all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
blob 9e6ee653d18cee163e041bdae3192a439189872d 1515 bytes (raw)
name: gnu/packages/patches/tar-CVE-2016-6321.patch 	 # note: path name is non-authoritative(*)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
Fix CVE-2016-6321:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
https://security-tracker.debian.org/tracker/CVE-2016-6321

Patches copied from upstream source repository
(with modification to NEWS removed since it hunks out to a reject file):

http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d

From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
Date: Sat, 29 Oct 2016 21:04:40 -0700
Subject: [PATCH] When extracting, skip ".." members

* NEWS: Document this.
* src/extract.c (extract_archive): Skip members whose names
contain "..".
---
 NEWS          | 8 +++++++-
 src/extract.c | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/extract.c b/src/extract.c
index f982433..7904148 100644
--- a/src/extract.c
+++ b/src/extract.c
@@ -1629,12 +1629,20 @@ extract_archive (void)
 {
   char typeflag;
   tar_extractor_t fun;
+  bool skip_dotdot_name;
 
   fatal_exit_hook = extract_finish;
 
   set_next_block_after (current_header);
 
+  skip_dotdot_name = (!absolute_names_option
+		      && contains_dot_dot (current_stat_info.orig_file_name));
+  if (skip_dotdot_name)
+    ERROR ((0, 0, _("%s: Member name contains '..'"),
+	    quotearg_colon (current_stat_info.orig_file_name)));
+
   if (!current_stat_info.file_name[0]
+      || skip_dotdot_name
       || (interactive_option
 	  && !confirm ("extract", current_stat_info.file_name)))
     {
-- 
2.11.0


debug log:

solving 9e6ee653d ...
found 9e6ee653d in https://yhetil.org/guix/87tw9km9ht.fsf@gmail.com/ ||
	https://yhetil.org/guix/87h95kplte.fsf@gmail.com/

applying [1/1] https://yhetil.org/guix/87tw9km9ht.fsf@gmail.com/
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 000000000..9e6ee653d

1:39: trailing whitespace.
 
1:41: trailing whitespace.
 
1:43: trailing whitespace.
 
1:53: space before tab in indent.
 	  && !confirm ("extract", current_stat_info.file_name)))
1:55: trailing whitespace.
-- 
Checking patch gnu/packages/patches/tar-CVE-2016-6321.patch...
Applied patch gnu/packages/patches/tar-CVE-2016-6321.patch cleanly.
warning: squelched 1 whitespace error
warning: 6 lines add whitespace errors.

skipping https://yhetil.org/guix/87h95kplte.fsf@gmail.com/ for 9e6ee653d
index at:
100644 9e6ee653d18cee163e041bdae3192a439189872d	gnu/packages/patches/tar-CVE-2016-6321.patch

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.