From 90801cd8cb23719031aaaba1578a8446e1824cad Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Tue, 1 Aug 2023 15:41:18 +0800 Subject: tar: upgrade 1.34 -> 1.35 CVE-2022-48303.patch removed since it's included in 1.35 License-Update: http changed to https Changelog: =========== * Fail when building GNU tar, if the platform supports 64-bit time_t but the build uses only 32-bit time_t. * Leave the devmajor and devminor fields empty (rather than zero) for non-special files, as this is more compatible with traditional tar. * Bug fixes ** Fix interaction of --update with --wildcards. ** When extracting archives into an empty directory, do not create hard links to files outside that directory. ** Handle partial reads from regular files. ** Warn "file changed as we read it" less often. ** Fix --ignore-failed-read to ignore file-changed read errors ** Fix --remove-files to not remove a file that changed while we read it. ** Fix --atime-preserve=replace to not fail if there was no need to replace, either because we did not read the file, or the atime did not change. ** Fix race when creating a parent directory while another process is also doing so. ** Fix handling of prefix keywords not followed by "." in pax headers. ** Fix handling of out-of-range sparse entries in pax headers. ** Fix handling of --transform='s/s/@/2'. ** Fix treatment of options ending in / in files-from list. ** Fix crash on 'tar --checkpoint-action exec=\"'. ** Fix low-memory crash when reading incremental dumps. ** Fix --exclude-vcs-ignores memory allocation misuse. (From OE-Core rev: c63769de05ce08c0627d302d14316ced31816b4d) Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- meta/recipes-extended/tar/tar/CVE-2022-48303.patch | 43 ------------- meta/recipes-extended/tar/tar_1.34.bb | 70 ---------------------- meta/recipes-extended/tar/tar_1.35.bb | 68 +++++++++++++++++++++ 3 files changed, 68 insertions(+), 113 deletions(-) delete mode 100644 meta/recipes-extended/tar/tar/CVE-2022-48303.patch delete mode 100644 meta/recipes-extended/tar/tar_1.34.bb create mode 100644 meta/recipes-extended/tar/tar_1.35.bb (limited to 'meta/recipes-extended/tar') diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch deleted file mode 100644 index b2f40f3e64..0000000000 --- a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 -From: Sergey Poznyakoff -Date: Sat, 11 Feb 2023 11:57:39 +0200 -Subject: Fix boundary checking in base-256 decoder - -* src/list.c (from_header): Base-256 encoding is at least 2 bytes -long. - -Upstream-Status: Backport [see reference below] -CVE: CVE-2022-48303 - -Reference to upstream patch: -https://savannah.gnu.org/bugs/?62387 -https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 - -Signed-off-by: Rodolfo Quesada Zumbado -Signed-off-by: Joe Slater ---- - src/list.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado - - -(limited to 'src/list.c') - -diff --git a/src/list.c b/src/list.c -index 9fafc42..86bcfdd 100644 ---- a/src/list.c -+++ b/src/list.c -@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, - where++; - } - } -- else if (*where == '\200' /* positive base-256 */ -- || *where == '\377' /* negative base-256 */) -+ else if (where <= lim - 2 -+ && (*where == '\200' /* positive base-256 */ -+ || *where == '\377' /* negative base-256 */)) - { - /* Parse base-256 output. A nonnegative number N is - represented as (256**DIGS)/2 + N; a negative number -N is --- -cgit v1.1 - diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb deleted file mode 100644 index 1ef5fe221e..0000000000 --- a/meta/recipes-extended/tar/tar_1.34.bb +++ /dev/null @@ -1,70 +0,0 @@ -SUMMARY = "GNU file archiving program" -DESCRIPTION = "GNU tar saves many files together into a single tape \ -or disk archive, and can restore individual files from the archive." -HOMEPAGE = "http://www.gnu.org/software/tar/" -SECTION = "base" -LICENSE = "GPL-3.