Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

gnutar: 1.29 -> 1.30

+2 -39
-35
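--- a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
+++ b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
@@ -1,35 +0,0 @@
-commit 7340f67b9860ea0531c1450e5aa261c50f67165d
-Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
-Date: Sat Oct 29 21:04:40 2016 -0700
-
-When extracting, skip ".." members
-
-* NEWS: Document this.
-* src/extract.c (extract_archive): Skip members whose names
-contain "..".
-
-diff --git a/src/extract.c b/src/extract.c
-index f982433..7904148 100644
---- a/src/extract.c
-+++ b/src/extract.c
-@@ -1629,12 +1629,20 @@ extract_archive (void)
-{
-char typeflag;
-tar_extractor_t fun;
-+ bool skip_dotdot_name;
-
-fatal_exit_hook = extract_finish;
-
-set_next_block_after (current_header);
-
-+ skip_dotdot_name = (!absolute_names_option
-+ && contains_dot_dot (current_stat_info.orig_file_name));
-+ if (skip_dotdot_name)
-+ ERROR ((0, 0, _("%s: Member name contains '..'"),
-+ quotearg_colon (current_stat_info.orig_file_name)));
-+
-if (!current_stat_info.file_name[0]
-+ || skip_dotdot_name
-|| (interactive_option
-&& !confirm ("extract", current_stat_info.file_name)))
-{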
+2 -4
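--- a/pkgs/tools/archivers/gnutar/default.nix
+++ b/pkgs/tools/archivers/gnutar/default.nix
@@ -2,14 +2,12 @@
 
 stdenv.mkDerivation rec {
 name = "gnutar-${version}";
-version = "1.29";
+version = "1.30";
 
 src = fetchurl {
 url = "mirror://gnu/tar/tar-${version}.tar.xz";
-sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0";
+sha256 = "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi";
 };
-
-patches = [ ./CVE-2016-6321.patch ];
 
 # avoid retaining reference to CF during stdenv bootstrap
 configureFlags = stdenv.lib.optionals stdenv.isDarwin [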
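Review bot: Removing `patches = [ ./CVE-2016-6321.patch ];` is only safe if the 1.30 tarball already carries upstream commit 7340f67b9860ea0531c1450e5aa261c50f67165d ("When extracting, skip \"..\" members"), and nothing in the commit record says this was checked. The deleted patch is dated October 2016, so the fix has presumably been released by 1.30, but the title `gnutar: 1.29 -> 1.30` leaves the next reader to work that out. I would confirm that the `contains_dot_dot (current_stat_info.orig_file_name)` check is present in the 1.30 `src/extract.c`, then say so in the commit message, e.g. `Drop CVE-2016-6321.patch: fix is included upstream in 1.30`. It is also worth checking the new `sha256` against the signed GNU release rather than only a mirror download.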