diff options
Diffstat (limited to 'gnu/packages/patches')
8 files changed, 79 insertions, 690 deletions
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch deleted file mode 100644 index 1f3cb028d4..0000000000 --- a/gnu/packages/patches/flex-CVE-2016-6354.patch +++ /dev/null @@ -1,30 +0,0 @@ -Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354 -https://security-tracker.debian.org/tracker/CVE-2016-6354 - -Patch copied from upstream source repository: -https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466 - -From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001 -From: Will Estes <westes575@gmail.com> -Date: Sat, 27 Feb 2016 11:56:05 -0500 -Subject: [PATCH] Fixed incorrect integer type - ---- - src/flex.skl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/flex.skl b/src/flex.skl -index 36a526a..64f853d 100644 ---- a/src/flex.skl -+++ b/src/flex.skl -@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer() - - else - { -- yy_size_t num_to_read = -+ int num_to_read = - YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; - - while ( num_to_read <= 0 ) diff --git a/gnu/packages/patches/gcc-libiberty-printf-decl.patch b/gnu/packages/patches/gcc-libiberty-printf-decl.patch new file mode 100644 index 0000000000..a612c9e00e --- /dev/null +++ b/gnu/packages/patches/gcc-libiberty-printf-decl.patch @@ -0,0 +1,28 @@ +This patch makes the exeception specifier of libiberty's 'asprintf' +and 'vasprintf' declarations match those of glibc to work around the +problem described at <https://gcc.gnu.org/ml/gcc-help/2016-04/msg00039.html>. + +The problem in part stems from the fact that libiberty is configured +without _GNU_SOURCE (thus, it sets HAVE_DECL_ASPRINTF to 0), whereas libcc1 +is configured and built with _GNU_SOURCE, hence the conflicting declarations. + +--- gcc-5.3.0/include/libiberty.h 2016-04-23 22:45:46.262709079 +0200 ++++ gcc-5.3.0/include/libiberty.h 2016-04-23 22:45:37.110635439 +0200 +@@ -625,7 +625,7 @@ extern int pwait (int, int *, int); + /* Like sprintf but provides a pointer to malloc'd storage, which must + be freed by the caller. */ + +-extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2; ++extern int asprintf (char **, const char *, ...) __THROWNL ATTRIBUTE_PRINTF_2; + #endif + + /* Like asprintf but allocates memory without fail. This works like +@@ -637,7 +637,7 @@ extern char *xasprintf (const char *, .. + /* Like vsprintf but provides a pointer to malloc'd storage, which + must be freed by the caller. */ + +-extern int vasprintf (char **, const char *, va_list) ATTRIBUTE_PRINTF(2,0); ++extern int vasprintf (char **, const char *, va_list) __THROWNL ATTRIBUTE_PRINTF(2,0); + #endif + + /* Like vasprintf but allocates memory without fail. This works like diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch deleted file mode 100644 index bef628f0a8..0000000000 --- a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch +++ /dev/null @@ -1,77 +0,0 @@ -Fix buffer overflow reading 7Zip files: - -https://github.com/libarchive/libarchive/issues/761 - -Patch copied from upstream repository: - -https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126 - -From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001 -From: Tim Kientzle <kientzle@acm.org> -Date: Sun, 18 Sep 2016 18:14:58 -0700 -Subject: [PATCH] Issue 761: Heap overflow reading corrupted 7Zip files - -The sample file that demonstrated this had multiple 'EmptyStream' -attributes. The first one ended up being used to calculate -certain statistics, then was overwritten by the second which -was incompatible with those statistics. - -The fix here is to reject any header with multiple EmptyStream -attributes. While here, also reject headers with multiple -EmptyFile, AntiFile, Name, or Attributes markers. ---- - libarchive/archive_read_support_format_7zip.