Hello community, here is the log from the commit of package arc for openSUSE:Leap:15.2 checked in at 2020-01-30 06:08:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/arc (Old) and /work/SRC/openSUSE:Leap:15.2/.arc.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "arc" Thu Jan 30 06:08:00 2020 rev:10 rq:767050 version:5.21q Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/arc/arc.changes 2020-01-15 14:47:17.509291410 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.arc.new.26092/arc.changes 2020-01-30 06:08:33.834469874 +0100
@@ -1,0 +2,27 @@
+Fri Jan 17 09:14:38 UTC 2020 - Martin Pluskal <mplus...@suse.com>
+
+- Cleanup package
+
+-------------------------------------------------------------------
+Wed Dec 25 14:47:00 UTC 2019 - John Vandenberg <jay...@gmail.com>
+
+- Add Conflicts: arcanist
+
+-------------------------------------------------------------------
+Thu Oct 17 13:31:31 UTC 2019 - Richard Brown <rbr...@suse.com>
+
+- Remove obsolete Groups tag (fate#326485)
+
+-------------------------------------------------------------------
+Tue Jan 8 08:52:55 UTC 2019 - Karol Babioch <kbabi...@suse.de>
+
+- Make use of license %macro
+- Applied spec-cleaner
+- Added patches:
+ * arc-5.21p-directory-traversel.patch: Fixes a directory traversal
+ vulnerability (CVE-2015-9275 bsc#1121032)
+ * arc-5.21p-fix-arcdie.patch: Fixed a crash on 64 bit machines when arcdie
+ gets called with more than 1 variable argument
+ * arc-5.21p-hdrv1-read-fix.patch: Fixed version 1 arc header reading
+
+-------------------------------------------------------------------
New: ---- arc-5.21p-directory-traversel.patch arc-5.21p-fix-arcdie.patch arc-5.21p-hdrv1-read-fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ arc.spec ++++++
--- /var/tmp/diff_new_pack.1kH0Sm/_old 2020-01-30 06:08:34.478470235 +0100
+++ /var/tmp/diff_new_pack.1kH0Sm/_new 2020-01-30 06:08:34.482470236 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package arc
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -20,19 +20,23 @@
 Version: 5.21q
 Release: 0
 Summary: Archiving tool for arc achives
-License: GPL-2.0
-Group: Productivity/Archiving/Compression
+License: GPL-2.0-only
 URL: https://github.com/ani6al/arc
 Source: https://github.com/ani6al/arc/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: arc-5.21p-directory-traversel.patch
+Patch1: arc-5.21p-fix-arcdie.patch
+Patch2: arc-5.21p-hdrv1-read-fix.patch
+# /usr/bin/arc binary name conflicts
+Conflicts: arcanist
 %description
 This package allows you to unpack *.arc file
 %prep
-%setup -q
+%autosetup -p1
 %build
-make %{?_smp_mflags} OPT="%{optflags}"
+%make_build OPT="%{optflags}"
 %install
 install -Dpm 0755 arc \
@@ -43,9 +47,10 @@
 %{buildroot}%{_mandir}/man1/arc.1
 %files
-%doc Arc521.doc Arcinfo Readme LICENSE
+%doc Arc521.doc Arcinfo Readme
+%license LICENSE
 %{_bindir}/arc
 %{_bindir}/marc
-%{_mandir}/man1/arc.1%{ext_man}
+%{_mandir}/man1/arc.1%{?ext_man}
 %changelog
++++++ arc-5.21p-directory-traversel.patch ++++++
Fix directory traversal bugs arc archives do not contain directory hierarchies, only filenames, so refuse to operate on archives which have the directory-seperator inside filenames.
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143
Signed-off-by: Hans de Goede <hdego...@redhat.com>
diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c
--- arc-5.21p/arcio.c~ 2015-01-16 13:04:16.000000000 +0100
+++ arc-5.21p/arcio.c 2015-01-16 15:45:31.389010626 +0100
@@ -109,6 +109,9 @@ readhdr(hdr, f) /* read a header from
 #if _MTS
 (void) atoe(hdr->name, strlen(hdr->name));
 #endif
+ if (strchr(hdr->name, CUTOFF) != NULL)
+ arcdie("%s contains illegal filename %s", arcname, hdr->name);
+
 for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++);
 hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
 hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
++++++ arc-5.21p-fix-arcdie.patch ++++++
Fix arcdie crash when called with more then 1 variable argument Add proper vararg handling to fix crash on 64 bit machines when arcdie gets called with more then 1 variable argument.
Signed-off-by: Hans de Goede <hdego...@redhat.com>
diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c
--- arc-5.21p/arcmisc.c~ 2010-08-07 15:06:42.000000000 +0200
+++ arc-5.21p/arcmisc.c 2015-01-16 16:10:29.322603290 +0100
@@ -4,6 +4,7 @@
 */
 #include <stdio.h>
+#include <stdarg.h>
 #include <ctype.h>
 #include "arc.h"
@@ -223,11 +224,13 @@ upper(string)
 }
 /* VARARGS1 */
 VOID
-arcdie(s, arg1, arg2, arg3)
- char *s;
+arcdie(const char *s, ...)
 {
+ va_list args;
 fprintf(stderr, "ARC: ");
- fprintf(stderr, s, arg1, arg2, arg3);
+ va_start(args, s);
+ vfprintf(stderr, s, args);
+ va_end(args);
 fprintf(stderr, "\n");
 #if UNIX
 perror("UNIX");
++++++ arc-5.21p-hdrv1-read-fix.patch ++++++
Fix version 1 arc header reading The code for v1 hdr reading was reading the packed header directly into an unpacked struct. Use the same read to dummy array, then manual unpack to header struct as used for v2 headers for v1 headers too.
Signed-off-by: Hans de Goede <hdego...@redhat.com>
diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c
--- arc-5.21p/arcio.c 2010-08-07 15:06:42.000000000 +0200
+++ arc-5.21p.new/arcio.c 2015-01-16 12:59:43.203289118 +0100
@@ -37,6 +37,7 @@
 #endif
 char name[FNLEN]; /* filename buffer */
 int try = 0;/* retry counter */
+ int hdrlen;
 static int first = 1; /* true only on first read */
 if (!f) /* if archive didn't open */
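Review bot: The new `strchr(hdr->name, CUTOFF)` check and the `%s` passed to arcdie both assume hdr->name is NUL-terminated, but as far as this patch shows readhdr still fills hdr->name with FNLEN raw bytes from dummy and nothing forces a terminator, so a header whose name occupies the whole field would let both reads run past the buffer. The terminator is only added by the separate arc-5.21p-hdrv1-read-fix.patch (`hdr->name[FNLEN - 1] = 0;` after the copy loop); either this patch should carry that line itself or its description should state that it depends on the other patch being applied. The check also rejects only the single separator CUTOFF; whether that covers every separator the extraction path honours depends on how arc.h defines CUTOFF, which is not visible here. readhdr starts and ends outside the hunk.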
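Review bot: The definition in the arcmisc.c hunk gains the prototype `arcdie(const char *s, ...)`, but the patch does not touch arc.h; if the header still declares arcdie K&R-style or with the old fixed parameter list, every call site invokes a variadic function through a non-variadic declaration, which is undefined behaviour and the same argument-passing mismatch this patch is meant to cure on 64-bit targets. The declaration should be updated to `VOID arcdie(const char *s, ...);`, and where the compiler supports it `__attribute__((format(printf, 1, 2)))` would let -Wformat check the format/argument pairs at call sites such as the new two-argument call in arcio.c. The `/* VARARGS1 */` lint comment kept above the definition is now misleading and can be dropped. The function continues past the end of the hunk.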
@@ -92,23 +93,19 @@
 printf("I think you need a newer version of ARC.\n");
 exit(1);
 }
+ /* amount to read depends on header type */
+ if (hdrver == 1) {
+ hdrlen = 23; /* old style is shorter */
+ } else {
+ hdrlen = 27;
+ }
- if (hdrver == 1) { /* old style is shorter */
- if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1)
- arcdie("%s was truncated", arcname);
- hdrver = 2; /* convert header to new format */
- hdr->length = hdr->size; /* size is same when not
- * packed */
- } else
-#if MSDOS
- if (fread(hdr, sizeof(struct heads), 1, f) != 1)
- arcdie("%s was truncated", arcname);
-#else
- if (fread(dummy, 27, 1, f) != 1)
- arcdie("%s was truncated", arcname);
+ if (fread(dummy, hdrlen, 1, f) != 1)
+ arcdie("%s was truncated", arcname);
 for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
+ hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
 #if _MTS
 (void) atoe(hdr->name, strlen(hdr->name));
 #endif
@@ -116,8 +113,14 @@
 hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
 hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
 hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
- for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
-#endif
+
+ if (hdrver == 1) {
+ hdrver = 2; /* convert header to new format */
+ hdr->length = hdr->size; /* size is same when not
+ * packed */
+ } else {
+ for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
+ }
 if (hdr->date > olddate ||
 (hdr->date == olddate && hdr->time > oldtime)) {
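Review bot: `hdrlen` is set from the bare literals 23 and 27, which are the on-disk sizes of the v1 and v2 headers; the unpacking code that follows indexes dummy up to [22] for a v1 header (crc at dummy[21..22]) and up to [26] for v2 (the length loop reads dummy[23..26]), so the two constants and those indices must stay in step. Naming them, e.g. `enum { HDRLEN_V1 = 23, HDRLEN_V2 = 27 };` beside the other declarations at the top of readhdr, would make that coupling visible to the next person editing either side. Reading a fixed byte count into dummy instead of `sizeof(struct heads)` bytes into the struct removes the dependence on struct layout and padding that the removed `#if MSDOS` branch relied on, and `hdr->name[FNLEN - 1] = 0;` guarantees the name is terminated before strlen/atoe and any later string function see it. Since the MSDOS special case is dropped silently, a sentence in the patch description saying MSDOS builds now take the portable path would help. readhdr starts and ends outside the hunk.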