Hello community, here is the log from the commit of package cpio for openSUSE:Factory checked in at 2020-09-18 14:26:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cpio (Old) and /work/SRC/openSUSE:Factory/.cpio.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cpio" Fri Sep 18 14:26:24 2020 rev:60 rq:833785 version:2.13 Changes: -------- --- /work/SRC/openSUSE:Factory/cpio/cpio.changes 2020-04-04 12:04:56.214610995 +0200 +++ /work/SRC/openSUSE:Factory/.cpio.new.4249/cpio.changes 2020-09-18 14:28:03.131269323 +0200 @@ -1,0 +2,16 @@ +Fri Sep 11 11:45:35 UTC 2020 - Dirk Mueller <[email protected]> + +- add cpio-revert-CVE-2015-1197-fix.patch as recommended by upstream + to fix https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html + +------------------------------------------------------------------- +Sat Aug 15 16:18:46 UTC 2020 - Dirk Mueller <[email protected]> + +- update to 2.13: + * CVE-2015-1197, CVE-2016-2037, CVE-2019-14866 +- remove patches (upstream): + cpio-2.12-out_of_bounds_write.patch, cpio-2.12-CVE-2019-14866.patch, + cpio-2.12-util.c_no_return_in_nonvoid_fnc.patch, + cpio-check_for_symlinks.patch + +------------------------------------------------------------------- Old: ---- cpio-2.12-CVE-2019-14866.patch cpio-2.12-out_of_bounds_write.patch cpio-2.12-util.c_no_return_in_nonvoid_fnc.patch cpio-2.12.tar.bz2 cpio-2.12.tar.bz2.sig cpio-check_for_symlinks.patch New: ---- cpio-2.13.tar.bz2 cpio-2.13.tar.bz2.sig cpio-revert-CVE-2015-1197-fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cpio.spec ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:04.363270563 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:04.367270567 +0200 @@ -17,7 +17,7 @@ Name: cpio -Version: 2.12 +Version: 2.13 Release: 0 Summary: A Backup and Archiving Utility License: GPL-3.0-only 
@@ -40,15 +40,13 @@ Patch20: cpio-close_files_after_copy.patch Patch21: cpio-pattern-file-sigsegv.patch Patch23: paxutils-rtapelib_mtget.patch -Patch24: cpio-check_for_symlinks.patch +# see https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html +Patch24: cpio-revert-CVE-2015-1197-fix.patch Patch25: cpio-fix_truncation_check.patch -Patch26: cpio-2.12-util.c_no_return_in_nonvoid_fnc.patch -Patch27: cpio-2.12-out_of_bounds_write.patch -Patch28: cpio-2.12-CVE-2019-14866.patch BuildRequires: autoconf BuildRequires: automake -Requires(post): %{install_info_prereq} -Requires(preun): %{install_info_prereq} +#Requires(post): %{xinstall_info_prereq} +#Requires(preun): %{xinstall_info_prereq} Recommends: %{name}-mt = %{version} Recommends: rmt @@ -81,13 +79,11 @@ %patch17 %patch18 %patch20 +### %patch21 -p1 %patch23 -p1 %patch24 -p1 %patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 %build gettextize -f --no-changelog ++++++ cpio-2.12.tar.bz2 -> cpio-2.13.tar.bz2 ++++++ ++++ 73413 lines of diff (skipped) ++++++ cpio-close_files_after_copy.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.383271590 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.383271590 +0200 @@ -1,10 +1,10 @@ Index: src/copyin.c =================================================================== ---- src/copyin.c.orig 2010-08-10 16:45:19.000000000 +0200 -+++ src/copyin.c 2010-08-10 16:45:19.000000000 +0200 -@@ -1485,6 +1485,19 @@ process_copy_in () +--- src/copyin.c.orig ++++ src/copyin.c +@@ -1420,6 +1420,19 @@ process_copy_in () - apply_delayed_set_stat (); + cpio_file_stat_free (&file_hdr); + if (tty_in) + { ++++++ cpio-default_tape_dev.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.395271603 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.395271603 +0200 
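Review bot: With Patch24 switched from cpio-check_for_symlinks.patch to cpio-revert-CVE-2015-1197-fix.patch, the package appears to ship with no handling for CVE-2015-1197. The changelog drops the old patch as "upstream" and the new one reverts that upstream fix; the old patch's content is not shown here, so this is inferred from its name and the stated removal reason. The comment above Patch24 should say so, not only link the thread, for example `# SECURITY: reverts the upstream CVE-2015-1197 fix, see https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html`, and the cpio.changes line listing CVE-2015-1197 under "update to 2.13" should be qualified so CVE tracking does not count it as fixed. Separately, the `Requires(post)`/`Requires(preun)` lines are left commented out with the macro renamed to `%{xinstall_info_prereq}` and no changelog mention; either delete them or restore `%{install_info_prereq}`.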
@@ -2,7 +2,7 @@ =================================================================== --- src/mt.c.orig +++ src/mt.c -@@ -413,11 +413,18 @@ parse_opt (int key, char *arg, struct ar +@@ -225,11 +225,18 @@ parse_opt (int key, char *arg, struct ar { tapedev = getenv ("TAPE"); if (tapedev == NULL) ++++++ cpio-dev_number.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.407271615 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.407271615 +0200 @@ -1,6 +1,8 @@ ---- src/copyin.c 2008-07-11 13:20:27.000000000 +0200 -+++ src/copyin.c 2008-07-18 10:55:58.000000000 +0200 -@@ -1269,15 +1269,15 @@ +Index: src/copyin.c +=================================================================== +--- src/copyin.c.orig ++++ src/copyin.c +@@ -1123,15 +1123,15 @@ read_in_binary (struct cpio_file_stat *f swab_array ((char *) short_hdr, 13); } @@ -19,4 +21,4 @@ + file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev); file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16 | short_hdr->c_mtimes[1]; - + file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16 ++++++ cpio-eof_tape_handling.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.419271627 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.419271627 +0200 @@ -36,7 +36,7 @@ } else break; -@@ -842,6 +856,40 @@ tape_offline (int tape_des) +@@ -829,6 +843,40 @@ tape_offline (int tape_des) #endif } ++++++ cpio-fix_truncation_check.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.439271647 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.443271651 +0200 
@@ -1,8 +1,8 @@ -Index: cpio-2.11/src/mt.c +Index: cpio-2.13/src/mt.c =================================================================== ---- cpio-2.11.orig/src/mt.c 2014-07-29 11:02:31.631881572 +0200 -+++ cpio-2.11/src/mt.c 2014-07-29 11:02:31.665881951 +0200 -@@ -428,7 +428,7 @@ parse_opt (int key, char *arg, struct ar +--- cpio-2.13.orig/src/mt.c ++++ cpio-2.13/src/mt.c +@@ -208,7 +208,7 @@ parse_opt (int key, char *arg, struct ar { char *p; long val = strtol (arg, &p, 0); ++++++ cpio-open_nonblock.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.451271659 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.451271659 +0200 @@ -30,7 +30,7 @@ =================================================================== --- src/mt.c.orig +++ src/mt.c -@@ -333,11 +333,11 @@ +@@ -333,11 +333,11 @@ main (int argc, char **argv) #ifdef MTERASE case MTERASE: #endif @@ -48,7 +48,7 @@ =================================================================== --- src/util.c.orig +++ src/util.c -@@ -814,14 +814,14 @@ +@@ -801,14 +801,14 @@ open_archive (char *file) copy_in = process_copy_in; if (copy_function == copy_in) ++++++ cpio-pattern-file-sigsegv.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.463271671 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.463271671 +0200 @@ -1,8 +1,8 @@ -Index: cpio-2.12/src/copyin.c +Index: cpio-2.13/src/copyin.c =================================================================== ---- cpio-2.12.orig/src/copyin.c -+++ cpio-2.12/src/copyin.c -@@ -871,6 +871,8 @@ read_pattern_file () +--- cpio-2.13.orig/src/copyin.c ++++ cpio-2.13/src/copyin.c +@@ -798,6 +798,8 @@ read_pattern_file () pattern_fp = fopen (pattern_file_name, "r"); if (pattern_fp == NULL) open_fatal (pattern_file_name); 
@@ -11,7 +11,7 @@ while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL) { if (new_num_patterns >= max_new_patterns) -@@ -885,6 +887,7 @@ read_pattern_file () +@@ -812,6 +814,7 @@ read_pattern_file () } if (ferror (pattern_fp) || fclose (pattern_fp) == EOF) close_error (pattern_file_name); ++++++ cpio-revert-CVE-2015-1197-fix.patch ++++++ revert fix for CVE-2015-1197 as it causes shutdown issues revert suggested as a workaround by upstream: https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html --- b/src/copyin.c +++ a/src/copyin.c @@ -645,14 +645,13 @@ link_name = xstrdup (file_hdr->c_tar_linkname); } - cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false); - res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode); if (res < 0 && create_dir_flag) { create_all_directories (file_hdr->c_name); + res = UMASKED_SYMLINK (link_name, file_hdr->c_name, + file_hdr->c_mode); - res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode); } if (res < 0) { --- b/tests/CVE-2015-1197.at +++ /dev/null 
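Review bot: Without the `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` call in the src/copyin.c hunk, `link_name` (copied from `file_hdr->c_tar_linkname` in the visible branch) is passed to `UMASKED_SYMLINK` exactly as stored in the archive, so `--no-absolute-filenames` no longer constrains symlink targets. The patch header mentions only "shutdown issues"; it should add a line such as `Security: symlink targets are not sanitised after this revert (CVE-2015-1197); extract untrusted archives only into a dedicated directory`. The later hunks of this patch delete tests/CVE-2015-1197.at and its entries in tests/Makefile.am and tests/testsuite.at, so the test suite gives no signal for this case until the revert is dropped. The enclosing function begins and ends outside the hunk.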
@@ -1,43 +0,0 @@ -# Process this file with autom4te to create testsuite. -*- Autotest -*- -# Copyright (C) 2009-2019 Free Software Foundation, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3, or (at your option) -# any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)]) -AT_CHECK([ -tempdir=$(pwd)/tmp -mkdir $tempdir -touch $tempdir/file -ln -s $tempdir dir -AT_DATA([filelist], -[dir -dir/file -]) -ln -s /tmp dir -touch /tmp/file -cpio -o < filelist > test.cpio -rm dir /tmp/file -cpio --no-absolute-filenames -iv < test.cpio -], -[2], -[], -[1 block -cpio: Removing leading `/' from hard link targets -dir -cpio: dir/file: Cannot open: No such file or directory -dir/file -1 block -]) -AT_CLEANUP - --- b/tests/Makefile.am +++ a/tests/Makefile.am @@ -56,9 +56,8 @@ symlink-long.at\ symlink-to-stdout.at\ version.at\ big-block-size.at\ - CVE-2015-1197.at\ CVE-2019-14866.at TESTSUITE = $(srcdir)/testsuite --- b/tests/testsuite.at +++ a/tests/testsuite.at @@ -43,6 +43,5 @@ m4_include([setstat04.at]) m4_include([setstat05.at]) m4_include([big-block-size.at]) -m4_include([CVE-2015-1197.at]) m4_include([CVE-2019-14866.at]) ++++++ cpio-use_new_ascii_format.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.479271687 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.483271691 +0200 
@@ -2,7 +2,7 @@ =================================================================== --- doc/cpio.info.orig +++ doc/cpio.info -@@ -216,7 +216,8 @@ option, e.g.: +@@ -226,7 +226,8 @@ option, e.g.: '-B' Set the I/O block size to 5120 bytes. '-c' @@ -12,7 +12,7 @@ '-C NUMBER' '--io-size=NUMBER' Set the I/O block size to the given NUMBER of bytes. -@@ -296,7 +297,8 @@ option. +@@ -307,7 +308,8 @@ option. '-B' Set the I/O block size to 5120 bytes. '-c' @@ -22,7 +22,7 @@ '-C NUMBER' '--io-size=NUMBER' Set the I/O block size to the given NUMBER of bytes. -@@ -406,7 +408,8 @@ option. +@@ -417,7 +419,8 @@ option. '-B' Set the I/O block size to 5120 bytes. '-c' @@ -32,7 +32,7 @@ '-C NUMBER' '--io-size=NUMBER' Set the I/O block size to the given NUMBER of bytes. -@@ -554,7 +557,8 @@ option is valid. +@@ -565,7 +568,8 @@ option is valid. '-c' [*note copy-in::,*note copy-out::,*note copy-pass::] @@ -46,7 +46,7 @@ =================================================================== --- src/main.c.orig +++ src/main.c -@@ -329,6 +329,7 @@ parse_opt (int key, char *arg, struct ar +@@ -328,6 +328,7 @@ parse_opt (int key, char *arg, struct ar case 'c': /* Use the old portable ASCII format. */ if (archive_format != arf_unknown) USAGE_ERROR ((0, 0, _("Archive format multiply defined"))); ++++++ cpio.keyring ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.503271712 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.503271712 +0200 @@ -1,3 +1,4 @@ +GPG keys of Sergey Poznyakoff <gray> -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.7 (GNU/Linux) ++++++ paxutils-rtapelib_mtget.patch ++++++ --- /var/tmp/diff_new_pack.tRSkjt/_old 2020-09-18 14:28:05.515271724 +0200 +++ /var/tmp/diff_new_pack.tRSkjt/_new 2020-09-18 14:28:05.515271724 +0200 
@@ -1,8 +1,8 @@ -Index: cpio-2.11/lib/rtapelib.c +Index: cpio-2.13/lib/rtapelib.c =================================================================== ---- cpio-2.11.orig/lib/rtapelib.c 2013-07-23 13:18:27.119431054 +0200 -+++ cpio-2.11/lib/rtapelib.c 2013-07-23 13:19:35.728188104 +0200 -@@ -710,7 +710,7 @@ rmt_ioctl__ (int handle, int operation, +--- cpio-2.13.orig/lib/rtapelib.c ++++ cpio-2.13/lib/rtapelib.c +@@ -711,7 +711,7 @@ rmt_ioctl__ (int handle, int operation, || (status = get_status (handle), status == -1)) return -1;
