Fri May 25 23:29:36 UTC 201813.37

patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.37.txz:  Rebuilt.
  Handle removal of US/Pacific-New timezone. If we see that the machine is
  using this, it will be automatically switched to US/Pacific.

1 files changed, 42 insertions, 0 deletions

diff --git a/patches/source/slocate/slocate.CVE-2007-0277.diff b/patches/source/slocate/slocate.CVE-2007-0277.diff
new file mode 100644
index 000000000..4f109922f
--- /dev/null
+++ b/patches/source/slocate/slocate.CVE-2007-0277.diff
@@ -0,0 +1,42 @@
+--- slocate-3.1.orig/src/utils.c
++++ slocate-3.1/src/utils.c
+@@ -524,6 +524,7 @@
+ {
+ 	struct stat path_stat;
+ 	int ret = 0;
++	char *path_copy = NULL;
+ 	char *ptr = NULL;
+ 
+ 	if (lstat(path, &path_stat) == -1)
+@@ -532,15 +533,25 @@
+ 	if (!S_ISLNK(path_stat.st_mode)) {
+ 		if (access(path, F_OK) != 0)
+ 		    goto EXIT;
+-	} else if ((ptr = rindex(path, '/'))) {
+-		*ptr = 0;
+-		if (access(path, F_OK) == 0)
+-		    ret = 1;
+-		*ptr = '/';
+-		goto EXIT;
+ 	}
+ 
++	/* "path" is const, so we shouldn't modify it.  Also, for speed,
++	 * I suspect strdup/free is less expensive than the deep access
++	 * checks... */
++	if (!(path_copy = strdup(path)))
++		goto EXIT;
++
+ 	ret = 1;
++
++	/* Each directory leading to the file (symlink or not) must be
++	 * readable for us to allow it to be listed in search results. */
++	while (ret && (ptr=rindex(path_copy,'/'))) {
++		*ptr=0;
++		if (*path_copy && access(path_copy, R_OK) != 0)
++		    ret = 0;
++	}
++	free(path_copy);
++
+ EXIT:
+ 	return ret;
+ }