From 63079c346586abcdf9326a8df8059a0081efee5e Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Nov 06 2019 09:47:10 +0000
Subject: new upstream release Resolves: rhbz#1769233, CVE-2015-1197, CVE-2019-14866, CVE-2016-2037 Version: 2.13-1
---
diff --git a/.gitignore b/.gitignore
index e85e645..879ab87 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/cpio-2.12.tar.bz2
+/cpio-*.tar.bz2
diff --git a/cpio-2.13-dev_number.patch b/cpio-2.13-dev_number.patch
new file mode 100644
index 0000000..20943a3
--- /dev/null
+++ b/cpio-2.13-dev_number.patch
@@ -0,0 +1,28 @@
+From: Kamil Dudka
+Date: Mon, 14 Sep 2015 09:37:15 +0200
+Subject: [PATCH 3/7] Support major/minor device numbers over 127 (bz#450109)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index b29f348..1142d6a 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -1123,15 +1123,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
+ swab_array ((char *) short_hdr, 13);
+ }
+
+- file_hdr->c_dev_maj = major (short_hdr->c_dev);
+- file_hdr->c_dev_min = minor (short_hdr->c_dev);
++ file_hdr->c_dev_maj = major ((unsigned short)short_hdr->c_dev);
++ file_hdr->c_dev_min = minor ((unsigned short)short_hdr->c_dev);
+ file_hdr->c_ino = short_hdr->c_ino;
+ file_hdr->c_mode = short_hdr->c_mode;
+ file_hdr->c_uid = short_hdr->c_uid;
+ file_hdr->c_gid = short_hdr->c_gid;
+ file_hdr->c_nlink = short_hdr->c_nlink;
+- file_hdr->c_rdev_maj = major (short_hdr->c_rdev);
+- file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
++ file_hdr->c_rdev_maj = major ((unsigned short)short_hdr->c_rdev);
++ file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
+ file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
+ | short_hdr->c_mtimes[1];
+ file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
diff --git a/cpio-2.13-exitCode.patch b/cpio-2.13-exitCode.patch
new file mode 100644
index 0000000..4af7736
--- /dev/null
+++ b/cpio-2.13-exitCode.patch
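Review bot: In cpio-2.13-dev_number.patch, the four `(unsigned short)` casts added in read_in_binary have no comment saying what they guard against, so the next rebase of this downstream patch has nothing in the code to justify keeping them. A comment above the first cast would do, e.g. `/* Cast before major()/minor() so a c_dev/c_rdev value with the high bit set is not sign-extended. */`; this presumes the header fields are declared as a signed 16-bit type, which the hunk does not show and should be confirmed against the struct definition. The values are taken directly from the archive header, so the neighbouring c_ino, c_mode, c_uid, c_gid and c_nlink assignments are worth checking for the same widening behaviour. read_in_binary begins and ends outside the hunk.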
@@ -0,0 +1,39 @@
+Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
+ (#183224)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 8b0beb6..4b7336b 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -290,7 +290,7 @@ field_width_error (const char *filename, const char *fieldname,
+ {
+ char valbuf[UINTMAX_STRSIZE_BOUND + 1];
+ char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
+- error (0, 0, _("%s: value %s %s out of allowed range 0..%s"),
++ error (1, 0, _("%s: value %s %s out of allowed range 0..%s"),
+ filename, fieldname,
+ STRINGIFY_BIGINT (value, valbuf),
+ STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
+diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
+index e877b39..50ad60b 100644
+--- a/tests/CVE-2019-14866.at
++++ b/tests/CVE-2019-14866.at
+@@ -30,6 +30,5 @@ fi
+ [0],
+ [],
+ [cpio: file: value size 17179869184 out of allowed range 0..8589934591
+-2 blocks
+ ])
+ AT_CLEANUP
+diff --git a/tests/testsuite b/tests/testsuite
+index b45c731..fd8454d 100755
+--- a/tests/testsuite
++++ b/tests/testsuite
+@@ -2885,7 +2885,6 @@ fi
+ at_status=$? at_failed=false
+ $at_check_filter
+ echo >>"$at_stderr"; $as_echo "cpio: file: value size 17179869184 out of allowed range 0..8589934591
+-2 blocks
+ " | \
+ $at_diff - "$at_stderr" || at_failed=:
+ at_fn_diff_devnull "$at_stdout" || at_failed=:
diff --git a/cpio-2.9-dev_number.patch b/cpio-2.9-dev_number.patch
deleted file mode 100644
index cf6d242..0000000
--- a/cpio-2.9-dev_number.patch
+++ /dev/null
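Review bot: In cpio-2.13-exitCode.patch, passing 1 as the first argument of `error ()` in field_width_error makes the call exit the process immediately after printing (a non-zero status argument tells error() to terminate with that status), so one out-of-range field now aborts the whole run rather than only changing the final exit code. The `2 blocks` line dropped from both test expectations is consistent with that, and any archive output already written at that point is presumably left incomplete. If only the non-zero exit code from the subject line is wanted, keep `error (0, 0, ...)` and record the failure so the status is raised after the remaining entries are processed; if the early exit is deliberate, state it above the call, e.g. `/* Fatal on purpose: do not emit a header with an out-of-range field. */`. The expected status on the context line of tests/CVE-2019-14866.at still reads `[0]`, so confirm the test really observes cpio's exit code. field_width_error begins and ends outside the hunk.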
@@ -1,28 +0,0 @@
-From: Kamil Dudka
-Date: Mon, 14 Sep 2015 09:37:15 +0200
-Subject: [PATCH 3/7] Support major/minor device numbers over 127 (bz#450109)
-
-diff --git a/src/copyin.c b/src/copyin.c
-index cde911e..12bd27c 100644
---- a/src/copyin.c
-+++ b/src/copyin.c
-@@ -1196,15 +1196,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
- swab_array ((char *) short_hdr, 13);
- }
-
-- file_hdr->c_dev_maj = major (short_hdr->c_dev);
-- file_hdr->c_dev_min = minor (short_hdr->c_dev);
-+ file_hdr->c_dev_maj = major ((unsigned short)short_hdr->c_dev);
-+ file_hdr->c_dev_min = minor ((unsigned short)short_hdr->c_dev);
- file_hdr->c_ino = short_hdr->c_ino;
- file_hdr->c_mode = short_hdr->c_mode;
- file_hdr->c_uid = short_hdr->c_uid;
- file_hdr->c_gid = short_hdr->c_gid;
- file_hdr->c_nlink = short_hdr->c_nlink;
-- file_hdr->c_rdev_maj = major (short_hdr->c_rdev);
-- file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
-+ file_hdr->c_rdev_maj = major ((unsigned short)short_hdr->c_rdev);
-+ file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
- file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
- | short_hdr->c_mtimes[1];
-
diff --git a/cpio-2.9-exitCode.patch b/cpio-2.9-exitCode.patch
deleted file mode 100644
index e4a4781..0000000
--- a/cpio-2.9-exitCode.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-From: Peter Vrabec
-Date: Mon, 14 Sep 2015 09:31:08 +0200
-Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
- (#183224)
-
-diff --git a/src/copyout.c b/src/copyout.c
-index 1f0987a..dcae449 100644
---- a/src/copyout.c
-+++ b/src/copyout.c
-@@ -287,7 +287,7 @@ to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase)
- static void
- field_width_error (const char *filename, const char *fieldname)
- {
-- error (0, 0, _("%s: field width not sufficient for storing %s"),
-+ error (1, 0, _("%s: field width not sufficient for storing %s"),
- filename, fieldname);
- }
-
diff --git a/cpio.spec b/cpio.spec index a164e2f..aafee24 100644 --- a/cpio.spec +++ b/cpio.spec @@ -1,7 +1,7 @@ Summary: A GNU archiving program Name: cpio -Version: 2.12 -Release: 12%{?dist} +Version: 2.13 +Release: 1%{?dist} License: GPLv3+ URL: http://www.gnu.org/software/cpio/ Source: ftp://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2 @@ -15,11 +15,11 @@ Patch1: cpio-2.9-rh.patch # fix warn_if_file_changed() and set exit code to 1 when cpio fails to store # file > 4GB (#183224) # http://lists.gnu.org/archive/html/bug-cpio/2006-11/msg00000.html -Patch2: cpio-2.9-exitCode.patch +Patch2: cpio-2.13-exitCode.patch # Support major/minor device numbers over 127 (bz#450109) # http://lists.gnu.org/archive/html/bug-cpio/2008-07/msg00000.html -Patch3: cpio-2.9-dev_number.patch +Patch3: cpio-2.13-dev_number.patch # Define default remote shell as /usr/bin/ssh (#452904) Patch4: cpio-2.9.90-defaultremoteshell.patch @@ -97,6 +97,10 @@ make check || { %{_infodir}/*.info* %changelog +* Wed Nov 06 2019 Pavel Raiskup - 2.13-1 +- new upstream release, per release notes + https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html + * Wed Jul 24 2019 Fedora Release Engineering - 2.12-12 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild diff --git a/sources b/sources index c087492..58af22f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -93eea9f07c0058c097891c73e4955456 cpio-2.12.tar.bz2 +SHA512 (cpio-2.13.tar.bz2) = 459398e69f7f48201c04d1080218c50f75edcf114ffcbb236644ff6fcade5fcc566929bdab2ebe9be5314828d6902e43b348a8adf28351df978c8989590e93a3