[PATCH] gnu: tar: Update to 1.30.

DoneSubmitted by Alex Vong.
Details
3 participants
  • Alex Vong
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
A
A
Alex Vong wrote on 1 Feb 2018 16:55
(address . guix-patches@gnu.org)
87a7wsaen4.fsf@gmail.com
Hello,
This patch updates tar to its latest version for core-updates. I add a2016 copyright header because I forgot to add it in 20be64dcf.
From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001From: Alex Vong <alexvong1995@gmail.com>Date: Thu, 1 Feb 2018 23:03:55 +0800Subject: [PATCH] gnu: tar: Update to 1.30.
* gnu/packages/base.scm (tar): Update to 1.30.[source]: Remove 'tar-CVE-2016-6321.patch'.* gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.* gnu/local.mk (dist_patch_DATA): Adjust accordingly.--- gnu/local.mk | 1 - gnu/packages/base.scm | 8 ++--- gnu/packages/patches/tar-CVE-2016-6321.patch | 51 ---------------------------- 3 files changed, 4 insertions(+), 56 deletions(-) delete mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch
Toggle diff (103 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 9df027a8d..7bddb4060 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1076,7 +1076,6 @@ dist_patch_DATA = \ %D%/packages/patches/t1lib-CVE-2010-2642.patch \ %D%/packages/patches/t1lib-CVE-2011-0764.patch \ %D%/packages/patches/t1lib-CVE-2011-1552+.patch \- %D%/packages/patches/tar-CVE-2016-6321.patch \ %D%/packages/patches/tar-skip-unreliable-tests.patch \ %D%/packages/patches/tclxml-3.2-install.patch \ %D%/packages/patches/tcsh-fix-autotest.patch \diff --git a/gnu/packages/base.scm b/gnu/packages/base.scmindex 92acbd364..faa5066cc 100644--- a/gnu/packages/base.scm+++ b/gnu/packages/base.scm@@ -7,6 +7,7 @@ ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com> ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>+;;; Copyright © 2016, 2018 Alex Vong <alexvong1995@gmail.com> ;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org> ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com> ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>@@ -166,16 +167,15 @@ implementation offers several extensions over the standard utility.") (define-public tar (package (name "tar")- (version "1.29")+ (version "1.30") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/tar/tar-" version ".tar.xz")) (sha256 (base32- "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))- (patches (search-patches "tar-CVE-2016-6321.patch"- "tar-skip-unreliable-tests.patch"))))+ "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi"))+ (patches (search-patches "tar-skip-unreliable-tests.patch")))) (build-system gnu-build-system) ;; Note: test suite requires ~1GiB of disk space. (argumentsdiff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patchdeleted file mode 100644index b79be9bc9..000000000--- a/gnu/packages/patches/tar-CVE-2016-6321.patch+++ /dev/null@@ -1,51 +0,0 @@-Fix CVE-2016-6321:--https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321-https://security-tracker.debian.org/tracker/CVE-2016-6321--Patch adapted from upstream source repository (the changes to 'NEWS'-don't apply to the Tar 1.29 release tarball).--http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d--From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001-From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>-Date: Sat, 29 Oct 2016 21:04:40 -0700-Subject: [PATCH] When extracting, skip ".." members--* NEWS: Document this.-* src/extract.c (extract_archive): Skip members whose names-contain "..".