Update to 4.8.28 to fix CVE-2021-36370

2022-07-20 11:10:28 +08:00 · 2022-07-20 11:10:28 +08:00 · f931f52dec
commit f931f52dec
parent 93637c8f85
8 changed files with 212 additions and 18 deletions
--- a/4.8.28.tar.gz
+++ b/4.8.28.tar.gz
--- a/Ticket-4374-fix-file-sort-by-version.patch
+++ b/Ticket-4374-fix-file-sort-by-version.patch
@ -0,0 +1,31 @@
+From db109be8a28f1556495979ee7d1967e982cca6fd Mon Sep 17 00:00:00 2001
+From: Andrew Borodin <aborodin@vmail.ru>
+Date: Mon, 23 May 2022 20:52:30 +0300
+Subject: [PATCH] Ticket #4374: fix file sort by version.
+
+Signed-off-by: Andrew Borodin <aborodin@vmail.ru>
+---
+ src/filemanager/dir.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/filemanager/dir.c b/src/filemanager/dir.c
+index 5862da6f9c..65a80cf12f 100644
+--- a/src/filemanager/dir.c
+++ b/src/filemanager/dir.c
+@@ -358,7 +358,15 @@ sort_vers (file_entry_t * a, file_entry_t * b)
+     int bd = MY_ISDIR (b);
+ 
+     if (ad == bd || panels_options.mix_all_files)
+-        return filevercmp (a->fname->str, b->fname->str) * reverse;
+    {
+        int result;
+
+        result = filevercmp (a->fname->str, b->fname->str);
+        if (result != 0)
+            return result * reverse;
+
+        return sort_name (a, b);
+    }
+ 
+     return bd - ad;
+ }
--- a/mc-4.8.21.tar.xz
+++ b/mc-4.8.21.tar.xz
--- a/mc-default_setup.patch
+++ b/mc-default_setup.patch
@ -0,0 +1,13 @@
+--- mc-4.8.23.orig/src/setup.c	2019-06-16 18:49:31.000000000 +0100
+++ mc-4.8.23/src/setup.c	2019-07-06 13:13:22.792243501 +0100
+@@ -138,8 +138,8 @@
+     .fast_reload_msg_shown = FALSE,
+     .mark_moves_down = TRUE,
+     .reverse_files_only = TRUE,
+-    .auto_save_setup = FALSE,
+-    .navigate_with_arrows = FALSE,
+    .auto_save_setup = TRUE,
+    .navigate_with_arrows = TRUE,
+     .scroll_pages = TRUE,
+     .scroll_center = FALSE,
+     .mouse_move_pages = TRUE,
--- a/mc-python3.patch
+++ b/mc-python3.patch
@ -0,0 +1,70 @@
+diff -up mc-4.8.24/src/vfs/extfs/helpers/uc1541.python3 mc-4.8.24/src/vfs/extfs/helpers/uc1541
+--- mc-4.8.24/src/vfs/extfs/helpers/uc1541.python3	2020-01-20 14:40:30.637996501 +0100
+++ mc-4.8.24/src/vfs/extfs/helpers/uc1541	2020-01-20 14:37:55.253442507 +0100
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
+#!/usr/bin/env python3
+ """
+ UC1541 Virtual filesystem
+ 
+--- a/src/vfs/extfs/helpers/s3+.in	(original)
+++ b/src/vfs/extfs/helpers/s3+.in	(refactored)
+@@ -153,16 +153,16 @@
+ 	Propagates exception safely.
+ 	"""
+ 	from threading import Thread
+-	import Queue
+	import queue
+ 
+ 	items = list(iterable)
+ 	nitems = len(items)
+ 	if nitems < 2:
+-		return map(fun, items)
+		return list(map(fun, items))
+ 
+ 	# Create and fill input queue
+-	input = Queue.Queue()
+-	output = Queue.Queue()
+	input = queue.Queue()
+	output = queue.Queue()
+ 
+ 	for i,item in enumerate(items):
+ 		input.put( (i,item) )
+@@ -181,7 +181,7 @@
+ 						output.put( (i,result) )
+ 					except:
+ 						output.put( (None,sys.exc_info()) )
+-				except Queue.Empty:
+				except queue.Empty:
+ 					return
+ 
+ 	# Start threads
+@@ -196,8 +196,8 @@
+ 		try:
+ 			i,res = output.get()
+ 			if i == None:
+-				raise res[0],res[1],res[2]
+-		except Queue.Empty:
+				raise res[0](res[1]).with_traceback(res[2])
+		except queue.Empty:
+ 			break
+ 		ret.append(res)
+ 
+@@ -241,7 +241,7 @@
+ 		b = s3.get_bucket(name, validate=False)
+ 		b.get_location() # just to raise an exception on error
