Date: Sunday, March 5, 2023 @ 18:08:31 Author: seblu Revision: 470261
upgpkg: tar 1.34-2 - fix FS#77523 - fix CVE-2022-48303 Added: tar/trunk/01-fix-cve-2022-48303.patch Modified: tar/trunk/PKGBUILD -----------------------------+ 01-fix-cve-2022-48303.patch | 31 +++++++++++++++++++++++++++++++ PKGBUILD | 11 +++++++---- 2 files changed, 38 insertions(+), 4 deletions(-) Added: 01-fix-cve-2022-48303.patch =================================================================== --- 01-fix-cve-2022-48303.patch (rev 0) +++ 01-fix-cve-2022-48303.patch 2023-03-05 18:08:31 UTC (rev 470261) @@ -0,0 +1,31 @@ +From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <[email protected]> +Date: Wed, 11 Jan 2023 08:55:58 +0100 +Subject: [PATCH] Fix savannah bug #62387 + +* src/list.c (from_header): Check for the end of field after leading byte + (0x80 or 0xff) of base-256 encoded header value +--- + src/list.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/list.c b/src/list.c +index 9fafc425..bf41b581 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type, + << (CHAR_BIT * sizeof (uintmax_t) + - LG_256 - (LG_256 - 2))); + value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit; ++ if (where == lim) ++ { ++ if (type && !silent) ++ ERROR ((0, 0, _("Archive base-256 value is invalid"))); ++ return -1; ++ } + for (;;) + { + value = (value << LG_256) + (unsigned char) *where++; +-- +2.38.1 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2023-03-05 17:20:25 UTC (rev 470260) +++ PKGBUILD 2023-03-05 18:08:31 UTC (rev 470261) @@ -4,17 +4,20 @@ pkgname=tar pkgver=1.34 -pkgrel=1 +pkgrel=2 pkgdesc='Utility used to store, backup, and transport files' arch=('x86_64') url='https://www.gnu.org/software/tar/' license=('GPL3') -depends=('glibc' 'acl' 'attr') +depends=('glibc' 'acl') +checkdepends=('attr') options=('!emptydirs') validpgpkeys=('325F650C4C2B6AD58807327A3602B07F55D0C732') # Sergey Poznyakoff -source=("https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig}) +source=("https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig} + '01-fix-cve-2022-48303.patch') sha256sums=('63bebd26879c5e1eea4352f0d03c991f966aeb3ddeb3c7445c902568d5411d28' - 'SKIP') + 'SKIP' + 'f31bbde67ab1117b07441395c99aced81d038bf0c8a89810bd751a3cc21acfbd') prepare() { cd $pkgname-$pkgver
