summaryrefslogtreecommitdiffstats
path: root/patches
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2023-03-24 19:42:46 +0000
committer Eric Hameleers <alien@slackware.com>2023-03-25 13:30:35 +0100
commit694953a02401ef2e4b4ee493a3ad3a1cc50e32bb (patch)
treea421ea19056d5286278c14af4f50e81e6873f3c6 /patches
parent8ea2d785646a6912efbd3bdce75cbff0adafe60b (diff)
downloadcurrent-694953a02401ef2e4b4ee493a3ad3a1cc50e32bb.tar.gz
current-694953a02401ef2e4b4ee493a3ad3a1cc50e32bb.tar.xz
Fri Mar 24 19:42:46 UTC 202320230324194246_15.0
patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txz: Upgraded. This package provides the latest timezone updates. patches/packages/tar-1.34-x86_64-2_slack15.0.txz: Rebuilt. GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. Thanks to marav for the heads-up. For more information, see: https://www.cve.org/CVERecord?id=CVE-2022-48303 (* Security fix *)
Diffstat (limited to 'patches')
-rw-r--r--patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt (renamed from patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txt)0
-rw-r--r--patches/packages/tar-1.34-x86_64-2_slack15.0.txt11
-rw-r--r--patches/source/tar/CVE-2022-48303.patch31
-rw-r--r--patches/source/tar/slack-desc19
-rw-r--r--patches/source/tar/tar-1.13.bzip2.diff56
-rwxr-xr-xpatches/source/tar/tar.SlackBuild177
-rw-r--r--patches/source/tar/tar.nolonezero.diff31
7 files changed, 325 insertions, 0 deletions
diff --git a/patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txt b/patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt
index c6e7a698e..c6e7a698e 100644
--- a/patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txt
+++ b/patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt
diff --git a/patches/packages/tar-1.34-x86_64-2_slack15.0.txt b/patches/packages/tar-1.34-x86_64-2_slack15.0.txt
new file mode 100644
index 000000000..a2ff0aa53
--- /dev/null
+++ b/patches/packages/tar-1.34-x86_64-2_slack15.0.txt
@@ -0,0 +1,11 @@
+tar: tar (archiving utility)
+tar:
+tar: This is the GNU version of tar, an archiving program designed to store
+tar: and extract files from an archive file known as a tarfile. A tarfile
+tar: may be made on a tape drive, however, it is also common to write a
+tar: tarfile to a normal file.
+tar:
+tar: Slackware's package system uses tarfiles compressed with bzip2, gzip,
+tar: lzip, or xz.
+tar:
+tar:
diff --git a/patches/source/tar/CVE-2022-48303.patch b/patches/source/tar/CVE-2022-48303.patch
new file mode 100644
index 000000000..b248fb089
--- /dev/null
+++ b/patches/source/tar/CVE-2022-48303.patch
@@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@gmail.com>
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+ (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ << (CHAR_BIT * sizeof (uintmax_t)
+ - LG_256 - (LG_256 - 2)));
+ value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++ if (where == lim)
++ {
++ if (type && !silent)
++ ERROR ((0, 0, _("Archive base-256 value is invalid")));
++ return -1;
++ }
+ for (;;)
+ {
+ value = (value << LG_256) + (unsigned char) *where++;
+--
+2.38.1
+
diff --git a/patches/source/tar/slack-desc b/patches/source/tar/slack-desc
new file mode 100644
index 000000000..2314ce9a3
--- /dev/null
+++ b/patches/source/tar/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+tar: tar (archiving utility)
+tar:
+tar: This is the GNU version of tar, an archiving program designed to store
+tar: and extract files from an archive file known as a tarfile. A tarfile
+tar: may be made on a tape drive, however, it is also common to write a
+tar: tarfile to a normal file.
+tar:
+tar: Slackware's package system uses tarfiles compressed with bzip2, gzip,
+tar: lzip, or xz.
