commit: a52ec56f85b11ee1faceddac7874666ad6d2b164 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Tue Oct 18 19:11:52 2022 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Tue Oct 18 19:12:00 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a52ec56f
app-arch/cpio: revert CVE-2015-1197 fix for --no-absolute-filenames At least we can have the fix for CVE-2021-38185. Bug: https://bugs.gentoo.org/699456 Bug: https://bugs.gentoo.org/807088 Closes: https://bugs.gentoo.org/700020 Signed-off-by: Sam James <sam <AT> gentoo.org> .../{cpio-2.13-r1.ebuild => cpio-2.13-r2.ebuild} | 1 + ...e-filenames-revert-CVE-2015-1197-handling.patch | 47 ++++++++++++++++++++++ 2 files changed, 48 insertions(+)
diff --git a/app-arch/cpio/cpio-2.13-r1.ebuild b/app-arch/cpio/cpio-2.13-r2.ebuild
similarity index 92%
rename from app-arch/cpio/cpio-2.13-r1.ebuild
rename to app-arch/cpio/cpio-2.13-r2.ebuild
index 6005349fe120..c3924649236b 100644
--- a/app-arch/cpio/cpio-2.13-r1.ebuild
+++ b/app-arch/cpio/cpio-2.13-r2.ebuild
@@ -19,6 +19,7 @@ PATCHES=(
 "${FILESDIR}"/${PN}-2.12-non-gnu-compilers.patch #275295
 "${WORKDIR}"/${P}-CVE-2021-38185.patch
 "${FILESDIR}"/${PN}-2.13-sysmacros-glibc-2.26.patch
+ "${FILESDIR}"/${PN}-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
 )
 
 src_prepare() {
diff --git a/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
new file mode 100644
index 000000000000..326489a54943 100644
--- /dev/null
+++ b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
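Review bot: The PATCHES entry added in this hunk carries no annotation, although the patch it pulls in (the second hunk, in the new files/ patch) removes the `cpio_safer_name_suffix` call from `copyin_link`, so `--no-absolute-filenames` no longer sanitizes symlink targets before `UMASKED_SYMLINK`, and the CVE-2015-1197 test is switched to XFAIL rather than fixed. The first entry in the array already records its bug number inline; following that style keeps the trade-off visible to the next maintainer of the ebuild: `"${FILESDIR}"/${PN}-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch #700020, reverts CVE-2015-1197 symlink-target sanitization`. Because the test suite now expects that test to fail, nothing in the build will signal when the sanitization should be reinstated; the Bug: trailers in the commit message are the only remaining pointer to the open issue.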
@@ -0,0 +1,47 @@
+https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/
+https://bugs.gentoo.org/700020
+
+From: Chris Lamb <la...@debian.org>
+Date: Sat, 1 Feb 2020 13:36:37 +0100
+Subject: Fix a regression in handling of CVE-2015-1197 &
+ --no-absolute-filenames.
+
+See:
+
+ * https://bugs.debian.org/946267
+ * https://bugs.debian.org/946469
+
+This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+ link_name = xstrdup (file_hdr->c_tar_linkname);
+ }
+
+- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
+ if (res < 0 && create_dir_flag)
+--- a/tests/testsuite
++++ b/tests/testsuite
+@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file"
+ #AT_START_14
+ at_fn_group_banner 14 'CVE-2015-1197.at:17' \
+ "CVE-2015-1197 (--no-absolute-filenames for symlinks)" ""
+-at_xfail=no
++at_xfail=yes
+ (
+ $as_echo "14. $at_setup_line: testing $at_desc ..."
+ $at_traceon
+
+--- a/tests/CVE-2015-1197.at
++++ b/tests/CVE-2015-1197.at
+@@ -15,6 +15,7 @@
+ # along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+ AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
++AT_XFAIL_IF([true])
+ AT_CHECK([
+ tempdir=$(pwd)/tmp
+ mkdir $tempdir