From bb9888004962170410b5f8f00a0cbfb7aec71097 Mon Sep 17 00:00:00 2001
From: Fredrik Rinnestam
Date: Tue, 13 Feb 2018 00:11:55 +0100
Subject: [PATCH 1/2] cpio: added patch for CVE-2017-7516. Closes FS#1573

Report and patch from Lee (thanks!)
---
 cpio/.md5sum | 1 +
 cpio/.signature | 5 +++--
 cpio/CVE-2017-7516.patch | 12 ++++++++++++
 cpio/Pkgfile | 6 ++++--
 4 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 cpio/CVE-2017-7516.patch

diff --git a/cpio/.md5sum b/cpio/.md5sum
index c087492d..dccd7d8d 100644
--- a/cpio/.md5sum
+++ b/cpio/.md5sum
@@ -1 +1,2 @@
+c45d7e0ab5109dc26c8bca7d593e2624 CVE-2017-7516.patch
 93eea9f07c0058c097891c73e4955456 cpio-2.12.tar.bz2
diff --git a/cpio/.signature b/cpio/.signature
index cc2c75f9..a6c43afd 100644
--- a/cpio/.signature
+++ b/cpio/.signature
@@ -1,5 +1,6 @@
 untrusted comment: verify with /etc/ports/core.pub
-RWRJc1FUaeVeqsrY8VOofGawyitEznnklayOnTQil4r0n4a5rZW8mp6gJDxk9F9RmjsBcsUXxgEcrJaRoIxSDLHgT3E2FpZpOwA=
-SHA256 (Pkgfile) = b2951e2caa40ccef2923f69c90b1c119ae06cd92bf40df48d98676c46b234080
+RWRJc1FUaeVeqkRVNaDIKJMoDe/Jh69kKy4ow1rZErb45aghcXR7jJADvsDsZS3ZAnPH5jxAEdEOSOWRILmgkU+Aed5jDL/iZAo=
+SHA256 (Pkgfile) = ee5f0427d665184287623c2cdbc55f3e83cccb9e55695a57c38f50c82ce8a136
 SHA256 (.footprint) = 26cfb1dd44c5356afcdba7aa054685d535b15b4ab96897ad7bd24a6c9a14b9fe
 SHA256 (cpio-2.12.tar.bz2) = 70998c5816ace8407c8b101c9ba1ffd3ebbecba1f5031046893307580ec1296e
+SHA256 (CVE-2017-7516.patch) = 8f65ddc3cd60b1bef5032b1a4bc53f17f1c01f1b2d11c4809f3fd29dd9f3a3fa
diff --git a/cpio/CVE-2017-7516.patch b/cpio/CVE-2017-7516.patch
new file mode 100644
index 00000000..cb17a306
--- /dev/null
+++ b/cpio/CVE-2017-7516.patch
@@ -0,0 +1,12 @@
+diff --git a/src/copyin.c b/src/copyin.c
+index ba887ae..38ca70e 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -645,6 +645,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+ link_name = xstrdup (file_hdr->c_tar_linkname);
+ }
+ 
++ cpio_safer_name_suffix (link_name, false, !no_abs_paths_flag, false);
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
+ if (res < 0 && create_dir_flag)
diff --git a/cpio/Pkgfile b/cpio/Pkgfile
index 2095a012..275aff0a 100644
--- a/cpio/Pkgfile
+++ b/cpio/Pkgfile
@@ -4,11 +4,13 @@
 
 name=cpio
 version=2.12
-release=1
-source=(http://ftpmirror.gnu.org/gnu/$name/$name-$version.tar.bz2)
+release=2
+source=(http://ftpmirror.gnu.org/gnu/$name/$name-$version.tar.bz2 \
+ CVE-2017-7516.patch)
 
 build() {
 cd $name-$version
+ patch -p1 -i $SRC/CVE-2017-7516.patch
 ./configure --prefix=/usr \
 --disable-nls
 make

From 7f8398caf85d0a0d37c4cd77fd399e841ba00ea3 Mon Sep 17 00:00:00 2001
From: Fredrik Rinnestam
Date: Wed, 14 Feb 2018 17:20:47 +0100
Subject: [PATCH 2/2] pkgutils: updated to 5.40.7

---
 pkgutils/.md5sum | 2 +-
 pkgutils/.signature | 6 +++---
 pkgutils/Pkgfile | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkgutils/.md5sum b/pkgutils/.md5sum
index 25889f1d..bb5206f7 100644
--- a/pkgutils/.md5sum
+++ b/pkgutils/.md5sum
@@ -1 +1 @@
-451af98d3c02add9e4ae2a5362cc2e5d pkgutils-5.40.6.tar.xz
+526c897cb2ba8f1659545608fe629cab pkgutils-5.40.7.tar.xz
diff --git a/pkgutils/.signature b/pkgutils/.signature
index 7769d622..f2df90f9 100644
--- a/pkgutils/.signature
+++ b/pkgutils/.signature
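Review bot: The new patch file has no provenance header: its first line is already `+diff --git a/src/copyin.c b/src/copyin.c`, so the CVE id, the FS#1573 reference and the "patch from Lee" origin live only in this commit message and not in the file that ships with the port. Since `patch` ignores text before the first hunk, I would add a short plain-text preamble above the `diff --git` line stating the CVE, the tracker id and where the hunk came from, so the next maintainer can compare it against the upstream fix when cpio is bumped and the patch is dropped. The sanitiser call `cpio_safer_name_suffix (link_name, false, !no_abs_paths_flag, false);` is placed after the closing `}` of the preceding branch, so it appears to cover both ways link_name is obtained, but copyin_link begins and ends outside the hunk, so that and the handling of link_name on the error path below cannot be confirmed here.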
@@ -1,5 +1,5 @@
 untrusted comment: verify with /etc/ports/core.pub
-RWRJc1FUaeVeqiBVYcQEKebjW5C3sNYaGiyNjKwImziDWWnqdCwtGbgS6YRJP85A0WMYDkOM6NUTpeH7YtQjm1uK7+W8QLRXtQY=
-SHA256 (Pkgfile) = f7cd11013d290eab4ade5adeb8585a1da8343c64d976aeb1e8ea805ce91d78af
+RWRJc1FUaeVeqqlQj7XN/l45xBoFqizvx3Tz+3bhTzPSU327iHrIiJTIl2xTpn1Wimhqa1PivCEn1t63Fne4DmCBu8arevcfugY=
+SHA256 (Pkgfile) = 278a4ea635ecfe281ed1f2b0b9522fba1ab76daf20c0e1c77d5f198cd4d8f5df
 SHA256 (.footprint) = e7d863393a07a29b512a2b627a65f731d8896bf0ee75cf430a9b1423716ae437
-SHA256 (pkgutils-5.40.6.tar.xz) = df4bde49c772380c9fceedfa6f5a6869cc46db6626de02723075c2479e14eed9
+SHA256 (pkgutils-5.40.7.tar.xz) = ee9e3e7258983ffabe5959736e8f029c02b0ea1037b2bb588a88daafcda0fafc
diff --git a/pkgutils/Pkgfile b/pkgutils/Pkgfile
index 65a46ef2..ed3a35d2 100644
--- a/pkgutils/Pkgfile
+++ b/pkgutils/Pkgfile
@@ -4,7 +4,7 @@
 # Depends on: libarchive
 
 name=pkgutils
-version=5.40.6
+version=5.40.7
 release=1
 source=(http://crux.nu/files/$name-$version.tar.xz)