Hello community, here is the log from the commit of package cpio for openSUSE:Factory checked in at 2017-05-10 20:31:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cpio (Old) and /work/SRC/openSUSE:Factory/.cpio.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cpio" Wed May 10 20:31:36 2017 rev:54 rq:487331 version:2.12 Changes: --------
--- /work/SRC/openSUSE:Factory/cpio/cpio.changes 2016-03-14 09:56:31.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.cpio.new/cpio.changes 2017-05-10 20:31:38.310672952 +0200
@@ -1,0 +2,30 @@
+Tue Apr 11 10:06:17 UTC 2017 - [email protected]
+
+- modify cpio-2.12-out_of_bounds_write.patch to fix a regression
+ causing cpio to crash for tar and ustar archive types
+ [bsc#1028410]
+
+-------------------------------------------------------------------
+Mon Mar 27 11:13:08 UTC 2017 - [email protected]
+
+- Use macro for configure and make install
+- Use update-alternatives according to current documentation
+- Enable testsuite
+
+-------------------------------------------------------------------
+Fri Mar 24 13:28:00 UTC 2017 - [email protected]
+
+- Enable mt building
+- Separated cpio-mt subpackge
+- Change recommend to own mt subpackge
+- Remove cpio-mt.patch - those features available in original mt-st package
+- Switch to use alternatives system for mt
+- Disable rmt building: this binary fully identical to rmt from tar
+- Change default rmt dir to /usr/bin
+
+-------------------------------------------------------------------
+Thu Mar 23 15:14:25 UTC 2017 - [email protected]
+
+- cleanup with spec-cleaner
+
+-------------------------------------------------------------------
Old: ---- cpio-mt.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cpio.spec ++++++
--- /var/tmp/diff_new_pack.RQm0mD/_old 2017-05-10 20:31:40.074424118 +0200
+++ /var/tmp/diff_new_pack.RQm0mD/_new 2017-05-10 20:31:40.078423554 +0200
@@ -1,7 +1,7 @@ # # spec file for package cpio # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,10 +27,9 @@ Source1: http://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.bz2.sig Source2: %{name}.keyring Patch2: cpio-use_new_ascii_format.patch -#oouch what a ...?! pieces of code grabed from mt_st package to add missing functionality (e.g. density info) -#TODO: review is patches needed while mt is no longer building -Patch3: cpio-mt.patch Patch4: cpio-use_sbin_rmt.patch +#PATCH-FIX-UPSTREAM cpio-2.12 cpio-open_nonblock.patch bnc#94449, +#https://savannah.gnu.org/patch/?9263 -- open device with O_NONBLOCK option Patch5: cpio-open_nonblock.patch Patch15: cpio-eof_tape_handling.patch # make posibble to have device nodes with major number > 127 @@ -47,10 +46,11 @@ Patch27: cpio-2.12-out_of_bounds_write.patch BuildRequires: autoconf BuildRequires: automake -Recommends: mt_st Requires(post): %{install_info_prereq} Requires(preun): %{install_info_prereq} Recommends: %{name}-lang = %{version} +Recommends: %{name}-mt = %{version} +Recommends: rmt BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -60,16 +60,22 @@ time stamps, and access permissions. The archive can be another file on the disk, a magnetic tape, or a pipe. -This package also includes the program 'rmt', which provides remote tape -drive control. The 'mt', a local tape drive control program can be found -in mt_st package. +%package mt +Summary: Tape drive control utility +Group: Productivity/Archiving/Backup +Requires: %{name} = %{version} +Requires(post): update-alternatives +Requires(postun): update-alternatives +Provides: mt + +%description mt +This package includes the 'mt', a local tape drive control program. %lang_package %prep %setup -q %patch2 -%patch3 %patch4 %patch5 %patch15 
@@ -82,37 +88,49 @@ %patch25 -p1 %patch26 -p1 %patch27 -p1 -#chmod 755 . -#chmod u+w * -#chmod a+r * %build gettextize -f -autoreconf --force --install -CFLAGS="%{optflags} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fPIE" \ -LDFLAGS="-pie" \ -./configure \ - --prefix=%{_prefix} \ - --mandir=%{_mandir} \ - --infodir=%{_infodir} \ - --libdir=%{_libdir} \ - --disable-silent-rules +autoreconf -fiv +export CFLAGS="%{optflags} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fPIE" +export LDFLAGS="-pie" +%configure \ + --with-rmt="%{_bindir}/rmt" \ + --enable-mt \ + --disable-silent-rules \ + --program-transform-name='s/^mt$/gnumt/' make %{?_smp_mflags} %install mkdir -p %{buildroot}/{usr/bin,bin} -make prefix=%{buildroot}%{_prefix} infodir=%{buildroot}%{_infodir} mandir=%{buildroot}%{_mandir} \ - DEFAULT_RMT_DIR=%{buildroot}%{_sbindir} install +%make_install +mkdir -p %{buildroot}%{_sysconfdir}/alternatives +ln -sf %{_sysconfdir}/alternatives/mt %{buildroot}%{_bindir}/mt +ln -sf %{_sysconfdir}/alternatives/mt.1%{ext_man} %{buildroot}%{_mandir}/man1/mt.1%{ext_man} #UsrMerge ln -sf %{_bindir}/cpio %{buildroot}/bin #EndUsrMerge + %find_lang %{name} +%check +make %{?_smp_mflags} check + +%post mt +%{_sbindir}/update-alternatives --force \ + --install %{_bindir}/mt mt %{_bindir}/gnumt 10 \ + --slave %{_mandir}/man1/mt.1%{ext_man} mt.1%{ext_man} %{_mandir}/man1/gnumt.1%{ext_man} + %post -%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz +%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info} %preun -%install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz +%install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info} + +%postun mt +if [ ! -f %{_bindir}/gnumt ] ; then + "%{_sbindir}/update-alternatives" --remove mt %{_bindir}/gnumt +fi %files %defattr(-,root,root) 
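Review bot: The `%post mt` scriptlet passes `--force` to update-alternatives, which allows the tool to replace a real file already present at `%{_bindir}/mt` instead of refusing, and the new `mt` subpackage declares `Provides: mt` without any `Conflicts:` against a package that ships a plain `/usr/bin/mt`. Whether the other mt provider has also moved to the alternatives system is not visible on this page, so on a system where it has not, its binary could be silently replaced by the symlink. Either drop `--force` or record the reason directly above the call, for example `# --force: replace a stale non-alternatives %{_bindir}/mt left behind by older packages`.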
@@ -120,10 +138,17 @@ /bin/cpio #EndUsrMerge %{_bindir}/cpio -%{_sbindir}/rmt -%{_infodir}/cpio.info.gz -%{_mandir}/man1/cpio.1.gz -%{_mandir}/man8/rmt.8.gz +%{_infodir}/cpio.info%{ext_info} +%{_mandir}/man1/cpio.1%{ext_man} + +%files mt +%defattr(-,root,root) +%ghost %{_bindir}/mt +%{_bindir}/gnumt +%ghost %{_mandir}/man1/mt.1%{ext_man} +%{_mandir}/man1/gnumt.1%{ext_man} +%ghost %{_sysconfdir}/alternatives/mt +%ghost %{_sysconfdir}/alternatives/mt.1%{ext_man} %files lang -f %{name}.lang %defattr(-,root,root) ++++++ cpio-2.12-out_of_bounds_write.patch ++++++ --- /var/tmp/diff_new_pack.RQm0mD/_old 2017-05-10 20:31:40.126416783 +0200 +++ /var/tmp/diff_new_pack.RQm0mD/_new 2017-05-10 20:31:40.138415090 +0200 @@ -11,12 +11,22 @@ =================================================================== --- cpio-2.12.orig/src/copyin.c +++ cpio-2.12/src/copyin.c -@@ -1434,6 +1434,8 @@ process_copy_in () +@@ -1433,6 +1433,18 @@ process_copy_in () break; } -+ if (file_hdr.c_namesize <= 1) -+ file_hdr.c_name = xrealloc(file_hdr.c_name, 2); ++ /* Fix for CVE-2016-2037 (bsc#963448) and resultant regression (bsc#1028410). ++ For tar and ustar archive formats, file_hdr.c_namesize is not defined and ++ file_hdr.c_name uses static memory. Therefore we can't rely on ++ file_hdr.c_namesize and we can't realloc memory for these archive types. ++ However the patch is still correct for CVE-2016-2037 (we have to be sure ++ that the allocated NAME buffer has a capacity at least 2 bytes to allow ++ us to store the "." string inside) as static char array for tar and ustar ++ has size 2 at least (see tar.c:stash_tar_filename()). ++ */ ++ if (archive_format != arf_tar && archive_format != arf_ustar ++ && file_hdr.c_namesize <= 1) ++ file_hdr.c_name = xrealloc(file_hdr.c_name, 2); cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag, false); 
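Review bot: In the cpio-2.12-out_of_bounds_write.patch hunk, the new guard skips the `xrealloc` for `arf_tar` and `arf_ustar` on the strength of an invariant that exists only in the added comment, namely that the static name buffer behind `tar.c:stash_tar_filename()` holds at least 2 bytes; if that buffer is ever changed, the CVE-2016-2037 out-of-bounds write would return with nothing to catch it. tar.c is not touched by this patch, so I would add a matching comment (or a compile-time size check) beside that buffer pointing back to this guard. For the cpio formats the buffer is grown to 2 bytes while `file_hdr.c_namesize` keeps its old value, so if any later code treats `c_namesize` as the buffer capacity, the comment should say so. Since the spec now runs `make check`, a regression test that extracts tar and ustar archives (the bsc#1028410 crash) would pin this behaviour. The body of `process_copy_in` continues outside the hunk.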
@@ -36,3 +46,4 @@ void cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, bool strip_leading_dots) + ++++++ cpio-open_nonblock.patch ++++++ --- /var/tmp/diff_new_pack.RQm0mD/_old 2017-05-10 20:31:40.298392521 +0200 +++ /var/tmp/diff_new_pack.RQm0mD/_new 2017-05-10 20:31:40.306391391 +0200 
@@ -1,13 +1,41 @@ +From: Alexey Svistunov <[email protected]> +Date: 2017-02-17 16:07:00 +0300 +Subject: open device with O_NONBLOCK option +References: https://savannah.gnu.org/patch/?9263, bnc#94449 +Upstream: submitted + +When running the 2.6 kernel, "mt -f /dev/nst0 status" blocks if there is +no media in the drive. The same occurs for other commands. + +When running the 2.4.24 kernel, "mt -f /dev/nst0 status" does not block +when there is no tape in the drive. + +This behavior change is documented for the 2.6 kernel (see +kernel-source-2.6.3/Documentation/scsi/st.txt for the full doc): + +If the open option O_NONBLOCK is used, open succeeds even if the +drive is not ready. If O_NONBLOCK is not used, the driver waits for +the drive to become ready. If this does not happen in ST_BLOCK_SECONDS +seconds, open fails with the errno value EIO. With O_NONBLOCK the +device can be opened for writing even if there is a write protected +tape in the drive (commands trying to write something return error if +attempted). + +It appears that the use of O_NONBLOCK is safe with pre-2.6 kernels. +Suggest adding the use of O_NONBLOCK when opening the device. As it is, +for long-running commands such as "fsf", one cannot tell if the command is +progressing or if it's blocking waiting for media. + Index: src/mt.c =================================================================== --- src/mt.c.orig +++ src/mt.c -@@ -723,11 +723,11 @@ main (int argc, char **argv) - #ifdef MTDATCOMP - case MTDATCOMP: +@@ -333,11 +333,11 @@ + #ifdef MTERASE + case MTERASE: #endif -- tapedesc = rmtopen (tapedev, O_WRONLY, 0, rsh_command_option); -+ tapedesc = rmtopen (tapedev, O_WRONLY | O_NONBLOCK, 0, rsh_command_option); +- tapedesc = rmtopen (tapedev, O_WRONLY, 0, rsh_command_option); ++ tapedesc = rmtopen (tapedev, O_WRONLY | O_NONBLOCK, 0, rsh_command_option); break; default: 
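Review bot: With `O_WRONLY | O_NONBLOCK` the open in this `case` group no longer fails when the drive is not ready or the tape is write-protected (the added patch description says as much), so the first error now surfaces at the later tape operation instead of at `rmtopen`; the code after the `switch` in `main` is outside the hunk, so please confirm that its return value is checked and reported. The flag also stays set on `tapedesc` for the rest of the run, which may change how the following operations behave on some drivers; if only the open is meant to be non-blocking, clearing the flag afterwards with `fcntl` would keep the previous semantics. Because `rmtopen` can reach a remote device through `rsh_command_option`, it is also worth checking that the flag is translated correctly for the remote side. A short comment above the call, such as `/* O_NONBLOCK: do not hang in open() when no medium is loaded */`, would record why the flag is there.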
@@ -20,7 +48,7 @@ =================================================================== --- src/util.c.orig +++ src/util.c -@@ -767,14 +767,14 @@ open_archive (char *file) +@@ -814,14 +814,14 @@ copy_in = process_copy_in; if (copy_function == copy_in)