+ 		return b
+-	except boto.exception.S3ResponseError, e:
+	except boto.exception.S3ResponseError as e:
+ 		# Seems this is the only proper way to switch to the bucket's region.
+ 		# Requesting of the default region for "?location" does not work unfortunately.
+ 		m = re.search(r'<Region>(.*?)</Region>', e.body)
+@@ -340,7 +340,7 @@
+ 	expr = re.compile(r'^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})\.\d{3}Z$')
+ 	def convDate(awsdatetime):
+ 		m = expr.match(awsdatetime)
+-		ye,mo,da,ho,mi,se = map(int,m.groups())
+		ye,mo,da,ho,mi,se = list(map(int,m.groups()))
+ 
+ 		dt = datetime.datetime(ye,mo,da,ho,mi,se, tzinfo=pytz.utc)
+ 		return dt.astimezone(tz).strftime('%m-%d-%Y %H:%M')
--- a/mc-spec.syntax.patch
+++ b/mc-spec.syntax.patch
@ -0,0 +1,54 @@
+--- mc-4.8.23/misc/syntax/spec.syntax~	2019-06-16 18:49:31.000000000 +0100
+++ mc-4.8.23/misc/syntax/spec.syntax	2019-04-18 06:02:53.000000000 +0100
+@@ -5,25 +5,24 @@
+     keyword whole Build\{Aa\}rch: green
+     keyword whole Build\{Cc\}onflicts: green
+     keyword whole Build\{Pp\}re\{Rr\}eq: green
+-    keyword whole Build\{Rr\}oot: green
+    keyword whole Build\{Rr\}oot: blue
+     keyword whole Build\{Rr\}equires: green
+     keyword whole Conflicts: green
+-    keyword whole Copyright: white
+    keyword whole Copyright: blue
+     keyword whole Description: green
+-    keyword whole Distribution: green
+-    keyword whole Doc\{Dd\}ir: green
+    keyword whole Distribution: blue
+    keyword whole Doc\{Dd\}ir: blue
+     keyword whole Epoch: green
+-    keyword whole Enhances: green
+     keyword whole Exclude\{Aa\}rch: green
+     keyword whole Exclusive\{Aa\}rch: green
+     keyword whole Exclusive\{Oo\}\{Ss\}: green
+-    keyword whole Group: green
+    keyword whole Group: blue
+     keyword whole Icon: green
+     keyword whole License: green
+     keyword whole Name: green
+     keyword whole NoSource\[0123456789\]: green
+     keyword whole Obsoletes: green
+-    keyword whole Packager: green
+    keyword whole Packager: blue
+     keyword whole Patch\[0123456789\]: green
+     keyword whole Prefix: green
+     keyword whole Pre\{Rr\}eq: green
+@@ -37,8 +36,8 @@
+     keyword whole Source\[0123456789\]: green
+     keyword whole Suggests: green
+     keyword whole Summary: green
+-    keyword whole Supplements: green
+-    keyword whole Vendor: green
+    keyword whole VCS: green
+    keyword whole Vendor: blue
+     keyword whole Version: green
+     keyword whole U\{Rr\}\{Ll\}: green
+ 
+@@ -92,7 +91,7 @@
+     keyword whole PATCH\[0123456789\] cyan
+     keyword whole SOURCE\[0123456789\] cyan
+ 
+-context Group( ): green
+context Group( ): blue
+     keyword whole af yellow
+     keyword whole az yellow
+     keyword whole bg yellow
--- a/mc-tmpdir.patch
+++ b/mc-tmpdir.patch
@ -1,3 +1,13 @@
+diff -up mc-4.8.24/contrib/mc-wrapper.sh.in.tmpdir mc-4.8.24/contrib/mc-wrapper.sh.in
+--- mc-4.8.24/contrib/mc-wrapper.sh.in.tmpdir	2020-01-27 09:17:46.815515791 +0100
+++ mc-4.8.24/contrib/mc-wrapper.sh.in	2020-01-27 09:18:01.430712110 +0100
+@@ -1,5 +1,5 @@
+ MC_USER=`whoami`
+-MC_PWD_FILE="${TMPDIR-/tmp}/mc-$MC_USER/mc.pwd.$$"
+MC_PWD_FILE="${TMPDIR-/var/tmp}/mc-$MC_USER/mc.pwd.$$"
+ @bindir@/mc -P "$MC_PWD_FILE" "$@"
+ 
+ if test -r "$MC_PWD_FILE"; then
 --- mc-4.8.21/lib/global.h~
 +++ mc-4.8.21/lib/global.h
@@ -131,7 +131,7 @@
@ -20,12 +30,3 @@
 endif
 