----- NEWS | 8 +++++++-- src/extract.c | 8 ++++++++- 2 files changed, 15 insertions(+), 1 deletion(-)--diff --git a/src/extract.c b/src/extract.c-index f982433..7904148 100644---- a/src/extract.c-+++ b/src/extract.c-@@ -1629,12 +1629,20 @@ extract_archive (void)- {- char typeflag;- tar_extractor_t fun;-+ bool skip_dotdot_name;- - fatal_exit_hook = extract_finish;- - set_next_block_after (current_header);- -+ skip_dotdot_name = (!absolute_names_option-+ && contains_dot_dot (current_stat_info.orig_file_name));-+ if (skip_dotdot_name)-+ ERROR ((0, 0, _("%s: Member name contains '..'"),-+ quotearg_colon (current_stat_info.orig_file_name)));-+- if (!current_stat_info.file_name[0]-+ || skip_dotdot_name- || (interactive_option- && !confirm ("extract", current_stat_info.file_name)))- {--- -2.11.0--- 2.16.1
Cheers,Alex
L
L
Leo Famulari wrote on 1 Feb 2018 22:15
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30319@debbugs.gnu.org)
20180201211555.GC15249@jasmine.lan
On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:
Toggle quote (16 lines)> Hello,> > This patch updates tar to its latest version for core-updates. I add a> 2016 copyright header because I forgot to add it in 20be64dcf.>
> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001> From: Alex Vong <alexvong1995@gmail.com>> Date: Thu, 1 Feb 2018 23:03:55 +0800> Subject: [PATCH] gnu: tar: Update to 1.30.> > * gnu/packages/base.scm (tar): Update to 1.30.> [source]: Remove 'tar-CVE-2016-6321.patch'.> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
Since the whole distro depends on tar, and we are almost done with thiscore-updates cycle, we'll need to save this for the next cycle.
I added the 2016 copyright statement in commit537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlpzg4sACgkQJkb6MLrKfwidORAA4nt4hz5tTJUJpOJfCrzrfnjIwAMCAgUw7cpF57FpU2HDjhU1UClkvPKWKXjrel5rw3ub9G1DFfFFVRjoAhJtUjnTgZSDHtHqjC1/p4h6vWWg9f8wO5PPUoaYePokco7YfGdgGoLWWADf2iIzYdWzpZ/aEw5OSyQI3mrLTxMKSEtU7zIuPNKzaNmdeRaze/jjgu0x9pUeRlpEmq8P/f6/m4qx8wq4584fb9VPNzVB/J82y9GT/uCHm8qTHR1Di8e9ikseq7VCdkk5j6jqJX40kFW21azY03CJVsPN6wlFspuB3S5HQDmjiaV83swxXZCFrNpRMS6QCwZxQZ0YlFI0VYuoZISjWjS4VXbzWg8gB30nq0kDgIYg8YIl6ckwmB9M01ERMb+KFMVOWuz7nh4gjCjRGLfmEZCzo221y+Cm+l2EvjKDQXw6orWJQr7Bj5OUNy8DgQIzfUWyC7omr1nMFo2/yPqBmWG+ry1t+d/nC03nzSjPKgGu8NZzc6QBBwvS5+ebb39y5Skpv2oqStEafaCSCy3l3eTCrPzydeg/K4BW5ipSkLUC0GXaTfmuvqK35Zhp+HjB0eeY3xU2qgUS/1ftVBguXNxtvuSQmf9hFCsrsZHXx9Tg1VhwyQnFPXfO0wSDdgb3C+f796q/uj2Wu/avRC5EB7CMOcmqXo2XzkE==6GG7-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 2 Feb 2018 00:24
(name . Leo Famulari)(address . leo@famulari.name)(address . 30319@debbugs.gnu.org)
87zi4s1eg9.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:
Toggle quote (20 lines)> On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:>> Hello,>> >> This patch updates tar to its latest version for core-updates. I add a>> 2016 copyright header because I forgot to add it in 20be64dcf.>> >>> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001>> From: Alex Vong <alexvong1995@gmail.com>>> Date: Thu, 1 Feb 2018 23:03:55 +0800>> Subject: [PATCH] gnu: tar: Update to 1.30.>> >> * gnu/packages/base.scm (tar): Update to 1.30.>> [source]: Remove 'tar-CVE-2016-6321.patch'.>> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.>> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.>> Since the whole distro depends on tar, and we are almost done with this> core-updates cycle, we'll need to save this for the next cycle.>
I see, I don't know about this.
Toggle quote (3 lines)> I added the 2016 copyright statement in commit> 537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.
Thanks for taking care of it!
L
L
Ludovic Courtès wrote on 26 Feb 2018 19:05
control message for bug #30319
(address . control@debbugs.gnu.org)
87lgfftynl.fsf@gnu.org
tags 30319 fixedclose 30319
?
Your comment

This issue is archived.

To comment on this conversation send email to 30319@debbugs.gnu.org