Hello community,

here is the log from the commit of package xar for openSUSE:Factory checked in 
at 2026-06-22 17:38:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xar (Old)
 and      /work/SRC/openSUSE:Factory/.xar.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xar"

Mon Jun 22 17:38:46 2026 rev:13 rq:1361014 version:1.8.0.0.503

Changes:
--------
--- /work/SRC/openSUSE:Factory/xar/xar.changes  2026-06-02 16:10:16.981709108 
+0200
+++ /work/SRC/openSUSE:Factory/.xar.new.1956/xar.changes        2026-06-22 
17:38:49.893506596 +0200
@@ -1,0 +2,25 @@
+Mon Jun 22 07:33:44 UTC 2026 - Martin Pluskal <[email protected]>
+
+- Switch to the maintained Apple xar lineage (build 503, versioned
+  1.8.0.0.503): the mackyle 1.6.1 fork this package tracked has been
+  dead since 2012, and Debian, Fedora and Gentoo all moved to Apple's
+  xar (apple-oss-distributions/xar). This resolves the long-standing
+  NULL-pointer dereferences in xar_get_path() and xar_unserialize()
+  when parsing malformed archives:
+  * CVE-2017-11124 (boo#1047875)
+  * CVE-2017-11125 (boo#1047874)
+  * CVE-2018-17093 (boo#1108595)
+  * CVE-2018-17094 (boo#1108596)
+- Drop the obsolete mackyle-fork patches: ext2.patch,
+  openssl-checks.patch, xar-fix-prototype.patch
+- Add the Gentoo-tracked Linux build patch set for the Apple lineage:
+  xar-1.6.1-ext2.patch, xar-1.8-safe_dirname.patch,
+  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
+  xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch,
+  xar-1.8.0.0.487-variable-sized-object.patch,
+  xar-1.8.0.0.498-impl-decls.patch
+- Add xar-1.8.0.0.503-linux-F_GETPATH.patch: resolve an fd's path via
+  /proc/self/fd on Linux, where the macOS-only F_GETPATH fcntl used by
+  the new xar_fdopen_digest_verify() is unavailable
+
+-------------------------------------------------------------------

Old:
----
  ext2.patch
  openssl-checks.patch
  xar-1.6.1.tar.gz
  xar-fix-prototype.patch

New:
----
  xar-1.6.1-ext2.patch
  xar-1.8-arm-ppc.patch
  xar-1.8-openssl-1.1.patch
  xar-1.8-safe_dirname.patch
  xar-1.8.0.0.452-linux.patch
  xar-1.8.0.0.487-non-darwin.patch
  xar-1.8.0.0.487-variable-sized-object.patch
  xar-1.8.0.0.498-impl-decls.patch
  xar-1.8.0.0.503-linux-F_GETPATH.patch
  xar-503.tar.gz

----------(Old B)----------
  Old:  * CVE-2018-17094 (boo#1108596)
- Drop the obsolete mackyle-fork patches: ext2.patch,
  openssl-checks.patch, xar-fix-prototype.patch
  Old:- Drop the obsolete mackyle-fork patches: ext2.patch,
  openssl-checks.patch, xar-fix-prototype.patch
- Add the Gentoo-tracked Linux build patch set for the Apple lineage:
  Old:- Drop the obsolete mackyle-fork patches: ext2.patch,
  openssl-checks.patch, xar-fix-prototype.patch
- Add the Gentoo-tracked Linux build patch set for the Apple lineage:
----------(Old E)----------

----------(New B)----------
  New:- Add the Gentoo-tracked Linux build patch set for the Apple lineage:
  xar-1.6.1-ext2.patch, xar-1.8-safe_dirname.patch,
  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
  New:  xar-1.6.1-ext2.patch, xar-1.8-safe_dirname.patch,
  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
  xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch,
  New:  xar-1.6.1-ext2.patch, xar-1.8-safe_dirname.patch,
  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
  xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch,
  New:- Add the Gentoo-tracked Linux build patch set for the Apple lineage:
  xar-1.6.1-ext2.patch, xar-1.8-safe_dirname.patch,
  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
  New:  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
  xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch,
  xar-1.8.0.0.487-variable-sized-object.patch,
  New:  xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch,
  xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch,
  xar-1.8.0.0.487-variable-sized-object.patch,
  New:  xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch,
  xar-1.8.0.0.487-variable-sized-object.patch,
  xar-1.8.0.0.498-impl-decls.patch
  New:  xar-1.8.0.0.487-variable-sized-object.patch,
  xar-1.8.0.0.498-impl-decls.patch
- Add xar-1.8.0.0.503-linux-F_GETPATH.patch: resolve an fd's path via
  New:  xar-1.8.0.0.498-impl-decls.patch
- Add xar-1.8.0.0.503-linux-F_GETPATH.patch: resolve an fd's path via
  /proc/self/fd on Linux, where the macOS-only F_GETPATH fcntl used by
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xar.spec ++++++
--- /var/tmp/diff_new_pack.Lxrqr0/_old  2026-06-22 17:38:51.181551635 +0200
+++ /var/tmp/diff_new_pack.Lxrqr0/_new  2026-06-22 17:38:51.185551776 +0200
@@ -16,20 +16,36 @@
 #
 
 
+# Apple xar build number (the actual upstream now that mackyle's fork is dead)
+%define apple 503
 %define sover 1
 Name:           xar
-Version:        1.6.1
+Version:        1.8.0.0.%{apple}
 Release:        0
 Summary:        Extensible Archive Format Tools
 License:        BSD-3-Clause
-URL:            https://mackyle.github.io/xar/
-Source:         
https://github.com/mackyle/xar/archive/%{name}-%{version}.tar.gz
-# PATCH-FIX-UPSTREAM ext2.patch gh#mackyle/xar#10
-Patch0:         ext2.patch
-Patch1:         openssl-checks.patch
-Patch2:         xar-fix-prototype.patch
+URL:            https://github.com/apple-oss-distributions/xar
+Source:         
https://github.com/apple-oss-distributions/xar/archive/%{name}-%{apple}.tar.gz#/%{name}-%{apple}.tar.gz
+# Linux-build patch set, tracked by Gentoo (app-arch/xar) for the Apple 
lineage:
+# PATCH-FIX-OPENSUSE ext2.patch — build the ext2 attribute support against 
e2fsprogs
+Patch0:         xar-1.6.1-ext2.patch
+# PATCH-FIX-OPENSUSE safe_dirname — provide a non-Darwin safe_dirname
+Patch1:         xar-1.8-safe_dirname.patch
+# PATCH-FIX-OPENSUSE build on arm/ppc
+Patch2:         xar-1.8-arm-ppc.patch
+# PATCH-FIX-OPENSUSE build against OpenSSL 1.1+
+Patch3:         xar-1.8-openssl-1.1.patch
+# PATCH-FIX-OPENSUSE Linux portability
+Patch4:         xar-1.8.0.0.452-linux.patch
+# PATCH-FIX-OPENSUSE drop remaining Darwin-only bits
+Patch5:         xar-1.8.0.0.487-non-darwin.patch
+# PATCH-FIX-OPENSUSE fix a variable-sized object
+Patch6:         xar-1.8.0.0.487-variable-sized-object.patch
+# PATCH-FIX-OPENSUSE add missing implicit declarations
+Patch7:         xar-1.8.0.0.498-impl-decls.patch
+# PATCH-FIX-OPENSUSE resolve an fd's path via /proc/self/fd where macOS 
F_GETPATH is unavailable
+Patch8:         xar-1.8.0.0.503-linux-F_GETPATH.patch
 BuildRequires:  autoconf
-BuildRequires:  automake
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  gcc
 BuildRequires:  make
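Review bot: The tag comment for Patch0 still names the old file: it reads `# PATCH-FIX-OPENSUSE ext2.patch — build the ext2 attribute support against e2fsprogs` while the Patch0 line below it points at `xar-1.6.1-ext2.patch`; the comment should carry the same filename so the two stay greppable together, e.g. `# PATCH-FIX-OPENSUSE xar-1.6.1-ext2.patch — build the ext2 attribute support against e2fsprogs`. The hunk also drops `BuildRequires: automake` while the later %build hunk keeps `./autogen.sh --noconfigure`; that is only safe if the Apple tree's autogen.sh runs autoconf alone, which is not visible here and worth confirming before the next rebuild with a fresh chroot. A short comment on the `%define apple 503` line saying which upstream tag it corresponds to would make future bumps less error-prone.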
@@ -78,14 +94,32 @@
 table of content's rich meta-data.
 
 %prep
-%setup -q -n %{name}-%{name}-%{version}
-%patch -P 0
-%patch -P 1 -p1
-%patch -P 2 -p1
+%setup -q -n %{name}-%{name}-%{apple}
+%patch -P 0 -p1 -d xar
+%patch -P 1 -p1 -d xar
+%patch -P 2 -p1 -d xar
+%patch -P 3 -p1 -d xar
+%patch -P 4 -p1 -d xar
+%patch -P 5 -p1 -d xar
+%patch -P 6 -p1 -d xar
+%patch -P 7 -p1 -d xar
+%patch -P 8 -p1 -d xar
+pushd xar
+# make the public headers reachable as <xar/...> and from src/ (they ship in 
lib/)
+mv lib/*.h include/
+ln -sf . include/xar
+# drop the macOS @RPATH@ and the CommonCrypto path (use OpenSSL on Linux)
+sed -i -e 's/@RPATH@//' src/Makefile.inc.in
+echo ".PRECIOUS: @objroot@src/%.o" >> src/Makefile.inc.in
+sed -i -e 's/__APPLE__/__NO_APPLE__/' include/archive.h lib/hash.c
+popd
 
 %build
 pushd xar
+# the shipped configure is stale vs the patched configure.ac -> regenerate
 ./autogen.sh --noconfigure
+export LIBS="$(pkg-config --libs openssl)"
+export CFLAGS="%{optflags} -Wno-unused-result"
 %configure --disable-static
 %make_build
 popd
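Review bot: `export CFLAGS="%{optflags} -Wno-unused-result"` silences warn_unused_result diagnostics for the whole build, which on glibc covers calls such as `read`, `write` and `asprintf`; for a parser of untrusted archive input those warnings are exactly the ones worth seeing, so the few call sites that trigger them are better fixed in a patch than muted globally. `ln -sf . include/xar` creates a self-referential symlink inside the source tree; whether `make install` copies it as a link or recurses into it when populating `%{_includedir}/xar` is not visible here and should be checked against the installed file list. A brief comment on the `sed -i -e 's/__APPLE__/__NO_APPLE__/' include/archive.h lib/hash.c` line naming why only those two files need the rewrite (the OpenSSL path in hash.c is the visible reason for one of them) would help the next maintainer.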
@@ -100,18 +134,16 @@
 
 %files
 %license xar/LICENSE
-%doc xar/ChangeLog xar/NEWS
+%doc xar/ChangeLog
 %{_bindir}/xar
 %{_mandir}/man1/xar.1%{?ext_man}
 
 %files -n libxar%{sover}
 %license xar/LICENSE
-%doc xar/ChangeLog xar/NEWS
-%{_libdir}/libxar.so.%{sover}
+%{_libdir}/libxar.so.%{sover}*
 
 %files -n libxar-devel
 %license xar/LICENSE
-%doc xar/ChangeLog xar/NEWS
 %{_includedir}/xar
 %{_libdir}/libxar.so
 

++++++ xar-1.6.1-ext2.patch ++++++
--- a/lib/ext2.c.orig
+++ b/lib/ext2.c
@@ -139,8 +139,10 @@
        if(! (flags & ~EXT2_NOCOMPR_FL) )
                x_addprop(f, "NoCompBlock");
 #endif
+#ifdef EXT2_ECOMPR_FL
        if(! (flags & ~EXT2_ECOMPR_FL) )
                x_addprop(f, "CompError");
+#endif
        if(! (flags & ~EXT2_BTREE_FL) )
                x_addprop(f, "BTree");
        if(! (flags & ~EXT2_INDEX_FL) )
@@ -225,8 +227,10 @@
        if( e2prop_get(f, "NoCompBlock", (char **)&tmp) == 0 )
                flags |= EXT2_NOCOMPR_FL ;
 #endif
+#ifdef EXT2_ECOMPR_FL
        if( e2prop_get(f, "CompError", (char **)&tmp) == 0 )
                flags |= EXT2_ECOMPR_FL ;
+#endif
        if( e2prop_get(f, "BTree", (char **)&tmp) == 0 )
                flags |= EXT2_BTREE_FL ;
        if( e2prop_get(f, "HashIndexed", (char **)&tmp) == 0 )

++++++ xar-1.8-arm-ppc.patch ++++++
--- a/lib/archive.c
+++ b/lib/archive.c
@@ -387,7 +387,8 @@
                        return NULL;
                }
         
-               XAR(ret)->heap_offset = xar_get_heap_offset(ret) + offset;
+               XAR(ret)->heap_offset =
+                       XAR(ret)->toc_count + sizeof(xar_header_t) + offset;
                if( lseek(XAR(ret)->fd, XAR(ret)->heap_offset, SEEK_SET) == -1 
) {
                        xar_close(ret);
                        return NULL;
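Review bot: The new lines replace the `xar_get_heap_offset(ret)` call with an inline `XAR(ret)->toc_count + sizeof(xar_header_t) + offset` sum, but neither the hunk nor the patch file carries a comment on why the helper is wrong on arm/ppc, so the reason will be lost at the next rebase; propose a comment such as `// inline xar_get_heap_offset(): <reason it misbehaves on arm/ppc>` above the assignment. If `toc_count` is taken from the archive header, this addition runs on an archive-supplied value with only the later `lseek(...) == -1` check behind it; whether the header fields are validated before this point is not visible in the hunk. The enclosing function starts and ends outside the hunk.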
--- a/src/xar.c
+++ a/src/xar.c
@@ -783,7 +783,7 @@
 int main(int argc, char *argv[]) {
        int ret;
        char *filename = NULL;
-       char command = 0, c;
+       signed char command = 0, c;
        char **args;
        const char *tocfile = NULL;
        int arglen, i, err;

++++++ xar-1.8-openssl-1.1.patch ++++++
lib/hash.c: fix compilation with OpenSSL-1.1+

EVP_MD_CTX has become an anonymous struct now, so can't allocate size
for it anymore.

--- a/lib/hash.c        2015-06-09 03:22:07.000000000 +0000
+++ b/lib/hash.c        2019-01-01 14:37:01.487775958 +0000
@@ -102,7 +102,7 @@
 #ifdef __APPLE__
        CCDigestRef digest;
 #else
-       EVP_MD_CTX digest;
+       EVP_MD_CTX *digest;
        const EVP_MD *type;
 #endif
        unsigned int length;
@@ -123,7 +123,8 @@
 #else
        OpenSSL_add_all_digests();
        HASH_CTX(hash)->type = EVP_get_digestbyname(digest_name);
-       EVP_DigestInit(&HASH_CTX(hash)->digest, HASH_CTX(hash)->type);
+       HASH_CTX(hash)->digest = EVP_MD_CTX_create();
+       EVP_DigestInit(HASH_CTX(hash)->digest, HASH_CTX(hash)->type);
 #endif
        
        HASH_CTX(hash)->digest_name = strdup(digest_name);
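Review bot: `HASH_CTX(hash)->digest = EVP_MD_CTX_create();` is passed straight to `EVP_DigestInit` on the next line without a NULL check, and `EVP_MD_CTX_create()` returns NULL on allocation failure; add `if( HASH_CTX(hash)->digest == NULL ) { /* release hash and fail */ }` between the two lines. The return value of `EVP_DigestInit` is also ignored, so an unrecognised `digest_name` (which leaves `type` NULL from `EVP_get_digestbyname`) is not reported here either. Since OpenSSL 1.1 the `_create`/`_destroy` names are compatibility aliases for `EVP_MD_CTX_new`/`EVP_MD_CTX_free`; using the current names would match the patch's stated target. The enclosing function begins and ends outside the hunk, so the correct failure return is not visible here.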
@@ -143,7 +143,7 @@
 #ifdef __APPLE__
        CCDigestUpdate(HASH_CTX(hash)->digest, buffer, nbyte);
 #else
-       EVP_DigestUpdate(&HASH_CTX(hash)->digest, buffer, nbyte);
+       EVP_DigestUpdate(HASH_CTX(hash)->digest, buffer, nbyte);
 #endif
 }
 
@@ -160,7 +160,8 @@
        CCDigestFinal(HASH_CTX(hash)->digest, buffer);
        CCDigestDestroy(HASH_CTX(hash)->digest);
 #else
-       EVP_DigestFinal(&HASH_CTX(hash)->digest, buffer, 
&HASH_CTX(hash)->length);
+       EVP_DigestFinal(HASH_CTX(hash)->digest, buffer, 
&HASH_CTX(hash)->length);
+       EVP_MD_CTX_destroy(HASH_CTX(hash)->digest);
 #endif
        
        *nbyte = HASH_CTX(hash)->length;
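Review bot: After the added `EVP_MD_CTX_destroy(HASH_CTX(hash)->digest);` the context field is left pointing at freed memory; resetting it with `HASH_CTX(hash)->digest = NULL;` turns any later update or second finalisation on the same handle into a NULL dereference rather than a use-after-free. The `EVP_DigestFinal` return value on the line above is still unchecked, so a failed finalisation would hand back an unset `buffer` with a stale `length`. The enclosing function starts and ends outside the hunk.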

++++++ xar-1.8-safe_dirname.patch ++++++
linuxattr: fix missing symbol safe_dirname

This one was probably missed when they did a global rename to xar_
prefixed variants.

--- a/lib/linuxattr.c
+++ b/lib/linuxattr.c
@@ -223,7 +223,7 @@
        if( statfs(file, &sfs) != 0 ) {
                char *tmp, *bname;
                tmp = strdup(file);
-               bname = safe_dirname(tmp);
+               bname = xar_safe_dirname(tmp);
                statfs(bname, &sfs);
                free(tmp);
                free(bname);

++++++ xar-1.8.0.0.452-linux.patch ++++++
--- a/configure.ac
+++ b/configure.ac
@@ -183,7 +183,7 @@
 
 AC_TRY_COMPILE([#include <sys/types.h> 
 #include <sys/acl.h>], [acl_t a], [AC_DEFINE([HAVE_SYS_ACL_H],[1], [define if 
you have sys/acl.h and it has a working acl_t type])])
-AC_CHECK_HEADERS(ext2fs/ext2_fs.h sys/statfs.h sys/xattr.h sys/param.h 
sys/extattr.h libutil.h)
+AC_CHECK_HEADERS(ext2fs/ext2_fs.h sys/statfs.h sys/vfs.h sys/xattr.h 
sys/param.h sys/extattr.h libutil.h)
 AC_CHECK_FUNCS(lgetxattr)
 AC_CHECK_FUNCS(lsetxattr)
 AC_CHECK_FUNCS(getxattr)
@@ -199,7 +199,22 @@
 
 AC_CHECK_MEMBERS([struct statfs.f_fstypename],,,[#include <sys/types.h>
 #include <sys/param.h>
-#include <sys/mount.h>])
+#include <sys/mount.h>
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif])
+AC_CHECK_MEMBERS([struct statfs.f_iosize],,,[#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/mount.h>
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif])
+AC_CHECK_MEMBERS([struct statfs.f_bsize],,,[#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/mount.h>
+#ifdef HAVE_SYS_VFS_H
+#include <sys/vfs.h>
+#endif])
 AC_CHECK_MEMBERS([struct statvfs.f_fstypename],,,[#include <sys/statvfs.h>])
 AC_CHECK_MEMBERS([struct stat.st_flags])
 
--- a/lib/util.c
+++ b/lib/util.c
@@ -35,6 +35,8 @@
  * Christopher Ryan <[email protected]>
 */
 
+#include "config.h"
+
 #include <stdio.h>
 #include <stdint.h>
 #include <sys/types.h>
@@ -40,6 +40,9 @@
 #include <sys/types.h>
 #include <sys/mount.h>
 #include <sys/param.h>
+#ifdef HAVE_SYS_VFS_H
+# include <sys/vfs.h>
+#endif
 #include <arpa/inet.h>
 #include <string.h>
 #include <unistd.h>
@@ -467,6 +467,14 @@
        return tmp;
 }
 
+#ifndef HAVE_STRUCT_STATFS_F_IOSIZE
+# ifdef HAVE_STRUCT_STATFS_F_BSIZE
+#  define f_iosize f_bsize
+# else
+#  error need a field to get optimal transfer block size
+# endif
+#endif
+
 size_t xar_optimal_io_size_at_path(const char *path)
 {
        // Start at 1MiB
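Review bot: `#  define f_iosize f_bsize` rewrites the token `f_iosize` for the rest of the translation unit, never being `#undef`'d, so any other struct member or identifier of that name later in util.c is silently renamed as well. A scoped accessor keeps the substitution where it is meant to apply, e.g. `#  define XAR_STATFS_IOSIZE(s) ((s).f_bsize)` in this branch and `#  define XAR_STATFS_IOSIZE(s) ((s).f_iosize)` otherwise, used at the one read site. `xar_optimal_io_size_at_path` starts on the hunk's last lines and continues outside it.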
@@ -491,6 +491,7 @@
                        fs_iosize = optimal_rsize;
                }
                
+#ifdef MNT_LOCAL
                // If we're a remote filesystem, never let us go below the 
optimal size above of 1MiB
                // NFS is horrible and lies that the optimal size is 512 bytes.
                // Whereas SMB in my testing returns 7MiBs (far more practicle)
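Review bot: Wrapping the remote-filesystem branch in `#ifdef MNT_LOCAL` (closed by the `#endif` in the next hunk) compiles the 1MiB floor out entirely on Linux, where `MNT_LOCAL` is not defined, so the 512-byte value the comment says NFS reports is accepted there; if that is the intended trade-off the comment should say so, e.g. `// MNT_LOCAL is BSD/Darwin-only; on Linux fs_iosize is used as reported`. A Linux counterpart would test the `f_type` member of `struct statfs` against the NFS magic from `<linux/magic.h>`, but that is a follow-up rather than part of this portability fix. The enclosing function starts and ends outside the hunk.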
@@ -503,6 +504,7 @@
                        }
                }
                else
+#endif
                {
                        optimal_rsize = fs_iosize;
                }
--- a/include/config.h.in
+++ b/include/config.h.in
@@ -1,4 +1,5 @@
 #undef HAVE_SYS_STATFS_H
+#undef HAVE_SYS_VFS_H
 #undef HAVE_SYS_XATTR_H
 #undef HAVE_SYS_EXTATTR_H
 #undef HAVE_SYS_PARAM_H
@@ -15,6 +15,8 @@
 #undef HAVE_STRUCT_STAT_ST_FLAGS
 #undef HAVE_STRUCT_STATVFS_F_FSTYPENAME
 #undef HAVE_STRUCT_STATFS_F_FSTYPENAME
+#undef HAVE_STRUCT_STATFS_F_IOSIZE
+#undef HAVE_STRUCT_STATFS_F_BSIZE
 #undef HAVE_SYS_ACL_H
 #undef HAVE_LIBUTIL_H
 #undef HAVE_LIBPTHREAD

++++++ xar-1.8.0.0.487-non-darwin.patch ++++++
don't do availability stuff on non-Darwin

--- a/include/xar.h.in
+++ b/include/xar.h.in
@@ -52,6 +52,7 @@
 #import <os/availability.h>
 #else
 #define API_DEPRECATED(...)
+#define API_AVAILABLE(...)
 #endif
 
 #pragma pack(4)

++++++ xar-1.8.0.0.487-variable-sized-object.patch ++++++
GCC doesn't like this:

filetree.c:744:9: error: variable-sized object may not be initialized

Since there's nothing changing at runtime at all, just make the compiler
see it's always going to be 1.

--- a/lib/filetree.c
+++ b/lib/filetree.c
@@ -740,7 +740,7 @@
        size_t fspath1_size = 0, fspath2_size = 0;
        size_t ns1_size = 0, ns2_size = 0;
        const struct __xar_file_t * child1 = NULL, * child2 = NULL;
-       const uint keys_to_ignore_count = 1;
+#define keys_to_ignore_count 1
        char * keys_to_ignore[keys_to_ignore_count] = { "id" }; // ID is 
allowed ot mismatch
        
        // If the two pointers match, call it the same.

++++++ xar-1.8.0.0.498-impl-decls.patch ++++++
include stdlib.h for free and strtol
silence format warning

--- a/lib/ext2.c
+++ b/lib/ext2.c
@@ -41,6 +41,7 @@
 #include "asprintf.h"
 #endif
 #include <stdio.h>
+#include <stdlib.h>
 #include <unistd.h>
 #include "xar.h"
 #include "arcmod.h"
--- a/lib/ea.c
+++ a/lib/ea.c
@@ -67,7 +67,7 @@
        xar_prop_setvalue(XAR_EA(ret)->prop, NULL);
        XAR_PROP(XAR_EA(ret)->prop)->attrs = xar_attr_new();
        XAR_ATTR(XAR_PROP(XAR_EA(ret)->prop)->attrs)->key = strdup("id");
-       asprintf((char **)&XAR_ATTR(XAR_PROP(XAR_EA(ret)->prop)->attrs)->value, 
"%lld", XAR_FILE(f)->nexteaid++);
+       asprintf((char **)&XAR_ATTR(XAR_PROP(XAR_EA(ret)->prop)->attrs)->value, 
PRId64, XAR_FILE(f)->nexteaid++);
 
        xar_prop_pset(f, XAR_EA(ret)->prop, "name", name);
        

++++++ xar-1.8.0.0.503-linux-F_GETPATH.patch ++++++
--- a/lib/archive.c
+++ b/lib/archive.c
@@ -507,10 +507,25 @@
        // If there are hardlinks, the path we pick is the most recently opened 
by
        // the filesystem; which is effectively random.
        char path_buff[PATH_MAX];
+#ifdef F_GETPATH
        if (fcntl(fd, F_GETPATH, path_buff) < 0) {
                close(fd);
                return NULL;
        }
+#else
+       /* Linux has no F_GETPATH; resolve the fd's path via /proc/self/fd. */
+       {
+               char xar_fd_link[64];
+               ssize_t xar_fd_len;
+               snprintf(xar_fd_link, sizeof(xar_fd_link), "/proc/self/fd/%d", 
fd);
+               xar_fd_len = readlink(xar_fd_link, path_buff, sizeof(path_buff) 
- 1);
+               if (xar_fd_len < 0) {
+                       close(fd);
+                       return NULL;
+               }
+               path_buff[xar_fd_len] = '\0';
+       }
+#endif
        
        // Don't trust the position of the descriptor we were given, reset it 
back to 0
        if (lseek(fd, 0, SEEK_SET) != 0) {
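Review bot: The `readlink` result is accepted whenever it is non-negative, so a link target longer than `sizeof(path_buff) - 1` is silently cut short and the function carries on with a wrong path; treat a full buffer as an error with `if (xar_fd_len < 0 || (size_t)xar_fd_len >= sizeof(path_buff) - 1) { close(fd); return NULL; }`. The /proc link text is also not always a usable filename: an unlinked file gets a ` (deleted)` suffix and pipes or sockets yield names such as `pipe:[…]`, so a check like `path_buff[0] != '/'` rejecting those is worth adding before the path is used. A missing /proc (chroot, minimal container) makes `readlink` fail and already falls into the NULL-return branch; a comment stating that this is the intended behaviour there would help. The enclosing function starts and ends outside the hunk.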

++++++ xar-1.6.1.tar.gz -> xar-503.tar.gz ++++++
++++ 33101 lines of diff (skipped)