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" - -SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ - file://CVE-2022-48303.patch \ -" - -SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff" - -inherit autotools gettext texinfo - -PACKAGECONFIG ??= "" -PACKAGECONFIG:append:class-target = " ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)}" - -PACKAGECONFIG[acl] = "--with-posix-acls,--without-posix-acls,acl" -PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux" - -EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}" - -CACHED_CONFIGUREVARS += "tar_cv_path_RSH=no" - -# Let aclocal use the relative path for the m4 file rather than the -# absolute since tar has a lot of m4 files, otherwise there might -# be an "Argument list too long" error when it is built in a long/deep -# directory. -acpaths = "-I ./m4" - -do_install () { - autotools_do_install - ln -s tar ${D}${bindir}/gtar -} - -do_install:append:class-target() { - if [ "${base_bindir}" != "${bindir}" ]; then - install -d ${D}${base_bindir} - mv ${D}${bindir}/tar ${D}${base_bindir}/tar - mv ${D}${bindir}/gtar ${D}${base_bindir}/gtar - rmdir ${D}${bindir}/ - fi -} - -PACKAGES =+ "${PN}-rmt" - -FILES:${PN}-rmt = "${sbindir}/rmt*" - -inherit update-alternatives - -ALTERNATIVE_PRIORITY = "100" - -ALTERNATIVE:${PN} = "tar" -ALTERNATIVE:${PN}-rmt = "rmt" -ALTERNATIVE:${PN}:class-nativesdk = "" -ALTERNATIVE:${PN}-rmt:class-nativesdk = "" - -ALTERNATIVE_LINK_NAME[tar] = "${base_bindir}/tar" -ALTERNATIVE_LINK_NAME[rmt] = "${sbindir}/rmt" - -PROVIDES:append:class-native = " tar-replacement-native" -NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}" - -BBCLASSEXTEND = "native nativesdk" - -# Avoid false positives from CVEs in node-tar package -# For example CVE-2021-{32803,32804,37701,37712,37713} -CVE_PRODUCT = "gnu:tar" diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb new file mode 100644 index 0000000000..4dbd418b60 --- /dev/null +++ b/meta/recipes-extended/tar/tar_1.35.bb @@ -0,0 +1,68 @@ +SUMMARY = "GNU file archiving program" +DESCRIPTION = "GNU tar saves many files together into a single tape \ +or disk archive, and can restore individual files from the archive." +HOMEPAGE = "http://www.gnu.org/software/tar/" +SECTION = "base" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464" + +SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2" + +SRC_URI[sha256sum] = "7edb8886a3dc69420a1446e1e2d061922b642f1cf632d2cd0f9ee7e690775985" + +inherit autotools gettext texinfo + +PACKAGECONFIG ??= "" +PACKAGECONFIG:append:class-target = " ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)}" + +PACKAGECONFIG[acl] = "--with-posix-acls,--without-posix-acls,acl" +PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux" + +EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}" + +CACHED_CONFIGUREVARS += "tar_cv_path_RSH=no" + +# Let aclocal use the relative path for the m4 file rather than the +# absolute since tar has a lot of m4 files, otherwise there might +# be an "Argument list too long" error when it is built in a long/deep +# directory. +acpaths = "-I ./m4" + +do_install () { + autotools_do_install + ln -s tar ${D}${bindir}/gtar +} + +do_install:append:class-target() { + if [ "${base_bindir}" != "${bindir}" ]; then + install -d ${D}${base_bindir} + mv ${D}${bindir}/tar ${D}${base_bindir}/tar + mv ${D}${bindir}/gtar ${D}${base_bindir}/gtar + rmdir ${D}${bindir}/ + fi +} + +PACKAGES =+ "${PN}-rmt" + +FILES:${PN}-rmt = "${sbindir}/rmt*" + +inherit update-alternatives + +ALTERNATIVE_PRIORITY = "100" + +ALTERNATIVE:${PN} = "tar" +ALTERNATIVE:${PN}-rmt = "rmt" +ALTERNATIVE:${PN}:class-nativesdk = "" +ALTERNATIVE:${PN}-rmt:class-nativesdk = "" + +ALTERNATIVE_LINK_NAME[tar] = "${base_bindir}/tar" +ALTERNATIVE_LINK_NAME[rmt] = "${sbindir}/rmt" + +PROVIDES:append:class-native = " tar-replacement-native" +NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}" + +BBCLASSEXTEND = "native nativesdk" + +# Avoid false positives from CVEs in node-tar package +# For example CVE-2021-{32803,32804,37701,37712,37713} +CVE_PRODUCT = "gnu:tar" -- cgit v1.2.3-54-g00ecf