Hello community,
here is the log from the commit of package cpio for openSUSE:Factory checked in at 2017-05-10 20:31:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cpio (Old)
and /work/SRC/openSUSE:Factory/.cpio.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cpio"
Wed May 10 20:31:36 2017 rev:54 rq:487331 version:2.12
Changes:
--------
--- /work/SRC/openSUSE:Factory/cpio/cpio.changes 2016-03-14 09:56:31.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.cpio.new/cpio.changes 2017-05-10 20:31:38.310672952 +0200
@@ -1,0 +2,30 @@
+Tue Apr 11 10:06:17 UTC 2017 - kstreitova@suse.com
+
+- modify cpio-2.12-out_of_bounds_write.patch to fix a regression
+ causing cpio to crash for tar and ustar archive types
+ [bsc#1028410]
+
+-------------------------------------------------------------------
+Mon Mar 27 11:13:08 UTC 2017 - mpluskal@suse.com
+
+- Use macro for configure and make install
+- Use update-alternatives according to current documentation
+- Enable testsuite
+
+-------------------------------------------------------------------
+Fri Mar 24 13:28:00 UTC 2017 - svalx@svalx.net
+
+- Enable mt building
+- Separated cpio-mt subpackge
+- Change recommend to own mt subpackge
+- Remove cpio-mt.patch - those features available in original mt-st package
+- Switch to use alternatives system for mt
+- Disable rmt building: this binary fully identical to rmt from tar
+- Change default rmt dir to /usr/bin
+
+-------------------------------------------------------------------
+Thu Mar 23 15:14:25 UTC 2017 - kstreitova@suse.com
+
+- cleanup with spec-cleaner
+
+-------------------------------------------------------------------
Old:
----
cpio-mt.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cpio.spec ++++++
--- /var/tmp/diff_new_pack.RQm0mD/_old 2017-05-10 20:31:40.074424118 +0200
+++ /var/tmp/diff_new_pack.RQm0mD/_new 2017-05-10 20:31:40.078423554 +0200
@@ -1,7 +1,7 @@
#
# spec file for package cpio
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -27,10 +27,9 @@
Source1: http://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.bz2.sig
Source2: %{name}.keyring
Patch2: cpio-use_new_ascii_format.patch
-#oouch what a ...?! pieces of code grabed from mt_st package to add missing functionality (e.g. density info)
-#TODO: review is patches needed while mt is no longer building
-Patch3: cpio-mt.patch
Patch4: cpio-use_sbin_rmt.patch
+#PATCH-FIX-UPSTREAM cpio-2.12 cpio-open_nonblock.patch bnc#94449,
+#https://savannah.gnu.org/patch/?9263 -- open device with O_NONBLOCK option
Patch5: cpio-open_nonblock.patch
Patch15: cpio-eof_tape_handling.patch
# make posibble to have device nodes with major number > 127
@@ -47,10 +46,11 @@
Patch27: cpio-2.12-out_of_bounds_write.patch
BuildRequires: autoconf
BuildRequires: automake
-Recommends: mt_st
Requires(post): %{install_info_prereq}
Requires(preun): %{install_info_prereq}
Recommends: %{name}-lang = %{version}
+Recommends: %{name}-mt = %{version}
+Recommends: rmt
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -60,16 +60,22 @@
time stamps, and access permissions. The archive can be another file on
the disk, a magnetic tape, or a pipe.
-This package also includes the program 'rmt', which provides remote tape
-drive control. The 'mt', a local tape drive control program can be found
-in mt_st package.
+%package mt
+Summary: Tape drive control utility
+Group: Productivity/Archiving/Backup
+Requires: %{name} = %{version}
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+Provides: mt
+
+%description mt
+This package includes the 'mt', a local tape drive control program.
%lang_package
%prep
%setup -q
%patch2
-%patch3
%patch4
%patch5
%patch15
@@ -82,37 +88,49 @@
%patch25 -p1
%patch26 -p1
%patch27 -p1
-#chmod 755 .
-#chmod u+w *
-#chmod a+r *
%build
gettextize -f
-autoreconf --force --install
-CFLAGS="%{optflags} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fPIE" \
-LDFLAGS="-pie" \
-./configure \
- --prefix=%{_prefix} \
- --mandir=%{_mandir} \
- --infodir=%{_infodir} \
- --libdir=%{_libdir} \
- --disable-silent-rules
+autoreconf -fiv
+export CFLAGS="%{optflags} -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fPIE"
+export LDFLAGS="-pie"
+%configure \
+ --with-rmt="%{_bindir}/rmt" \
+ --enable-mt \
+ --disable-silent-rules \
+ --program-transform-name='s/^mt$/gnumt/'
make %{?_smp_mflags}
%install
mkdir -p %{buildroot}/{usr/bin,bin}
-make prefix=%{buildroot}%{_prefix} infodir=%{buildroot}%{_infodir} mandir=%{buildroot}%{_mandir} \
- DEFAULT_RMT_DIR=%{buildroot}%{_sbindir} install
+%make_install
+mkdir -p %{buildroot}%{_sysconfdir}/alternatives
+ln -sf %{_sysconfdir}/alternatives/mt %{buildroot}%{_bindir}/mt
+ln -sf %{_sysconfdir}/alternatives/mt.1%{ext_man} %{buildroot}%{_mandir}/man1/mt.1%{ext_man}
#UsrMerge
ln -sf %{_bindir}/cpio %{buildroot}/bin
#EndUsrMerge
+
%find_lang %{name}
+%check
+make %{?_smp_mflags} check
+
+%post mt
+%{_sbindir}/update-alternatives --force \
+ --install %{_bindir}/mt mt %{_bindir}/gnumt 10 \
+ --slave %{_mandir}/man1/mt.1%{ext_man} mt.1%{ext_man} %{_mandir}/man1/gnumt.1%{ext_man}
+
%post
-%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz
+%install_info --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
%preun
-%install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz
+%install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
+
+%postun mt
+if [ ! -f %{_bindir}/gnumt ] ; then
+ "%{_sbindir}/update-alternatives" --remove mt %{_bindir}/gnumt
+fi
%files
%defattr(-,root,root)
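Review bot: The new `%post mt` scriptlet runs `update-alternatives --force --install %{_bindir}/mt mt %{_bindir}/gnumt 10`, and `--force` allows update-alternatives to replace a real file that already sits at the link path. The `%package mt` hunk adds `Provides: mt`, but no `Conflicts:` or `Obsoletes:` is visible against a package that still ships `%{_bindir}/mt` as a regular file, so such a binary could be overwritten silently; whether the other provider already uses alternatives cannot be told from this diff. Consider dropping `--force`, or adding an explicit conflict with pre-alternatives versions of the other `mt` provider. As a style point, `%postun mt` quotes `"%{_sbindir}/update-alternatives"` while `%post mt` does not; use one form in both scriptlets.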
@@ -120,10 +138,17 @@
/bin/cpio
#EndUsrMerge
%{_bindir}/cpio
-%{_sbindir}/rmt
-%{_infodir}/cpio.info.gz
-%{_mandir}/man1/cpio.1.gz
-%{_mandir}/man8/rmt.8.gz
+%{_infodir}/cpio.info%{ext_info}
+%{_mandir}/man1/cpio.1%{ext_man}
+
+%files mt
+%defattr(-,root,root)
+%ghost %{_bindir}/mt
+%{_bindir}/gnumt
+%ghost %{_mandir}/man1/mt.1%{ext_man}
+%{_mandir}/man1/gnumt.1%{ext_man}
+%ghost %{_sysconfdir}/alternatives/mt
+%ghost %{_sysconfdir}/alternatives/mt.1%{ext_man}
%files lang -f %{name}.lang
%defattr(-,root,root)
++++++ cpio-2.12-out_of_bounds_write.patch ++++++
--- /var/tmp/diff_new_pack.RQm0mD/_old 2017-05-10 20:31:40.126416783 +0200
+++ /var/tmp/diff_new_pack.RQm0mD/_new 2017-05-10 20:31:40.138415090 +0200
@@ -11,12 +11,22 @@
===================================================================
--- cpio-2.12.orig/src/copyin.c
+++ cpio-2.12/src/copyin.c
-@@ -1434,6 +1434,8 @@ process_copy_in ()
+@@ -1433,6 +1433,18 @@ process_copy_in ()
break;
}
-+ if (file_hdr.c_namesize <= 1)
-+ file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
++ /* Fix for CVE-2016-2037 (bsc#963448) and resultant regression (bsc#1028410).
++ For tar and ustar archive formats, file_hdr.c_namesize is not defined and
++ file_hdr.c_name uses static memory. Therefore we can't rely on
++ file_hdr.c_namesize and we can't realloc memory for these archive types.
++ However the patch is still correct for CVE-2016-2037 (we have to be sure
++ that the allocated NAME buffer has a capacity at least 2 bytes to allow
++ us to store the "." string inside) as static char array for tar and ustar
++ has size 2 at least (see tar.c:stash_tar_filename()).
++ */
++ if (archive_format != arf_tar && archive_format != arf_ustar
++ && file_hdr.c_namesize <= 1)
++ file_hdr.c_name = xrealloc(file_hdr.c_name, 2);
cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
false);
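Review bot: The new guard in `process_copy_in` decides by archive format (`archive_format != arf_tar && archive_format != arf_ustar`) whether `file_hdr.c_name` may be reallocated, and the two-byte capacity for tar/ustar rests on an invariant in `tar.c:stash_tar_filename()` that nothing at this call site checks. If that static buffer or another format's header reader changes, either the crash or the original one-byte overflow could return unnoticed, so the comment should state the ownership rule directly, e.g. `/* c_name is heap-owned only for the cpio formats; tar/ustar point it at a static buffer of >= 2 bytes */`. In addition, when `c_namesize` is 0 the memory returned by `xrealloc(file_hdr.c_name, 2)` is uninitialised, so unless the header readers already reject that case (not visible here) `cpio_safer_name_suffix` would be handed an unterminated name; adding `if (file_hdr.c_namesize == 0) file_hdr.c_name[0] = '\0';` inside the guarded branch would close that. The body of `process_copy_in` continues outside this hunk.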
@@ -36,3 +46,4 @@
void
cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
bool strip_leading_dots)
+
++++++ cpio-open_nonblock.patch ++++++
--- /var/tmp/diff_new_pack.RQm0mD/_old 2017-05-10 20:31:40.298392521 +0200
+++ /var/tmp/diff_new_pack.RQm0mD/_new 2017-05-10 20:31:40.306391391 +0200
@@ -1,13 +1,41 @@
+From: Alexey Svistunov