+tar:
+tar:
diff --git a/patches/source/tar/tar-1.13.bzip2.diff b/patches/source/tar/tar-1.13.bzip2.diff
new file mode 100644
index 000000000..891301d14
--- /dev/null
+++ b/patches/source/tar/tar-1.13.bzip2.diff
@@ -0,0 +1,56 @@
+diff -Nur tar-1.13.orig/src/tar.c tar-1.13/src/tar.c
+--- tar-1.13.orig/src/tar.c 1999-07-07 00:49:50.000000000 -0500
++++ tar-1.13/src/tar.c 2017-12-22 00:39:37.515271544 -0600
+@@ -16,6 +16,8 @@
+ with this program; if not, write to the Free Software Foundation, Inc.,
+ 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
+
++/* Patched to integrate bzip2 as compression filter (option -j) */
++
+ #include "system.h"
+
+ #include <getopt.h>
+@@ -164,6 +166,8 @@
+ {"block-number", no_argument, NULL, 'R'},
+ {"block-size", required_argument, NULL, OBSOLETE_BLOCKING_FACTOR},
+ {"blocking-factor", required_argument, NULL, 'b'},
++ {"bzip2", required_argument, NULL, 'j'},
++ {"bunzip2", required_argument, NULL, 'j'},
+ {"catenate", no_argument, NULL, 'A'},
+ {"checkpoint", no_argument, &checkpoint_option, 1},
+ {"compare", no_argument, NULL, 'd'},
+@@ -340,6 +344,7 @@
+ PATTERN at list/extract time, a globbing PATTERN\n\
+ -o, --old-archive, --portability write a V7 format archive\n\
+ --posix write a POSIX conformant archive\n\
++ -j, --bzip2, --bunzip2 filter the archive through bzip2\n\
+ -z, --gzip, --ungzip filter the archive through gzip\n\
+ -Z, --compress, --uncompress filter the archive through compress\n\
+ --use-compress-program=PROG filter through PROG (must accept -d)\n"),
+@@ -410,13 +415,13 @@
+ | Parse the options for tar. |
+ `----------------------------*/
+
+-/* Available option letters are DEHIJQY and aejnqy. Some are reserved:
++/* Available option letters are DEHIJQY and aenqy. Some are reserved:
+
+ y per-file gzip compression
+ Y per-block gzip compression */
+
+ #define OPTION_STRING \
+- "-01234567ABC:F:GK:L:MN:OPRST:UV:WX:Zb:cdf:g:hiklmoprstuvwxz"
++ "-01234567ABC:F:GK:L:MN:OPRST:UV:WX:Zb:cdf:g:hijklmoprstuvwxz"
+
+ static void
+ set_subcommand_option (enum subcommand subcommand)
+@@ -788,6 +793,10 @@
+ FATAL_ERROR ((0, errno, "%s", optarg));
+ break;
+
++ case 'j':
++ set_use_compress_program_option ("bzip2");
++ break;
++
+ case 'z':
+ set_use_compress_program_option ("gzip");
+ break;
diff --git a/patches/source/tar/tar.SlackBuild b/patches/source/tar/tar.SlackBuild
new file mode 100755
index 000000000..edb7ba59c
--- /dev/null
+++ b/patches/source/tar/tar.SlackBuild
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+# Copyright 2005-2023 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Slackware build script for tar
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=tar
+VERSION=1.34
+BUILD=${BUILD:-2_slack15.0}
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+# Automatically determine architecture for build & packaging:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-tar
+
+# Don't use icecream:
+PATH=$(echo $PATH | sed "s|/usr/libexec/icecc/bin||g" | tr -s : | sed "s/^://g" | sed "s/:$//g")
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+else
+ SLKCFLAGS="-O2"
+fi
+
+# This old version is the only one that won't clobber symlinks, e.g.:
+# someone moves /opt to /usr/opt and makes a symlink. With newer
+# versions of tar, installing any new package will remove the /opt
+# symlink and plop down a new directory there.
+# Well, there's a lot of other bugs (the remote stuff particularly I'm
+# told is flaky) in tar-1.13, so it'll only be here now for use by the
+# Slackware package utils. And, we'll even let people remove it and
+# the pkgutils will still try to work (but eventually they'll pay the
+# price :)
+#
+# NOTE: The latest versions of tar can supposedly work for the pkgtools,
+# but some changes to add new options to the scripts might be required.
+#
+# Until tar-1.13 won't compile any more, it might be safer to keep using
+# it, though.
