packages/cpio
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!11 revert fix CVE-2015-1197 because it causes shutdowm problems

Browse Source 
From: @liquor1
Reviewed-by: @hanxinke
Signed-off-by: @hanxinke
This commit is contained in:
openeuler-ci-bot 2020-11-27 14:39:52 +08:00 committed by Gitee
commit 450a4d54fd
2 changed files with 118 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cpio.spec
View File

@ -1,6 +1,6 @@
Name: cpio Name: cpio
Version: 2.13 Version: 2.13
Release: 2 Release: 3
Summary: A GNU archiving program Summary: A GNU archiving program
License: GPLv3+ License: GPLv3+
@ -16,6 +16,7 @@ Patch5: cpio-2.10-longnames-split.patch
Patch6: cpio-2.11-crc-fips-nit.patch Patch6: cpio-2.11-crc-fips-nit.patch
Patch7: add-option-to-add-metadata-in-copy-out-mode.patch Patch7: add-option-to-add-metadata-in-copy-out-mode.patch
Patch8: Fix-use-after-free-and-return-appropriate-error.patch Patch8: Fix-use-after-free-and-return-appropriate-error.patch
Patch9: revert-CVE-2015-1197.patch
Provides: bundled(gnulib) Provides: bundled(gnulib)
Provides: /bin/cpio Provides: /bin/cpio
@ -32,6 +33,7 @@ tape, or a pipe.
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1
%build %build
autoreconf -fi
%configure --with-rmt="%{_sysconfdir}/rmt" %configure --with-rmt="%{_sysconfdir}/rmt"
%make_build %make_build
@ -57,6 +59,12 @@ make check
%{_datadir}/man/man1/%{name}.1.gz %{_datadir}/man/man1/%{name}.1.gz
%changelog %changelog
* Thu Nov 26 2020 Liquor <lirui130@huawei.com> - 2.13-3
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:revert fix CVE-2015-1197 because it causes shutdowm problems
* Wed Aug 12 2020 Liquor <lirui130@huawei.com> - 2.13-2 * Wed Aug 12 2020 Liquor <lirui130@huawei.com> - 2.13-2
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA

109
revert-CVE-2015-1197.patch Normal file
View File

@ -0,0 +1,109 @@
From 250cae97153b438f5644e5d96814a7f5cb8c80e5 Mon Sep 17 00:00:00 2001
From: Liquor <lirui130@huawei.com>
Date: Thu, 26 Nov 2020 19:13:13 +0800
Subject: [PATCH] revert "CVE-2015-1197"
reason:https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
---
src/copyin.c | 5 ++---
tests/CVE-2015-1197.at | 43 ------------------------------------------
tests/Makefile.am | 1 -
tests/testsuite.at | 1 -
4 files changed, 2 insertions(+), 48 deletions(-)
delete mode 100644 tests/CVE-2015-1197.at
diff --git a/src/copyin.c b/src/copyin.c
index de31636..bf3b0a8 100644
--- a/src/copyin.c
+++ b/src/copyin.c
@@ -645,14 +645,13 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
link_name = xstrdup (file_hdr->c_tar_linkname);
}
- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
-
res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
file_hdr->c_mode);
if (res < 0 && create_dir_flag)
{
create_all_directories (file_hdr->c_name);
- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
}
if (res < 0)
{
diff --git a/tests/CVE-2015-1197.at b/tests/CVE-2015-1197.at
deleted file mode 100644
index 6079af7..0000000
--- a/tests/CVE-2015-1197.at
+++ /dev/null
@@ -1,43 +0,0 @@
-# Process this file with autom4te to create testsuite. -*- Autotest -*-
-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
-AT_CHECK([
-tempdir=$(pwd)/tmp
-mkdir $tempdir
-touch $tempdir/file
-ln -s $tempdir dir
-AT_DATA([filelist],
-[dir
-dir/file
-])
-ln -s /tmp dir
-touch /tmp/file
-cpio -o < filelist > test.cpio
-rm dir /tmp/file
-cpio --no-absolute-filenames -iv < test.cpio
-],
-[2],
-[],
-[1 block
-cpio: Removing leading `/' from hard link targets
-dir
-cpio: dir/file: Cannot open: No such file or directory
-dir/file
-1 block
-])
-AT_CLEANUP
-
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 65bf470..a71c057 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -56,7 +56,6 @@ TESTSUITE_AT = \
symlink-to-stdout.at\
version.at\
big-block-size.at\
- CVE-2015-1197.at\
CVE-2019-14866.at
TESTSUITE = $(srcdir)/testsuite
diff --git a/tests/testsuite.at b/tests/testsuite.at
index aa56bb9..58ed1d2 100644
--- a/tests/testsuite.at
+++ b/tests/testsuite.at
@@ -44,5 +44,4 @@ m4_include([setstat04.at])
m4_include([setstat05.at])
m4_include([big-block-size.at])
-m4_include([CVE-2015-1197.at])
m4_include([CVE-2019-14866.at])
--
2.27.0