diff options
Diffstat (limited to 'app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch')
-rw-r--r-- | app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch new file mode 100644 index 000000000000..326489a54943 --- /dev/null +++ b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch @@ -0,0 +1,47 @@ +https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/ +https://bugs.gentoo.org/700020 + +From: Chris Lamb <lamby@debian.org> +Date: Sat, 1 Feb 2020 13:36:37 +0100 +Subject: Fix a regression in handling of CVE-2015-1197 & + --no-absolute-filenames. + +See: + + * https://bugs.debian.org/946267 + * https://bugs.debian.org/946469 + +This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a +--- a/src/copyin.c ++++ b/src/copyin.c +@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des) + link_name = xstrdup (file_hdr->c_tar_linkname); + } + +- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false); +- + res = UMASKED_SYMLINK (link_name, file_hdr->c_name, + file_hdr->c_mode); + if (res < 0 && create_dir_flag) +--- a/tests/testsuite ++++ b/tests/testsuite +@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file" + #AT_START_14 + at_fn_group_banner 14 'CVE-2015-1197.at:17' \ + "CVE-2015-1197 (--no-absolute-filenames for symlinks)" "" +-at_xfail=no ++at_xfail=yes + ( + $as_echo "14. $at_setup_line: testing $at_desc ..." + $at_traceon + +--- a/tests/CVE-2015-1197.at ++++ b/tests/CVE-2015-1197.at +@@ -15,6 +15,7 @@ + # along with this program. If not, see <http://www.gnu.org/licenses/>. + + AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)]) ++AT_XFAIL_IF([true]) + AT_CHECK([ + tempdir=$(pwd)/tmp + mkdir $tempdir |