[145935] trunk/dports/archivers/cpio
cal at macports.org
Sun Feb 21 09:52:59 PST 2016
Revision: 145935
https://trac.macports.org/changeset/145935
Author: cal at macports.org
Date: 2016-02-21 09:52:59 -0800 (Sun, 21 Feb 2016)
Log Message:
-----------
cpio: 2.12, fix CVE-2016-2037, ignoring maintainer
Update cpio to 2.12 and apply a patch to fix CVE-2016-2037. See
https://security-tracker.debian.org/tracker/CVE-2016-2037
for more information and
https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
for a patch.
Additionally, drop a patch that's no longer required with 2.12.
Ignoring maintainer because this is a security update.
Modified Paths:
--------------
trunk/dports/archivers/cpio/Portfile
Added Paths:
-----------
trunk/dports/archivers/cpio/files/cve-2016-2037.patch
Modified: trunk/dports/archivers/cpio/Portfile
===================================================================
--- trunk/dports/archivers/cpio/Portfile 2016-02-21 17:31:44 UTC (rev 145934)
+++ trunk/dports/archivers/cpio/Portfile 2016-02-21 17:52:59 UTC (rev 145935)
@@ -3,8 +3,11 @@
PortSystem 1.0
name cpio
-version 2.11
-revision 2
+version 2.12
+revision 0
+checksums rmd160 156e7852db0f83e35fc02c007a1fb21e4a3393d6 \
+ sha256 70998c5816ace8407c8b101c9ba1ffd3ebbecba1f5031046893307580ec1296e
+
categories archivers
platforms darwin
maintainers mww
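Review bot: the new checksums block introduced in this hunk lists only rmd160 and sha256, replacing the md5/sha1/rmd160 triple that the next hunk removes, which is the right direction since md5 and sha1 are no longer collision-resistant; the sha256 value should have been checked against the upstream signature for the 2.12 tarball rather than only against a fresh download, since a tampered tarball would still produce a self-consistent checksum. Resetting `revision 0` on the version bump is correct.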
@@ -16,14 +19,11 @@
homepage http://www.gnu.org/software/cpio/cpio.html
master_sites gnu
-checksums md5 20fc912915c629e809f80b96b2e75d7d \
- sha1 6f1934b0079dc1e85ddff89cabdf01adb3a74abb \
- rmd160 52507b8ba556dca888ce1179cfda10f9549ea9ab
use_bzip2 yes
depends_lib port:gettext port:libiconv
-patchfiles patch-src-filetypes.h.diff
+patchfiles cve-2016-2037.patch
configure.args --program-prefix=gnu \
--mandir=${prefix}/share/man \
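Review bot: the replaced patchfiles line drops patch-src-filetypes.h.diff without the old file being deleted in this changeset, so `files/patch-src-filetypes.h.diff` remains in the tree as dead weight; remove it in the same commit. The new cve-2016-2037.patch carries `./src/copyin.c` style paths, so it applies at the port's default -p0, but a short comment beside `patchfiles` pointing at the upstream bug-cpio thread would tell the next maintainer when it can be dropped, just as the old patch was dropped here for 2.12.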
Added: trunk/dports/archivers/cpio/files/cve-2016-2037.patch
===================================================================
--- trunk/dports/archivers/cpio/files/cve-2016-2037.patch (rev 0)
+++ trunk/dports/archivers/cpio/files/cve-2016-2037.patch 2016-02-21 17:52:59 UTC (rev 145935)
@@ -0,0 +1,44 @@
+Other calls to cpio_safer_name_suffix seem to be safe.
+
+* src/copyin.c (process_copy_in): Make sure that file_hdr.c_name
+has at least two bytes allocated.
+* src/util.c (cpio_safer_name_suffix): Document that use of this
+function requires to be careful.
+
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html]
+---
+ src/copyin.c | 2 ++
+ src/util.c | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index cde911e..032d35f 100644
+--- ./src/copyin.c
++++ ./src/copyin.c
+@@ -1385,6 +1385,8 @@ process_copy_in ()
+ break;
+ }
+
++ if (file_hdr.c_namesize <= 1)
++ file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
+ cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
+ false);
+
+diff --git a/src/util.c b/src/util.c
+index 6ff6032..2763ac1 100644
+--- ./src/util.c
++++ ./src/util.c
+@@ -1411,7 +1411,10 @@ set_file_times (int fd,
+ }
+
+ /* Do we have to ignore absolute paths, and if so, does the filename
+- have an absolute path? */
++ have an absolute path?
++ Before calling this function make sure that the allocated NAME buffer has
++ capacity at least 2 bytes to allow us to store the "." string inside. */
++
+ void
+ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ bool strip_leading_dots)
+--
+2.5.0
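Review bot: the added patch file starts mid-description ("Other calls to cpio_safer_name_suffix seem to be safe.") with no subject line or CVE-2016-2037 reference in the header, so the file only explains itself through its name; prepend the original subject and a one-line statement of the bug. In the copyin.c hunk, the `if (file_hdr.c_namesize <= 1)` guard correctly covers the one-byte case the CVE is about (the buffer is too small for the "." that cpio_safer_name_suffix stores), but it also admits namesize 0, where the xrealloc'd two-byte buffer's first byte is never written before the function reads it; either terminate it explicitly, e.g. `file_hdr.c_name[0] = '\0';` after the `xrealloc`, or document that a zero namesize cannot reach this point. Note also that `c_namesize` itself is left at its old value while the allocation is now 2 bytes, so later code that sizes on `c_namesize` will be conservative rather than wrong, which is worth a comment. The util.c hunk's added sentence documents the caller contract correctly and matches the new check.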