rpms/tar/FC-5 tar-1.15.1-mangling.patch, NONE, 1.1 tar.spec, 1.39, 1.40
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Dec 4 15:08:07 UTC 2006
Author: pvrabec
Update of /cvs/dist/rpms/tar/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv20218
Modified Files:
tar.spec
Added Files:
tar-1.15.1-mangling.patch
Log Message:
fix CVE-2006-6097 GNU tar directory traversal (#216937)
tar-1.15.1-mangling.patch:
common.h | 3 +++
extract.c | 8 +++++++-
tar.c | 7 +++++++
3 files changed, 17 insertions(+), 1 deletion(-)
--- NEW FILE tar-1.15.1-mangling.patch ---
--- tar-1.15.1/src/common.h.mangling 2006-12-04 12:47:40.000000000 +0100
+++ tar-1.15.1/src/common.h 2006-12-04 12:47:40.000000000 +0100
@@ -124,6 +124,9 @@
GLOBAL bool absolute_names_option;
+/* Allow GNUTYPE_NAMES type? */
+GLOBAL bool allow_name_mangling_option;
+
/* Display file times in UTC */
GLOBAL bool utc_option;
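Review bot: The comment above the new global, `/* Allow GNUTYPE_NAMES type? */`, records neither what the flag gates nor why it is off by default, which is the one thing a future maintainer will need before relaxing it; the log message ties it to CVE-2006-6097. I would replace it with `/* Honor GNUTYPE_NAMES (name-mangling) members on extraction. Off unless --allow-name-mangling is given; see CVE-2006-6097 (directory traversal). */`. The default appears to come from the zero-initialised GLOBAL storage rather than an explicit assignment, so stating "off unless" in the comment is what documents it.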
--- tar-1.15.1/src/extract.c.mangling 2006-12-04 12:47:40.000000000 +0100
+++ tar-1.15.1/src/extract.c 2006-12-04 12:47:40.000000000 +0100
@@ -1171,7 +1171,13 @@
break;
case GNUTYPE_NAMES:
- extract_mangle ();
+ if (allow_name_mangling_option) {
+ extract_mangle ();
+ }
+ else {
+ ERROR ((0, 0, _("GNUTYPE_NAMES mangling ignored")));
+ skip_member ();
+ }
break;
case GNUTYPE_MULTIVOL:
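Review bot: The rejection message on the `ERROR` line says only "GNUTYPE_NAMES mangling ignored" and does not name the member, so someone reviewing the output cannot tell which archive entry was refused; the other type-specific diagnostics in this function quote the entry, and the same would help here: `ERROR ((0, 0, _("%s: GNUTYPE_NAMES mangling ignored"), quotearg_colon (file_name)));`, assuming the `file_name` local the rest of this function uses is in scope at this point. If `ERROR` still sets the failing exit status as elsewhere in tar, a refused member makes the whole extraction report failure, which seems intended for the CVE-2006-6097 fix but is worth a one-line comment above the `if` so it is not later downgraded to a warning. The enclosing switch and extract_archive start and end outside the hunk.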
--- tar-1.15.1/src/tar.c.mangling 2006-12-04 12:47:40.000000000 +0100
+++ tar-1.15.1/src/tar.c 2006-12-04 12:55:35.000000000 +0100
@@ -182,6 +182,7 @@
{
ACLS_OPTION = CHAR_MAX + 1,
ANCHORED_OPTION,
+ ALLOW_NAME_MANGLING_OPTION,
ATIME_PRESERVE_OPTION,
BACKUP_OPTION,
CHECKPOINT_OPTION,
@@ -546,6 +547,8 @@
{NULL, 'o', 0, 0,
N_("when creating, same as --old-archive. When extracting, same as --no-same-owner"), 91 },
+ {"allow-name-mangling", ALLOW_NAME_MANGLING_OPTION, 0, 0,
+ N_("when creating, allow GNUTYPE_NAMES mangling -- considered dangerous"), 91 },
{NULL, 0, NULL, 0,
N_("Other options:"), 100 },
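Review bot: The help text for the new option says "when creating", but the only place `allow_name_mangling_option` is consulted in this patch is the GNUTYPE_NAMES branch of extraction, so the string describes the wrong operation; it should read `N_("when extracting, allow GNUTYPE_NAMES mangling -- considered dangerous")`. Nothing in the creation path visible here is affected by the flag, so as written a user would be told the option is relevant to a mode where it does nothing.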
@@ -931,6 +934,10 @@
case 'Z':
set_use_compress_program_option ("compress");
break;
+
+ case ALLOW_NAME_MANGLING_OPTION:
+ allow_name_mangling_option = true;
+ break;
case ANCHORED_OPTION:
args->exclude_options |= EXCLUDE_ANCHORED;
Index: tar.spec
===================================================================
RCS file: /cvs/dist/rpms/tar/FC-5/tar.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- tar.spec 10 Oct 2006 09:13:14 -0000 1.39
+++ tar.spec 4 Dec 2006 15:08:05 -0000 1.40
@@ -2,7 +2,7 @@
Name: tar
Epoch: 2
Version: 1.15.1
-Release: 16.FC5
+Release: 17.FC5
License: GPL
Group: Applications/Archiving
URL: http://www.gnu.org/software/tar/
@@ -24,6 +24,7 @@
Patch13: tar-1.15.1-permissions.patch
Patch14: tar-1.15.1-incompatibilities.patch
Patch15: tar-1.15.1-xattrs.patch
+Patch16: tar-1.15.1-mangling.patch
Prereq: info
BuildRequires: autoconf automake gzip
Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -57,6 +58,7 @@
%patch13 -p1 -b .permissions
%patch14 -p1 -b .incompatibilities
%patch15 -p1 -b .xattrs
+%patch16 -p1 -b .mangling
%build
%configure --bindir=/bin --libexecdir=/sbin
@@ -110,9 +112,12 @@
%{_mandir}/man*/*
%endif
-%{_infodir}/tar.info*
+{_infodir}/tar.info*
%changelog
+* Mon Dec 04 2006 Peter Vrabec <pvrabec at redhat.com> 2:1.15.1-17.FC5
+- fix CVE-2006-6097 GNU tar directory traversal (#216937)
+
* Tue Oct 10 2006 Peter Vrabec <pvrabec at redhat.com> 2:1.15.1-16.FC5
- another fix of tar-1.15.1-xattrs.patch from James Antill
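Review bot: The replacement `%files` entry `{_infodir}/tar.info*` has lost the leading `%` that the removed line `%{_infodir}/tar.info*` carried, so rpmbuild would look for a literal path named `{_infodir}/tar.info*` and the package would fail to build or ship without the info pages; the line should stay `%{_infodir}/tar.info*`. If the missing character is an artifact of how this page was transcribed rather than of the commit, the note can be ignored, but the removed/added pair is otherwise an unexplained change to the files list in a commit whose stated purpose is the CVE fix.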