upgpkg: tar 1.34-2

- fix FS#77523 - fix CVE-2022-48303 git-svn-id: file:///srv/repos/svn-packages/svn@470261 eb2447ed-0c53-47e4-bac8-5bc4a241df78
archlinux · Mar 5, 2023 · 6d156a1 · 6d156a1
1 parent ed54b5c
commit 6d156a1
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 4 deletions.
diff --git a/tar/trunk/01-fix-cve-2022-48303.patch b/tar/trunk/01-fix-cve-2022-48303.patch
@@ -0,0 +1,31 @@
+From 1d530107a24d71e798727d7f0afa0833473d1074 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <[email protected]>
+Date: Wed, 11 Jan 2023 08:55:58 +0100
+Subject: [PATCH] Fix savannah bug #62387
+
+* src/list.c (from_header): Check for the end of field after leading byte
+  (0x80 or 0xff) of base-256 encoded header value
+---
+ src/list.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425..bf41b581 100644
+--- a/src/list.c
++++ b/src/list.c
+@@ -895,6 +895,12 @@ from_header (char const *where0, size_t digs, char const *type,
+ 			   << (CHAR_BIT * sizeof (uintmax_t)
+ 			       - LG_256 - (LG_256 - 2)));
+       value = (*where++ & ((1 << (LG_256 - 2)) - 1)) - signbit;
++      if (where == lim)
++        {
++          if (type && !silent)
++            ERROR ((0, 0, _("Archive base-256 value is invalid")));
++          return -1;
++        }
+       for (;;)
+ 	{
+ 	  value = (value << LG_256) + (unsigned char) *where++;
+-- 
+2.38.1
+
diff --git a/tar/trunk/PKGBUILD b/tar/trunk/PKGBUILD
@@ -4,17 +4,20 @@
 
 pkgname=tar
 pkgver=1.34
-pkgrel=1
+pkgrel=2
 pkgdesc='Utility used to store, backup, and transport files'
 arch=('x86_64')
 url='https://www.gnu.org/software/tar/'
 license=('GPL3')
-depends=('glibc' 'acl' 'attr')
+depends=('glibc' 'acl')
+checkdepends=('attr')
 options=('!emptydirs')
 validpgpkeys=('325F650C4C2B6AD58807327A3602B07F55D0C732') # Sergey Poznyakoff
-source=("https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig})
+source=("https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig}
+        '01-fix-cve-2022-48303.patch')
 sha256sums=('63bebd26879c5e1eea4352f0d03c991f966aeb3ddeb3c7445c902568d5411d28'
-            'SKIP')
+            'SKIP'
+            'f31bbde67ab1117b07441395c99aced81d038bf0c8a89810bd751a3cc21acfbd')
 
 prepare() {
   cd $pkgname-$pkgver