sums="7249689176bd9e4e842e1e363c3f5867d9d4db9ec082ba59805047091e89de22a67153a366c23bdc1e53a3fb154df1c19a5bc1fa88267333724c5bc11bd27329  tar-1.29.tar.xz
+dd3802066a36e8f59d927e6cce013dfdfa194413f1795a007be0894057e8eadce79d17d24c8b49ac89fd11b7e6a32a84c89bbd58ef9f5471a66e023a4060d7e7  CVE-2016-6321.patch
 9cde0f1509328bc5fe2cb46642b53c7681c548cf28a2fb83eda7e9374c9c0ad27a0cd55b9c0cc93951def58dafa55ee71cace5493ddcb7966ee94dc5f1099739  ignore-apk-tools-checksums.patch"
diff --git a/main/tar/CVE-2016-6321.patch b/main/tar/CVE-2016-6321.patch
new file mode 100644
index 0000000..d2f5a07
--- /dev/null
+++ b/main/tar/CVE-2016-6321.patch
@@ -0,0 +1,37 @@
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ src/extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
-- 
2.10.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---