 @bindir@/mc -P "$MC_PWD_FILE" $*
--- mc-4.8.22/contrib/mc-wrapper.sh.in~
-+++ mc-4.8.22/contrib/mc-wrapper.sh.in
-@@ -1,5 +1,5 @@
- MC_USER=`id | sed 's/[^(]*(//;s/).*//'`
-MC_PWD_FILE="${TMPDIR-/tmp}/mc-$MC_USER/mc.pwd.$$"
-+MC_PWD_FILE="${TMPDIR-/var/tmp}/mc-$MC_USER/mc.pwd.$$"
- @bindir@/mc -P "$MC_PWD_FILE" "$@"
- 
- if test -r "$MC_PWD_FILE"; then
--- a/mc.spec
+++ b/mc.spec
@ -1,16 +1,22 @@
 Name:		mc
 Summary:	a feature rich full-screen text mode application
-Version:	4.8.21
-Release:	3
+Version:	4.8.28
+Release:	1
 Epoch:		1
 License:	GPLv3+
 URL:		http://www.midnight-commander.org/
-Source0:	http://www.midnight-commander.org/downloads/mc-%{version}.tar.xz
+Source0:	https://github.com/MidnightCommander/mc/archive/%{version}.tar.gz

-Patch0:		mc-tmpdir.patch
+Patch0:		%{name}-spec.syntax.patch
+Patch1:		%{name}-python3.patch
+Patch2:		%{name}-default_setup.patch
+Patch3:		%{name}-tmpdir.patch
+# https://github.com/MidnightCommander/mc/commit/34d3726b79d35481e96f5fabe8e34e3439e6d9d9.patch
+Patch4:         Ticket-4374-fix-file-sort-by-version.patch

-BuildRequires:  gcc aspell-devel e2fsprogs-devel glib2-devel gpm-devel groff-base
+BuildRequires:  gcc e2fsprogs-devel glib2-devel gpm-devel groff-base
 BuildRequires:  libssh2-devel >= 1.2.5 perl-generators pkgconfig slang-devel
+BuildRequires:  make autoconf automake gettext-devel libtool python3-boto3

 %description
 GNU Midnight Commander is a visual file manager, licensed under GNU General Public
@ -23,18 +29,29 @@ Midnight Commander is based on versatile text interfaces, such as Ncurses or S-L
 which allows it to work on a regular console, inside an X Window terminal, over SSH
 connections and all kinds of remote shells.

+%package python
+Summary:	Midnight Commander s3+ and UC1541 EXTFS backend scripts
+BuildArch:	noarch
+Requires:	%{name} = %{epoch}:%{version}-%{release}
+Requires:	python3-boto3
+
+%description python
+Midnight Commander s3+ and UC1541 EXTFS backend scripts.
+
 %package_help

 %prep
-%autosetup -p1
+%autosetup -n %{name}-%{version} -p1

 %build
+sed -i "s,PREV_MC_VERSION=\"unknown\",PREV_MC_VERSION=\"%{version}\"," version.sh
+./autogen.sh
 %configure \
+        PYTHON=%{__python3} \
 	CFLAGS="%{optflags} -Wno-strict-aliasing" \
-	--enable-aspell \
 	--enable-vfs-sfs \
-	--enable-vfs-sftp \
-	--enable-vfs-smb \
+	--disable-vfs-sftp \
+	--disable-vfs-smb \
 	--enable-vfs-ftp \
 	--enable-charset \
 	--enable-largefile \
@ -61,12 +78,17 @@ install contrib/mc.{sh,csh} ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
 %files -f %{name}.lang
 /etc/profile.d/*
 %dir %{_sysconfdir}/%{name}
+%{_sysconfdir}/%{name}/edit*
 %config(noreplace) %{_sysconfdir}/%{name}/*
 %{_bindir}/*
 %dir %{_libexecdir}/%{name}
 %attr(755,root,root) %{_libexecdir}/%{name}/cons.saver
 %{_libexecdir}/%{name}/*
 %{_datadir}/%{name}
+%exclude %{_libexecdir}/mc/extfs.d/{s3+,uc1541}
+
+%files python
+%{_libexecdir}/mc/extfs.d/{s3+,uc1541}

 %files help
 %{_mandir}/man1/*
@ -74,5 +96,8 @@ install contrib/mc.{sh,csh} ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d
 %doc doc/FAQ doc/NEWS doc/README

 %changelog
+* Wed Jul 20 2022 yaoxin <yaoxin30@h-partners.com> - 1:4.8.28-1
+- Update to 4.8.28 to fix CVE-2021-36370
+
 * Tue Nov 19 2019 caomeng<caomeng5@huawei.com> - 1:4.8.21-3
 - Package init