Hello community, here is the log from the commit of package arc for openSUSE:Factory checked in at 2019-01-10 15:20:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/arc (Old) and /work/SRC/openSUSE:Factory/.arc.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "arc" Thu Jan 10 15:20:55 2019 rev:2 rq:663613 version:5.21q Changes: -------- --- /work/SRC/openSUSE:Factory/arc/arc.changes 2018-02-01 21:28:58.574230655 +0100 +++ /work/SRC/openSUSE:Factory/.arc.new.28833/arc.changes 2019-01-10 15:21:16.310459052 +0100 @@ -1,0 +2,12 @@ +Tue Jan 8 08:52:55 UTC 2019 - Karol Babioch <kbabi...@suse.de> + +- Make use of license %macro +- Applied spec-cleaner +- Added patches: + * arc-5.21p-directory-traversel.patch: Fixes a directory traversal + vulnerability (CVE-2015-9275 bsc#1121032) + * arc-5.21p-fix-arcdie.patch: Fixed a crash on 64 bit machines when arcdie + gets called with more than 1 variable argument + * arc-5.21p-hdrv1-read-fix.patch: Fixed version 1 arc header reading + +------------------------------------------------------------------- New: ---- arc-5.21p-directory-traversel.patch arc-5.21p-fix-arcdie.patch arc-5.21p-hdrv1-read-fix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ arc.spec ++++++ --- /var/tmp/diff_new_pack.RY6CCr/_old 2019-01-10 15:21:16.838458504 +0100 +++ /var/tmp/diff_new_pack.RY6CCr/_new 2019-01-10 15:21:16.838458504 +0100 @@ -1,7 +1,7 @@ # # spec file for package arc # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -20,16 +20,22 @@ Version: 5.21q Release: 0 Summary: Archiving tool for arc achives -License: GPL-2.0 +License: GPL-2.0-only Group: Productivity/Archiving/Compression URL: https://github.com/ani6al/arc Source: https://github.com/ani6al/arc/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +Patch0: arc-5.21p-directory-traversel.patch +Patch1: arc-5.21p-fix-arcdie.patch +Patch2: arc-5.21p-hdrv1-read-fix.patch %description This package allows you to unpack *.arc file %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build make %{?_smp_mflags} OPT="%{optflags}" @@ -43,7 +49,8 @@ %{buildroot}%{_mandir}/man1/arc.1 %files -%doc Arc521.doc Arcinfo Readme LICENSE +%doc Arc521.doc Arcinfo Readme +%license LICENSE %{_bindir}/arc %{_bindir}/marc %{_mandir}/man1/arc.1%{ext_man} ++++++ arc-5.21p-directory-traversel.patch ++++++ Fix directory traversal bugs arc archives do not contain directory hierarchies, only filenames, so refuse to operate on archives which have the directory-seperator inside filenames. BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527 BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143 Signed-off-by: Hans de Goede <hdego...@redhat.com> diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c --- arc-5.21p/arcio.c~ 2015-01-16 13:04:16.000000000 +0100 +++ arc-5.21p/arcio.c 2015-01-16 15:45:31.389010626 +0100 @@ -109,6 +109,9 @@ readhdr(hdr, f) /* read a header from #if _MTS (void) atoe(hdr->name, strlen(hdr->name)); #endif + if (strchr(hdr->name, CUTOFF) != NULL) + arcdie("%s contains illegal filename %s", arcname, hdr->name); + for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++); hdr->date = (short) ((dummy[18] << 8) + dummy[17]); hdr->time = (short) ((dummy[20] << 8) + dummy[19]); ++++++ arc-5.21p-fix-arcdie.patch ++++++ Fix arcdie crash when called with more then 1 variable argument Add proper vararg handling to fix crash on 64 bit machines when arcdie gets called with more then 1 variable argument. Signed-off-by: Hans de Goede <hdego...@redhat.com> diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c --- arc-5.21p/arcmisc.c~ 2010-08-07 15:06:42.000000000 +0200 +++ arc-5.21p/arcmisc.c 2015-01-16 16:10:29.322603290 +0100 @@ -4,6 +4,7 @@ */ #include <stdio.h> +#include <stdarg.h> #include <ctype.h> #include "arc.h" @@ -223,11 +224,13 @@ upper(string) } /* VARARGS1 */ VOID -arcdie(s, arg1, arg2, arg3) - char *s; +arcdie(const char *s, ...) { + va_list args; fprintf(stderr, "ARC: "); - fprintf(stderr, s, arg1, arg2, arg3); + va_start(args, s); + vfprintf(stderr, s, args); + va_end(args); fprintf(stderr, "\n"); #if UNIX perror("UNIX"); ++++++ arc-5.21p-hdrv1-read-fix.patch ++++++ Fix version 1 arc header reading The code for v1 hdr reading was reading the packed header directly into an unpacked struct. Use the same read to dummy array, then manual unpack to header struct as used for v2 headers for v1 headers too. Signed-off-by: Hans de Goede <hdego...@redhat.com> diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c --- arc-5.21p/arcio.c 2010-08-07 15:06:42.000000000 +0200 +++ arc-5.21p.new/arcio.c 2015-01-16 12:59:43.203289118 +0100 @@ -37,6 +37,7 @@ #endif char name[FNLEN]; /* filename buffer */ int try = 0;/* retry counter */ + int hdrlen; static int first = 1; /* true only on first read */ if (!f) /* if archive didn't open */ @@ -92,23 +93,19 @@ printf("I think you need a newer version of ARC.\n"); exit(1); } + /* amount to read depends on header type */ + if (hdrver == 1) { + hdrlen = 23; /* old style is shorter */ + } else { + hdrlen = 27; + } - if (hdrver == 1) { /* old style is shorter */ - if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1) - arcdie("%s was truncated", arcname); - hdrver = 2; /* convert header to new format */ - hdr->length = hdr->size; /* size is same when not - * packed */ - } else -#if MSDOS - if (fread(hdr, sizeof(struct heads), 1, f) != 1) - arcdie("%s was truncated", arcname); -#else - if (fread(dummy, 27, 1, f) != 1) - arcdie("%s was truncated", arcname); + if (fread(dummy, hdrlen, 1, f) != 1) + arcdie("%s was truncated", arcname); for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++); + hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */ #if _MTS (void) atoe(hdr->name, strlen(hdr->name)); #endif @@ -116,8 +113,14 @@ hdr->date = (short) ((dummy[18] << 8) + dummy[17]); hdr->time = (short) ((dummy[20] << 8) + dummy[19]); hdr->crc = (short) ((dummy[22] << 8) + dummy[21]); - for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++); -#endif + + if (hdrver == 1) { + hdrver = 2; /* convert header to new format */ + hdr->length = hdr->size; /* size is same when not + * packed */ + } else { + for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++); + } if (hdr->date > olddate || (hdr->date == olddate && hdr->time > oldtime)) {