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c -index 1dfe52b..c0a536c 100644 ---- a/libarchive/archive_read_support_format_7zip.c -+++ b/libarchive/archive_read_support_format_7zip.c -@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - - switch (type) { - case kEmptyStream: -+ if (h->emptyStreamBools != NULL) -+ return (-1); - h->emptyStreamBools = calloc((size_t)zip->numFiles, - sizeof(*h->emptyStreamBools)); - if (h->emptyStreamBools == NULL) -@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - return (-1); - break; - } -+ if (h->emptyFileBools != NULL) -+ return (-1); - h->emptyFileBools = calloc(empty_streams, - sizeof(*h->emptyFileBools)); - if (h->emptyFileBools == NULL) -@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - return (-1); - break; - } -+ if (h->antiBools != NULL) -+ return (-1); - h->antiBools = calloc(empty_streams, - sizeof(*h->antiBools)); - if (h->antiBools == NULL) -@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - if ((ll & 1) || ll < zip->numFiles * 4) - return (-1); - -+ if (zip->entry_names != NULL) -+ return (-1); - zip->entry_names = malloc(ll); - if (zip->entry_names == NULL) - return (-1); -@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h, - if ((p = header_bytes(a, 2)) == NULL) - return (-1); - allAreDefined = *p; -+ if (h->attrBools != NULL) -+ return (-1); - h->attrBools = calloc((size_t)zip->numFiles, - sizeof(*h->attrBools)); - if (h->attrBools == NULL) --- -2.10.0 - diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch deleted file mode 100644 index bce63d5e4e..0000000000 --- a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch +++ /dev/null @@ -1,445 +0,0 @@ -This patch fixes two bugs that allow attackers to overwrite or change -the permissions of arbitrary files: - -https://github.com/libarchive/libarchive/issues/745 -https://github.com/libarchive/libarchive/issues/746 - -Patch copied from upstream repository: - -https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9 - -From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001 -From: Tim Kientzle <kientzle@acm.org> -Date: Sun, 11 Sep 2016 13:21:57 -0700 -Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert. - ---- - libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++-------- - 1 file changed, 227 insertions(+), 67 deletions(-) - -diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c -index 8f0421e..abe1a86 100644 ---- a/libarchive/archive_write_disk_posix.c -+++ b/libarchive/archive_write_disk_posix.c -@@ -326,12 +326,14 @@ struct archive_write_disk { - - #define HFS_BLOCKS(s) ((s) >> 12) - -+static int check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags); - static int check_symlinks(struct archive_write_disk *); - static int create_filesystem_object(struct archive_write_disk *); - static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname); - #if defined(HAVE_FCHDIR) && defined(PATH_MAX) - static void edit_deep_directories(struct archive_write_disk *ad); - #endif -+static int cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags); - static int cleanup_pathname(struct archive_write_disk *); - static int create_dir(struct archive_write_disk *, char *); - static int create_parent_dir(struct archive_write_disk *, char *); -@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a) - const char *linkname; - mode_t final_mode, mode; - int r; -+ /* these for check_symlinks_fsobj */ -+ char *linkname_copy; /* non-const copy of linkname */ -+ struct archive_string error_string; -+ int error_number; - - /* We identify hard/symlinks according to the link names. */ - /* Since link(2) and symlink(2) don't handle modes, we're done here. */ -@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a) - #if !HAVE_LINK - return (EPERM); - #else -+ archive_string_init(&error_string); -+ linkname_copy = strdup(linkname); -+ if (linkname_copy == NULL) { -+ return (EPERM); -+ } -+ /* TODO: consider using the cleaned-up path as the link target? */ -+ r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags); -+ if (r != ARCHIVE_OK) { -+ archive_set_error(&a->archive, error_number, "%s", error_string.s); -+ free(linkname_copy); -+ /* EPERM is more appropriate than error_number for our callers */ -+ return (EPERM); -+ } -+ r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags); -+ if (r != ARCHIVE_OK) { -+ archive_set_error(&a->archive, error_number, "%s", error_string.s); -+ free(linkname_copy); -+ /* EPERM is more appropriate than error_number for our callers */ -+ return (EPERM); -+ } -+ free(linkname_copy); - r = link(linkname, a->name) ? errno : 0; - /* - * New cpio and pax formats allow hardlink entries -@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname) - * recent paths. - */ - /* TODO: Extend this to support symlinks on Windows Vista and later. */ -+ -+/* -+ * Checks the given path to see if any elements along it are