<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-extended/tar/tar_1.34.bb, branch styhead-5.1.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=styhead-5.1.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=styhead-5.1.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2023-08-21T10:34:12+00:00</updated>
<entry>
<title>tar: upgrade 1.34 -&gt; 1.35</title>
<updated>2023-08-21T10:34:12+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2023-08-01T07:41:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=90801cd8cb23719031aaaba1578a8446e1824cad'/>
<id>urn:sha1:90801cd8cb23719031aaaba1578a8446e1824cad</id>
<content type='text'>
CVE-2022-48303.patch
removed since it's included in 1.35

License-Update: http changed to https

Changelog:
===========
* Fail when building GNU tar, if the platform supports 64-bit time_t
  but the build uses only 32-bit time_t.
* Leave the devmajor and devminor fields empty (rather than zero) for
  non-special files, as this is more compatible with traditional tar.
* Bug fixes
** Fix interaction of --update with --wildcards.
** When extracting archives into an empty directory, do not create
   hard links to files outside that directory.
** Handle partial reads from regular files.
** Warn "file changed as we read it" less often.
** Fix --ignore-failed-read to ignore file-changed read errors.
** Fix --remove-files to not remove a file that changed while we read it.
** Fix --atime-preserve=replace to not fail if there was no need to replace,
   either because we did not read the file, or the atime did not change.
** Fix race when creating a parent directory while another process is
   also doing so.
** Fix handling of prefix keywords not followed by "." in pax headers.
** Fix handling of out-of-range sparse entries in pax headers.
** Fix handling of --transform='s/s/@/2'.
** Fix treatment of options ending in / in files-from list.
** Fix crash on 'tar --checkpoint-action exec=\"'.
** Fix low-memory crash when reading incremental dumps.
** Fix --exclude-vcs-ignores memory allocation misuse.

(From OE-Core rev: c63769de05ce08c0627d302d14316ced31816b4d)

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: Update fix for CVE-2022-48303 to upstream version</title>
<updated>2023-02-19T07:47:53+00:00</updated>
<author>
<name>Joe Slater</name>
<email>joe.slater@windriver.com</email>
</author>
<published>2023-02-17T23:01:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=add828fa4feafba18930b53ff2deca62d7a02ffd'/>
<id>urn:sha1:add828fa4feafba18930b53ff2deca62d7a02ffd</id>
<content type='text'>
Fixes CVE-2022-48303 by checking Base-256 encoding is at least
2 bytes long. GNU Tar through 1.34 has a one-byte out-of-bounds
read that results in use of uninitialized memory for a conditional
jump. Exploitation to change the flow of control has not been
demonstrated. The issue occurs in from_header in list.c via a
V7 archive in which mtime has approximately 11 whitespace characters.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-48303

Upstream patch:
https://savannah.gnu.org/bugs/?62387
https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8

(From OE-Core rev: 0043c9d3f7b65a0cbb0a27c37b4825b8f5511dec)

Signed-off-by: Rodolfo Quesada Zumbado &lt;rodolfo.zumbado@windriver.com&gt;
Signed-off-by: Joe Slater &lt;joe.slater@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: Fix CVE-2022-48303</title>
<updated>2023-02-15T10:21:34+00:00</updated>
<author>
<name>Chee Yang Lee</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2023-02-09T12:46:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8edbf988949b83bbdbfb0450b1c02e971775c9e5'/>
<id>urn:sha1:8edbf988949b83bbdbfb0450b1c02e971775c9e5</id>
<content type='text'>
(From OE-Core rev: 4573a584397f197fbc9170abec3c590ea36667f7)

Signed-off-by: Chee Yang Lee &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Luca Ceresoli &lt;luca.ceresoli@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers</title>
<updated>2022-02-20T16:45:25+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2022-02-18T17:15:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b0130fcf91daee0d905af755302fabe608da141c'/>
<id>urn:sha1:b0130fcf91daee0d905af755302fabe608da141c</id>
<content type='text'>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.

