Hello community,

here is the log from the commit of package arc for openSUSE:Factory checked in 
at 2019-01-10 15:20:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/arc (Old)
 and      /work/SRC/openSUSE:Factory/.arc.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "arc"

Thu Jan 10 15:20:55 2019 rev:2 rq:663613 version:5.21q

Changes:
--------
--- /work/SRC/openSUSE:Factory/arc/arc.changes  2018-02-01 21:28:58.574230655 
+0100
+++ /work/SRC/openSUSE:Factory/.arc.new.28833/arc.changes       2019-01-10 
15:21:16.310459052 +0100
@@ -1,0 +2,12 @@
+Tue Jan  8 08:52:55 UTC 2019 - Karol Babioch <kbabi...@suse.de>
+
+- Make use of license %macro 
+- Applied spec-cleaner
+- Added patches:
+  * arc-5.21p-directory-traversel.patch: Fixes a directory traversal
+    vulnerability (CVE-2015-9275 bsc#1121032)
+  * arc-5.21p-fix-arcdie.patch: Fixed a crash on 64 bit machines when arcdie
+    gets called with more than 1 variable argument
+  * arc-5.21p-hdrv1-read-fix.patch: Fixed version 1 arc header reading
+
+-------------------------------------------------------------------

New:
----
  arc-5.21p-directory-traversel.patch
  arc-5.21p-fix-arcdie.patch
  arc-5.21p-hdrv1-read-fix.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ arc.spec ++++++
--- /var/tmp/diff_new_pack.RY6CCr/_old  2019-01-10 15:21:16.838458504 +0100
+++ /var/tmp/diff_new_pack.RY6CCr/_new  2019-01-10 15:21:16.838458504 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package arc
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -20,16 +20,22 @@
 Version:        5.21q
 Release:        0
 Summary:        Archiving tool for arc achives
-License:        GPL-2.0
+License:        GPL-2.0-only
 Group:          Productivity/Archiving/Compression
 URL:            https://github.com/ani6al/arc
 Source:         
https://github.com/ani6al/arc/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         arc-5.21p-directory-traversel.patch
+Patch1:         arc-5.21p-fix-arcdie.patch
+Patch2:         arc-5.21p-hdrv1-read-fix.patch
 
 %description
 This package allows you to unpack *.arc file
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 make %{?_smp_mflags} OPT="%{optflags}"
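Review bot: The three new Patch0/Patch1/Patch2 lines carry no comment, while the openSUSE convention is a `# PATCH-FIX-UPSTREAM` line above each naming its origin and the bug it fixes; for Patch0 that would be `# PATCH-FIX-UPSTREAM arc-5.21p-directory-traversel.patch CVE-2015-9275 bsc#1121032 -- reject directory separators in archive member names`, with similar lines for the arcdie and v1-header patches. The patch filenames say 5.21p while Version is 5.21q; presumably they were carried over from another distribution's package and still apply, which the comment could state as well. The application order in %prep also matters and deserves a remark: the directory-traversal patch calls arcdie() with two variable arguments, which according to the arc-5.21p-fix-arcdie.patch description is exactly the case that crashed on 64-bit before that fix.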
@@ -43,7 +49,8 @@
   %{buildroot}%{_mandir}/man1/arc.1
 
 %files
-%doc Arc521.doc Arcinfo Readme LICENSE
+%doc Arc521.doc Arcinfo Readme
+%license LICENSE
 %{_bindir}/arc
 %{_bindir}/marc
 %{_mandir}/man1/arc.1%{ext_man}

++++++ arc-5.21p-directory-traversel.patch ++++++
Fix directory traversal bugs

arc archives do not contain directory hierarchies, only filenames, so refuse
to operate on archives which have the directory separator inside filenames.

BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143
Signed-off-by: Hans de Goede <hdego...@redhat.com>
diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c
--- arc-5.21p/arcio.c~  2015-01-16 13:04:16.000000000 +0100
+++ arc-5.21p/arcio.c   2015-01-16 15:45:31.389010626 +0100
@@ -109,6 +109,9 @@ readhdr(hdr, f)                     /* read a header from
 #if    _MTS
        (void) atoe(hdr->name, strlen(hdr->name));
 #endif
+       if (strchr(hdr->name, CUTOFF) != NULL)
+               arcdie("%s contains illegal filename %s", arcname, hdr->name);
+
        for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], 
i++);
        hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
        hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
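Review bot: The added arcdie() call passes two variable arguments (arcname and hdr->name), and per the description of arc-5.21p-fix-arcdie.patch on this page that is the case that crashed on 64-bit machines before arcdie was made properly variadic, so this check is only safe with both patches applied; a line in this patch header recording that dependency would help. The strchr() walk also relies on hdr->name being NUL-terminated, which is only guaranteed by the `hdr->name[FNLEN - 1] = 0;` added by arc-5.21p-hdrv1-read-fix.patch, so a comment such as `/* name is NUL-terminated by readhdr before this point; archive bytes are untrusted */` would document why the scan is bounded. Because hdr->name comes straight from the archive, echoing it in the diagnostic forwards arbitrary bytes to stderr; consider reporting only arcname, or escaping non-printable characters before printing. The enclosing readhdr() starts and ends outside the hunk.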
++++++ arc-5.21p-fix-arcdie.patch ++++++
Fix arcdie crash when called with more then 1 variable argument

Add proper vararg handling to fix crash on 64 bit machines when arcdie gets
called with more than 1 variable argument.

Signed-off-by: Hans de Goede <hdego...@redhat.com>
diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c
--- arc-5.21p/arcmisc.c~        2010-08-07 15:06:42.000000000 +0200
+++ arc-5.21p/arcmisc.c 2015-01-16 16:10:29.322603290 +0100
@@ -4,6 +4,7 @@
  */
 
 #include <stdio.h>
+#include <stdarg.h>
 #include <ctype.h>
 #include "arc.h"
 
@@ -223,11 +224,13 @@ upper(string)
 }
 /* VARARGS1 */
 VOID
-arcdie(s, arg1, arg2, arg3)
-       char           *s;
+arcdie(const char *s, ...)
 {
+       va_list args;
        fprintf(stderr, "ARC: ");
-       fprintf(stderr, s, arg1, arg2, arg3);
+       va_start(args, s);
+       vfprintf(stderr, s, args);
+       va_end(args);
        fprintf(stderr, "\n");
 #if    UNIX
        perror("UNIX");
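Review bot: The `/* VARARGS1 */` lint annotation kept above the definition is now stale, since arcdie carries a real `...` prototype; drop it or replace it with `/* printf-style diagnostic: format s with the remaining arguments */`. The matching declaration in arc.h is not part of this diff; if it still declares the old non-variadic form, callers would be compiled against a mismatched signature, so it is worth confirming it reads `VOID arcdie(const char *s, ...);`. Under GCC/Clang a printf format attribute on that declaration would make the compiler check each arcdie() call's arguments against its format string, which is what the two-argument call added by the directory-traversal patch depends on. The tail of arcdie is outside the hunk.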
++++++ arc-5.21p-hdrv1-read-fix.patch ++++++
Fix version 1 arc header reading

The code for v1 hdr reading was reading the packed header directly into an
unpacked struct.

Use the same read to dummy array, then manual unpack to header struct as
used for v2 headers for v1 headers too.

Signed-off-by: Hans de Goede <hdego...@redhat.com>
diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c
--- arc-5.21p/arcio.c   2010-08-07 15:06:42.000000000 +0200
+++ arc-5.21p.new/arcio.c       2015-01-16 12:59:43.203289118 +0100
@@ -37,6 +37,7 @@
 #endif
        char            name[FNLEN];    /* filename buffer */
        int             try = 0;/* retry counter */
+       int             hdrlen;
        static int      first = 1;      /* true only on first read */
 
        if (!f)                 /* if archive didn't open */
@@ -92,23 +93,19 @@
                printf("I think you need a newer version of ARC.\n");
                exit(1);
        }
+
        /* amount to read depends on header type */
+       if (hdrver == 1) {
+               hdrlen = 23; /* old style is shorter */
+       } else {
+               hdrlen = 27;
+       }
 
-       if (hdrver == 1) {      /* old style is shorter */
-               if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) 
!= 1)
-                       arcdie("%s was truncated", arcname);
-               hdrver = 2;     /* convert header to new format */
-               hdr->length = hdr->size;        /* size is same when not
-                                                * packed */
-       } else
-#if    MSDOS
-               if (fread(hdr, sizeof(struct heads), 1, f) != 1)
-                       arcdie("%s was truncated", arcname);
-#else
-               if (fread(dummy, 27, 1, f) != 1)
-                       arcdie("%s was truncated", arcname);
+       if (fread(dummy, hdrlen, 1, f) != 1)
+               arcdie("%s was truncated", arcname);
 
        for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
+       hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
 #if    _MTS
        (void) atoe(hdr->name, strlen(hdr->name));
 #endif
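Review bot: The header sizes 23 and 27 assigned in the new hdrver test are magic numbers that must agree with the declared size of `dummy` (not visible here) and with the fixed offsets 16..26 used by the unpacking code that follows; naming them, e.g. `enum { HDRLEN_V1 = 23, HDRLEN_V2 = 27 };`, and declaring the `hdrlen` added in the previous hunk as `size_t` to match fread() would make that coupling explicit. The added `hdr->name[FNLEN - 1] = 0;` is what bounds every later strlen()/strchr() on the name, so its comment should say so: `/* archive bytes are untrusted: force NUL so later string calls on name stay in bounds */`. It is also worth noting in the "old style is shorter" comment that for v1 headers the length loop over dummy[26-i] is now skipped, which avoids reading the four bytes beyond the 23 actually read. The enclosing function (readhdr(), going by the hunk context of the directory-traversal patch) starts and ends outside the hunk.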
@@ -116,8 +113,14 @@
        hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
        hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
        hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
-       for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += 
dummy[26-i], i++);
-#endif
+
+       if (hdrver == 1) {
+               hdrver = 2;     /* convert header to new format */
+               hdr->length = hdr->size;        /* size is same when not
+                                                * packed */
+       } else {
+               for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += 
dummy[26-i], i++);
+       }
 
        if (hdr->date > olddate
            || (hdr->date == olddate && hdr->time > oldtime)) {
