Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package xar for openSUSE:Factory checked in at 2026-06-22 17:38:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xar (Old) and /work/SRC/openSUSE:Factory/.xar.new.1956 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xar" Mon Jun 22 17:38:46 2026 rev:13 rq:1361014 version:1.8.0.0.503 Changes: -------- --- /work/SRC/openSUSE:Factory/xar/xar.changes 2026-06-02 16:10:16.981709108 +0200 +++ /work/SRC/openSUSE:Factory/.xar.new.1956/xar.changes 2026-06-22 17:38:49.893506596 +0200 
@@ -1,0 +2,25 @@ +Mon Jun 22 07:33:44 UTC 2026 - Martin Pluskal <[email protected]> + +- Switch to the maintained Apple xar lineage (build 503, versioned + 1.8.0.0.503): the mackyle 1.6.1 fork this package tracked has been + dead since 2012, and Debian, Fedora and Gentoo all moved to Apple's + xar (apple-oss-distributions/xar). This resolves the long-standing + NULL-pointer dereferences in xar_get_path() and xar_unserialize() + when parsing malformed archives: + * CVE-2017-11124 (boo#1047875) + * CVE-2017-11125 (boo#1047874) + * CVE-2018-17093 (boo#1108595) + * CVE-2018-17094 (boo#1108596) +- Drop the obsolete mackyle-fork patches: ext2.patch, + openssl-checks.patch, xar-fix-prototype.patch +- Add the Gentoo-tracked Linux build patch set for the Apple lineage: + xar-1.6.1-ext2.patch, xar-1.8-safe_dirname.patch, + xar-1.8-arm-ppc.patch, xar-1.8-openssl-1.1.patch, + xar-1.8.0.0.452-linux.patch, xar-1.8.0.0.487-non-darwin.patch, + xar-1.8.0.0.487-variable-sized-object.patch, + xar-1.8.0.0.498-impl-decls.patch +- Add xar-1.8.0.0.503-linux-F_GETPATH.patch: resolve an fd's path via + /proc/self/fd on Linux, where the macOS-only F_GETPATH fcntl used by + the new xar_fdopen_digest_verify() is unavailable + +------------------------------------------------------------------- Old: ---- ext2.patch openssl-checks.patch xar-1.6.1.tar.gz xar-fix-prototype.patch New: ---- xar-1.6.1-ext2.patch xar-1.8-arm-ppc.patch xar-1.8-openssl-1.1.patch xar-1.8-safe_dirname.patch xar-1.8.0.0.452-linux.patch xar-1.8.0.0.487-non-darwin.patch xar-1.8.0.0.487-variable-sized-object.patch xar-1.8.0.0.498-impl-decls.patch xar-1.8.0.0.503-linux-F_GETPATH.patch xar-503.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xar.spec ++++++ --- /var/tmp/diff_new_pack.Lxrqr0/_old 2026-06-22 17:38:51.181551635 +0200 +++ 
/var/tmp/diff_new_pack.Lxrqr0/_new 2026-06-22 17:38:51.185551776 +0200 @@ -16,20 +16,36 @@ # +# Apple xar build number (the actual upstream now that mackyle's fork is dead) +%define apple 503 %define sover 1 Name: xar -Version: 1.6.1 +Version: 1.8.0.0.%{apple} Release: 0 Summary: Extensible Archive Format Tools License: BSD-3-Clause -URL: https://mackyle.github.io/xar/ -Source: https://github.com/mackyle/xar/archive/%{name}-%{version}.tar.gz -# PATCH-FIX-UPSTREAM ext2.patch gh#mackyle/xar#10 -Patch0: ext2.patch -Patch1: openssl-checks.patch -Patch2: xar-fix-prototype.patch +URL: https://github.com/apple-oss-distributions/xar +Source: https://github.com/apple-oss-distributions/xar/archive/%{name}-%{apple}.tar.gz#/%{name}-%{apple}.tar.gz +# Linux-build patch set, tracked by Gentoo (app-arch/xar) for the Apple lineage: +# PATCH-FIX-OPENSUSE ext2.patch — build the ext2 attribute support against e2fsprogs +Patch0: xar-1.6.1-ext2.patch +# PATCH-FIX-OPENSUSE safe_dirname — provide a non-Darwin safe_dirname +Patch1: xar-1.8-safe_dirname.patch +# PATCH-FIX-OPENSUSE build on arm/ppc +Patch2: xar-1.8-arm-ppc.patch +# PATCH-FIX-OPENSUSE build against OpenSSL 1.1+ +Patch3: xar-1.8-openssl-1.1.patch +# PATCH-FIX-OPENSUSE Linux portability +Patch4: xar-1.8.0.0.452-linux.patch +# PATCH-FIX-OPENSUSE drop remaining Darwin-only bits +Patch5: xar-1.8.0.0.487-non-darwin.patch +# PATCH-FIX-OPENSUSE fix a variable-sized object +Patch6: xar-1.8.0.0.487-variable-sized-object.patch +# PATCH-FIX-OPENSUSE add missing implicit declarations +Patch7: xar-1.8.0.0.498-impl-decls.patch +# PATCH-FIX-OPENSUSE resolve an fd's path via /proc/self/fd where macOS F_GETPATH is unavailable +Patch8: xar-1.8.0.0.503-linux-F_GETPATH.patch BuildRequires: autoconf -BuildRequires: automake BuildRequires: e2fsprogs-devel BuildRequires: gcc BuildRequires: make 
@@ -78,14 +94,32 @@ table of content's rich meta-data. %prep -%setup -q -n %{name}-%{name}-%{version} -%patch -P 0 -%patch -P 1 -p1 -%patch -P 2 -p1 +%setup -q -n %{name}-%{name}-%{apple} +%patch -P 0 -p1 -d xar +%patch -P 1 -p1 -d xar +%patch -P 2 -p1 -d xar +%patch -P 3 -p1 -d xar +%patch -P 4 -p1 -d xar +%patch -P 5 -p1 -d xar +%patch -P 6 -p1 -d xar +%patch -P 7 -p1 -d xar +%patch -P 8 -p1 -d xar +pushd xar +# make the public headers reachable as <xar/...> and from src/ (they ship in lib/) +mv lib/*.h include/ +ln -sf . include/xar +# drop the macOS @RPATH@ and the CommonCrypto path (use OpenSSL on Linux) +sed -i -e 's/@RPATH@//' src/Makefile.inc.in +echo ".PRECIOUS: @objroot@src/%.o" >> src/Makefile.inc.in +sed -i -e 's/__APPLE__/__NO_APPLE__/' include/archive.h lib/hash.c +popd %build pushd xar +# the shipped configure is stale vs the patched configure.ac -> regenerate ./autogen.sh --noconfigure +export LIBS="$(pkg-config --libs openssl)" +export CFLAGS="%{optflags} -Wno-unused-result" %configure --disable-static %make_build popd @@ -100,18 +134,16 @@ %files %license xar/LICENSE -%doc xar/ChangeLog xar/NEWS +%doc xar/ChangeLog %{_bindir}/xar %{_mandir}/man1/xar.1%{?ext_man} %files -n libxar%{sover} %license xar/LICENSE -%doc xar/ChangeLog xar/NEWS -%{_libdir}/libxar.so.%{sover} +%{_libdir}/libxar.so.%{sover}* %files -n libxar-devel %license xar/LICENSE -%doc xar/ChangeLog xar/NEWS %{_includedir}/xar %{_libdir}/libxar.so ++++++ xar-1.6.1-ext2.patch ++++++ --- a/lib/ext2.c.orig +++ b/lib/ext2.c @@ -139,8 +139,10 @@ if(! (flags & ~EXT2_NOCOMPR_FL) ) x_addprop(f, "NoCompBlock"); #endif +#ifdef EXT2_ECOMPR_FL if(! (flags & ~EXT2_ECOMPR_FL) ) x_addprop(f, "CompError"); +#endif if(! (flags & ~EXT2_BTREE_FL) ) x_addprop(f, "BTree"); if(! (flags & ~EXT2_INDEX_FL) ) 
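Review bot: on the xar.changes hunk at the top of this mail, the four CVE lines credit the lineage switch with closing boo#1047875, boo#1047874, boo#1108595 and boo#1108596, but none of the patches in this request touch xar_get_path() or xar_unserialize(); the actual fixes live in the 33101-line upstream diff that this mail skips. Please cite the upstream commits, or record that the bug reports were retested against build 503, so the CVE closure is auditable from the changelog rather than implied by the version bump.

Review bot: in the xar.spec hunk @@ -16,20 +16,36 @@, the patch comments do not match the files they describe: all nine are tagged PATCH-FIX-OPENSUSE although the changelog calls them the Gentoo-tracked set (a Gentoo bug or git URL per comment would record the origin), and the Patch0 comment names "ext2.patch" while the file is xar-1.6.1-ext2.patch, so the comment is no longer greppable. Separately, `BuildRequires: automake` is dropped while %build still runs `./autogen.sh`; confirm the script only needs autoconf/autoheader, and since %build now calls `pkg-config --libs openssl`, make sure `pkgconfig` and `pkgconfig(openssl)` are among the BuildRequires (they are not among the lines visible in this hunk).

Review bot: in the xar.spec hunk @@ -78,14 +94,32 @@, `sed -i -e 's/__APPLE__/__NO_APPLE__/' include/archive.h lib/hash.c` rewrites the same hash.c that xar-1.8-openssl-1.1.patch patches, and does it in %prep instead of in the patch set, so the source actually compiled is not what the patches document; either fold it into a patch or add a comment saying which `__APPLE__` block misbehaves on Linux, where the macro is not defined anyway. `ln -sf . include/xar` creates a self-referential symlink; check that `make install` copies the header files and not the link itself, because `%{_includedir}/xar` in libxar-devel would otherwise ship a loop. The `echo ".PRECIOUS: @objroot@src/%.o" >> src/Makefile.inc.in` line has no comment explaining what goes wrong without it, and `-Wno-unused-result` hides unchecked I/O return values rather than fixing them; both deserve a one-line note so the next maintainer knows whether they are still needed.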
@@ -225,8 +227,10 @@ if( e2prop_get(f, "NoCompBlock", (char **)&tmp) == 0 ) flags |= EXT2_NOCOMPR_FL ; #endif +#ifdef EXT2_ECOMPR_FL if( e2prop_get(f, "CompError", (char **)&tmp) == 0 ) flags |= EXT2_ECOMPR_FL ; +#endif if( e2prop_get(f, "BTree", (char **)&tmp) == 0 ) flags |= EXT2_BTREE_FL ; if( e2prop_get(f, "HashIndexed", (char **)&tmp) == 0 ) ++++++ xar-1.8-arm-ppc.patch ++++++ --- a/lib/archive.c +++ b/lib/archive.c @@ -387,7 +387,8 @@ return NULL; } - XAR(ret)->heap_offset = xar_get_heap_offset(ret) + offset; + XAR(ret)->heap_offset = + XAR(ret)->toc_count + sizeof(xar_header_t) + offset; if( lseek(XAR(ret)->fd, XAR(ret)->heap_offset, SEEK_SET) == -1 ) { xar_close(ret); return NULL; --- a/src/xar.c +++ a/src/xar.c @@ -783,7 +783,7 @@ int main(int argc, char *argv[]) { int ret; char *filename = NULL; - char command = 0, c; + signed char command = 0, c; char **args; const char *tocfile = NULL; int arglen, i, err; ++++++ xar-1.8-openssl-1.1.patch ++++++ lib/hash.c: fix compilation with OpenSSL-1.1+ EVP_MD_CTX has become an anonymous struct now, so can't allocate size for it anymore. --- a/lib/hash.c 2015-06-09 03:22:07.000000000 +0000 +++ b/lib/hash.c 2019-01-01 14:37:01.487775958 +0000 @@ -102,7 +102,7 @@ #ifdef __APPLE__ CCDigestRef digest; #else - EVP_MD_CTX digest; + EVP_MD_CTX *digest; const EVP_MD *type; #endif unsigned int length; @@ -123,7 +123,8 @@ #else OpenSSL_add_all_digests(); HASH_CTX(hash)->type = EVP_get_digestbyname(digest_name); - EVP_DigestInit(&HASH_CTX(hash)->digest, HASH_CTX(hash)->type); + HASH_CTX(hash)->digest = EVP_MD_CTX_create(); + EVP_DigestInit(HASH_CTX(hash)->digest, HASH_CTX(hash)->type); #endif HASH_CTX(hash)->digest_name = strdup(digest_name); @@ -143,7 +143,7 @@ #ifdef __APPLE__ CCDigestUpdate(HASH_CTX(hash)->digest, buffer, nbyte); #else - EVP_DigestUpdate(&HASH_CTX(hash)->digest, buffer, nbyte); + EVP_DigestUpdate(HASH_CTX(hash)->digest, buffer, nbyte); #endif } 
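Review bot: in xar-1.8-arm-ppc.patch, the lib/archive.c hunk replaces the `xar_get_heap_offset(ret)` call with the open-coded `XAR(ret)->toc_count + sizeof(xar_header_t) + offset`, and nothing in the patch says why; a patch whose file name promises an arm/ppc build fix should carry a header stating what failed and whether the two expressions are meant to be equivalent. The src/xar.c hunk's `signed char command = 0, c;` is the familiar fix for `char` being unsigned on those targets, presumably for a `-1` comparison later in main(); say so in the header. Also the src/xar.c file header reads `--- a/src/xar.c +++ a/src/xar.c`; patch(1) copes, but regenerate it as a/ and b/ so tooling that inspects the headers does not trip.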
@@ -160,7 +160,8 @@ CCDigestFinal(HASH_CTX(hash)->digest, buffer); CCDigestDestroy(HASH_CTX(hash)->digest); #else - EVP_DigestFinal(&HASH_CTX(hash)->digest, buffer, &HASH_CTX(hash)->length); + EVP_DigestFinal(HASH_CTX(hash)->digest, buffer, &HASH_CTX(hash)->length); + EVP_MD_CTX_destroy(HASH_CTX(hash)->digest); #endif *nbyte = HASH_CTX(hash)->length; ++++++ xar-1.8-safe_dirname.patch ++++++ linuxattr: fix missing symbol safe_dirname This one was probably missed when they did a global rename to xar_ prefixed variants. --- a/lib/linuxattr.c +++ b/lib/linuxattr.c @@ -223,7 +223,7 @@ if( statfs(file, &sfs) != 0 ) { char *tmp, *bname; tmp = strdup(file); - bname = safe_dirname(tmp); + bname = xar_safe_dirname(tmp); statfs(bname, &sfs); free(tmp); free(bname); ++++++ xar-1.8.0.0.452-linux.patch ++++++ --- a/configure.ac +++ b/configure.ac @@ -183,7 +183,7 @@ AC_TRY_COMPILE([#include <sys/types.h> #include <sys/acl.h>], [acl_t a], [AC_DEFINE([HAVE_SYS_ACL_H],[1], [define if you have sys/acl.h and it has a working acl_t type])]) -AC_CHECK_HEADERS(ext2fs/ext2_fs.h sys/statfs.h sys/xattr.h sys/param.h sys/extattr.h libutil.h) +AC_CHECK_HEADERS(ext2fs/ext2_fs.h sys/statfs.h sys/vfs.h sys/xattr.h sys/param.h sys/extattr.h libutil.h) AC_CHECK_FUNCS(lgetxattr) AC_CHECK_FUNCS(lsetxattr) AC_CHECK_FUNCS(getxattr) @@ -199,7 +199,22 @@ AC_CHECK_MEMBERS([struct statfs.f_fstypename],,,[#include <sys/types.h> #include <sys/param.h> -#include <sys/mount.h>]) +#include <sys/mount.h> +#ifdef HAVE_SYS_VFS_H +#include <sys/vfs.h> +#endif]) +AC_CHECK_MEMBERS([struct statfs.f_iosize],,,[#include <sys/types.h> +#include <sys/param.h> +#include <sys/mount.h> +#ifdef HAVE_SYS_VFS_H +#include <sys/vfs.h> +#endif]) +AC_CHECK_MEMBERS([struct statfs.f_bsize],,,[#include <sys/types.h> +#include <sys/param.h> +#include <sys/mount.h> +#ifdef HAVE_SYS_VFS_H +#include <sys/vfs.h> +#endif]) AC_CHECK_MEMBERS([struct statvfs.f_fstypename],,,[#include <sys/statvfs.h>]) AC_CHECK_MEMBERS([struct stat.st_flags]) 
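Review bot: in xar-1.8-openssl-1.1.patch hunk @@ -123,7 +123,8 @@, the return value of `EVP_MD_CTX_create()` is never checked, so on allocation failure `EVP_DigestInit(NULL, ...)` follows; add a NULL check that releases the hash object and reports an error. The context is only freed in the @@ -160,7 +160,8 @@ finalisation hunk, so a hash that is created but never finalised now leaks the EVP_MD_CTX (under 1.0.x it was embedded in the struct); make sure the object's free path calls `EVP_MD_CTX_destroy()` as well. `EVP_DigestInit` with a NULL `type` (when `EVP_get_digestbyname()` finds nothing) simply fails, and this code ignores that return value too; the same check would cover it.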
--- a/lib/util.c +++ b/lib/util.c @@ -35,6 +35,8 @@ * Christopher Ryan <[email protected]> */ +#include "config.h" + #include <stdio.h> #include <stdint.h> #include <sys/types.h> @@ -40,6 +40,9 @@ #include <sys/types.h> #include <sys/mount.h> #include <sys/param.h> +#ifdef HAVE_SYS_VFS_H +# include <sys/vfs.h> +#endif #include <arpa/inet.h> #include <string.h> #include <unistd.h> @@ -467,6 +467,14 @@ return tmp; } +#ifndef HAVE_STRUCT_STATFS_F_IOSIZE +# ifdef HAVE_STRUCT_STATFS_F_BSIZE +# define f_iosize f_bsize +# else +# error need a field to get optimal transfer block size +# endif +#endif + size_t xar_optimal_io_size_at_path(const char *path) { // Start at 1MiB @@ -491,6 +491,7 @@ fs_iosize = optimal_rsize; } +#ifdef MNT_LOCAL // If we're a remote filesystem, never let us go below the optimal size above of 1MiB // NFS is horrible and lies that the optimal size is 512 bytes. // Whereas SMB in my testing returns 7MiBs (far more practicle) @@ -503,6 +504,7 @@ } } else +#endif { optimal_rsize = fs_iosize; } --- a/include/config.h.in +++ b/include/config.h.in @@ -1,4 +1,5 @@ #undef HAVE_SYS_STATFS_H +#undef HAVE_SYS_VFS_H #undef HAVE_SYS_XATTR_H #undef HAVE_SYS_EXTATTR_H #undef HAVE_SYS_PARAM_H @@ -15,6 +15,8 @@ #undef HAVE_STRUCT_STAT_ST_FLAGS #undef HAVE_STRUCT_STATVFS_F_FSTYPENAME #undef HAVE_STRUCT_STATFS_F_FSTYPENAME +#undef HAVE_STRUCT_STATFS_F_IOSIZE +#undef HAVE_STRUCT_STATFS_F_BSIZE #undef HAVE_SYS_ACL_H #undef HAVE_LIBUTIL_H #undef HAVE_LIBPTHREAD ++++++ xar-1.8.0.0.487-non-darwin.patch ++++++ don't do availability stuff on non-Darwin --- a/include/xar.h.in +++ b/include/xar.h.in 
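Review bot: in xar-1.8.0.0.452-linux.patch, the lib/util.c hunk headers (`@@ -35,6 +35,8 @@`, `@@ -40,6 +40,9 @@`, `@@ -467,6 +467,14 @@`, `@@ -491,6 +491,7 @@`) give the same start line on both sides although each earlier hunk adds lines, and the second hunk's old range overlaps the first (both contain the `#include <sys/types.h>` context line); the patch has evidently been hand-edited. It applies with offset and fuzz today, but please regenerate it with `diff -u` so that %prep fails loudly if the context drifts instead of silently applying in the wrong place.

Review bot: in the same patch's `@@ -467,6 +467,14 @@` hunk, `#define f_iosize f_bsize` rewrites every later `f_iosize` token in util.c, not only the struct member; that works as long as the name is used nowhere else, but a scoped accessor macro such as `XAR_STATFS_IOSIZE(s)` would not leak. In the `@@ -491,6 +491,7 @@` hunk, wrapping the remote-filesystem branch in `#ifdef MNT_LOCAL` appears to drop the whole 1 MiB floor on Linux, where MNT_LOCAL does not exist, so `optimal_rsize = fs_iosize` is taken unconditionally; the hunk's own comment says small values reported by network filesystems are the reason the floor exists, so consider keeping the floor unconditional and guarding only the MNT_LOCAL test itself.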
@@ -52,6 +52,7 @@ #import <os/availability.h> #else #define API_DEPRECATED(...) +#define API_AVAILABLE(...) #endif #pragma pack(4) ++++++ xar-1.8.0.0.487-variable-sized-object.patch ++++++ GCC doesn't like this: filetree.c:744:9: error: variable-sized object may not be initialized Since there's nothing changing at runtime at all, just make the compiler see it's always going to be 1. --- a/lib/filetree.c +++ b/lib/filetree.c @@ -740,7 +740,7 @@ size_t fspath1_size = 0, fspath2_size = 0; size_t ns1_size = 0, ns2_size = 0; const struct __xar_file_t * child1 = NULL, * child2 = NULL; - const uint keys_to_ignore_count = 1; +#define keys_to_ignore_count 1 char * keys_to_ignore[keys_to_ignore_count] = { "id" }; // ID is allowed ot mismatch // If the two pointers match, call it the same. ++++++ xar-1.8.0.0.498-impl-decls.patch ++++++ include stdlib.h for free and strtol silence format warning --- a/lib/ext2.c +++ b/lib/ext2.c @@ -41,6 +41,7 @@ #include "asprintf.h" #endif #include <stdio.h> +#include <stdlib.h> #include <unistd.h> #include "xar.h" #include "arcmod.h" --- a/lib/ea.c +++ a/lib/ea.c @@ -67,7 +67,7 @@ xar_prop_setvalue(XAR_EA(ret)->prop, NULL); XAR_PROP(XAR_EA(ret)->prop)->attrs = xar_attr_new(); XAR_ATTR(XAR_PROP(XAR_EA(ret)->prop)->attrs)->key = strdup("id"); - asprintf((char **)&XAR_ATTR(XAR_PROP(XAR_EA(ret)->prop)->attrs)->value, "%lld", XAR_FILE(f)->nexteaid++); + asprintf((char **)&XAR_ATTR(XAR_PROP(XAR_EA(ret)->prop)->attrs)->value, PRId64, XAR_FILE(f)->nexteaid++); xar_prop_pset(f, XAR_EA(ret)->prop, "name", name); ++++++ xar-1.8.0.0.503-linux-F_GETPATH.patch ++++++ --- a/lib/archive.c +++ b/lib/archive.c 
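Review bot: in xar-1.8.0.0.487-variable-sized-object.patch, `#define keys_to_ignore_count 1` turns a block-scoped constant into a file-wide macro that is never `#undef`'d; `enum { keys_to_ignore_count = 1 };` is an integer constant expression that keeps block scope and still satisfies the array-size requirement the quoted GCC error complains about. While touching that line, `char * keys_to_ignore[...] = { "id" }` should be `const char *` since it holds a string literal.

Review bot: in xar-1.8.0.0.498-impl-decls.patch, the lib/ea.c hunk replaces the format string `"%lld"` with a bare `PRId64`; PRId64 expands to the conversion letters only (for example `"ld"`), so the format becomes `"ld"` with no `%`, the id argument is never consumed, and every EA "id" attribute is written as the literal text ld. The replacement has to be `"%" PRId64`, and the file needs `#include <inttypes.h>`, which this patch does not add; a `-Wformat-extra-args` warning is the only sign the compiler gives, which defeats the "silence format warning" goal stated in the patch header.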
@@ -507,10 +507,25 @@ // If there are hardlinks, the path we pick is the most recently opened by // the filesystem; which is effectively random. char path_buff[PATH_MAX]; +#ifdef F_GETPATH if (fcntl(fd, F_GETPATH, path_buff) < 0) { close(fd); return NULL; } +#else + /* Linux has no F_GETPATH; resolve the fd's path via /proc/self/fd. */ + { + char xar_fd_link[64]; + ssize_t xar_fd_len; + snprintf(xar_fd_link, sizeof(xar_fd_link), "/proc/self/fd/%d", fd); + xar_fd_len = readlink(xar_fd_link, path_buff, sizeof(path_buff) - 1); + if (xar_fd_len < 0) { + close(fd); + return NULL; + } + path_buff[xar_fd_len] = '\0'; + } +#endif // Don't trust the position of the descriptor we were given, reset it back to 0 if (lseek(fd, 0, SEEK_SET) != 0) { ++++++ xar-1.6.1.tar.gz -> xar-503.tar.gz ++++++ ++++ 33101 lines of diff (skipped)
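Review bot: in xar-1.8.0.0.503-linux-F_GETPATH.patch, `readlink()` returns a silently truncated name when the link target is longer than `sizeof(path_buff) - 1`, so the `#else` branch should treat `xar_fd_len == sizeof(path_buff) - 1` as a failure the way the F_GETPATH branch treats its errors; otherwise a truncated path flows into whatever the caller does with path_buff. Two behavioural differences from F_GETPATH also deserve a comment in the code: the link text for an unlinked file ends in " (deleted)" and for non-file descriptors is of the form "pipe:[...]", and the whole branch returns NULL in a chroot or container without /proc mounted, which the fcntl path never did. Since this patch is added here rather than taken from the Gentoo set, the spec comment could say so, so that it is not dropped on the next sync with Gentoo.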
