Fri Mar 24 19:42:46 UTC 202320230324194246_15.0

patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txz:  Upgraded.
  This package provides the latest timezone updates.
patches/packages/tar-1.34-x86_64-2_slack15.0.txz:  Rebuilt.
  GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use
  of uninitialized memory for a conditional jump. Exploitation to change the
  flow of control has not been demonstrated. The issue occurs in from_header
  in list.c via a V7 archive in which mtime has approximately 11 whitespace
  characters.
  Thanks to marav for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2022-48303
  (* Security fix *)

7 files changed, 325 insertions, 0 deletions

diff --git a/patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txt b/patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt
index c6e7a698e..c6e7a698e 100644
--- a/patches/packages/glibc-zoneinfo-2022g-noarch-1_slack15.0.txt
+++ b/patches/packages/glibc-zoneinfo-2023b-noarch-1_slack15.0.txt
diff --git a/patches/packages/tar-1.34-x86_64-2_slack15.0.txt b/patches/packages/tar-1.34-x86_64-2_slack15.0.txt
new file mode 100644
index 000000000..a2ff0aa53
--- /dev/null
+++ b/patches/packages/tar-1.34-x86_64-2_slack15.0.txt
@@ -0,0 +1,11 @@
+tar: tar (archiving utility)
+tar:
+tar: This is the GNU version of tar, an archiving program designed to store
+tar: and extract files from an archive file known as a tarfile. A tarfile
+tar: may be made on a tape drive, however, it is also common to write a
+tar: tarfile to a normal file.
+tar:
+tar: Slackware's package system uses tarfiles compressed with bzip2, gzip,
+tar: lzip, or xz.
+tar:
+tar:
diff --git a/patches/source/tar/CVE-2022-48303.patch b/patches/source/tar/CVE-2022-48303.patch
new file mode 100644
index 000000000..b248fb089
--- /dev/null
+++ b/patches/source/tar/CVE-2022-48303.patch
@@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@gmail.com>
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+  (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ 			   << (CHAR_BIT * sizeof (uintmax_t)
+ 			       - LG_256 - (LG_256 - 2)));
+       value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++      if (where == lim)
++        {
++          if (type && !silent)
++            ERROR ((0, 0, _("Archive base-256 value is invalid")));
++          return -1;
++        }
+       for (;;)
+ 	{
+ 	  value = (value << LG_256) + (unsigned char) *where++;
+-- 
+2.38.1
+
diff --git a/patches/source/tar/slack-desc b/patches/source/tar/slack-desc
new file mode 100644
index 000000000..2314ce9a3
--- /dev/null
+++ b/patches/source/tar/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+   |-----handy-ruler------------------------------------------------------|
+tar: tar (archiving utility)
+tar:
+tar: This is the GNU version of tar, an archiving program designed to store
+tar: and extract files from an archive file known as a tarfile. A tarfile
+tar: may be made on a tape drive, however, it is also common to write a
+tar: tarfile to a normal file.
+tar:
+tar: Slackware's package system uses tarfiles compressed with bzip2, gzip,
+tar: lzip, or xz.
