diff --git a/sdk_container/src/third_party/portage-stable/app-arch/cpio/Manifest b/sdk_container/src/third_party/portage-stable/app-arch/cpio/Manifest
index e3d8f9e77f..c9fcf3fa15 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/cpio/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/cpio/Manifest
@@ -1,2 +1,3 @@
 DIST cpio-2.12.tar.bz2 1258605 BLAKE2B 4b6d42a1d8aaeaa980cab5894b2e264451e96a108f2c3aa89d3e6fde0bff338e026ee233ebd7c8cf41f3c926d42d38b866778244db774055736ca8792889e160 SHA512 0cd4da5f2fbca179ab4e666a5f878414c086a5f98bce4c76273f21d9b2a6fe422d901b5d453826c5f81bbe363aa015047a1e99779ad1a451c8feca6205c63120
+DIST cpio-2.13-CVE-2021-38185.patch.xz 7844 BLAKE2B e338950e03c3eed3b4288435c9c75af8f0c3497b43680be4ee347e628db7cfac616b437a848094bf82cfc2c7f29d59b388bf0f6368b3b99770022e3f9533be11 SHA512 4d2cafefcd1ae9d86cb5171de2896799713490dfd9ed27d3dce0886fa4588c8df2b16ad8508a5dbb9155c9de6e40b6d1083bdb4774d967193a270a1dcbe37a33
 DIST cpio-2.13.tar.bz2 1354559 BLAKE2B 45d77723acb55f15c8574ab5a2fdff6fb1767629d177dd3416b0268e9f82ee6bdd11b4fa591ef020efccbdc3f4918cf77263169da1a0f6422dfe1a9712295778 SHA512 459398e69f7f48201c04d1080218c50f75edcf114ffcbb236644ff6fcade5fcc566929bdab2ebe9be5314828d6902e43b348a8adf28351df978c8989590e93a3
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.12-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.12-r1.ebuild
index 8e803897a8..684d6aa82d 100644
--- a/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.12-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.12-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -7,9 +7,9 @@ DESCRIPTION="A file archival tool which can also read and write tar files"
 HOMEPAGE="https://www.gnu.org/software/cpio/cpio.html"
 SRC_URI="mirror://gnu/cpio/${P}.tar.bz2"
 
-LICENSE="GPL-3"
+LICENSE="GPL-3+"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 IUSE="nls"
 
 PATCHES=(
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.13-r3.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.13-r3.ebuild
new file mode 100644
index 0000000000..a09ffc983c
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.13-r3.ebuild
@@ -0,0 +1,50 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="A file archival tool which can also read and write tar files"
+HOMEPAGE="https://www.gnu.org/software/cpio/cpio.html"
+SRC_URI="mirror://gnu/cpio/${P}.tar.bz2"
+SRC_URI+=" https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-CVE-2021-38185.patch.xz"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="nls"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.12-non-gnu-compilers.patch #275295
+ "${WORKDIR}"/${P}-CVE-2021-38185.patch
+ "${FILESDIR}"/${PN}-2.13-sysmacros-glibc-2.26.patch
+ "${FILESDIR}"/${PN}-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
+)
+
+src_prepare() {
+ default
+
+ # Drop after 2.13 (only here for CVE patch)
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ $(use_enable nls)
+ --bindir="${EPREFIX}"/bin
+ --with-rmt="${EPREFIX}"/usr/sbin/rmt
+ # install as gcpio for better compatibility with non-GNU userland
+ --program-prefix=g
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ # make cpio a symlink
+ dosym gcpio /bin/cpio
+ dosym gcpio.1 /usr/share/man/man1/cpio.1
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.13.ebuild b/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.13.ebuild
deleted file mode 100644
index 89a3336d5a..0000000000
--- a/sdk_container/src/third_party/portage-stable/app-arch/cpio/cpio-2.13.ebuild
+++ /dev/null
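Review bot: Every entry in the new ebuild's `KEYWORDS` is `~`-masked (`~amd64 ~arm ~arm64 …`), while cpio-2.12-r1 in the same commit stays stable on `amd64 arm arm64`, so a build that accepts only stable keywords would keep resolving to 2.12-r1 and never apply `"${WORKDIR}"/${P}-CVE-2021-38185.patch`. The 2.12-r1 `PATCHES=(` list is cut off by its hunk, so whether that version carries an equivalent fix is not visible here. If it does not, confirm that the SDK accepts `~` keywords for app-arch/cpio, or drop 2.12-r1 so the patched revision is the only candidate. A short comment above the CVE entry naming what it fixes, for example `# CVE-2021-38185: fetched via SRC_URI, checksummed in Manifest`, would also make clear why this one patch lives in `${WORKDIR}` rather than `${FILESDIR}`.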
@@ -1,27 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DESCRIPTION="A file archival tool which can also read and write tar files"
-HOMEPAGE="https://www.gnu.org/software/cpio/cpio.html"
-SRC_URI="mirror://gnu/cpio/${P}.tar.bz2"
-
-LICENSE="GPL-3"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="nls"
-
-PATCHES=(
- "${FILESDIR}"/${PN}-2.12-non-gnu-compilers.patch #275295
- "${FILESDIR}"/${PN}-2.12-gcc-10.patch #705900
-)
-
-src_configure() {
- local myeconfargs=(
- $(use_enable nls)
- --bindir="${EPREFIX}"/bin
- --with-rmt="${EPREFIX}"/usr/sbin/rmt
- )
- econf "${myeconfargs[@]}"
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch b/sdk_container/src/third_party/portage-stable/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
new file mode 100644
index 0000000000..326489a549
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
@@ -0,0 +1,47 @@
+https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/
+https://bugs.gentoo.org/700020
+
+From: Chris Lamb
+Date: Sat, 1 Feb 2020 13:36:37 +0100
+Subject: Fix a regression in handling of CVE-2015-1197 &
+ --no-absolute-filenames.
+
+See:
+
+ * https://bugs.debian.org/946267
+ * https://bugs.debian.org/946469
+
+This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+ link_name = xstrdup (file_hdr->c_tar_linkname);
+ }
+
+- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
+ if (res < 0 && create_dir_flag)
+--- a/tests/testsuite
++++ b/tests/testsuite
+@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file"
+ #AT_START_14
+ at_fn_group_banner 14 'CVE-2015-1197.at:17' \
+ "CVE-2015-1197 (--no-absolute-filenames for symlinks)" ""
+-at_xfail=no
++at_xfail=yes
+ (
+ $as_echo "14. $at_setup_line: testing $at_desc ..."
+ $at_traceon
+
+--- a/tests/CVE-2015-1197.at
++++ b/tests/CVE-2015-1197.at
+@@ -15,6 +15,7 @@
+ # along with this program. If not, see .
+
+ AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
++AT_XFAIL_IF([true])
+ AT_CHECK([
+ tempdir=$(pwd)/tmp
+ mkdir $tempdir
diff --git a/sdk_container/src/third_party/portage-stable/app-arch/cpio/files/cpio-2.13-sysmacros-glibc-2.26.patch b/sdk_container/src/third_party/portage-stable/app-arch/cpio/files/cpio-2.13-sysmacros-glibc-2.26.patch
new file mode 100644
index 0000000000..0f902f060f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-arch/cpio/files/cpio-2.13-sysmacros-glibc-2.26.patch
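Review bot: The copyin.c part of this patch removes the `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` call in copyin_link, so the symlink target read from the archive reaches `UMASKED_SYMLINK` unmodified, and both test changes mark the CVE-2015-1197 case as an expected failure. The patch header describes the regression being fixed but not the protection being given up, which matters wherever cpio extracts archives from untrusted sources. I would add a header line such as `Security note: re-opens CVE-2015-1197 for symlink targets; --no-absolute-filenames no longer rewrites them`, and repeat the caveat as a comment next to this patch's entry in the ebuild's `PATCHES`. copyin_link starts and ends outside the nested hunk, so whether another check still constrains `link_name` is not visible here.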
@@ -0,0 +1,12 @@
+--- a/am/ax_compile_check_rettype.m4
++++ b/am/ax_compile_check_rettype.m4
+@@ -70,6 +70,7 @@ AC_CACHE_VAL(AC_CV_NAME,
+ [for ac_type in char short int long "long long" $4
+ do
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
++#include
+ #include
+ $3
+ ]], [[switch (0) case 0: case (sizeof ($1($2)) == sizeof ($ac_type)):;]])], [AC_CV_NAME=$ac_type])
+
+