+cd $TMP
+rm -rf tar-1.13
+tar xvf $CWD/tar-1.13.tar.gz || exit 1
+cd tar-1.13 || exit 1
+zcat $CWD/tar-1.13.bzip2.diff.gz | patch -p1 --verbose || exit 1
+# The original config.{guess,sub} do not work on x86_64
+cp -p --verbose /usr/share/libtool/build-aux/config.{guess,sub} .
+chown -R root:root .
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --disable-nls \
+ --build=$ARCH-slackware-linux || exit 1
+make $NUMJOBS || make || exit 1
+mkdir -p $PKG/bin
+cat src/tar > $PKG/bin/tar-1.13
+chmod 0755 $PKG/bin/tar-1.13
+# End building of tar-1.13
+
+cd $TMP
+rm -rf tar-$VERSION
+tar xvf $CWD/tar-$VERSION.tar.xz || exit 1
+cd tar-$VERSION || exit 1
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \+ -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \+
+
+# The "A lone zero block at %s" messages also cause problems:
+zcat $CWD/tar.nolonezero.diff.gz | patch -p1 --verbose || exit 1
+
+# Patch for CVE-2022-48303:
+zcat $CWD/CVE-2022-48303.patch.gz | patch -p1 --verbose || exit 1
+
+FORCE_UNSAFE_CONFIGURE=1 \
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --infodir=/usr/info \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/tar-$VERSION \
+ --enable-backup-scripts \
+ --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+( cd $PKG
+ find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
+ xargs strip --strip-unneeded 2> /dev/null
+ find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
+ xargs strip --strip-unneeded 2> /dev/null
+)
+
+mv $PKG/usr/bin/tar $PKG/bin
+( cd $PKG/usr/bin ; ln -sf /bin/tar . )
+( cd $PKG/bin ; ln -sf tar tar-$VERSION )
+
+# Support "historic" rmt locations:
+mkdir -p $PKG/{etc,sbin}
+( cd $PKG/etc
+ ln -sf /usr/libexec/rmt .
+ cd $PKG/sbin
+ ln -sf /usr/libexec/rmt .
+)
+
+# Compress manual pages:
+find $PKG/usr/man -type f -exec gzip -9 {} \+
+for i in $( find $PKG/usr/man -type l ) ; do
+ ln -s $( readlink $i ).gz $i.gz
+ rm $i
+done
+
+# Compress info files, if any:
+if [ -d $PKG/usr/info ]; then
+ ( cd $PKG/usr/info
+ rm -f dir
+ gzip -9 *
+ )
+fi
+
+mkdir -p $PKG/usr/doc/tar-$VERSION
+cp -a \
+ AUTHORS COPYING* NEWS PORTS README* THANKS TODO \
+ $PKG/usr/doc/tar-$VERSION
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/tar-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/tar/tar.nolonezero.diff b/patches/source/tar/tar.nolonezero.diff
new file mode 100644
index 000000000..529679724
--- /dev/null
+++ b/patches/source/tar/tar.nolonezero.diff
@@ -0,0 +1,31 @@
+--- ./src/list.c.orig 2017-12-16 15:23:12.000000000 -0600
++++ ./src/list.c 2018-09-06 16:51:52.982740004 -0500
+@@ -242,15 +242,22 @@
+
+ if (!ignore_zeros_option)
+ {
+- char buf[UINTMAX_STRSIZE_BOUND];
++
++ /*
++ * According to POSIX tar specs, this is wrong, but on the web
++ * there are some tar specs that can trigger this, and some tar
++ * implementations create tars according to that spec. For now,
++ * let's not be pedantic about issuing the warning.
++ *
++ * char buf[UINTMAX_STRSIZE_BOUND]; */
+
+ status = read_header (&current_header, &current_stat_info,
+ read_header_auto);
+- if (status == HEADER_ZERO_BLOCK)
+- break;
+- WARNOPT (WARN_ALONE_ZERO_BLOCK,
+- (0, 0, _("A lone zero block at %s"),
+- STRINGIFY_BIGINT (current_block_ordinal (), buf)));
++ /* if (status == HEADER_ZERO_BLOCK)
++ * break;
++ * WARNOPT (WARN_ALONE_ZERO_BLOCK,
++ * (0, 0, _("A lone zero block at %s"),
++ * STRINGIFY_BIGINT (current_block_ordinal (), buf))); */
+ break;
+ }
+ status = prev_status;