From 20be64dcf7d4d08e75eb56c34890420bea7882ec Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Sat, 31 Dec 2016 00:05:49 +0800 Subject: [PATCH] gnu: tar: Fix CVE-2016-6321. * gnu/packages/patches/tar-CVE-2016-6321.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/base.scm (tar)[source]: Use it. Signed-off-by: Leo Famulari --- gnu/local.mk | 1 + gnu/packages/base.scm | 3 +- gnu/packages/patches/tar-CVE-2016-6321.patch | 51 ++++++++++++++++++++ 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch diff --git a/gnu/local.mk b/gnu/local.mk index 79d6b14a2b..00f47e3165 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -857,6 +857,7 @@ dist_patch_DATA = \ %D%/packages/patches/t1lib-CVE-2010-2642.patch \ %D%/packages/patches/t1lib-CVE-2011-0764.patch \ %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch \ + %D%/packages/patches/tar-CVE-2016-6321.patch \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tcl-mkindex-deterministic.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 30364f373c..1962086169 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -162,7 +162,8 @@ (define-public tar (sha256 (base32 "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0")) - (patches (search-patches "tar-skip-unreliable-tests.patch")))) + (patches (search-patches "tar-CVE-2016-6321.patch" + "tar-skip-unreliable-tests.patch")))) (build-system gnu-build-system) ;; Note: test suite requires ~1GiB of disk space. (arguments diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch new file mode 100644 index 0000000000..b79be9bc94 --- /dev/null +++ b/gnu/packages/patches/tar-CVE-2016-6321.patch @@ -0,0 +1,51 @@ +Fix CVE-2016-6321: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321 +https://security-tracker.debian.org/tracker/CVE-2016-6321 + +Patch adapted from upstream source repository (the changes to 'NEWS' +don't apply to the Tar 1.29 release tarball). + +http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d + +From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Sat, 29 Oct 2016 21:04:40 -0700 +Subject: [PATCH] When extracting, skip ".." members + +* NEWS: Document this. +* src/extract.c (extract_archive): Skip members whose names +contain "..". +--- + NEWS | 8 +++++++- + src/extract.c | 8 ++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/extract.c b/src/extract.c +index f982433..7904148 100644 +--- a/src/extract.c ++++ b/src/extract.c +@@ -1629,12 +1629,20 @@ extract_archive (void) + { + char typeflag; + tar_extractor_t fun; ++ bool skip_dotdot_name; + + fatal_exit_hook = extract_finish; + + set_next_block_after (current_header); + ++ skip_dotdot_name = (!absolute_names_option ++ && contains_dot_dot (current_stat_info.orig_file_name)); ++ if (skip_dotdot_name) ++ ERROR ((0, 0, _("%s: Member name contains '..'"), ++ quotearg_colon (current_stat_info.orig_file_name))); ++ + if (!current_stat_info.file_name[0] ++ || skip_dotdot_name + || (interactive_option + && !confirm ("extract", current_stat_info.file_name))) + { +-- +2.11.0 +