(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: filter CVEs using vendor name</title>
<updated>2021-10-11T17:41:38+00:00</updated>
<author>
<name>Ralph Siemsen</name>
<email>ralph.siemsen@linaro.org</email>
</author>
<published>2021-09-14T19:15:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=45dace7e9f8fd3a7251f276092871ef443d9de7b'/>
<id>urn:sha1:45dace7e9f8fd3a7251f276092871ef443d9de7b</id>
<content type='text'>
Recently a number of CVEs have been logged against a nodejs project
called "node-tar". These appear as false positives against the GNU tar
being built by Yocto. Some of these have been manually excluded using
CVE_CHECK_WHITELIST.

To avoid this problem, use the vendor name (in addition to package name)
for filtering CVEs. The syntax for this is:
  CVE_PRODUCT = "vendor:package"
When not specified, the vendor defaults to "%" which matches anything.

(From OE-Core rev: 45d1a0bea0c628f84a00d641a4d323491988106f)

Signed-off-by: Ralph Siemsen &lt;ralph.siemsen@linaro.org&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: ignore node-tar CVEs</title>
<updated>2021-09-16T08:50:34+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-09-12T16:27:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9cabb26aa24744ae88e5621be849ca0ac0572af2'/>
<id>urn:sha1:9cabb26aa24744ae88e5621be849ca0ac0572af2</id>
<content type='text'>
These three CVEs are specific to the Node package node-tar.

exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713

(From OE-Core rev: 9f9317a02d73c1e5aea026683a037e52c996c7bb)

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: add pkgconfig for selinux</title>
<updated>2021-09-10T08:25:38+00:00</updated>
<author>
<name>Mingli Yu</name>
<email>mingli.yu@windriver.com</email>
</author>
<published>2021-09-08T08:05:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=966365a6a36c55c841d40f1acf1aa17e56fad31f'/>
<id>urn:sha1:966365a6a36c55c841d40f1acf1aa17e56fad31f</id>
<content type='text'>
Add pkgconfig setting for selinux.

(From OE-Core rev: 348ce6f8d5f5f3f598d01d8db55d575a972fe847)

Signed-off-by: Mingli Yu &lt;mingli.yu@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: ignore node-tar CVEs</title>
<updated>2021-08-16T09:24:55+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross@burtonini.com</email>
</author>
<published>2021-08-16T09:05:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=94dfcaff64ee971d9e5a3edebe8f13ca20ea3555'/>
<id>urn:sha1:94dfcaff64ee971d9e5a3edebe8f13ca20ea3555</id>
<content type='text'>
These two CVEs are specific to the Node package node-tar.

(From OE-Core rev: bc7216e8148d0dee7b56e6851da6615e93647a0a)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Convert to new override syntax</title>
<updated>2021-08-02T14:44:10+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2021-07-28T22:28:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bb6ddc3691ab04162ec5fd69a2d5e7876713fd15'/>
<id>urn:sha1:bb6ddc3691ab04162ec5fd69a2d5e7876713fd15</id>
<content type='text'>
This is the result of automated script conversion:

scripts/contrib/convert-overrides.py &lt;oe-core directory&gt;

converting the metadata to use ":" as the override character instead of "_".

(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>tar: update to 1.34</title>
<updated>2021-02-16T11:28:16+00:00</updated>
<author>
<name>Oleksandr Kravchuk</name>
<email>open.source@oleksandr-kravchuk.com</email>
</author>
<published>2021-02-14T01:22:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=607dccffbc179aecd0fbcfed5d249b89a7e4a204'/>
<id>urn:sha1:607dccffbc179aecd0fbcfed5d249b89a7e4a204</id>
<content type='text'>
(From OE-Core rev: 6dd51b6d2f2c7110d8c2755dadcdb04f60db7d83)

Signed-off-by: Oleksandr Kravchuk &lt;open.source@oleksandr-kravchuk.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
