Hello community, here is the log from the commit of package libarchive for openSUSE:Factory checked in at 2016-12-04 15:06:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libarchive (Old) and /work/SRC/openSUSE:Factory/.libarchive.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libarchive"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libarchive/libarchive.changes 2016-11-02 12:28:22.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libarchive.new/libarchive.changes 2016-12-04 15:06:31.000000000 +0100
@@ -1,0 +2,7 @@
+Fri Dec 2 13:37:54 UTC 2016 - adr...@suse.com
+
+- fix extracting over symlinks: fix-extract-over-links.patch
+ the problem is solved upstream different, but git master
+ is too different atm.
+
+-------------------------------------------------------------------
@@ -6,6 +13,6 @@
- * CVE-2016-8687.patch: bsc#1005070
- * CVE-2016-8689.patch: bsc#1005072
- * CVE-2016-8688.patch: bsc#1005076
- * CVE-2016-5844.patch: bsc#986566, upstream issue 717
- * CVE-2016-6250.patch: bsc#989980, upstream issue 711
- * CVE-2016-5418.patch: bsc#998677, upstream issues 744, 745 and 746
+ * CVE-2016-8687
+ * CVE-2016-8689
+ * CVE-2016-8688
+ * CVE-2016-5844
+ * CVE-2016-6250
+ * CVE-2016-5418
New:
----
fix-extract-over-links.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libarchive.spec ++++++
--- /var/tmp/diff_new_pack.Xdts2V/_old 2016-12-04 15:06:32.000000000 +0100
+++ /var/tmp/diff_new_pack.Xdts2V/_new 2016-12-04 15:06:32.000000000 +0100
@@ -41,6 +41,8 @@
 Url: http://www.libarchive.org/
 Source0: http://www.libarchive.org/downloads/libarchive-%{version}.tar.gz
 Source1: baselibs.conf
+# PATCH-FIX-OPENSUSE the problem is solved upstream different, but git master is too different atm.
+Patch0: fix-extract-over-links.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: libacl-devel
 BuildRequires: libbz2-devel
@@ -55,7 +57,7 @@
 BuildRequires: pkg-config
 BuildRequires: xz-devel
 BuildRequires: zlib-devel
-Patch0: libarchive-openssl.patch
+Patch1: libarchive-openssl.patch
 %description
 Libarchive is a programming library that can create and read several
@@ -162,8 +164,9 @@
 %prep
 %setup -q
+%patch0 -p1
 %if %{with openssl}
-%patch0 -p0
+%patch1 -p0
 %endif
 %build
++++++ fix-extract-over-links.patch ++++++
--- a/libarchive/archive_write_disk_posix.c.orig 2016-12-02 13:13:57.433550535 +0000
+++ a/libarchive/archive_write_disk_posix.c 2016-12-02 13:16:36.770020356 +0000
@@ -2051,12 +2051,14 @@ create_filesystem_object(struct archive_
 /* EPERM is more appropriate than error_number for our callers */
 return (EPERM);
 }
- r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
- if (r != ARCHIVE_OK) {
- archive_set_error(&a->archive, error_number, "%s", error_string.s);
- free(linkname_copy);
- /* EPERM is more appropriate than error_number for our callers */
- return (EPERM);
+ if (a->flags & ARCHIVE_EXTRACT_SECURE_SYMLINKS) {
+ r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
+ if (r != ARCHIVE_OK) {
+ archive_set_error(&a->archive, error_number, "%s", error_string.s);
+ free(linkname_copy);
+ /* EPERM is more appropriate than error_number for our callers */
+ return (EPERM);
+ }
 }
 free(linkname_copy);
 r = link(linkname, a->name) ? errno : 0;
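Review bot: With the new `if (a->flags & ARCHIVE_EXTRACT_SECURE_SYMLINKS)` guard, a hardlink entry's target is no longer passed through `check_symlinks_fsobj()` when the caller did not request secure symlinks, so `link(linkname, a->name)` then uses a target path whose components were not checked for symlinks. That may be the intended compatibility behaviour, but the check looks like part of the hardlink hardening the changelog lists under CVE-2016-5418 (an inference from this page, worth confirming), and neither the code nor the spec comment states the trade-off. I would put a comment above the guard such as `/* Hardlink targets are only checked for intervening symlinks under ARCHIVE_EXTRACT_SECURE_SYMLINKS; other callers accept the target path as given. */` and confirm that every consumer extracting untrusted archives sets that flag. create_filesystem_object() starts and ends outside this hunk, so any earlier validation of `linkname_copy` is not visible here.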