diff options
| author |   Sam James <sam@gentoo.org> | 2022-10-18 20:11:52 +0100 |
|---|---|---|
| committer | Sam James <sam@gentoo.org> | 2022-10-18 20:12:00 +0100 |
| commit | a52ec56f85b11ee1faceddac7874666ad6d2b164 (patch) | |
| tree | 1174b565bd14d59bfc0d36da3c5e35ca271651e6 /app-arch/cpio | |
| parent | dev-java/gson: Stabilize 2.9.1 arm64, #877541 (diff) | |
| download | gentoo-a52ec56f85b11ee1faceddac7874666ad6d2b164.tar.gz gentoo-a52ec56f85b11ee1faceddac7874666ad6d2b164.tar.bz2 gentoo-a52ec56f85b11ee1faceddac7874666ad6d2b164.zip | |
app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames
At least we can have the fix for CVE-2021-38185.
Bug: https://bugs.gentoo.org/699456
Bug: https://bugs.gentoo.org/807088
Closes: https://bugs.gentoo.org/700020
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'app-arch/cpio')
| -rw-r--r-- | app-arch/cpio/cpio-2.13-r2.ebuild (renamed from app-arch/cpio/cpio-2.13-r1.ebuild) | 1 | ||||
| -rw-r--r-- | app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch | 47 |
2 files changed, 48 insertions, 0 deletions
diff --git a/app-arch/cpio/cpio-2.13-r1.ebuild b/app-arch/cpio/cpio-2.13-r2.ebuild index 6005349fe120..c3924649236b 100644 --- a/app-arch/cpio/cpio-2.13-r1.ebuild +++ b/app-arch/cpio/cpio-2.13-r2.ebuild @@ -19,6 +19,7 @@ PATCHES=( "${FILESDIR}"/${PN}-2.12-non-gnu-compilers.patch #275295 "${WORKDIR}"/${P}-CVE-2021-38185.patch "${FILESDIR}"/${PN}-2.13-sysmacros-glibc-2.26.patch + "${FILESDIR}"/${PN}-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch ) src_prepare() { diff --git a/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch new file mode 100644 index 000000000000..326489a54943 --- /dev/null +++ b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch @@ -0,0 +1,47 @@ +https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/ +https://bugs.gentoo.org/700020 + +From: Chris Lamb <lamby@debian.org> +Date: Sat, 1 Feb 2020 13:36:37 +0100 +Subject: Fix a regression in handling of CVE-2015-1197 & + --no-absolute-filenames. + +See: + + * https://bugs.debian.org/946267 + * https://bugs.debian.org/946469 + +This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des) + link_name = xstrdup (file_hdr->c_tar_linkname); + } + +- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false); +- + res = UMASKED_SYMLINK (link_name, file_hdr->c_name, + file_hdr->c_mode); + if (res < 0 && create_dir_flag) +--- a/tests/testsuite ++++ b/tests/testsuite +@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file" + #AT_START_14 + at_fn_group_banner 14 'CVE-2015-1197.at:17' \ + "CVE-2015-1197 (--no-absolute-filenames for symlinks)" "" +-at_xfail=no ++at_xfail=yes + ( + $as_echo "14. $at_setup_line: testing $at_desc ..." + $at_traceon + +--- a/tests/CVE-2015-1197.at ++++ b/tests/CVE-2015-1197.at +@@ -15,6 +15,7 @@ + # along with this program. If not, see <http://www.gnu.org/licenses/>. + + AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)]) ++AT_XFAIL_IF([true]) + AT_CHECK([ + tempdir=$(pwd)/tmp + mkdir $tempdir |