+tar:
+tar:
diff --git a/patches/source/tar/tar-1.13.bzip2.diff b/patches/source/tar/tar-1.13.bzip2.diff
new file mode 100644
index 000000000..891301d14
--- /dev/null
+++ b/patches/source/tar/tar-1.13.bzip2.diff
@@ -0,0 +1,56 @@
+diff -Nur tar-1.13.orig/src/tar.c tar-1.13/src/tar.c
+--- tar-1.13.orig/src/tar.c	1999-07-07 00:49:50.000000000 -0500
++++ tar-1.13/src/tar.c	2017-12-22 00:39:37.515271544 -0600
+@@ -16,6 +16,8 @@
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
+ 
++/* Patched to integrate bzip2 as compression filter (option -j)  */
++
+ #include "system.h"
+ 
+ #include <getopt.h>
+@@ -164,6 +166,8 @@
+   {"block-number", no_argument, NULL, 'R'},
+   {"block-size", required_argument, NULL, OBSOLETE_BLOCKING_FACTOR},
+   {"blocking-factor", required_argument, NULL, 'b'},
++  {"bzip2", required_argument, NULL, 'j'},
++  {"bunzip2", required_argument, NULL, 'j'},
+   {"catenate", no_argument, NULL, 'A'},
+   {"checkpoint", no_argument, &checkpoint_option, 1},
+   {"compare", no_argument, NULL, 'd'},
+@@ -340,6 +344,7 @@
+               PATTERN                at list/extract time, a globbing PATTERN\n\
+   -o, --old-archive, --portability   write a V7 format archive\n\
+       --posix                        write a POSIX conformant archive\n\
++  -j, --bzip2, --bunzip2             filter the archive through bzip2\n\
+   -z, --gzip, --ungzip               filter the archive through gzip\n\
+   -Z, --compress, --uncompress       filter the archive through compress\n\
+       --use-compress-program=PROG    filter through PROG (must accept -d)\n"),
+@@ -410,13 +415,13 @@
+ | Parse the options for tar.  |
+ `----------------------------*/
+ 
+-/* Available option letters are DEHIJQY and aejnqy.  Some are reserved:
++/* Available option letters are DEHIJQY and aenqy.  Some are reserved:
+ 
+    y  per-file gzip compression
+    Y  per-block gzip compression */
+ 
+ #define OPTION_STRING \
+-  "-01234567ABC:F:GK:L:MN:OPRST:UV:WX:Zb:cdf:g:hiklmoprstuvwxz"
++  "-01234567ABC:F:GK:L:MN:OPRST:UV:WX:Zb:cdf:g:hijklmoprstuvwxz"
+ 
+ static void
+ set_subcommand_option (enum subcommand subcommand)
+@@ -788,6 +793,10 @@
+ 	  FATAL_ERROR ((0, errno, "%s", optarg));
+ 	break;
+ 
++      case 'j':
++        set_use_compress_program_option ("bzip2");
++        break;
++
+       case 'z':
+ 	set_use_compress_program_option ("gzip");
+ 	break;
diff --git a/patches/source/tar/tar.SlackBuild b/patches/source/tar/tar.SlackBuild
new file mode 100755
index 000000000..edb7ba59c
--- /dev/null
+++ b/patches/source/tar/tar.SlackBuild
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+# Copyright 2005-2023  Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+#  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO
+#  EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+#  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+#  OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+#  OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+#  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Slackware build script for tar
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=tar
+VERSION=1.34
+BUILD=${BUILD:-2_slack15.0}
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+# Automatically determine architecture for build & packaging:
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) export ARCH=i586 ;;
+    # Unless $ARCH is already set, use uname -m for all other archs:
+    *)    export ARCH=$( uname -m ) ;;
+  esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+  echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+  exit 0
+fi
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-tar
+
+# Don't use icecream:
+PATH=$(echo $PATH | sed "s|/usr/libexec/icecc/bin||g" | tr -s : | sed "s/^://g" | sed "s/:$//g")
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+if [ "$ARCH" = "i586" ]; then
+  SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+elif [ "$ARCH" = "s390" ]; then
+  SLKCFLAGS="-O2"
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+else
+  SLKCFLAGS="-O2"
+fi
+
+# This old version is the only one that won't clobber symlinks, e.g.:
+# someone moves /opt to /usr/opt and makes a symlink.  With newer
+# versions of tar, installing any new package will remove the /opt
+# symlink and plop down a new directory there.
+# Well, there's a lot of other bugs (the remote stuff particularly I'm
+# told is flaky) in tar-1.13, so it'll only be here now for use by the
+# Slackware package utils.  And, we'll even let people remove it and
+# the pkgutils will still try to work (but eventually they'll pay the
+# price :)
+#
+# NOTE:  The latest versions of tar can supposedly work for the pkgtools,
+# but some changes to add new options to the scripts might be required.
+#
+# Until tar-1.13 won't compile any more, it might be safer to keep using
+# it, though.
+cd $TMP
+rm -rf tar-1.13
+tar xvf $CWD/tar-1.13.tar.gz || exit 1
+cd tar-1.13 || exit 1
+zcat $CWD/tar-1.13.bzip2.diff.gz | patch -p1 --verbose || exit 1
+# The original config.{guess,sub} do not work on x86_64
+cp -p --verbose /usr/share/libtool/build-aux/config.{guess,sub} .
+chown -R root:root .