symlinks. Returns -+ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg. -+ */ - static int --check_symlinks(struct archive_write_disk *a) -+check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags) - { - #if !defined(HAVE_LSTAT) - /* Platform doesn't have lstat, so we can't look for symlinks. */ - (void)a; /* UNUSED */ -+ (void)path; /* UNUSED */ -+ (void)error_number; /* UNUSED */ -+ (void)error_string; /* UNUSED */ -+ (void)flags; /* UNUSED */ - return (ARCHIVE_OK); - #else -- char *pn; -+ int res = ARCHIVE_OK; -+ char *tail; -+ char *head; -+ int last; - char c; - int r; - struct stat st; -+ int restore_pwd; -+ -+ /* Nothing to do here if name is empty */ -+ if(path[0] == '\0') -+ return (ARCHIVE_OK); - - /* - * Guard against symlink tricks. Reject any archive entry whose - * destination would be altered by a symlink. -+ * -+ * Walk the filename in chunks separated by '/'. For each segment: -+ * - if it doesn't exist, continue -+ * - if it's symlink, abort or remove it -+ * - if it's a directory and it's not the last chunk, cd into it -+ * As we go: -+ * head points to the current (relative) path -+ * tail points to the temporary \0 terminating the segment we're currently examining -+ * c holds what used to be in *tail -+ * last is 1 if this is the last tail - */ -- /* Whatever we checked last time doesn't need to be re-checked. */ -- pn = a->name; -- if (archive_strlen(&(a->path_safe)) > 0) { -- char *p = a->path_safe.s; -- while ((*pn != '\0') && (*p == *pn)) -- ++p, ++pn; -- } -+ restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC); -+ __archive_ensure_cloexec_flag(restore_pwd); -+ if (restore_pwd < 0) -+ return (ARCHIVE_FATAL); -+ head = path; -+ tail = path; -+ last = 0; -+ /* TODO: reintroduce a safe cache here? */ - /* Skip the root directory if the path is absolute. */ -- if(pn == a->name && pn[0] == '/') -- ++pn; -- c = pn[0]; -- /* Keep going until we've checked the entire name. */ -- while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) { -+ if(tail == path && tail[0] == '/') -+ ++tail; -+ /* Keep going until we've checked the entire name. -+ * head, tail, path all alias the same string, which is -+ * temporarily zeroed at tail, so be careful restoring the -+ * stashed (c=tail[0]) for error messages. -+ * Exiting the loop with break is okay; continue is not. -+ */ -+ while (!last) { -+ /* Skip the separator we just consumed, plus any adjacent ones */ -+ while (*tail == '/') -+ ++tail; - /* Skip the next path element. */ -- while (*pn != '\0' && *pn != '/') -- ++pn; -- c = pn[0]; -- pn[0] = '\0'; -+ while (*tail != '\0' && *tail != '/') -+ ++tail; -+ /* is this the last path component? */ -+ last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0'); -+ /* temporarily truncate the string here */ -+ c = tail[0]; -+ tail[0] = '\0'; - /* Check that we haven't hit a symlink. */ -- r = lstat(a->name, &st); -+ r = lstat(head, &st); - if (r != 0) { -+ tail[0] = c; - /* We've hit a dir that doesn't exist; stop now. */ - if (errno == ENOENT) { - break; - } else { -- /* Note: This effectively disables deep directory -+ /* Treat any other error as fatal - best to be paranoid here -+ * Note: This effectively disables deep directory - * support when security checks are enabled. - * Otherwise, very long pathnames that trigger - * an error here could evade the sandbox. - * TODO: We could do better, but it would probably - * require merging the symlink checks with the - * deep-directory editing. */ -- return (ARCHIVE_FAILED); -+ if (error_number) *error_number = errno; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Could not stat %s", -+ path); -+ res = ARCHIVE_FAILED; -+ break; -+ } -+ } else if (S_ISDIR(st.st_mode)) { -+ if (!last) { -+ if (chdir(head) != 0) { -+ tail[0] = c; -+ if (error_number) *error_number = errno; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Could not chdir %s", -+ path); -+ res = (ARCHIVE_FATAL); -+ break; -+ } -+ /* Our view is now from inside this dir: */ -+ head = tail + 1; - } - } else if (S_ISLNK(st.st_mode)) { -- if (c == '\0') { -+ if (last) { - /* - * Last element is symlink; remove it - * so we can overwrite it with the - * item being extracted. - */ -- if (unlink(a->name)) { -- archive_set_error(&a->archive, errno, -- "Could not remove symlink %s", -- a->name); -- pn[0] = c; -- return (ARCHIVE_FAILED); -+ if (unlink(head)) { -+ tail[0] = c; -+ if (error_number) *error_number = errno; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Could not remove symlink %s", -+ path); -+ res = ARCHIVE_FAILED; -+ break; - } -- a->pst = NULL; - /* - * Even if we did remove it, a warning - * is in order. The warning is silly, - * though, if we're just replacing one - * symlink with another symlink. - */ -- if (!S_ISLNK(a->mode)) { -- archive_set_error(&a->archive, 0, -- "Removing symlink %s", -- a->name); -+ tail[0] = c; -+ /* FIXME: not sure how important this is to restore -+ if (!S_ISLNK(path)) { -+ if (error_number) *error_number = 0; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Removing symlink %s", -+ path); - } -+ */ - /* Symlink gone. No more problem! */ -- pn[0] = c; -- return (0); -- } else if (a->flags & ARCHIVE_EXTRACT_UNLINK) { -+ res = ARCHIVE_OK; -+ break; -+ } else if (flags & ARCHIVE_EXTRACT_UNLINK) { - /* User asked us to remove problems. */ -- if (unlink(a->name) != 0) { -- archive_set_error(&a->archive, 0, -- "Cannot remove intervening symlink %s", -- a->name); -- pn[0] = c; -- return (ARCHIVE_FAILED); -+ if (unlink(head) != 0) { -+ tail[0] = c; -+ if (error_number) *error_number = 0; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Cannot remove intervening symlink %s", -+ path); -+ res = ARCHIVE_FAILED; -+ break; - } -- a->pst = NULL; -+ tail[0] = c; - } else { -- archive_set_error(&a->archive, 0, -- "Cannot extract through symlink %s", -- a->name); -- pn[0] = c; -- return (ARCHIVE_FAILED); -+ tail[0] = c; -+ if (error_number) *error_number = 0; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Cannot extract through symlink %s", -+ path); -+ res = ARCHIVE_FAILED; -+ break; - } - } -- pn[0] = c; -- if (pn[0] != '\0') -- pn++; /* Advance to the next segment. */ -+ /* be sure to always maintain this */ -+ tail[0] = c; -+ if (tail[0] != '\0') -+ tail++; /* Advance to the next segment. */ - } -- pn[0] = c; -- /* We've checked and/or cleaned the whole path, so remember it. */ -- archive_strcpy(&a->path_safe, a->name); -- return (ARCHIVE_OK); -+ /* Catches loop exits via break */ -+ tail[0] = c; -+#ifdef HAVE_FCHDIR -+ /* If we changed directory above, restore it here. */ -+ if (restore_pwd >= 0) { -+ r = fchdir(restore_pwd); -+ if (r != 0) { -+ if(error_number) *error_number = errno; -+ if(error_string) -+ archive_string_sprintf(error_string, -+ "chdir() failure"); -+ } -+ close(restore_pwd); -+ restore_pwd = -1; -+ if (r != 0) { -+ res = (ARCHIVE_FATAL); -+ } -+ } -+#endif -+ /* TODO: reintroduce a safe cache here? */ -+ return res; - #endif - } - -+/* -+ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise -+ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED} -+ */ -+static int -+check_symlinks(struct archive_write_disk *a) -+{ -+ struct archive_string error_string; -+ int error_number; -+ int rc; -+ archive_string_init(&error_string); -+ rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags); -+ if (rc != ARCHIVE_OK) { -+ archive_set_error(&a->archive, error_number, "%s", error_string.s); -+ } -+ archive_string_free(&error_string); -+ a->pst = NULL; /* to be safe */ -+ return rc; -+} -+ -+ - #if defined(__CYGWIN__) - /* - * 1. Convert a path separator from '\' to '/' . -@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a) - * is set) if the path is absolute. - */ - static int --cleanup_pathname(struct archive_write_disk *a) -+cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags) - { - char *dest, *src; - char separator = '\0'; - -- dest = src = a->name; -+ dest = src = path; - if (*src == '\0') { -- archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, -- "Invalid empty pathname"); -+ if (error_number) *error_number = ARCHIVE_ERRNO_MISC; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Invalid empty pathname"); - return (ARCHIVE_FAILED); - } - -@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a) - #endif - /* Skip leading '/'. */ - if (*src == '/') { -- if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) { -- archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, -- "Path is absolute"); -+ if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) { -+ if (error_number) *error_number = ARCHIVE_ERRNO_MISC; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Path is absolute"); - return (ARCHIVE_FAILED); - } - -@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a) - } else if (src[1] == '.') { - if (src[2] == '/' || src[2] == '\0') { - /* Conditionally warn about '..' */ -- if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) { -- archive_set_error(&a->archive, -- ARCHIVE_ERRNO_MISC, -- "Path contains '..'"); -+ if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) { -+ if (error_number) *error_number = ARCHIVE_ERRNO_MISC; -+ if (error_string) -+ archive_string_sprintf(error_string, -+ "Path contains '..'"); - return (ARCHIVE_FAILED); - } - } -@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a) - * We've just copied zero or more path elements, not including the - * final '/'. - */ -- if (dest == a->name) { -+ if (dest == path) { - /* - * Nothing got copied. The path must have been something - * like '.' or '/' or './' or '/././././/./'. -@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a) - return (ARCHIVE_OK); - } - -+static int -+cleanup_pathname(struct archive_write_disk *a) -+{ -+ struct archive_string error_string; -+ int error_number; -+ int rc; -+ archive_string_init(&error_string); -+ rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags); -+ if (rc != ARCHIVE_OK) { -+ archive_set_error(&a->archive, error_number, "%s", error_string.s); -+ } -+ archive_string_free(&error_string); -+ return rc; -+} -+ - /* - * Create the parent directory of the specified path, assuming path - * is already in mutable storage. diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch deleted file mode 100644 index f042c31a84..0000000000 --- a/gnu/packages/patches/libarchive-fix-symlink-check.patch +++ /dev/null @@ -1,60 +0,0 @@ -Make sure to check for symlinks even if the pathname is very long: - -https://github.com/libarchive/libarchive/issues/744 - -Patch copied from upstream repository: - -https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a - -From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001 -From: Tim Kientzle <kientzle@acm.org> -Date: Sun, 21 Aug 2016 17:11:45 -0700 -Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very - long pathnames - -Because check_symlinks is handled separately from the deep-directory -support, very long pathnames cause problems. Previously, the code -ignored most failures to lstat() a path component. In particular, -this led to check_symlinks always passing for very long paths, which -in turn provides a way to evade the symlink checks in the sandboxing -code. - -We now fail on unrecognized lstat() failures, which plugs this -hole at the cost of disabling deep directory support when the -user requests sandboxing. - -TODO: This probably cannot be completely fixed without -entirely reimplementing the deep directory support to -integrate the symlink checks. I want to reimplement the -deep directory hanlding someday anyway; openat() and -related system calls now provide a much cleaner way to -handle deep directories than the chdir approach used by this -code. ---- - libarchive/archive_write_disk_posix.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c -index 39ee3b6..8f0421e 100644 ---- a/libarchive/archive_write_disk_posix.c -+++ b/libarchive/archive_write_disk_posix.c -@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a) - r = lstat(a->name, &st); - if (r != 0) { - /* We've hit a dir that doesn't exist; stop now. */ -- if (errno == ENOENT) -+ if (errno == ENOENT) { - break; -+ } else { -+ /* Note: This effectively disables deep directory -+ * support when security checks are enabled. -+ * Otherwise, very long pathnames that trigger -+ * an error here could evade the sandbox. -+ * TODO: We could do better, but it would probably -+ * require merging the symlink checks with the -+ * deep-directory editing. */ -+ return (ARCHIVE_FAILED); -+ } - } else if (S_ISLNK(st.st_mode)) { - if (c == '\0') { - /* diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch deleted file mode 100644 index 0e70ac90ce..0000000000 --- a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch +++ /dev/null @@ -1,44 +0,0 @@ -Fixes this buffer overflow: -https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a - -Patch copied from upstream source repository: -https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a - -From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001 -From: Tim Kientzle <kientzle@acm.org> -Date: Sun, 21 Aug 2016 10:51:43 -0700 -Subject: [PATCH] Issue #767: Buffer overflow printing a filename - -The safe_fprintf function attempts to ensure clean output for an -arbitrary sequence of bytes by doing a trial conversion of the -multibyte characters to wide characters -- if the resulting wide -character is printable then we pass through the corresponding bytes -unaltered, otherwise, we convert them to C-style ASCII escapes. - -The stack trace in Issue #767 suggest that the 20-byte buffer -was getting overflowed trying to format a non-printable multibyte -character. This should only happen if there is a valid multibyte -character of more than 5 bytes that was unprintable. (Each byte -would get expanded to a four-charcter octal-style escape of the form -"\123" resulting in >20 characters for the >5 byte multibyte character.) - -I've not been able to reproduce this, but have expanded the conversion -buffer to 128 bytes on the belief that no multibyte character set -has a single character of more than 32 bytes. ---- - tar/util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tar/util.c b/tar/util.c -index 9ff22f2..2b4aebe 100644 ---- a/tar/util.c -+++ b/tar/util.c -@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...) - } - - /* If our output buffer is full, dump it and keep going. */ -- if (i > (sizeof(outbuff) - 20)) { -+ if (i > (sizeof(outbuff) - 128)) { - outbuff[i] = '\0'; - fprintf(f, "%s", outbuff); - i = 0; diff --git a/gnu/packages/patches/sed-hurd-path-max.patch b/gnu/packages/patches/sed-hurd-path-max.patch deleted file mode 100644 index 5226cba4cb..0000000000 --- a/gnu/packages/patches/sed-hurd-path-max.patch +++ /dev/null @@ -1,34 +0,0 @@ -7bb8d35d0330161a5af5341471d0c183a067e8c2 -Author: Jose E. Marchesi <jemarch@gnu.org> -Date: Sun Oct 6 14:43:38 2013 +0200 - - Set PATH_MAX to some constant in case it is not defined in system - headers. - - 2013-10-06 Jose E. Marchesi <jemarch@gnu.org> - - * basicdefs.h (PATH_MAX): Defined to some constant in case it is - not defined by system headers. - * sed/utils.c: Do not include pathmax.h anymore. - * bootstrap.conf (gnulib_modules): Do not use the gnulib module - pathmax. - -diff --git a/basicdefs.h b/basicdefs.h -index 0d28a97..09f5beb 100644 ---- a/basicdefs.h -+++ b/basicdefs.h -@@ -40,6 +41,13 @@ typedef unsigned long countT; - #define obstack_chunk_alloc ck_malloc - #define obstack_chunk_free free - -+/* MAX_PATH is not defined in some platforms, most notably GNU/Hurd. -+ In that case we define it here to some constant. Note however that -+ this relies in the fact that sed does reallocation if a buffer -+ needs to be larger than PATH_MAX. */ -+#ifndef PATH_MAX -+# define PATH_MAX 200 -+#endif - - /* handle misdesigned <ctype.h> macros (snarfed from lib/regex.c) */ - /* Jim Meyering writes: - diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch new file mode 100644 index 0000000000..b79be9bc94 --- /dev/null +++ b/gnu/packages/patches/tar-CVE-2016-6321.patch @@ -0,0 +1,51 @@ +Fix CVE-2016-6321: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321 +https://security-tracker.debian.org/tracker/CVE-2016-6321 + +Patch adapted from upstream source repository (the changes to 'NEWS' +don't apply to the Tar 1.29 release tarball). + +http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d + +From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU> +Date: Sat, 29 Oct 2016 21:04:40 -0700 +Subject: [PATCH] When extracting, skip ".." members + +* NEWS: Document this. +* src/extract.c (extract_archive): Skip members whose names +contain "..". +--- + NEWS | 8 +++++++- + src/extract.c | 8 ++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/extract.c b/src/extract.c +index f982433..7904148 100644 +--- a/src/extract.c ++++ b/src/extract.c +@@ -1629,12 +1629,20 @@ extract_archive (void) + { + char typeflag; + tar_extractor_t fun; ++ bool skip_dotdot_name; + + fatal_exit_hook = extract_finish; + + set_next_block_after (current_header); + ++ skip_dotdot_name = (!absolute_names_option ++ && contains_dot_dot (current_stat_info.orig_file_name)); ++ if (skip_dotdot_name) ++ ERROR ((0, 0, _("%s: Member name contains '..'"), ++ quotearg_colon (current_stat_info.orig_file_name))); ++ + if (!current_stat_info.file_name[0] ++ || skip_dotdot_name + || (interactive_option + && !confirm ("extract", current_stat_info.file_name))) + { +-- +2.11.0 + |