Package: libtar / 1.2.20-7
Metadata
Package | Version | Patches format |
---|---|---|
libtar | 1.2.20-7 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
no_static_buffers.patch | (download) |
lib/decode.c |
25 18 + 7 - 0 ! |
decode: avoid using a static buffer in th_get_pathname() decode: avoid using a static buffer in th_get_pathname() A solution suggested by Chris Frey: https://lists.feep.net:8080/pipermail/libtar/2013-October/000377.html Note this can break programs that expect sizeof(TAR) to be fixed. |
no_maxpathlen.patch | (download) |
compat/basename.c |
32 26 + 6 - 0 ! |
fix ftbfs on hurd by dynamically allocating path names. Depends on no_static_buffers.patch, which introduced the th_pathname field. |
CVE 2013 4420.patch | (download) |
lib/decode.c |
33 31 + 2 - 0 ! |
avoid directory traversal when extracting archives by skipping over leading slashes and any prefix containing ".." components. |
th_get_size unsigned int.patch | (download) |
lib/libtar.h |
6 5 + 1 - 0 ! |
[patch] change th_get_size() macro to return unsigned int On systems where size_t is larger than an int (and larger than unsigned int), then in various places in the library, where stuff like this happens: size_t sz = th_get_size(t); then the int value returned from th_get_size() is sign extended to some unwieldy amount. On 64bit systems, this can yield extremely large values. By fixing this problem in the header, and only for th_get_size(), we avoid breaking the API of the function call oct_to_int() (which arguably should return an unsigned int, since the sscanf() it uses expects to yield an unsigned int). We also fix the library, which uses th_get_size() internally to assign sizes to size_t. The drawback is that not all client code that uses th_get_size() will be fixed, until they recompile, but they will automatically take advantage of the bugs fixed *inside* the library. The remaining th_get_*() functions operate on modes and CRC values and the like, and should be fine, remaining as ints. Thanks very much to Magnus Holmgren for catching this behaviour. https://lists.feep.net:8080/pipermail/libtar/2013-October/000365.html |
oldgnu_prefix.patch | (download) |
lib/decode.c |
9 8 + 1 - 0 ! |
detect old-style gnu headers correctly |
testsuite.patch | (download) |
Makefile.am |
2 1 + 1 - 0 ! |
--- |
no_strip.patch | (download) |
lib/Makefile.in |
2 1 + 1 - 0 ! |
make install must not strip binaries |