+CFLAGS="$SLKCFLAGS" \
+./configure \
+  --prefix=/usr \
+  --disable-nls \
+  --build=$ARCH-slackware-linux || exit 1
+make $NUMJOBS || make || exit 1
+mkdir -p $PKG/bin
+cat src/tar > $PKG/bin/tar-1.13
+chmod 0755 $PKG/bin/tar-1.13
+# End building of tar-1.13
+
+cd $TMP
+rm -rf tar-$VERSION
+tar xvf $CWD/tar-$VERSION.tar.xz || exit 1
+cd tar-$VERSION || exit 1
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \+ -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \+
+
+# The "A lone zero block at %s" messages also cause problems:
+zcat $CWD/tar.nolonezero.diff.gz | patch -p1 --verbose || exit 1
+
+# Patch for CVE-2022-48303:
+zcat $CWD/CVE-2022-48303.patch.gz | patch -p1 --verbose || exit 1
+
+FORCE_UNSAFE_CONFIGURE=1 \
+CFLAGS="$SLKCFLAGS" \
+./configure \
+  --prefix=/usr \
+  --infodir=/usr/info \
+  --mandir=/usr/man \
+  --docdir=/usr/doc/tar-$VERSION \
+  --enable-backup-scripts \
+  --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+( cd $PKG
+  find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
+    xargs strip --strip-unneeded 2> /dev/null
+  find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
+    xargs strip --strip-unneeded 2> /dev/null
+)
+
+mv $PKG/usr/bin/tar $PKG/bin
+( cd $PKG/usr/bin ; ln -sf /bin/tar . )
+( cd $PKG/bin ; ln -sf tar tar-$VERSION )
+
+# Support "historic" rmt locations:
+mkdir -p $PKG/{etc,sbin}
+( cd $PKG/etc
+  ln -sf /usr/libexec/rmt .
+  cd $PKG/sbin
+  ln -sf /usr/libexec/rmt .
+)
+
+# Compress manual pages:
+find $PKG/usr/man -type f -exec gzip -9 {} \+
+for i in $( find $PKG/usr/man -type l ) ; do
+  ln -s $( readlink $i ).gz $i.gz
+  rm $i
+done
+
+# Compress info files, if any:
+if [ -d $PKG/usr/info ]; then
+  ( cd $PKG/usr/info
+    rm -f dir
+    gzip -9 *
+  )
+fi
+
+mkdir -p $PKG/usr/doc/tar-$VERSION
+cp -a \
+  AUTHORS COPYING* NEWS PORTS README* THANKS TODO \
+  $PKG/usr/doc/tar-$VERSION
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/tar-$VERSION-$ARCH-$BUILD.txz
+
diff --git a/patches/source/tar/tar.nolonezero.diff b/patches/source/tar/tar.nolonezero.diff
new file mode 100644
index 000000000..529679724
--- /dev/null
+++ b/patches/source/tar/tar.nolonezero.diff
@@ -0,0 +1,31 @@
+--- ./src/list.c.orig	2017-12-16 15:23:12.000000000 -0600
++++ ./src/list.c	2018-09-06 16:51:52.982740004 -0500
+@@ -242,15 +242,22 @@
+ 
+ 	  if (!ignore_zeros_option)
+ 	    {
+-	      char buf[UINTMAX_STRSIZE_BOUND];
++
++	      /*
++	       * According to POSIX tar specs, this is wrong, but on the web
++	       * there are some tar specs that can trigger this, and some tar
++	       * implementations create tars according to that spec.  For now,
++	       * let's not be pedantic about issuing the warning.
++	       *
++	       * char buf[UINTMAX_STRSIZE_BOUND]; */
+ 
+ 	      status = read_header (&current_header, &current_stat_info,
+ 	                            read_header_auto);
+-	      if (status == HEADER_ZERO_BLOCK)
+-		break;
+-	      WARNOPT (WARN_ALONE_ZERO_BLOCK,
+-		       (0, 0, _("A lone zero block at %s"),
+-			STRINGIFY_BIGINT (current_block_ordinal (), buf)));
++	      /* if (status == HEADER_ZERO_BLOCK)
++	       *	break;
++	       * WARNOPT (WARN_ALONE_ZERO_BLOCK,
++	       *	       (0, 0, _("A lone zero block at %s"),
++	       *		STRINGIFY_BIGINT (current_block_ordinal (), buf))); */
+ 	      break;
+ 	    }
+ 	  status = prev_status;