backport-CVE-2020-36241.patch

@@ -0,0 +1,101 @@
+diff -Naur gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c
+--- gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c	2019-03-09 00:53:15.000000000 +0800
++++ gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c	2021-03-18 22:01:20.838393707 +0800
+@@ -881,32 +881,67 @@
+   return prefix;
+ }
+ 
++static gboolean
++is_valid_filename (GFile *file, GFile *destination)
++{
++  g_autoptr (GFile) parent = NULL;
++  g_autoptr (GFileInfo) info = NULL;
++
++  if (g_file_equal (file, destination))
++    return TRUE;
++
++  if (!g_file_has_prefix (file, destination))
++    return FALSE;
++
++  /* Resolve symbolic link ancestors to confirm file is actually inside destination. */
++  parent = g_file_get_parent (file);
++  info = g_file_query_info (parent,
++                            G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK ","
++                            G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
++                            G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
++                            NULL,
++                            NULL);
++  if (info == NULL)
++    return FALSE;
++
++  if (g_file_info_get_is_symlink (info)) {
++    g_autoptr (GFile) cwd = NULL;
++    const gchar *target;
++
++    target = g_file_info_get_symlink_target (info);
++    if (g_path_is_absolute (target))
++      return FALSE;
++
++    cwd = g_file_get_parent (parent);
++    g_object_unref (parent);
++    parent = g_file_resolve_relative_path (cwd, target);
++  }
++
++  /* Climb up the path to resolve every symbolic link ancestor found */
++  return is_valid_filename (parent, destination);
++}
++
+ static GFile*
+ autoar_extractor_do_sanitize_pathname (AutoarExtractor *self,
+                                        const char      *pathname_bytes)
+ {
+   GFile *extracted_filename;
+   gboolean valid_filename;
+-  g_autofree char *sanitized_pathname;
++  g_autofree char *sanitized_pathname = NULL;
+   g_autofree char *utf8_pathname;
+ 
+   utf8_pathname = autoar_common_get_utf8_pathname (pathname_bytes);
+   extracted_filename = g_file_get_child (self->destination_dir,
+                                          utf8_pathname ?  utf8_pathname : pathname_bytes);
+ 
+-  valid_filename =
+-    g_file_equal (extracted_filename, self->destination_dir) ||
+-    g_file_has_prefix (extracted_filename, self->destination_dir);
+-
++  valid_filename = is_valid_filename (extracted_filename, self->destination_dir);
+   if (!valid_filename) {
+-    g_autofree char *basename;
+-
+-    basename = g_file_get_basename (extracted_filename);
+-
++    g_warning ("autoar_extractor_do_sanitize_pathname: %s is outside of the destination dir",
++                g_file_peek_path (extracted_filename));
++				
+     g_object_unref (extracted_filename);
+ 
+-    extracted_filename = g_file_get_child (self->destination_dir,
+-                                           basename);
++    return NULL;
+   }
+ 
+   if (self->prefix != NULL && self->new_prefix != NULL) {
+@@ -1862,10 +1897,17 @@
+ 
+     extracted_filename =
+       autoar_extractor_do_sanitize_pathname (self, pathname);
+-
++    if (extracted_filename == NULL) {
++      archive_read_data_skip (a);
++      continue;
++    }
+     if (hardlink != NULL) {
+       hardlink_filename =
+         autoar_extractor_do_sanitize_pathname (self, hardlink);
++        if (hardlink_filename == NULL) {
++          archive_read_data_skip (a);
++          continue;
++        }
+     }
+ 
+     /* Attempt to solve any name conflict before doing any operations */

gnome-autoar.spec

@@ -1,14 +1,15 @@
 Name:           gnome-autoar
-Version:        0.4.4
+Version:        0.2.4
-Release:        1
+Release:        2
 Summary:        Creating and extracting archives
 License:        LGPLv2+
-URL:            https://gitlab.gnome.org/GNOME/gnome-autoar
+URL:            https://git.gnome.org/browse/gnome-autoar
-Source0:        https://download.gnome.org/sources/%{name}/0.4/%{name}-%{version}.tar.xz
+Source0:        https://download.gnome.org/sources/gnome-autoar/0.2/gnome-autoar-%{version}.tar.xz
 
-BuildRequires:  gcc vala pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0)
+Patch6000:      backport-CVE-2020-36241.patch 
+
+BuildRequires:  gcc vala pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0) gdb
 BuildRequires:  pkgconfig(gobject-introspection-1.0) pkgconfig(gtk+-3.0) pkgconfig(libarchive)
-BuildRequires:  meson gtk-doc
 
 %description
 Automatic archives creating and extracting library.
@@ -21,25 +22,20 @@ Requires:  %{name} = %{version}-%{release}
 development header files, libraries for programs using the gnome-autoar library.
 
 %prep
-%autosetup -p1
+%autosetup -n %{name}-%{version} -p1
 
 %build
-%meson -Dvapi=true \
+%configure --disable-static
-       -Dgtk_doc=true \
+%make_build
-       -Dtests=true \
-       %{nil}
-
-%meson_build
 
 %install
-%meson_install
+%make_install
 %delete_la
 
 %check
-%meson_test
+make check
 
 %files
-%doc NEWS
 %license COPYING
 %{_libdir}/girepository-1.0/*.typelib
 %{_libdir}/libgnome-autoar-0.so.0*
@@ -52,28 +48,8 @@ development header files, libraries for programs using the gnome-autoar library.
 %{_datadir}/gir-1.0/*.gir
 %{_datadir}/gtk-doc/
 %{_datadir}/vala/vapi/*.vapi
-%{_datadir}/vala/vapi/gnome-autoar-0.deps
-%{_datadir}/vala/vapi/gnome-autoar-gtk-0.deps
 
 %changelog
-* Wed Nov 22 2023 lwg <liweiganga@uniontech.com> - 0.4.4-1
-- update to version 0.4.4
-
-* Wed May 18 2022 lwg <liweiganga@uniontech.com> - 0.4.3-2
-- fix spec changelog date
-
-* Mon Mar 28 2022 lin zhang <lin.zhang@turbolinux.com.cn> - 0.4.3-1
-- Upgrade to 0.4.3
-
-* Tue Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 0.2.4-4
-- delete gdb in buildrequires
-
-* Wed Apr 14 2021 Dehui Fan <fandehui1@huawei.com> - 0.2.4-3
-- Type: CVE
-- ID:   CVE-2021-28650 
-- SUG:  NA
-- DESC: fix CVE-2021-28650, remove CVE-2020-36241 
-
 * Fri Mar 19 2021 Dehui Fan <fandehui1@huawei.com> - 0.2.4-2
 Type: CVE
 ID:   CVE-2020-36241

gnome-autoar.yaml

@@ -1,4 +1,4 @@
 version_control: gitlab.gnome
 src_repo: gnome-autoar
 tag_prefix: ^v
-separator: .
+seperator: .