author | Roy Marples <uberlord@gentoo.org> | 2007-08-22 09:09:15 +0000 |
---|---|---|
committer | Roy Marples <uberlord@gentoo.org> | 2007-08-22 09:09:15 +0000 |
commit | 6743186cddf5cb9e470eeaf80e7b5f12b2750c44 (patch) | |
tree | 7b0bad3e1c06e0d49e064d70a193b80a801e62b7 /app-arch/tar | |
parent | Prefer 1.5 over 1.4 (diff) | |
Patch to fix a directory traversal vulnerability, #189682
thanks to Robert Buchholz.
Package-Manager: portage-2.1.3.6
Diffstat (limited to 'app-arch/tar')
-rw-r--r-- | app-arch/tar/ChangeLog | 11 | ||||
-rw-r--r-- | app-arch/tar/Manifest | 26 | ||||
-rw-r--r-- | app-arch/tar/files/digest-tar-1.17-r1 | 3 | ||||
-rw-r--r-- | app-arch/tar/files/digest-tar-1.18-r2 | 3 | ||||
-rw-r--r-- | app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch | 20 | ||||
-rw-r--r-- | app-arch/tar/tar-1.17-r1.ebuild | 70 | ||||
-rw-r--r-- | app-arch/tar/tar-1.18-r2.ebuild | 69 |
7 files changed, 197 insertions, 5 deletions
diff --git a/app-arch/tar/ChangeLog b/app-arch/tar/ChangeLog index 9c3e85962a94..19b40f009783 100644 --- a/app-arch/tar/ChangeLog +++ b/app-arch/tar/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for app-arch/tar # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.108 2007/08/21 17:40:39 jer Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/ChangeLog,v 1.109 2007/08/22 09:09:15 uberlord Exp $ + +*tar-1.18-r2 (22 Aug 2007) +*tar-1.17-r1 (22 Aug 2007) + + 22 Aug 2007; Roy Marples <uberlord@gentoo.org> + +files/tar-1.15.1-alt-contains-dot-dot.patch, +tar-1.17-r1.ebuild, + +tar-1.18-r2.ebuild: + Patch to fix a directory traversal vulnerability, #189682 + thanks to Robert Buchholz. 21 Aug 2007; Jeroen Roovers <jer@gentoo.org> tar-1.18-r1.ebuild: Stable for HPPA too. diff --git a/app-arch/tar/Manifest b/app-arch/tar/Manifest index ccd7e3f823a9..935d5d6e7a20 100644 --- a/app-arch/tar/Manifest +++ b/app-arch/tar/Manifest 
@@ -10,6 +10,10 @@ AUX rmt 273 RMD160 18f5fac369cc3372af7bd83384bb437a67baaa44 SHA1 971081167d145e4 MD5 38de71f12e9b0b3a5a5083f420e812bd files/rmt 273 RMD160 18f5fac369cc3372af7bd83384bb437a67baaa44 files/rmt 273 SHA256 8de946561fc5fe3603627c78c9777dc1f7bad7926171822f3a25958a6cd3be55 files/rmt 273 +AUX tar-1.15.1-alt-contains-dot-dot.patch 531 RMD160 ea2c3d75c0821c43312650694be71aca1ea4807b SHA1 85011e648a365236fc4c3215645984f0f25ee92e SHA256 50c116a76624ffdb41d92bd1cf6cc5a08e860ad43aec1aed5f8319d191f566a6 +MD5 66123ac05bd7cdc8791e35480d6870c9 files/tar-1.15.1-alt-contains-dot-dot.patch 531 +RMD160 ea2c3d75c0821c43312650694be71aca1ea4807b files/tar-1.15.1-alt-contains-dot-dot.patch 531 +SHA256 50c116a76624ffdb41d92bd1cf6cc5a08e860ad43aec1aed5f8319d191f566a6 files/tar-1.15.1-alt-contains-dot-dot.patch 531 AUX tar-1.15.1-dont-abort-long-names.patch 1586 RMD160 3c13978030c20830996fd56ddeb3f95024c23530 SHA1 d7ab5b32a957621d1ca358f6ea9931be907e2dc1 SHA256 049132675793b924a581fcf025c449bff03b29b754f1eda85cbf30a0b962daa7 MD5 6c645ac1da5d382a9f7ca85729b7e9e9 files/tar-1.15.1-dont-abort-long-names.patch 1586 RMD160 3c13978030c20830996fd56ddeb3f95024c23530 files/tar-1.15.1-dont-abort-long-names.patch 1586 
@@ -54,6 +58,10 @@ EBUILD tar-1.16.1.ebuild 1647 RMD160 037df97a39b885f8a54fcc922e86a1270b2f8d69 SH MD5 56680a1691fde6784cb08cedb7c0f99a tar-1.16.1.ebuild 1647 RMD160 037df97a39b885f8a54fcc922e86a1270b2f8d69 tar-1.16.1.ebuild 1647 SHA256 56656c80be0193290c67d4d7464247e79bc5b096212ce849796ba5cf4beea4dd tar-1.16.1.ebuild 1647 +EBUILD tar-1.17-r1.ebuild 1778 RMD160 aaffa3b141b912c568f0846505b59ca4caafcb82 SHA1 cdfd3dc89c26a72c106b34cb3b445cf424785e1e SHA256 55069d29aa22c99e5f3d83051830432d88c7f3f1327285f189770274d80959b4 +MD5 35198272aa477c8c858694e6807513da tar-1.17-r1.ebuild 1778 +RMD160 aaffa3b141b912c568f0846505b59ca4caafcb82 tar-1.17-r1.ebuild 1778 +SHA256 55069d29aa22c99e5f3d83051830432d88c7f3f1327285f189770274d80959b4 tar-1.17-r1.ebuild 1778 EBUILD tar-1.17.ebuild 1691 RMD160 6889ffbd7a9ddff434ffd0896a36eb0f30f3ea07 SHA1 062587b357b1ea740acd8003febfad766ee1b865 SHA256 338487e83892d86c60c8ef05b6f9ed089649029a97e9a72a1a8913da1d11029e MD5 f7d3f6fffcd67b1a9d78027f702bab55 tar-1.17.ebuild 1691 RMD160 6889ffbd7a9ddff434ffd0896a36eb0f30f3ea07 tar-1.17.ebuild 1691 
@@ -62,10 +70,14 @@ EBUILD tar-1.18-r1.ebuild 1649 RMD160 a59b4fb0a71e7a4b69c868715e7d10a3c6f486cd S MD5 9f7899d2100fa7c9847b77d7557f6fb3 tar-1.18-r1.ebuild 1649 RMD160 a59b4fb0a71e7a4b69c868715e7d10a3c6f486cd tar-1.18-r1.ebuild 1649 SHA256 2d96054ad397afe36116c11992883446625eb5cb0c5291e565205b11ed94603a tar-1.18-r1.ebuild 1649 -MISC ChangeLog 17044 RMD160 6e942eb886234e0f8bc50f5a5f90cee4b5391112 SHA1 e452c933f213c6d6ec4ecaf56d0804de92e4a399 SHA256 ae55e7ced632c5c1ca973b115f73d6b8c94d7a0ef3d625a22cfa317c464dc056 -MD5 2bcffc7d34d5449d12641c52fbfb3ab7 ChangeLog 17044 -RMD160 6e942eb886234e0f8bc50f5a5f90cee4b5391112 ChangeLog 17044 -SHA256 ae55e7ced632c5c1ca973b115f73d6b8c94d7a0ef3d625a22cfa317c464dc056 ChangeLog 17044 +EBUILD tar-1.18-r2.ebuild 1732 RMD160 60fa9342483aba3c427332965da018d12f9c71df SHA1 f3fb535935cf44d9be4fcb378d376d9595e96930 SHA256 007a1aaa46e34b116f5e2e2b4f13074fcbcf80d247f6108727043cc9a0f739d7 +MD5 dbc3c4c1c49d416b0ca172c0d061657c tar-1.18-r2.ebuild 1732 +RMD160 60fa9342483aba3c427332965da018d12f9c71df tar-1.18-r2.ebuild 1732 +SHA256 007a1aaa46e34b116f5e2e2b4f13074fcbcf80d247f6108727043cc9a0f739d7 tar-1.18-r2.ebuild 1732 +MISC ChangeLog 17335 RMD160 64edb43a033bebe4eb407a24a595df866f2e60e9 SHA1 14caf4c80c9109d14dc6a76ee1ebbcc4c6c2368d SHA256 b31a19e8e0fe630a4b064dc74a3db6b0a6607c68249b617a014dd99f9287d92d +MD5 188d34c8e972658f40971da6fbc5793c ChangeLog 17335 +RMD160 64edb43a033bebe4eb407a24a595df866f2e60e9 ChangeLog 17335 +SHA256 b31a19e8e0fe630a4b064dc74a3db6b0a6607c68249b617a014dd99f9287d92d ChangeLog 17335 MISC metadata.xml 164 RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 SHA1 9c213f5803676c56439df3716be07d6692588856 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92 MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164 RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 metadata.xml 164 
@@ -79,6 +91,12 @@ SHA256 779d91a741a2e1e16f26de90c2c25b1c38aeb9132ca71b2a7ab974a436163bc2 files/di MD5 76fd4387f46d6edc1f7e4771411354af files/digest-tar-1.17 232 RMD160 9369888ef973870b88e47e67102ecdf01e2a18d6 files/digest-tar-1.17 232 SHA256 f569c6950e4c0779c8ae9499a1023460a561e61b1f6531a7462448b3d6487186 files/digest-tar-1.17 232 +MD5 76fd4387f46d6edc1f7e4771411354af files/digest-tar-1.17-r1 232 +RMD160 9369888ef973870b88e47e67102ecdf01e2a18d6 files/digest-tar-1.17-r1 232 +SHA256 f569c6950e4c0779c8ae9499a1023460a561e61b1f6531a7462448b3d6487186 files/digest-tar-1.17-r1 232 MD5 2a4c2cef33202b7c83c4a87f32512b5b files/digest-tar-1.18-r1 232 RMD160 59528176381f24905dedc2f69cd1bf0cebfcb765 files/digest-tar-1.18-r1 232 SHA256 a51da4b71a4e3ead5181f8d00573d01e876cc22461033318932e9462ce85fc9a files/digest-tar-1.18-r1 232 +MD5 2a4c2cef33202b7c83c4a87f32512b5b files/digest-tar-1.18-r2 232 +RMD160 59528176381f24905dedc2f69cd1bf0cebfcb765 files/digest-tar-1.18-r2 232 +SHA256 a51da4b71a4e3ead5181f8d00573d01e876cc22461033318932e9462ce85fc9a files/digest-tar-1.18-r2 232 diff --git a/app-arch/tar/files/digest-tar-1.17-r1 b/app-arch/tar/files/digest-tar-1.17-r1 new file mode 100644 index 000000000000..71e71f65d601 --- /dev/null +++ b/app-arch/tar/files/digest-tar-1.17-r1 @@ -0,0 +1,3 @@ +MD5 c6c4f1c075dbf0f75c29737faa58f290 tar-1.17.tar.bz2 1882911 +RMD160 f4671e909c1ff8fac531d438b50a4a197049bc45 tar-1.17.tar.bz2 1882911 +SHA256 19f9021dda51a16295e4706e80870e71f87107675e51c176a491eba0fc4ca492 tar-1.17.tar.bz2 1882911 diff --git a/app-arch/tar/files/digest-tar-1.18-r2 b/app-arch/tar/files/digest-tar-1.18-r2 new file mode 100644 index 000000000000..1e3df17e14e6 --- /dev/null +++ b/app-arch/tar/files/digest-tar-1.18-r2 @@ -0,0 +1,3 @@ +MD5 70170208d7c1bb9ab40120579434b6a3 tar-1.18.tar.bz2 1877207 +RMD160 129e1a53ed3b580f5efc582622a90fdfc9d105f5 tar-1.18.tar.bz2 1877207 +SHA256 44944ee0427c8e0d8dbaa0b8f900073a7456819610cc521c53630c3eb117cf5e tar-1.18.tar.bz2 1877207 
diff --git a/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch b/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch
new file mode 100644
index 000000000000..27b2c955f02f
--- /dev/null
+++ b/app-arch/tar/files/tar-1.15.1-alt-contains-dot-dot.patch
@@ -0,0 +1,20 @@
+2005-05-15 Dmitry V. Levin <ldv@altlinux.org>
+
+ * src/names.c (contains_dot_dot): Fix ".." detection.
+ Previous edition fails to recognize "foo//.." case.
+
+--- tar-1.15.1/src/names.c.orig 2004-09-06 11:30:54 +0000
++++ tar-1.15.1/src/names.c 2005-05-15 13:21:13 +0000
+@@ -1152,11 +1152,10 @@ contains_dot_dot (char const *name)
+ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
+ return 1;
+
+- do
++ while (! ISSLASH (*p))
+ {
+ if (! *p++)
+ return 0;
+ }
+- while (! ISSLASH (*p));
+ }
+ }
diff --git a/app-arch/tar/tar-1.17-r1.ebuild b/app-arch/tar/tar-1.17-r1.ebuild
new file mode 100644
index 000000000000..cf3b0f99f5a3
--- /dev/null
+++ b/app-arch/tar/tar-1.17-r1.ebuild
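Review bot: The embedded patch was generated against tar-1.15.1 (`@@ -1152,11 +1152,10 @@` in `src/names.c`), yet this commit applies it to tar 1.17 and 1.18, so it can only land by offset or fuzz matching; the build log for both revisions should be checked to confirm the hunk was applied inside `contains_dot_dot` and not skipped or misplaced. The loop change itself reads correctly: the old `do … while` always consumed one character before testing for a slash, so with `p` on the second slash of `foo//..` the following `.` was skipped and the `..` test never saw the component start, whereas `while (! ISSLASH (*p))` leaves `p` where it is. No test accompanies the fix; a check that a member name with repeated slashes before `..` (the `foo//..` case from the patch header) is rejected would keep this from regressing on the next version bump. The function's opening lines and the enclosing loop header are outside the hunk, so how `p` advances between iterations is inferred, not visible here.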
@@ -0,0 +1,70 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.17-r1.ebuild,v 1.1 2007/08/22 09:09:15 uberlord Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+ ftp://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+ mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls static"
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.15.1-alt-contains-dot-dot.patch #189682
+ epatch "${FILESDIR}"/${P}-exclude-test.patch
+
+ if ! use userland_GNU ; then
+ sed -i \
+ -e 's:/backup\.sh:/gbackup.sh:' \
+ scripts/{backup,dump-remind,restore}.in \
+ || die "sed non-GNU"
+ fi
+}
+
+src_compile() {
+ local myconf
+ use static && append-ldflags -static
+ use userland_GNU || myconf="--program-prefix=g"
+ # Work around bug in sandbox #67051
+ gl_cv_func_chown_follows_symlink=yes \
+ econf \
+ --enable-backup-scripts \
+ --bindir=/bin \
+ --libexecdir=/usr/sbin \
+ $(use_enable nls) \
+ ${myconf} || die
+ emake || die "emake failed"
+}
+
+src_install() {
+ local p=""
+ use userland_GNU || p=g
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ if [[ -z ${p} ]] ; then
+ # a nasty yet required piece of baggage
+ exeinto /etc
+ doexe "${FILESDIR}"/rmt || die
+ fi
+
+ dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+ newman "${FILESDIR}"/tar.1 ${p}tar.1
+ mv "${D}"/usr/sbin/${p}backup{,-tar}
+ mv "${D}"/usr/sbin/${p}restore{,-tar}
+
+ rm -f "${D}"/usr/$(get_libdir)/charset.alias
+}
diff --git a/app-arch/tar/tar-1.18-r2.ebuild b/app-arch/tar/tar-1.18-r2.ebuild
new file mode 100644
index 000000000000..36a90babc142
--- /dev/null
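Review bot: Both patched revisions carry testing keywords only (`KEYWORDS="~alpha ~amd64 …"` here and in tar-1.18-r2.ebuild), so this commit by itself does not deliver the directory traversal fix to stable users. The ChangeLog context shows tar-1.18-r1 being marked stable the day before, and the Manifest still lists the unpatched tar-1.17 and tar-1.18-r1 ebuilds, so those users presumably stay on an unpatched revision until a follow-up stabilises the new ones and removes or masks the old. The bare `#189682` after the `epatch` line also gives a later maintainer no idea what the patch protects against. A comment such as `# bug #189682: contains_dot_dot missed ".." after repeated slashes (directory traversal)` above that line in `src_unpack` would make it harder to drop the patch by accident on the next bump.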
+++ b/app-arch/tar/tar-1.18-r2.ebuild
@@ -0,0 +1,69 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/tar/tar-1.18-r2.ebuild,v 1.1 2007/08/22 09:09:15 uberlord Exp $
+
+inherit flag-o-matic eutils
+
+DESCRIPTION="Use this to make tarballs :)"
+HOMEPAGE="http://www.gnu.org/software/tar/"
+SRC_URI="http://ftp.gnu.org/gnu/tar/${P}.tar.bz2
+ ftp://alpha.gnu.org/gnu/tar/${P}.tar.bz2
+ mirror://gnu/tar/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="nls static"
+
+RDEPEND=""
+DEPEND="${RDEPEND}
+ nls? ( >=sys-devel/gettext-0.10.35 )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${PN}-1.15.1-alt-contains-dot-dot.patch #189682
+
+ if ! use userland_GNU ; then
+ sed -i \
+ -e 's:/backup\.sh:/gbackup.sh:' \
+ scripts/{backup,dump-remind,restore}.in \
+ || die "sed non-GNU"
+ fi
+}
+
+src_compile() {
+ local myconf
+ use static && append-ldflags -static
+ use userland_GNU || myconf="--program-prefix=g"
+ # Work around bug in sandbox #67051
+ gl_cv_func_chown_follows_symlink=yes \
+ econf \
+ --enable-backup-scripts \
+ --bindir=/bin \
+ --libexecdir=/usr/sbin \
+ $(use_enable nls) \
+ ${myconf} || die
+ emake || die "emake failed"
+}
+
+src_install() {
+ local p=""
+ use userland_GNU || p=g
+
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ if [[ -z ${p} ]] ; then
+ # a nasty yet required piece of baggage
+ exeinto /etc
+ doexe "${FILESDIR}"/rmt || die
+ fi
+
+ dodoc AUTHORS ChangeLog* NEWS README* PORTS THANKS
+ newman "${FILESDIR}"/tar.1 ${p}tar.1
+ mv "${D}"/usr/sbin/${p}backup{,-tar}
+ mv "${D}"/usr/sbin/${p}restore{,-tar}
+
+ rm -f "${D}"/usr/$(get_libdir)/charset.alias
+} |