From b12e28d8512af62637d09108016855e58a84f4e0 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 17 May 2022 06:23:54 -0400
Subject: [PATCH] import cpio-2.13-16.el9
---
.cpio.metadata | 1 +
.gitignore | 1 +
SOURCES/cpio-2.10-longnames-split.patch | 27 +
SOURCES/cpio-2.10-patternnamesigsegv.patch | 49 ++
SOURCES/cpio-2.11-crc-fips-nit.patch | 19 +
SOURCES/cpio-2.11-retain-symlink-times.patch | 94 +++
SOURCES/cpio-2.13-CVE-2021-38185.patch | 621 ++++++++++++++++++
SOURCES/cpio-2.13-dev_number.patch | 28 +
SOURCES/cpio-2.13-exitCode.patch | 39 ++
SOURCES/cpio-2.13-mutiple-definition.patch | 13 +
SOURCES/cpio-2.13-reset-gid-uid.patch | 63 ++
.../cpio-2.13-revert-CVE-2015-1197-fix.patch | 91 +++
SOURCES/cpio-2.9-rh.patch | 69 ++
SOURCES/cpio-2.9.90-defaultremoteshell.patch | 20 +
SOURCES/cpio.1 | 438 ++++++++++++
SPECS/cpio.spec | 607 +++++++++++++++++
16 files changed, 2180 insertions(+)
create mode 100644 .cpio.metadata
create mode 100644 .gitignore
create mode 100644 SOURCES/cpio-2.10-longnames-split.patch
create mode 100644 SOURCES/cpio-2.10-patternnamesigsegv.patch
create mode 100644 SOURCES/cpio-2.11-crc-fips-nit.patch
create mode 100644 SOURCES/cpio-2.11-retain-symlink-times.patch
create mode 100644 SOURCES/cpio-2.13-CVE-2021-38185.patch
create mode 100644 SOURCES/cpio-2.13-dev_number.patch
create mode 100644 SOURCES/cpio-2.13-exitCode.patch
create mode 100644 SOURCES/cpio-2.13-mutiple-definition.patch
create mode 100644 SOURCES/cpio-2.13-reset-gid-uid.patch
create mode 100644 SOURCES/cpio-2.13-revert-CVE-2015-1197-fix.patch
create mode 100644 SOURCES/cpio-2.9-rh.patch
create mode 100644 SOURCES/cpio-2.9.90-defaultremoteshell.patch
create mode 100644 SOURCES/cpio.1
create mode 100644 SPECS/cpio.spec
diff --git a/.cpio.metadata b/.cpio.metadata
new file mode 100644
index 0000000..172fbc3
--- /dev/null
+++ b/.cpio.metadata
@@ -0,0 +1 @@
+4dcefc0e1bc36b11506a354768d82b15e3fe6bb8 SOURCES/cpio-2.13.tar.bz2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7faeb9d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/cpio-2.13.tar.bz2
diff --git a/SOURCES/cpio-2.10-longnames-split.patch b/SOURCES/cpio-2.10-longnames-split.patch
new file mode 100644
index 0000000..6f4ba6e
--- /dev/null
+++ b/SOURCES/cpio-2.10-longnames-split.patch
@@ -0,0 +1,27 @@
+From: Pavel Raiskup
+Date: Mon, 14 Sep 2015 09:49:12 +0200
+Subject: [PATCH 6/7] Fix for splitting long file names while creating ustar
+ archive
+
+Resolves: #866467
+
+diff --git a/src/tar.c b/src/tar.c
+index a2ce171..e2b5f45 100644
+--- a/src/tar.c
++++ b/src/tar.c
+@@ -49,10 +49,12 @@ split_long_name (const char *name, size_t length)
+ {
+ size_t i;
+
+- if (length > TARPREFIXSIZE)
+- length = TARPREFIXSIZE+2;
++ if (length > TARPREFIXSIZE + 1)
++ length = TARPREFIXSIZE + 1;
++ else if (ISSLASH (name[length - 1]))
++ length--;
+ for (i = length - 1; i > 0; i--)
+- if (name[i] == '/')
++ if (ISSLASH (name[i]))
+ break;
+ return i;
+ }
diff --git a/SOURCES/cpio-2.10-patternnamesigsegv.patch b/SOURCES/cpio-2.10-patternnamesigsegv.patch
new file mode 100644
index 0000000..27e3742
--- /dev/null
+++ b/SOURCES/cpio-2.10-patternnamesigsegv.patch
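Review bot: In `split_long_name` the added `else if (ISSLASH (name[length - 1]))` and the loop start `i = length - 1` both subtract from a `size_t`, so a `length` of 0 would wrap and index far outside `name`. The hunk does not show the caller, so it is not visible here whether an empty name can ever reach this function. Either state the precondition in a comment above the function (`/* LENGTH must be non-zero. */`) or guard it with `if (length == 0) return 0;` ahead of the clamp.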
@@ -0,0 +1,49 @@
+From: =?UTF-8?q?Ond=C5=99ej=20Va=C5=A1=C3=ADk?=
+Date: Mon, 14 Sep 2015 09:47:05 +0200
+Subject: [PATCH 5/7] fix segfault with nonexisting file with patternnames
+ (#567022)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index 12bd27c..183b5b5 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -870,21 +870,24 @@ read_pattern_file ()
+
+ pattern_fp = fopen (pattern_file_name, "r");
+ if (pattern_fp == NULL)
+- open_fatal (pattern_file_name);
+- while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
+- {
+- if (new_num_patterns >= max_new_patterns)
+- {
+- max_new_patterns += 1;
+- new_save_patterns = (char **)
+- xrealloc ((char *) new_save_patterns,
+- max_new_patterns * sizeof (char *));
+- }
+- new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
+- ++new_num_patterns;
+- }
+- if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
+- close_error (pattern_file_name);
++ open_error (pattern_file_name);
++ else
++ {
++ while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
++ {
++ if (new_num_patterns >= max_new_patterns)
++ {
++ max_new_patterns += 1;
++ new_save_patterns = (char **)
++ xrealloc ((char *) new_save_patterns,
++ max_new_patterns * sizeof (char *));
++ }
++ new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
++ ++new_num_patterns;
++ }
++ if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
++ close_error (pattern_file_name);
++ }
+
+ for (i = 0; i < num_patterns; ++i)
+ new_save_patterns[i] = save_patterns[i];
diff --git a/SOURCES/cpio-2.11-crc-fips-nit.patch b/SOURCES/cpio-2.11-crc-fips-nit.patch
new file mode 100644
index 0000000..bd447b5
--- /dev/null
+++ b/SOURCES/cpio-2.11-crc-fips-nit.patch
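Review bot: Replacing `open_fatal` with `open_error` in `read_pattern_file` makes an unreadable pattern file fail open: the new `else` is skipped and control reaches the `for` loop that installs only the command-line patterns. If none were given, the extract or list run presumably proceeds unfiltered, which is wider than the `-E FILE` selection the user asked for. The hunk does not show whether `open_error` records a failing exit status, so that should be confirmed. If continuing is intended, say so at the branch, e.g. `/* Pattern file unreadable: carry on with command-line patterns only. */`.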
@@ -0,0 +1,19 @@
+From: Pavel Raiskup
+Date: Mon, 14 Sep 2015 09:51:12 +0200
+Subject: [PATCH 7/7] Note that cpio uses Sum32 checksum only
+
+Related to Package Wrangler and FIPS check.
+
+diff --git a/src/main.c b/src/main.c
+index a875a13..13cdfcf 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -167,7 +167,7 @@ static struct argp_option options[] = {
+ {"pattern-file", 'E', N_("FILE"), 0,
+ N_("Read additional patterns specifying filenames to extract or list from FILE"), 210},
+ {"only-verify-crc", ONLY_VERIFY_CRC_OPTION, 0, 0,
+- N_("When reading a CRC format archive, only verify the CRC's of each file in the archive, don't actually extract the files"), 210},
++ N_("When reading a CRC format archive, only verify the checksum of each file in the archive, don't actually extract the files"), 210},
+ {"rename", 'r', 0, 0,
+ N_("Interactively rename files"), GRID+1 },
+ {"rename-batch-file", RENAME_BATCH_FILE_OPTION, N_("FILE"), OPTION_HIDDEN,
diff --git a/SOURCES/cpio-2.11-retain-symlink-times.patch b/SOURCES/cpio-2.11-retain-symlink-times.patch
new file mode 100644
index 0000000..1aeb174
--- /dev/null
+++ b/SOURCES/cpio-2.11-retain-symlink-times.patch
@@ -0,0 +1,94 @@
+From 8bce60df53f93c9cbfb18274c6700c143a0092c6 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup
+Date: Fri, 3 Jul 2020 13:00:18 +0200
+Subject: [PATCH] Extract: retain times for symlinks
+
+Original report by Pat Riehecky at
+https://bugzilla.redhat.com/1486364
+
+* src/copyin.c (copyin_device): Don't check for retain_time_flag
+global, it's done by set_file_times.
+(copyin_link): Call set_file_times to restore symlink times.
+* src/util.c (set_perms): Don't check for retain_time_flag global,
+done by set_file_times call.
+(set_file_times): Do nothing if retain_time_flag global is false.
+* src/copypass.c (process_copy_pass): Call set_file_times for
+symlinks.
+---
+ src/copyin.c | 5 ++---
+ src/copypass.c | 2 ++
+ src/util.c | 8 +++++---
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index bf3b0a8..93b006a 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -615,9 +615,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
+ /* chown may have turned off some permissions we wanted.
*/
+ if (chmod (file_hdr->c_name, file_hdr->c_mode) < 0)
+ chmod_error_details (file_hdr->c_name, file_hdr->c_mode);
+- if (retain_time_flag)
+- set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime,
+- file_hdr->c_mtime);
++ set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime, file_hdr->c_mtime);
+ }
+
+ static void
+@@ -668,6 +666,7 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+ && errno != EPERM)
+ chown_error_details (file_hdr->c_name, uid, gid);
+ }
++ set_file_times (-1, file_hdr->c_name, file_hdr->c_mtime, file_hdr->c_mtime);
+ free (link_name);
+ }
+
+diff --git a/src/copypass.c b/src/copypass.c
+index dc13b5b..a5f9b7b 100644
+--- a/src/copypass.c
++++ b/src/copypass.c
+@@ -306,6 +306,8 @@ process_copy_pass ()
+ && errno != EPERM)
+ chown_error_details (output_name.ds_string, uid, gid);
+ }
++ set_file_times (-1, output_name.ds_string,
++ in_file_stat.st_atime, in_file_stat.st_mtime);
+ free (link_name);
+ }
+ #endif
+diff --git a/src/util.c b/src/util.c
+index 4421b20..0e8d88c 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1230,8 +1230,7 @@ set_perms (int fd, struct cpio_file_stat *header)
+ /* chown may have turned off some permissions we wanted. */
+ if (fchmod_or_chmod (fd, header->c_name, header->c_mode) < 0)
+ chmod_error_details (header->c_name, header->c_mode);
+- if (retain_time_flag)
+- set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
++ set_file_times (fd, header->c_name, header->c_mtime, header->c_mtime);
+ }
+
+ void
+@@ -1239,6 +1238,8 @@ set_file_times (int fd,
+ const char *name, unsigned long atime, unsigned long mtime)
+ {
+ struct timespec ts[2];
++ if (!retain_time_flag)
++ return;
+
+ memset (&ts, 0, sizeof ts);
+
+@@ -1247,7 +1248,8 @@ set_file_times (int fd,
+
+ /* Silently ignore EROFS because reading the file won't have upset its
+ timestamp if it's on a read-only filesystem. */
+- if (fdutimens (fd, name, ts) < 0 && errno != EROFS)
++ if ((fd >= 0 ?
fdutimens (fd, NULL, ts) : lutimens (name, ts)) < 0
++ && errno != EROFS)
+ utime_error (name);
+ }
+
+--
+2.24.1
+
diff --git a/SOURCES/cpio-2.13-CVE-2021-38185.patch b/SOURCES/cpio-2.13-CVE-2021-38185.patch
new file mode 100644
index 0000000..920e2b0
--- /dev/null
+++ b/SOURCES/cpio-2.13-CVE-2021-38185.patch
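Review bot: In `set_file_times` the name-based branch now goes through `lutimens (name, ts)`, yet the error filter still excuses only `EROFS`. gnulib documents `lutimens` as failing with `ENOSYS` when the platform cannot change a symlink's timestamps, so on such a system every symlink restored with times retained would presumably raise `utime_error`. Consider widening the filter to `&& errno != EROFS && errno != ENOSYS`, or extend the existing comment to say why that case is still reported.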
@@ -0,0 +1,621 @@
+From a458d64ad1e47c0912c2ba0702a148c396984105 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Mon, 13 Sep 2021 08:13:08 +0200
+Subject: [PATCH] * src/dstring.c (ds_init): Take a single argument.
+ (ds_free): New function. (ds_resize): Take a single argument. Use
+ x2nrealloc to expand the storage.
+ (ds_reset,ds_append,ds_concat,ds_endswith): New function. (ds_fgetstr):
+ Rewrite. In particular, this fixes integer overflow. (ds_resize): Take
+ additional argument: number of bytes to leave available after ds_idx. All
+ uses changed. * src/dstring.h (dynamic_string): Keep both the allocated
+ length (ds_size) and index of the next free byte in the string (ds_idx).
+ (ds_init,ds_resize): Change signature. (ds_len): New macro.
+ (ds_free,ds_reset,ds_append,ds_concat,ds_endswith): New protos. *
+ src/copyin.c: Use new ds_ functions. (read_name_from_file): Handle len == 0.
+ (read_name_from_file): Print error message and skip file if its name is not
+ nul-terminated. (long_format): Cast rdev numbers to unsigned long *
+ src/copyout.c: Likewise. * src/copypass.c: Likewise. * src/util.c: Likewise.
+ (tape_empty_output_buffer): Fix condition. * src/idcache.c
+ (getuser,getgroup): Use umaxtostr instead of sprintf. * src/userspec.c
+ (parse_user_spec): Likewise. * configure.ac: Raise version number to 2.13.90.
+
+---
+ configure.ac | 6 ++--
+ src/copyin.c | 69 ++++++++++++++++++++++------------------
+ src/copyout.c | 16 ++++------
+ src/copypass.c | 32 +++++++++----------
+ src/dstring.c | 85 ++++++++++++++++++++++++++++++++++++--------------
+ src/dstring.h | 30 +++++++++---------
+ src/idcache.c | 11 +++----
+ src/userspec.c | 9 ++----
+ src/util.c | 9 ++----
+ 9 files changed, 150 insertions(+), 117 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2132256..875b44f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -15,13 +15,13 @@ dnl
+ dnl You should have received a copy of the GNU General Public License
+ dnl along with this program. If not, see .
+
+-AC_INIT([GNU cpio], [2.13], [bug-cpio@gnu.org],,
++AC_INIT([GNU cpio], [2.13.90], [bug-cpio@gnu.org],,
+ [http://www.gnu.org/software/cpio])
+ AC_CONFIG_SRCDIR(src/cpio.h)
+ AC_CONFIG_AUX_DIR([build-aux])
+ AC_CONFIG_HEADERS([config.h])
+-AC_PREREQ([2.63])
+-AM_INIT_AUTOMAKE([1.11.1 gnits tar-ustar dist-bzip2 std-options silent-rules])
++AC_PREREQ([2.64])
++AM_INIT_AUTOMAKE([1.15 gnits tar-ustar dist-bzip2 std-options silent-rules])
+
+ # Enable silent rules by default:
+ AM_SILENT_RULES([yes])
+diff --git a/src/copyin.c b/src/copyin.c
+index 93b006a..df5da9c 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -56,10 +56,10 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
+ static dynamic_string new_name; /* New file name for rename option.
*/
+ static int initialized_new_name = false;
+ if (!initialized_new_name)
+- {
+- ds_init (&new_name, 128);
+- initialized_new_name = true;
+- }
++ {
++ ds_init (&new_name);
++ initialized_new_name = true;
++ }
+
+ if (rename_flag)
+ {
+@@ -756,8 +756,9 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name)
+
+ if ((file_hdr->c_mode & CP_IFMT) == CP_IFCHR
+ || (file_hdr->c_mode & CP_IFMT) == CP_IFBLK)
+- printf ("%3lu, %3lu ", file_hdr->c_rdev_maj,
+- file_hdr->c_rdev_min);
++ printf ("%3lu, %3lu ",
++ (unsigned long) file_hdr->c_rdev_maj,
++ (unsigned long) file_hdr->c_rdev_min);
+ else
+ printf ("%8"PRIuMAX" ", (uintmax_t) file_hdr->c_filesize);
+
+@@ -777,21 +778,20 @@ long_format (struct cpio_file_stat *file_hdr, char const *link_name)
+ already in `save_patterns' (from the command line) are preserved. */
+
+ static void
+-read_pattern_file ()
++read_pattern_file (void)
+ {
+- int max_new_patterns;
+- char **new_save_patterns;
+- int new_num_patterns;
++ char **new_save_patterns = NULL;
++ size_t max_new_patterns;
++ size_t new_num_patterns;
+ int i;
+- dynamic_string pattern_name;
++ dynamic_string pattern_name = DYNAMIC_STRING_INITIALIZER;
+ FILE *pattern_fp;
+
+ if (num_patterns < 0)
+ num_patterns = 0;
+- max_new_patterns = 1 + num_patterns;
+- new_save_patterns = (char **) xmalloc (max_new_patterns * sizeof (char *));
+ new_num_patterns = num_patterns;
+- ds_init (&pattern_name, 128);
++ max_new_patterns = num_patterns;
++ new_save_patterns = xcalloc (max_new_patterns, sizeof (new_save_patterns[0]));
+
+ pattern_fp = fopen (pattern_file_name, "r");
+ if (pattern_fp == NULL)
+@@ -800,16 +800,16 @@ read_pattern_file ()
+ {
+ while (ds_fgetstr (pattern_fp, &pattern_name, '\n') != NULL)
+ {
+- if (new_num_patterns >= max_new_patterns)
+- {
+- max_new_patterns += 1;
+- new_save_patterns = (char **)
+- xrealloc ((char *) new_save_patterns,
+- max_new_patterns * sizeof (char *));
+- }
++ if (new_num_patterns == max_new_patterns)
++
new_save_patterns = x2nrealloc (new_save_patterns,
++ &max_new_patterns,
++ sizeof (new_save_patterns[0]));
+ new_save_patterns[new_num_patterns] = xstrdup (pattern_name.ds_string);
+ ++new_num_patterns;
+ }
++
++ ds_free (&pattern_name);
++
+ if (ferror (pattern_fp) || fclose (pattern_fp) == EOF)
+ close_error (pattern_file_name);
+ }
+@@ -999,8 +999,21 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
+ static void
+ read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
+ {
+- cpio_realloc_c_name (file_hdr, len);
+- tape_buffered_read (file_hdr->c_name, fd, len);
++ if (len == 0)
++ {
++ error (0, 0, _("malformed header: file name of zero length"));
++ }
++ else
++ {
++ cpio_realloc_c_name (file_hdr, len);
++ tape_buffered_read (file_hdr->c_name, fd, len);
++ if (file_hdr->c_name[len-1] != 0)
++ {
++ error (0, 0, _("malformed header: file name is not nul-terminated"));
++ /* Skip this file */
++ len = 0;
++ }
++ }
+ file_hdr->c_namesize = len;
+ }
+
+@@ -1197,9 +1210,8 @@ swab_array (char *ptr, int count)
+ in the file system. */
+
+ void
+-process_copy_in ()
++process_copy_in (void)
+ {
+- char done = false; /* True if trailer reached. */
+ FILE *tty_in = NULL; /* Interactive file for rename option. */
+ FILE *tty_out = NULL; /* Interactive file for rename option. */
+ FILE *rename_in = NULL; /* Batch file for rename option. */
+@@ -1271,7 +1283,7 @@ process_copy_in ()
+ change_dir ();
+
+ /* While there is more input in the collection, process the input. */
+- while (!done)
++ while (1)
+ {
+ swapping_halfwords = swapping_bytes = false;
+
+@@ -1305,10 +1317,7 @@ process_copy_in ()
+ {
+ /* Is this the header for the TRAILER file?
*/
+ if (strcmp (CPIO_TRAILER_NAME, file_hdr.c_name) == 0)
+- {
+- done = true;
+- break;
+- }
++ break;
+
+ cpio_safer_name_suffix (file_hdr.c_name, false, !no_abs_paths_flag,
+ false);
+diff --git a/src/copyout.c b/src/copyout.c
+index 4b7336b..421d36d 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -594,9 +594,10 @@ assign_string (char **pvar, char *value)
+ The format of the header depends on the compatibility (-c) flag. */
+
+ void
+-process_copy_out ()
++process_copy_out (void)
+ {
+- dynamic_string input_name; /* Name of file read from stdin. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file read from stdin. */
+ struct stat file_stat; /* Stat record for file. */
+ struct cpio_file_stat file_hdr = CPIO_FILE_STAT_INITIALIZER;
+ /* Output header information. */
+@@ -605,7 +606,6 @@ process_copy_out ()
+ char *orig_file_name = NULL;
+
+ /* Initialize the copy out. */
+- ds_init (&input_name, 128);
+ file_hdr.c_magic = 070707;
+
+ /* Check whether the output file might be a tape. */
+@@ -657,14 +657,9 @@ process_copy_out ()
+ {
+ if (file_hdr.c_mode & CP_IFDIR)
+ {
+- int len = strlen (input_name.ds_string);
+ /* Make sure the name ends with a slash */
+- if (input_name.ds_string[len-1] != '/')
+- {
+- ds_resize (&input_name, len + 2);
+- input_name.ds_string[len] = '/';
+- input_name.ds_string[len+1] = 0;
+- }
++ if (!ds_endswith (&input_name, '/'))
++ ds_append (&input_name, '/');
+ }
+ }
+
+@@ -875,6 +870,7 @@ process_copy_out ()
+ (unsigned long) blocks), (unsigned long) blocks);
+ }
+ cpio_file_stat_free (&file_hdr);
++ ds_free (&input_name);
+ }
+
+
+diff --git a/src/copypass.c b/src/copypass.c
+index a5f9b7b..43bde7e 100644
+--- a/src/copypass.c
++++ b/src/copypass.c
+@@ -48,10 +48,12 @@ set_copypass_perms (int fd, const char *name, struct stat *st)
+ If `link_flag', link instead of copying. */
+
+ void
+-process_copy_pass ()
++process_copy_pass (void)
+ {
+- dynamic_string input_name; /* Name of file from stdin.
*/
+- dynamic_string output_name; /* Name of new file. */
++ dynamic_string input_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of file from stdin. */
++ dynamic_string output_name = DYNAMIC_STRING_INITIALIZER;
++ /* Name of new file. */
+ size_t dirname_len; /* Length of `directory_name'. */
+ int res; /* Result of functions. */
+ char *slash; /* For moving past slashes in input name. */
+@@ -65,25 +67,18 @@ process_copy_pass ()
+ created files */
+
+ /* Initialize the copy pass. */
+- ds_init (&input_name, 128);
+
+ dirname_len = strlen (directory_name);
+ if (change_directory_option && !ISSLASH (directory_name[0]))
+ {
+ char *pwd = xgetcwd ();
+
+- dirname_len += strlen (pwd) + 1;
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, pwd);
+- strcat (output_name.ds_string, "/");
+- strcat (output_name.ds_string, directory_name);
++ ds_concat (&output_name, pwd);
++ ds_append (&output_name, '/');
+ }
+- else
+- {
+- ds_init (&output_name, dirname_len + 2);
+- strcpy (output_name.ds_string, directory_name);
+- }
+- output_name.ds_string[dirname_len] = '/';
++ ds_concat (&output_name, directory_name);
++ ds_append (&output_name, '/');
++ dirname_len = ds_len (&output_name);
+ output_is_seekable = true;
+
+ change_dir ();
+@@ -116,8 +111,8 @@ process_copy_pass ()
+ /* Make the name of the new file.
*/
+ for (slash = input_name.ds_string; *slash == '/'; ++slash)
+ ;
+- ds_resize (&output_name, dirname_len + strlen (slash) + 2);
+- strcpy (output_name.ds_string + dirname_len + 1, slash);
++ ds_reset (&output_name, dirname_len);
++ ds_concat (&output_name, slash);
+
+ existing_dir = false;
+ if (lstat (output_name.ds_string, &out_file_stat) == 0)
+@@ -335,6 +330,9 @@ process_copy_pass ()
+ (unsigned long) blocks),
+ (unsigned long) blocks);
+ }
++
++ ds_free (&input_name);
++ ds_free (&output_name);
+ }
+
+ /* Try and create a hard link from FILE_NAME to another file
+diff --git a/src/dstring.c b/src/dstring.c
+index e9c063f..c788057 100644
+--- a/src/dstring.c
++++ b/src/dstring.c
+@@ -22,6 +22,7 @@
+ #endif
+
+ #include
++#include
+ #if defined(HAVE_STRING_H) || defined(STDC_HEADERS)
+ #include
+ #else
+@@ -33,24 +34,40 @@
+ /* Initialiaze dynamic string STRING with space for SIZE characters. */
+
+ void
+-ds_init (dynamic_string *string, int size)
++ds_init (dynamic_string *string)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xmalloc (size);
++ memset (string, 0, sizeof *string);
+ }
+
+-/* Expand dynamic string STRING, if necessary, to hold SIZE characters. */
++/* Free the dynamic string storage. */
+
+ void
+-ds_resize (dynamic_string *string, int size)
++ds_free (dynamic_string *string)
+ {
+- if (size > string->ds_length)
++ free (string->ds_string);
++}
++
++/* Expand dynamic string STRING, if necessary. */
++
++void
++ds_resize (dynamic_string *string, size_t len)
++{
++ while (len + string->ds_idx >= string->ds_size)
+ {
+- string->ds_length = size;
+- string->ds_string = (char *) xrealloc ((char *) string->ds_string, size);
++ string->ds_string = x2nrealloc (string->ds_string, &string->ds_size,
++ 1);
+ }
+ }
+
++/* Reset the index of the dynamic string S to LEN.
*/
++
++void
++ds_reset (dynamic_string *s, size_t len)
++{
++ ds_resize (s, len);
++ s->ds_idx = len;
++}
++
+ /* Dynamic string S gets a string terminated by the EOS character
+ (which is removed) from file F. S will increase
+ in size during the function if the string from F is longer than
+@@ -61,34 +78,49 @@ ds_resize (dynamic_string *string, int size)
+ char *
+ ds_fgetstr (FILE *f, dynamic_string *s, char eos)
+ {
+- int insize; /* Amount needed for line. */
+- int strsize; /* Amount allocated for S. */
+ int next_ch;
+
+ /* Initialize. */
+- insize = 0;
+- strsize = s->ds_length;
++ s->ds_idx = 0;
+
+ /* Read the input string. */
+- next_ch = getc (f);
+- while (next_ch != eos && next_ch != EOF)
++ while ((next_ch = getc (f)) != eos && next_ch != EOF)
+ {
+- if (insize >= strsize - 1)
+- {
+- ds_resize (s, strsize * 2 + 2);
+- strsize = s->ds_length;
+- }
+- s->ds_string[insize++] = next_ch;
+- next_ch = getc (f);
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx++] = next_ch;
+ }
+- s->ds_string[insize++] = '\0';
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx] = '\0';
+
+- if (insize == 1 && next_ch == EOF)
++ if (s->ds_idx == 0 && next_ch == EOF)
+ return NULL;
+ else
+ return s->ds_string;
+ }
+
++void
++ds_append (dynamic_string *s, int c)
++{
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx] = c;
++ if (c)
++ {
++ s->ds_idx++;
++ ds_resize (s, 0);
++ s->ds_string[s->ds_idx] = 0;
++ }
++}
++
++void
++ds_concat (dynamic_string *s, char const *str)
++{
++ size_t len = strlen (str);
++ ds_resize (s, len);
++ memcpy (s->ds_string + s->ds_idx, str, len);
++ s->ds_idx += len;
++ s->ds_string[s->ds_idx] = 0;
++}
++
+ char *
+ ds_fgets (FILE *f, dynamic_string *s)
+ {
+@@ -100,3 +132,10 @@ ds_fgetname (FILE *f, dynamic_string *s)
+ {
+ return ds_fgetstr (f, s, '\0');
+ }
++
++/* Return true if the dynamic string S ends with character C.
*/
++int
++ds_endswith (dynamic_string *s, int c)
++{
++ return (s->ds_idx > 0 && s->ds_string[s->ds_idx - 1] == c);
++}
+diff --git a/src/dstring.h b/src/dstring.h
+index b5135fe..756cc1f 100644
+--- a/src/dstring.h
++++ b/src/dstring.h
+@@ -17,10 +17,6 @@
+ Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ Boston, MA 02110-1301 USA. */
+
+-#ifndef NULL
+-#define NULL 0
+-#endif
+-
+ /* A dynamic string consists of record that records the size of an
+ allocated string and the pointer to that string. The actual string
+ is a normal zero byte terminated string that can be used with the
+@@ -30,22 +26,24 @@
+
+ typedef struct
+ {
+- int ds_length; /* Actual amount of storage allocated. */
+- char *ds_string; /* String. */
++ size_t ds_size; /* Actual amount of storage allocated. */
++ size_t ds_idx; /* Index of the next free byte in the string. */
++ char *ds_string; /* String storage. */
+ } dynamic_string;
+
++#define DYNAMIC_STRING_INITIALIZER { 0, 0, NULL }
+
+-/* Macros that look similar to the original string functions.
+- WARNING: These macros work only on pointers to dynamic string records.
+- If used with a real record, an "&" must be used to get the pointer.
*/
+-#define ds_strlen(s) strlen ((s)->ds_string)
+-#define ds_strcmp(s1, s2) strcmp ((s1)->ds_string, (s2)->ds_string)
+-#define ds_strncmp(s1, s2, n) strncmp ((s1)->ds_string, (s2)->ds_string, n)
+-#define ds_index(s, c) index ((s)->ds_string, c)
+-#define ds_rindex(s, c) rindex ((s)->ds_string, c)
++void ds_init (dynamic_string *string);
++void ds_free (dynamic_string *string);
++void ds_reset (dynamic_string *s, size_t len);
+
+-void ds_init (dynamic_string *string, int size);
+-void ds_resize (dynamic_string *string, int size);
++/* All functions below guarantee that s->ds_string[s->ds_idx] == '\0' */
+ char *ds_fgetname (FILE *f, dynamic_string *s);
+ char *ds_fgets (FILE *f, dynamic_string *s);
+ char *ds_fgetstr (FILE *f, dynamic_string *s, char eos);
++void ds_append (dynamic_string *s, int c);
++void ds_concat (dynamic_string *s, char const *str);
++
++#define ds_len(s) ((s)->ds_idx)
++
++int ds_endswith (dynamic_string *s, int c);
+diff --git a/src/idcache.c b/src/idcache.c
+index 33b0d3f..6bd1f3e 100644
+--- a/src/idcache.c
++++ b/src/idcache.c
+@@ -34,6 +34,7 @@
+ #endif
+
+ #include
++#include
+
+ struct userid
+ {
+@@ -59,7 +60,6 @@ getuser (uid_t uid)
+ {
+ register struct userid *tail;
+ struct passwd *pwent;
+- char usernum_string[20];
+
+ for (tail = user_alist; tail; tail = tail->next)
+ if (tail->id.u == uid)
+@@ -70,8 +70,8 @@ getuser (uid_t uid)
+ tail->id.u = uid;
+ if (pwent == 0)
+ {
+- sprintf (usernum_string, "%u", (unsigned) uid);
+- tail->name = xstrdup (usernum_string);
++ char nbuf[UINTMAX_STRSIZE_BOUND];
++ tail->name = xstrdup (umaxtostr (uid, nbuf));
+ }
+ else
+ tail->name = xstrdup (pwent->pw_name);
+@@ -134,7 +134,6 @@ getgroup (gid_t gid)
+ {
+ register struct userid *tail;
+ struct group *grent;
+- char groupnum_string[20];
+
+ for (tail = group_alist; tail; tail = tail->next)
+ if (tail->id.g == gid)
+@@ -145,8 +144,8 @@ getgroup (gid_t gid)
+ tail->id.g = gid;
+ if (grent == 0)
+ {
+- sprintf (groupnum_string, "%u",
(unsigned int) gid);
+- tail->name = xstrdup (groupnum_string);
++ char nbuf[UINTMAX_STRSIZE_BOUND];
++ tail->name = xstrdup (umaxtostr (gid, nbuf));
+ }
+ else
+ tail->name = xstrdup (grent->gr_name);
+diff --git a/src/userspec.c b/src/userspec.c
+index eb3640e..b03234e 100644
+--- a/src/userspec.c
++++ b/src/userspec.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #ifndef HAVE_ENDPWENT
+ # define endpwent()
+@@ -141,12 +142,8 @@ parse_user_spec (const char *spec_arg, uid_t *uid, gid_t *gid,
+ grp = getgrgid (pwd->pw_gid);
+ if (grp == NULL)
+ {
+- /* This is enough room to hold the unsigned decimal
+- representation of any 32-bit quantity and the trailing
+- zero byte. */
+- char uint_buf[21];
+- sprintf (uint_buf, "%u", (unsigned) (pwd->pw_gid));
+- V_STRDUP (groupname, uint_buf);
++ char nbuf[UINTMAX_STRSIZE_BOUND];
++ V_STRDUP (groupname, umaxtostr (pwd->pw_gid, nbuf));
+ }
+ else
+ {
+diff --git a/src/util.c b/src/util.c
+index 0e8d88c..b721f37 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -79,8 +79,7 @@ tape_empty_output_buffer (int out_des)
+
+ if (output_is_special
+ && (bytes_written >= 0
+- || (bytes_written < 0
+- && (errno == ENOSPC || errno == EIO || errno == ENXIO))))
++ || (errno == ENOSPC || errno == EIO || errno == ENXIO)))
+ {
+ get_next_reel (out_des);
+ if (bytes_written > 0)
+@@ -846,11 +845,9 @@ get_next_reel (int tape_des)
+ FILE *tty_out; /* File for interacting with user. */
+ int old_tape_des;
+ char *next_archive_name;
+- dynamic_string new_name;
++ dynamic_string new_name = DYNAMIC_STRING_INITIALIZER;
+ char *str_res;
+
+- ds_init (&new_name, 128);
+-
+ /* Open files for interactive communication.
*/
+ tty_in = fopen (TTY_NAME, "r");
+ if (tty_in == NULL)
+@@ -925,7 +922,7 @@ get_next_reel (int tape_des)
+ error (PAXEXIT_FAILURE, 0, _("internal error: tape descriptor changed from %d to %d"),
+ old_tape_des, tape_des);
+
+- free (new_name.ds_string);
++ ds_free (&new_name);
+ fclose (tty_in);
+ fclose (tty_out);
+ }
+--
+2.31.1
+
diff --git a/SOURCES/cpio-2.13-dev_number.patch b/SOURCES/cpio-2.13-dev_number.patch
new file mode 100644
index 0000000..20943a3
--- /dev/null
+++ b/SOURCES/cpio-2.13-dev_number.patch
@@ -0,0 +1,28 @@
+From: Kamil Dudka
+Date: Mon, 14 Sep 2015 09:37:15 +0200
+Subject: [PATCH 3/7] Support major/minor device numbers over 127 (bz#450109)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index b29f348..1142d6a 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -1123,15 +1123,15 @@ read_in_binary (struct cpio_file_stat *file_hdr,
+ swab_array ((char *) short_hdr, 13);
+ }
+
+- file_hdr->c_dev_maj = major (short_hdr->c_dev);
+- file_hdr->c_dev_min = minor (short_hdr->c_dev);
++ file_hdr->c_dev_maj = major ((unsigned short)short_hdr->c_dev);
++ file_hdr->c_dev_min = minor ((unsigned short)short_hdr->c_dev);
+ file_hdr->c_ino = short_hdr->c_ino;
+ file_hdr->c_mode = short_hdr->c_mode;
+ file_hdr->c_uid = short_hdr->c_uid;
+ file_hdr->c_gid = short_hdr->c_gid;
+ file_hdr->c_nlink = short_hdr->c_nlink;
+- file_hdr->c_rdev_maj = major (short_hdr->c_rdev);
+- file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
++ file_hdr->c_rdev_maj = major ((unsigned short)short_hdr->c_rdev);
++ file_hdr->c_rdev_min = minor ((unsigned short)short_hdr->c_rdev);
+ file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
+ | short_hdr->c_mtimes[1];
+ file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
diff --git a/SOURCES/cpio-2.13-exitCode.patch b/SOURCES/cpio-2.13-exitCode.patch
new file mode 100644
index 0000000..4af7736
--- /dev/null
+++ b/SOURCES/cpio-2.13-exitCode.patch
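Review bot: In `read_name_from_file` (src/copyin.c section of the CVE-2021-38185 patch) the not-nul-terminated branch only sets `len = 0`, so `file_hdr->c_name` still holds the unterminated bytes just read from the archive, and in the `len == 0` branch it keeps whatever an earlier header left there. Skipping the entry therefore depends on every caller testing `c_namesize == 0` before treating `c_name` as a C string; the `strcmp (CPIO_TRAILER_NAME, file_hdr.c_name)` visible in a later hunk is one such use, and whether it is guarded lies outside the hunks shown. Terminating the buffer in the error path, `file_hdr->c_name[len-1] = 0;` just before `len = 0;`, would keep a missed check from turning into a read past the allocation.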
@@ -0,0 +1,39 @@
+Subject: [PATCH 2/7] set exit code to 1 when cpio fails to store file > 4GB
+ (#183224)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 8b0beb6..4b7336b 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -290,7 +290,7 @@ field_width_error (const char *filename, const char *fieldname,
+ {
+ char valbuf[UINTMAX_STRSIZE_BOUND + 1];
+ char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
+- error (0, 0, _("%s: value %s %s out of allowed range 0..%s"),
++ error (1, 0, _("%s: value %s %s out of allowed range 0..%s"),
+ filename, fieldname,
+ STRINGIFY_BIGINT (value, valbuf),
+ STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
+diff --git a/tests/CVE-2019-14866.at b/tests/CVE-2019-14866.at
+index e877b39..50ad60b 100644
+--- a/tests/CVE-2019-14866.at
++++ b/tests/CVE-2019-14866.at
+@@ -30,6 +30,5 @@ fi
+ [0],
+ [],
+ [cpio: file: value size 17179869184 out of allowed range 0..8589934591
+-2 blocks
+ ])
+ AT_CLEANUP
+diff --git a/tests/testsuite b/tests/testsuite
+index b45c731..fd8454d 100755
+--- a/tests/testsuite
++++ b/tests/testsuite
+@@ -2885,7 +2885,6 @@ fi
+ at_status=$? at_failed=false
+ $at_check_filter
+ echo >>"$at_stderr"; $as_echo "cpio: file: value size 17179869184 out of allowed range 0..8589934591
+-2 blocks
+ " | \
+ $at_diff - "$at_stderr" || at_failed=:
+ at_fn_diff_devnull "$at_stdout" || at_failed=:
diff --git a/SOURCES/cpio-2.13-mutiple-definition.patch b/SOURCES/cpio-2.13-mutiple-definition.patch
new file mode 100644
index 0000000..ac97b81
--- /dev/null
+++ b/SOURCES/cpio-2.13-mutiple-definition.patch
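Review bot: Passing `1` as the status argument of `error` in `field_width_error` ends the process at that call, so the archive being written stops at the offending member with no trailer; the removed `2 blocks` line in both test expectations reflects that the normal completion path no longer runs. The bare `1` also differs from the named `PAXEXIT_FAILURE` status that `get_next_reel` uses elsewhere on this page. If terminating with status 1 is deliberate, record it at the call, e.g. `/* Fatal: exit status 1, output archive is left incomplete. */`. The function body continues outside the hunk, so any code after this call that relied on it returning could not be checked.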
@@ -0,0 +1,13 @@
+diff -up cpio-2.13/src/global.c.me cpio-2.13/src/global.c
+--- cpio-2.13/src/global.c.me 2020-01-30 17:17:42.015259283 +0100
++++ cpio-2.13/src/global.c 2020-01-30 17:24:12.680794025 +0100
+@@ -184,9 +184,6 @@ unsigned int warn_option = 0;
+ /* Extract to standard output? */
+ bool to_stdout_option = false;
+
+-/* The name this program was run with. */
+-char *program_name;
+-
+ /* A pointer to either lstat or stat, depending on whether
+ dereferencing of symlinks is done for input files. */
+ int (*xstat) ();
diff --git a/SOURCES/cpio-2.13-reset-gid-uid.patch b/SOURCES/cpio-2.13-reset-gid-uid.patch
new file mode 100644
index 0000000..56f720d
--- /dev/null
+++ b/SOURCES/cpio-2.13-reset-gid-uid.patch
@@ -0,0 +1,63 @@
+From 5913893d6f3de65b16e1ad294b88893305efb20f Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Thu, 18 Feb 2021 09:59:31 +0100
+Subject: [PATCH] * lib/system.h (ERRNO_IS_EACCES): Remove. Not used anymore.
+ (sys_reset_uid_gid): Re-initialize supplementary groups when switching
+ privileges. Fix ordering of setgid and setuid calls.
+
+---
+ lib/system.h | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/lib/system.h b/lib/system.h
+index 1c1a5d0..4fd3ce9 100644
+--- a/lib/system.h
++++ b/lib/system.h
+@@ -470,19 +470,37 @@ char *getenv ();
+ #if MSDOS
+ # include
+ # define SET_BINARY_MODE(arc) setmode(arc, O_BINARY)
+-# define ERRNO_IS_EACCES errno == EACCES
+ # define mkdir(file, mode) (mkdir) (file)
+ # define TTY_NAME "con"
+ # define sys_reset_uid_gid()
+ #else
+ # define SET_BINARY_MODE(arc)
+-# define ERRNO_IS_EACCES 0
+ # define TTY_NAME "/dev/tty"
+-# define sys_reset_uid_gid() \
+- do { \
+- if (! (setuid (getuid ()) == 0 && setgid (getgid ()) == 0)) \
+- abort (); \
+- } while (0)
++# include
++static inline void
++sys_reset_uid_gid (void)
++{
++ struct passwd *pw;
++ uid_t uid = getuid ();
++ gid_t gid = getgid ();
++
++ if ((pw = getpwuid (uid)) == NULL)
++ {
++ FATAL_ERROR ((0, errno, "%s(%lu)", "getpwuid", (unsigned long)uid));
++ }
++ if (initgroups (pw->pw_name, getgid ()))
++ {
++ FATAL_ERROR ((0, errno, "%s", "initgroups"));
++ }
++ if (gid != getegid () && setgid (gid) && errno != EPERM)
++ {
++ FATAL_ERROR ((0, errno, "%s", "setgid"));
++ }
++ if (uid != geteuid () && setuid (uid) && errno != EPERM)
++ {
++ FATAL_ERROR ((0, errno, "%s", "setuid"));
++ }
++}
+ #endif
+
+ #if XENIX
+--
+2.26.0
+
diff --git a/SOURCES/cpio-2.13-revert-CVE-2015-1197-fix.patch b/SOURCES/cpio-2.13-revert-CVE-2015-1197-fix.patch
new file mode 100644
index 0000000..1106ac7
--- /dev/null
+++ b/SOURCES/cpio-2.13-revert-CVE-2015-1197-fix.patch
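Review bot: In the new sys_reset_uid_gid, a setgid() or setuid() call that fails with EPERM is accepted (`&& errno != EPERM`), so the function can return while the effective ids still differ from the real ones; the macro it replaces called abort() on any failure. Nothing after the two calls confirms that the drop took effect, and a closing check such as `if (getegid () != gid || geteuid () != uid) FATAL_ERROR ((0, 0, "%s", "privileges not dropped"));` would make that case fail closed. The initgroups() failure is fatal for every errno, which presumably also hits an unprivileged caller with nothing to drop; that is worth confirming against the remote-archive path. getpwuid() can return NULL without setting errno, so the `getpwuid` message may report a stale error.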
@@ -0,0 +1,91 @@
+revert fix for CVE-2015-1197 as it causes shutdown issues
+
+revert suggested as a workaround by upstream:
+https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00016.html
+
+--- b/src/copyin.c
++++ a/src/copyin.c
+@@ -645,14 +645,13 @@
+ link_name = xstrdup (file_hdr->c_tar_linkname);
+ }
+
+- cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-
+ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ file_hdr->c_mode);
+ if (res < 0 && create_dir_flag)
+ {
+ create_all_directories (file_hdr->c_name);
++ res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
++ file_hdr->c_mode);
+- res = UMASKED_SYMLINK (link_name, file_hdr->c_name, file_hdr->c_mode);
+ }
+ if (res < 0)
+ {
+--- b/tests/CVE-2015-1197.at
++++ /dev/null
+@@ -1,43 +0,0 @@
+-# Process this file with autom4te to create testsuite. -*- Autotest -*-
+-# Copyright (C) 2009-2019 Free Software Foundation, Inc.
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 3, or (at your option)
+-# any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see .
+-
+-AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
+-AT_CHECK([
+-tempdir=$(pwd)/tmp
+-mkdir $tempdir
+-touch $tempdir/file
+-ln -s $tempdir dir
+-AT_DATA([filelist],
+-[dir
+-dir/file
+-])
+-ln -s /tmp dir
+-touch /tmp/file
+-cpio -o < filelist > test.cpio
+-rm dir /tmp/file
+-cpio --no-absolute-filenames -iv < test.cpio
+-],
+-[2],
+-[],
+-[1 block
+-cpio: Removing leading `/' from hard link targets
+-dir
+-cpio: dir/file: Cannot open: No such file or directory
+-dir/file
+-1 block
+-])
+-AT_CLEANUP
+-
+--- b/tests/Makefile.am
++++ a/tests/Makefile.am
+@@ -56,9 +56,8 @@
+ symlink-long.at\
+ symlink-to-stdout.at\
+ version.at\
+ big-block-size.at\
+- CVE-2015-1197.at\
+ CVE-2019-14866.at
+
+ TESTSUITE = $(srcdir)/testsuite
+
+--- b/tests/testsuite.at
++++ a/tests/testsuite.at
+@@ -43,6 +43,5 @@
+ m4_include([setstat04.at])
+ m4_include([setstat05.at])
+ m4_include([big-block-size.at])
+
+-m4_include([CVE-2015-1197.at])
+ m4_include([CVE-2019-14866.at])
diff --git a/SOURCES/cpio-2.9-rh.patch b/SOURCES/cpio-2.9-rh.patch
new file mode 100644
index 0000000..23d70db
--- /dev/null
+++ b/SOURCES/cpio-2.9-rh.patch
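Review bot: With `cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);` removed from the symlink branch of src/copyin.c, `UMASKED_SYMLINK` creates the link with the target exactly as stored in the archive, and the only regression test for that behaviour (tests/CVE-2015-1197.at) is deleted in the same patch. The description gives the shutdown regression as the reason but records no compensating control, so extracting untrusted archives with `--no-absolute-filenames` again relies on the caller confining the extraction directory. A comment at the call site would keep this visible to the next maintainer, for example `/* link_name is used verbatim from the archive: CVE-2015-1197 hardening reverted downstream (#1797163) */`. The `--no-absolute-filenames` entry in the cpio.1 page added by this commit could carry the same caveat. The enclosing function starts and ends outside the hunk.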
@@ -0,0 +1,69 @@
+From: Pavel Raiskup
+Date: Mon, 14 Sep 2015 09:27:21 +0200
+Subject: [PATCH 1/7] make '-c' equivalent to '-H newc'
+
+diff --git a/doc/cpio.texi b/doc/cpio.texi
+index e631934..a788b5d 100644
+--- a/doc/cpio.texi
++++ b/doc/cpio.texi
+@@ -261,7 +261,8 @@ Sets the I/O block size to @var{block-size} * 512 bytes.
+ @item -B
+ Set the I/O block size to 5120 bytes.
+ @item -c
+-Use the old portable (ASCII) archive format.
++Identical to "-H newc", use the new (SVR4) portable format. If you wish the old
++portable (ASCII) archive format, use "-H odc" instead.
+ @item -C @var{number}
+ @itemx --io-size=@var{number}
+ Set the I/O block size to the given @var{number} of bytes.
+@@ -343,7 +344,8 @@ Equivalent to @option{-sS}.
+ @item -B
+ Set the I/O block size to 5120 bytes.
+ @item -c
+-Use the old portable (ASCII) archive format.
++Identical to "-H newc", use the new (SVR4) portable format. If you wish the old
++portable (ASCII) archive format, use "-H odc" instead.
+ @item -C @var{number}
+ @itemx --io-size=@var{number}
+ Set the I/O block size to the given @var{number} of bytes.
+@@ -454,7 +456,8 @@ Sets the I/O block size to @var{block-size} * 512 bytes.
+ @item -B
+ Set the I/O block size to 5120 bytes.
+ @item -c
+-Use the old portable (ASCII) archive format.
++Identical to "-H newc", use the new (SVR4) portable format. If you wish the old
++portable (ASCII) archive format, use "-H odc" instead.
+ @item -C @var{number}
+ @itemx --io-size=@var{number}
+ Set the I/O block size to the given @var{number} of bytes.
+@@ -600,7 +603,8 @@ block size is 512 bytes.
+
+ @item -c
+ [@ref{copy-in},@ref{copy-out},@ref{copy-pass}]
+-@*Use the old portable (ASCII) archive format.
++@*Identical to "-H newc", use the new (SVR4) portable format. If you wish the
++old portable (ASCII) archive format, use "-H odc" instead.
+
+@item -C @var{io-size}
+@itemx --io-size=@var{io-size}
+diff --git a/src/main.c b/src/main.c
+index a13861f..a875a13 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -124,7 +124,7 @@ static struct argp_option options[] = {
+ {"block-size", BLOCK_SIZE_OPTION, N_("BLOCK-SIZE"), 0,
+ N_("Set the I/O block size to BLOCK-SIZE * 512 bytes"), GRID+1 },
+ {NULL, 'c', NULL, 0,
+- N_("Use the old portable (ASCII) archive format"), GRID+1 },
++ N_("Identical to \"-H newc\", use the new (SVR4) portable format. If you wish the old portable (ASCII) archive format, use \"-H odc\" instead."), GRID+1 },
+ {"dot", 'V', NULL, 0,
+ N_("Print a \".\" for each file processed"), GRID+1 },
+ {"io-size", 'C', N_("NUMBER"), 0,
+@@ -329,6 +329,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
+ case 'c': /* Use the old portable ASCII format. */
+ if (archive_format != arf_unknown)
+ USAGE_ERROR ((0, 0, _("Archive format multiply defined")));
++#define SVR4_COMPAT
+ #ifdef SVR4_COMPAT
+ archive_format = arf_newascii; /* -H newc. */
+ #else
diff --git a/SOURCES/cpio-2.9.90-defaultremoteshell.patch b/SOURCES/cpio-2.9.90-defaultremoteshell.patch
new file mode 100644
index 0000000..01dbd5d
--- /dev/null
+++ b/SOURCES/cpio-2.9.90-defaultremoteshell.patch
@@ -0,0 +1,20 @@
+From: =?UTF-8?q?Ond=C5=99ej=20Va=C5=A1=C3=ADk?=
+Date: Mon, 14 Sep 2015 09:39:13 +0200
+Subject: [PATCH 4/7] define default remote shell as /usr/bin/ssh(#452904), use
+ /etc/rmt as default rmt command
+
+diff --git a/lib/rtapelib.c b/lib/rtapelib.c
+index 7213031..7d0bd52 100644
+--- a/lib/rtapelib.c
++++ b/lib/rtapelib.c
+@@ -59,6 +59,10 @@
+ # include
+ #endif
+
++#ifndef REMOTE_SHELL
++# define REMOTE_SHELL "/usr/bin/ssh"
++#endif
++
+ #include
+ #include
+
diff --git a/SOURCES/cpio.1 b/SOURCES/cpio.1
new file mode 100644
index 0000000..670277c
--- /dev/null
+++ b/SOURCES/cpio.1
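Review bot: In the cpio-2.9-rh.patch hunk, `#define SVR4_COMPAT` sits inside the `case 'c':` body of parse_opt in src/main.c, directly above the `#ifdef SVR4_COMPAT` it controls, so the `#else` branch can never be compiled and the macro stays defined for the rest of the translation unit. The case comment still reads `/* Use the old portable ASCII format. */`, which now contradicts the help text changed earlier in the same patch. I would define the macro once near the top of the file (or pass it from the build flags) and update the comment to `case 'c': /* Same as -H newc (SVR4 portable format). */`. parse_opt continues outside the hunk.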
@@ -0,0 +1,438 @@ +.\" DO NOT MODIFY THIS FILE! It was (partly) generated by help2man from +.\" cpio --help/cpio --version output and partly patched by downstream +.\" package maintainers. +.TH CPIO 1L \" -*- nroff -*- +.SH NAME +cpio \- copy files to and from archives +.SH __WARNING__ +.PP +The cpio utility is considered LEGACY based on POSIX specification. Users are +encouraged to use other archiving tools for archive creation. + +If you decided to use cpio, you should almost always force cpio to use the +ustar format in copy-out mode by the -H option (cpio -o -H ustar). This is +because the ustar format is well defined in POSIX specification and thus +readable by wide range of other archiving tools (including tar e.g.). + +By default, GNU cpio uses (for historical reasons) the very old binary format +('bin') which has significant problems nowadays, e.g. with storing big inode +numbers (see the Red Hat bug #952313). + +Note also that these days the modern 'pax' archive format should be considered +as the default -- but this format is not implemented in GNU cpio. You should, +again, consider using other archivers (e.g. 'tar --format=pax'). + +.SH SYNOPSIS +\&\fBCopy-out mode\fR +.PP +In copy-out mode, cpio copies files into an archive. It reads a list +of filenames, one per line, on the standard input, and writes the +archive onto the standard output. A typical way to generate the list +of filenames is with the find command; you should give find the \-depth +option to minimize problems with permissions on directories that are +unreadable. see \*(lqOptions\*(rq. 
+.PP +.B cpio +{\-o|\-\-create} [\-0acvABLV] [\-C bytes] [\-H format] [\-D DIR] +[\-M message] [\-O [[user@]host:]archive] [\-F [[user@]host:]archive] +[\-\-file=[[user@]host:]archive] [\-\-format=format] [\-\-warning=FLAG] +[\-\-message=message][\-\-null] [\-\-reset\-access\-time] [\-\-verbose] +[\-\-dot] [\-\-append] [\-\-block\-size=blocks] [\-\-dereference] +[\-\-io\-size=bytes] [\-\-rsh\-command=command] [\-\-license] [\-\-usage] +[\-\-help] [\-\-version] +< name-list [> archive] +.PP +\&\fBCopy-in mode\fR +.PP +In copy-in mode, cpio copies files out of an archive or lists the +archive contents. It reads the archive from the standard input. Any +non-option command line arguments are shell globbing patterns; only +files in the archive whose names match one or more of those patterns are +copied from the archive. Unlike in the shell, an initial `\fB.\fR' in a +filename does match a wildcard at the start of a pattern, and a `\fB/\fR' in a +filename can match wildcards. If no patterns are given, all files are +extracted. see \*(lqOptions\*(rq. 
+.PP +.B cpio +{\-i|\-\-extract} [\-bcdfmnrtsuvBSV] [\-C bytes] [\-E file] [\-H format] +[\-D DIR] +[\-M message] [\-R [user][:.][group]] [\-I [[user@]host:]archive] +[\-F [[user@]host:]archive] [\-\-file=[[user@]host:]archive] +[\-\-make-directories] [\-\-nonmatching] [\-\-preserve-modification-time] +[\-\-numeric-uid-gid] [\-\-rename] [\-t|\-\-list] [\-\-swap-bytes] [\-\-swap] +[\-\-dot] [\-\-warning=FLAG] [\-\-unconditional] [\-\-verbose] +[\-\-block-size=blocks] [\-\-swap-halfwords] [\-\-io-size=bytes] +[\-\-pattern-file=file] [\-\-format=format] [\-\-owner=[user][:.][group]] +[\-\-no-preserve-owner] [\-\-message=message] +[\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-absolute\-filenames] +[\-\-sparse] [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] +[\-\-ignore\-devno] [\-\-renumber\-inodes] [\-\-device\-independent] +[\-\-reproducible] +[\-\-rsh-command=command] [\-\-license] [\-\-usage] [\-\-help] +[\-\-version] [pattern...] [< archive] +.PP +\&\fBCopy-pass mode\fR +.PP +In copy-pass mode, cpio copies files from one directory tree to +another, combining the copy-out and copy-in steps without actually +using an archive. It reads the list of files to copy from the standard +input; the directory into which it will copy them is given as a +non-option argument. see \*(lqOptions\*(rq. +.PP +.B cpio +{\-p|\-\-pass-through} [\-0adlmuvLV] [\-R [user][:.][group]] [\-D DIR] +[\-\-null] [\-\-reset-access-time] [\-\-make-directories] [\-\-link] [\-\-quiet] +[\-\-preserve-modification-time] [\-\-unconditional] [\-\-verbose] [\-\-dot] +[\-\-warning=FLAG] [\-\-dereference] [\-\-owner=[user][:.][group]] +[\-\-no-preserve-owner] [\-\-sparse] [\-\-license] [\-\-usage] [\-\-help] +[\-\-version] destination-directory < name-list +.PP +.SH DESCRIPTION +GNU cpio is a tool for creating and extracting archives, or copying +files from one place to another. It handles a number of cpio formats as +well as reading and writing tar files. 
+.PP +Following archive formats are supported: binary, old ASCII, new ASCII, crc, HPUX binary, HPUX old +ASCII, old tar, and POSIX.1 tar. The tar format is provided for compatibility with the tar program. By +default, cpio creates binary format archives, for compatibility with older cpio programs. When extracting +from archives, cpio automatically recognizes which kind of archive it is reading and can read archives created +on machines with a different byte-order. +.PP +.SS "Main operation mode:" +.TP +\fB\-i\fR, \fB\-\-extract\fR +Extract files from an archive (run in copy\-in +mode) +.TP +\fB\-o\fR, \fB\-\-create\fR +Create the archive (run in copy\-out mode) +.TP +\fB\-p\fR, \fB\-\-pass\-through\fR +Run in copy\-pass mode +.TP +\fB\-t\fR, \fB\-\-list\fR +Print a table of contents of the input +.SS "Operation modifiers valid in any mode:" +.TP +\fB\-\-block\-size\fR=\fI\,BLOCK\-SIZE\/\fR +Set the I/O block size to BLOCK\-SIZE * 512 +bytes +.TP +\fB\-B\fR +Set the I/O block size to 5120 bytes. +Initially the block size is 512 bytes. +.TP +\fB\-c\fR +Identical to "\-H newc", use the new (SVR4) +portable format. If you wish the old portable +(ASCII) archive format, use "\-H odc" instead. +.TP +\fB\-C\fR, \fB\-\-io\-size\fR=\fI\,NUMBER\/\fR +Set the I/O block size to the given NUMBER of +bytes +.TP +\fB\-D\fR, \fB\-\-directory\fR=\fI\,DIR\/\fR +Change to directory DIR +.TP +\fB\-\-force\-local\fR +With \-F, \-I, or \-O, take the archive file name to be a local file +even if it contains a colon, which would ordinarily indicate a +remote host name. +.TP +\fB\-H\fR, \fB\-\-format\fR=\fI\,FORMAT\/\fR +Use given archive FORMAT. +The valid formats are listed below; the same names are also recognized in +all\-caps. The default in copy-in mode is to automatically detect the archive +format, and in copy-out mode is `\fBbin\fR'. +.TP +`bin' +The obsolete binary format. +.TP +`odc' +The old (\s-1POSIX\s0.1) portable format. 
+.TP +`newc' +The new (\s-1SVR4\s0) portable format, which supports file systems +having more than 65536 i\-nodes. +.TP +`crc' +The new (\s-1SVR4\s0) portable format with a checksum (Sum32) added. +.TP +`tar' +The old tar format. +.TP +`ustar' +The \s-1POSIX\s0.1 tar format. Also recognizes \s-1GNU\s0 tar archives, +which are similar but not identical. +.TP +`hpbin' +The obsolete binary format used by \s-1HPUX\s0's cpio (which stores +device files differently). +.TP +`hpodc' +The portable format used by \s-1HPUX\s0's cpio (which stores device +files differently). +.TP +\fB\-\-quiet\fR +Do not print the number of blocks copied +.TP +\fB\-R\fR, \fB\-\-owner\fR=\fI\,[USER][\/\fR:.][GROUP] +Set the ownership of all files created to the +specified USER and/or GROUP. +Either the user, the group, or both, must be present. If the group is omitted +but the \&\*(lq:\*(rq or \*(lq.\*(rq separator is given, use the given user's +login group. Only the super-user can change files' ownership in copy\-in mode. +.TP +\fB\-v\fR, \fB\-\-verbose\fR +List the files processed, or with `\fB\-t\fR', give an `\fBls \-l\fR' style +table of contents listing. In a verbose table of contents of a +ustar archive, user and group names in the archive that do not +exist on the local system are replaced by the names that +correspond locally to the numeric \s-1UID\s0 and \s-1GID\s0 stored in the +archive. +.TP +\fB\-V\fR, \fB\-\-dot\fR +Print a "." for each file processed +.TP +\fB\-W\fR, \fB\-\-warning\fR=\fI\,FLAG\/\fR +Control warning display. Currently FLAG is one of +\&'none', 'truncate', 'all'. Multiple options +accumulate. +.SS "Operation modifiers valid in copy-in and copy-out modes:" +.TP +\fB\-F\fR, \fB\-\-file\fR=\fI\,[[USER\/\fR@]HOST:]FILE\-NAME +Use this FILE\-NAME instead of standard input or +output. 
Optional USER and HOST specify the user +and host names in case of a remote archive +.TP +\fB\-M\fR, \fB\-\-message\fR=\fI\,STRING\/\fR +Print \s-1STRING\s0 when the end of a volume of the backup media (such +as a tape or a floppy disk) is reached, to prompt the user to +insert a new volume. If \s-1STRING\s0 contains the string \*(lq%d\*(rq, it is +replaced by the current volume number (starting at 1). +.TP +\fB\-\-rsh\-command\fR=\fI\,COMMAND\/\fR +Use COMMAND instead of rsh +(typically /usr/bin/ssh) +.SS "Operation modifiers valid only in copy-in mode:" +.TP +\fB\-b\fR, \fB\-\-swap\fR +Swap both halfwords of words and bytes of +halfwords in the data. Equivalent to \fB\-sS\fR +Use this option to convert 32\-bit integers between big-endian and little-endian +machines. +.TP +\fB\-f\fR, \fB\-\-nonmatching\fR +Only copy files that do not match any of the given +patterns +.TP +\fB\-I\fR [[USER@]HOST:]FILE\-NAME +Archive filename to use instead of standard input. +Optional USER and HOST specify the user and host +names in case of a remote archive +.TP +\fB\-n\fR, \fB\-\-numeric\-uid\-gid\fR +In the verbose table of contents listing, show +numeric UID and GID +.TP +\fB\-r\fR, \fB\-\-rename\fR +Interactively rename files +.TP +\fB\-s\fR, \fB\-\-swap\-bytes\fR +Swap the bytes of each halfword in the files +.TP +\fB\-S\fR, \fB\-\-swap\-halfwords\fR +Swap the halfwords of each word (4 bytes) in the +files +.TP +\fB\-\-to\-stdout\fR +Extract files to standard output +.TP +\fB\-E\fR, \fB\-\-pattern\-file\fR=\fI\,FILE\/\fR +Read additional patterns specifying filenames to +extract or list from FILE +.TP +\fB\-\-only\-verify\-crc\fR +When reading a CRC format archive, only verify the +checksum of each file in the archive, don't +actually extract the files +.SS "Operation modifiers valid only in copy-out mode:" +.TP +\fB\-A\fR, \fB\-\-append\fR +Append to an existing archive. +The archive must be a disk file specified with the \-O or \-F (\-file) option. 
+.TP +\fB\-\-device\-independent\fR, \fB\-\-reproducible\fR +Create device\-independent (reproducible) archives +.TP +\fB\-\-ignore\-devno\fR +Don't store device numbers +.TP +\fB\-O\fR [[USER@]HOST:]FILE\-NAME +Archive filename to use instead of standard +output. Optional USER and HOST specify the user +and host names in case of a remote archive +.TP +\fB\-\-renumber\-inodes\fR +Renumber inodes +.SS "Operation modifiers valid only in copy-pass mode:" +.TP +\fB\-l\fR, \fB\-\-link\fR +Link files instead of copying them, when +possible +.SS "Operation modifiers valid in copy-in and copy-out modes:" +.TP +\fB\-\-absolute\-filenames\fR +Do not strip file system prefix components from +the file names +.TP +\fB\-\-no\-absolute\-filenames\fR +Create all files relative to the current +directory +.SS "Operation modifiers valid in copy-out and copy-pass modes:" +.TP +\fB\-0\fR, \fB\-\-null\fR +Filenames in the list are delimited by null +characters instead of newlines, so that files whose names contain newlines can +be archived. \s-1GNU\s0 find is one way to produce a list of null-terminated +filenames. +.TP +\fB\-a\fR, \fB\-\-reset\-access\-time\fR +Reset the access times of files after reading them, so that it +does not look like they have just been read. +.TP +\fB\-L\fR, \fB\-\-dereference\fR +Dereference symbolic links (copy the files +that they point to instead of copying the links). +.SS "Operation modifiers valid in copy-in and copy-pass modes:" +.TP +\fB\-d\fR, \fB\-\-make\-directories\fR +Create leading directories where needed +.TP +\fB\-m\fR, \fB\-\-preserve\-modification\-time\fR +Retain previous file modification times when +creating files +.TP +\fB\-\-no\-preserve\-owner\fR +Do not change the ownership of the files; leave them owned by the +user extracting them. This is the default for non-root users, so +that users on System V don't inadvertently give away files. 
This +option can be used in copy-in mode and copy-pass mode +.TP +\fB\-\-sparse\fR +Write files with large blocks of zeros as sparse +files +.TP +\fB\-u\fR, \fB\-\-unconditional\fR +Replace all files unconditionally +.TP +\-?, \fB\-\-help\fR +give this help list +.TP +\fB\-\-usage\fR +give a short usage message +.TP +\fB\-\-version\fR +print program version +.PP +Mandatory or optional arguments to long options are also mandatory or optional +for any corresponding short options. + +.PP +.SH EXAMPLES +When creating an archive, cpio takes the list of files to be +processed from the standard input, and then sends the archive to the +standard output, or to the device defined by the `\fB\-F\fR' option. +Usually find or ls is used to provide this list to +the standard input. In the following example you can see the +possibilities for archiving the contents of a single directory. +.PP +.B % ls | cpio \-ov > directory.cpio +.PP +The `\fB\-o\fR' option creates the archive, and the `\fB\-v\fR' option prints the +names of the files archived as they are added. Notice that the options +can be put together after a single `\fB\-\fR' or can be placed separately on +the command line. The `\fB>\fR' redirects the cpio output to the file +`\fBdirectory.cpio\fR'. +.PP +If you wanted to archive an entire directory tree, the find command +can provide the file list to cpio: +.PP +.B % find . \-print \-depth | cpio \-ov > tree.cpio +.PP +This will take all the files in the current directory, the +directories below and place them in the archive tree.cpio. Again the +`\fB\-o\fR' creates an archive, and the `\fB\-v\fR' option shows you the name of the +files as they are archived. see \*(lqCopy\-out mode\*(rq. Using the `\fB.\fR' in +the find statement will give you more flexibility when doing restores, +as it will save file names with a relative path vice a hard wired, +absolute path. 
The `\fB\-depth\fR' option forces `\fBfind\fR' to print of the +entries in a directory before printing the directory itself. This +limits the effects of restrictive directory permissions by printing the +directory entries in a directory before the directory name itself. +.PP +Extracting an archive requires a bit more thought because cpio will +not create directories by default. Another characteristic, is it will +not overwrite existing files unless you tell it to. +.PP +.B % cpio \-iv < directory.cpio +.PP +This will retrieve the files archived in the file directory.cpio and +place them in the present directory. The `\fB\-i\fR' option extracts the +archive and the `\fB\-v\fR' shows the file names as they are extracted. If +you are dealing with an archived directory tree, you need to use the +`\fB\-d\fR' option to create directories as necessary, something like: +.PP +.B % cpio \-idv < tree.cpio +.PP +This will take the contents of the archive tree.cpio and extract it +to the current directory. If you try to extract the files on top of +files of the same name that already exist (and have the same or later +modification time) cpio will not extract the file unless told to do so +by the \-u option. see \*(lqCopy\-in mode\*(rq. +.PP +In copy-pass mode, cpio copies files from one directory tree to +another, combining the copy-out and copy-in steps without actually +using an archive. It reads the list of files to copy from the standard +input; the directory into which it will copy them is given as a +non-option argument. see \*(lqCopy\-pass mode\*(rq. +.PP +.B % find . \-depth \-print0 | cpio \-\-null \-pvd new-dir +.PP +The example shows copying the files of the present directory, and +sub-directories to a new directory called new\-dir. Some new options are +the `\fB\-print0\fR' available with \s-1GNU\s0 find, combined with the `\fB\-\-null\fR' +option of cpio. 
These two options act together to send file names +between find and cpio, even if special characters are embedded in the +file names. Another is `\fB\-p\fR', which tells cpio to pass the files it +finds to the directory `\fBnew-dir\fR'. + + +.SH AUTHOR +Written by Phil Nelson, David MacKenzie, John Oleynick, +and Sergey Poznyakoff. +.SH "REPORTING BUGS" +Report bugs to . +Report bugs in this manual page via https://bugzilla.redhat.com. +.SH COPYRIGHT +Copyright \(co 2015 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later . +.br +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. +.SH "SEE ALSO" +The full documentation for +.B cpio +is maintained as a Texinfo manual. If the +.B info +and +.B cpio +programs are properly installed at your site, the command +.IP +.B info cpio +.PP +should give you access to the complete manual. + +The online copy of the documentation is available at the following address: +.PP +http://www.gnu.org/software/cpio/manual diff --git a/SPECS/cpio.spec b/SPECS/cpio.spec new file mode 100644 index 0000000..c5a774b --- /dev/null +++ b/SPECS/cpio.spec 
@@ -0,0 +1,607 @@ +Summary: A GNU archiving program +Name: cpio +Version: 2.13 +Release: 16%{?dist} +License: GPLv3+ +URL: https://www.gnu.org/software/cpio/ +Source: https://ftp.gnu.org/gnu/cpio/cpio-%{version}.tar.bz2 + +# help2man generated manual page distributed only in RHEL/Fedora +Source1: cpio.1 + +# We use SVR4 portable format as default. +Patch1: cpio-2.9-rh.patch + +# fix warn_if_file_changed() and set exit code to 1 when cpio fails to store +# file > 4GB (#183224) +# http://lists.gnu.org/archive/html/bug-cpio/2006-11/msg00000.html +Patch2: cpio-2.13-exitCode.patch + +# Support major/minor device numbers over 127 (bz#450109) +# http://lists.gnu.org/archive/html/bug-cpio/2008-07/msg00000.html +Patch3: cpio-2.13-dev_number.patch + +# Define default remote shell as /usr/bin/ssh (#452904) +Patch4: cpio-2.9.90-defaultremoteshell.patch + +# Fix segfault with nonexisting file with patternnames (#567022) +# http://savannah.gnu.org/bugs/index.php?28954 +# We have slightly different solution than upstream. 
+Patch5: cpio-2.10-patternnamesigsegv.patch + +# Fix bad file name splitting while creating ustar archive (#866467) +# (fix backported from tar's source) +Patch7: cpio-2.10-longnames-split.patch + +# Cpio does Sum32 checksum, not CRC (downstream) +Patch8: cpio-2.11-crc-fips-nit.patch + +# Fix multiple definition of `program_name' +Patch9: cpio-2.13-mutiple-definition.patch + +# Revert fix for CVE-2015-1197 (#1797163) +# reverts upstream commit 45b0ee2b4 +Patch10: cpio-2.13-revert-CVE-2015-1197-fix.patch + +# Extract: retain times for symlinks +# downstream patch (#1486364) +# https://www.mail-archive.com/bug-cpio@gnu.org/msg00605.html +Patch11: cpio-2.11-retain-symlink-times.patch + +# Properly drop priviledges for remote command +# http://git.savannah.gnu.org/cgit/paxutils.git/commit/?id=d247e3c2809a37b6d0c3067251d96bb7f12555e7 +Patch12: cpio-2.13-reset-gid-uid.patch + +# Fixed integer overflow in ds_fgetstr() +# upstream patch (#1992512) +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dfc801c44a93bed7b3951905b188823d6a0432c8 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=236684f6deb3178043fe72a8e2faca538fa2aae1 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=4d169305dcb34137dc41acc761d8703eae2c63bf +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=86dacfe3e060ce95d5a2c0c5ec01f6437b0b6089 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7dd8ba91d8b6a2640e6c01c3e3a4234828646f23 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=684b7ac5767e676cda78c161aeb7fe7b45a07529 +# https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=b1c85839bf1381f749dd45bf6a5a38924e3315a0 +Patch13: cpio-2.13-CVE-2021-38185.patch + +Provides: bundled(gnulib) +Provides: bundled(paxutils) +Provides: /bin/cpio +BuildRequires: gcc +BuildRequires: texinfo, autoconf, automake, gettext, gettext-devel, rmt +BuildRequires: make + +%description +GNU cpio 
copies files into or out of a cpio or tar archive. Archives +are files which contain a collection of other files plus information +about them, such as their file name, owner, timestamps, and access +permissions. The archive can be another file on the disk, a magnetic +tape, or a pipe. GNU cpio supports the following archive formats: binary, +old ASCII, new ASCII, crc, HPUX binary, HPUX old ASCII, old tar and POSIX.1 +tar. By default, cpio creates binary format archives, so that they are +compatible with older cpio programs. When it is extracting files from +archives, cpio automatically recognizes which kind of archive it is reading +and can read archives created on machines with a different byte-order. + +Install cpio if you need a program to manage file archives. + + +%prep +%autosetup -p1 + + +%build +autoreconf -fi +export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -pedantic -fno-strict-aliasing -Wall $CFLAGS" +%configure --with-rmt="%{_sysconfdir}/rmt" +%make_build +(cd po && make update-gmo) + + +%install +%make_install + +rm -f $RPM_BUILD_ROOT%{_libexecdir}/rmt +rm -f $RPM_BUILD_ROOT%{_infodir}/dir +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/*.1* +install -c -p -m 0644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_mandir}/man1 + +%find_lang %{name} + +%check +rm -f ${RPM_BUILD_ROOT}/test/testsuite +make check || { + echo "### TESTSUITE.LOG ###" + cat tests/testsuite.log + exit 1 +} + + +%files -f %{name}.lang +%doc AUTHORS ChangeLog NEWS README THANKS TODO +%license COPYING +%{_bindir}/* +%{_mandir}/man*/* +%{_infodir}/*.info* + +%changelog +* Thu Aug 26 2021 Ondrej Dubaj - 2.13-16 +- Fixed CVE-2021-38185 (#1992512) + +* Thu Aug 19 2021 Ondrej Dubaj - 2.13-15 +- Revert patch for CVE-2021-38185 (#1992512) + +* Mon Aug 16 2021 Ondrej Dubaj - 2.13-14 +- Minor fix for CVE-2021-38185 (#1992512) + +* Mon Aug 16 2021 Ondrej Dubaj - 2.13-13 +- Fixed CVE-2021-38185 (#1992512) + +* Mon Aug 09 2021 Mohan Boddu - 2.13-12 +- Rebuilt for IMA sigs, glibc 
2.34, aarch64 flags + Related: rhbz#1991688 + +* Thu Apr 15 2021 Mohan Boddu - 2.13-11 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Thu Feb 18 2021 Ondrej Dubaj - 2.13-10 +- Properly drop priviledges for remote command + +* Tue Jan 26 2021 Fedora Release Engineering - 2.13-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 2.13-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 13 2020 Tom Stellard - 2.13-7 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Mon Jun 15 2020 Ondrej Dubaj - 2.13-6 +- Extract: retain times for symlinks (#1486364) + +* Tue Apr 07 2020 Ondrej Dubaj - 2.13-5.1 +- Release bump due to testing of gating + +* Wed Feb 05 2020 Petr Kubat - 2.13-4 +- Revert fix for CVE-2015-1197 as it causes shutdown issues (#1797163) + +* Thu Jan 30 2020 Than Ngo - 2.13-3 +- Fix multiple definition of program_name + +* Tue Jan 28 2020 Fedora Release Engineering - 2.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Nov 06 2019 Pavel Raiskup - 2.13-1 +- new upstream release, per release notes + https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html + +* Wed Jul 24 2019 Fedora Release Engineering - 2.12-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Feb 19 2019 Pavel Raiskup - 2.12-11 +- admit that we bundle paxutils project + +* Thu Jan 31 2019 Fedora Release Engineering - 2.12-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 2.12-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Apr 11 2018 Pavel Raiskup - 2.12-8 +- spring spec cleanup + +* Wed Feb 07 2018 Fedora Release Engineering - 2.12-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 2.12-6 +- 
Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 2.12-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.12-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Feb 03 2016 Fedora Release Engineering - 2.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Sep 14 2015 Pavel Raiskup - 2.12-2
+- (re)generate manual page for new options
+
+* Mon Sep 14 2015 Pavel Raiskup - 2.12-1
+- rebase, per release notes
+ http://lists.gnu.org/archive/html/bug-cpio/2015-09/msg00004.html
+
+* Mon Jul 06 2015 Ondrej Vasik - 2.11-36
+- in 2015, file name in CVE-2014-9112 shows in a bit different timestamp
+ format (fix FTBFS, #1239416)
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.11-35
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas - 2.11-34
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Wed Dec 03 2014 Pavel Raiskup - 2.11-33
+- the stored archive in testsuite has little endian headers, expect also
+ 'reversed byte-order' warning on big-endian
+
+* Wed Dec 03 2014 Pavel Raiskup - 2.11-32
+- adjust the testsuite fix for CVE-2014-9112 (#1167573)
+- put the testsuite.log to standard output if make check fails
+
+* Tue Dec 02 2014 Pavel Raiskup - 2.11-31
+- fix for CVE-2014-9112 (#1167573)
+
+* Sat Aug 16 2014 Fedora Release Engineering - 2.11-30
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 11 2014 Tom Callaway - 2.11-29
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.11-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat May 24 2014 Pavel Raiskup - 2.11-27
+- better fix for bad read() error checking (#996150)
+
+* Mon Apr 07 2014 Pavel Raiskup -
2.11-26
+- fix manual page to warn users about inode truncation (#952313)
+- fix for RU translation (#1075510)
+
+* Tue Nov 12 2013 Pavel Raiskup - 2.11-25
+- fix build for ppc64le (#1029540)
+
+* Mon Sep 30 2013 Pavel Raiskup - 2.11-24
+- properly trim "crc" checksum to 32 bits (#1001965)
+- remove unneeded patch for config.gues/config.sub (#951442)
+- allow treat read() errors (#996150)
+
+* Sat Aug 03 2013 Fedora Release Engineering - 2.11-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Mar 27 2013 Pavel Raiskup - 2.11-20
+- fix another bogus date in changelog
+- update config.guess/config.sub for aarm64 build (#925189)
+- run autoreconf instead of autoheader
+
+* Fri Mar 15 2013 Pavel Raiskup - 2.11-19
+- revert the fix for memory leak (at least for now) #921725
+
+* Tue Mar 12 2013 Pavel Raiskup - 2.11-18
+- explicitly provide /bin/cpio for packages that are dependant on this file
+
+* Mon Mar 11 2013 Pavel Raiskup - 2.11-17
+- fix small memory leak in copyin.c (#919454)
+- remove %%defattr and install 'cpio' to real %%{_bindir}
+- CovScan: add %%{?_rawbuild}
+
+* Wed Feb 13 2013 Fedora Release Engineering - 2.11-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 05 2012 Pavel Raiskup - 2.11-15
+- disable the temporary O_SYNC fix (glibc is fixed - #872366)
+
+* Fri Nov 02 2012 Pavel Raiskup - 2.11-14
+- fix bad changelog entries
+- allow to build in Fedora Rawhide (temporarily because of #872336) (the value
+ is guessed from from /usr/include/asm-generic/fcntl.h)
+
+* Mon Oct 22 2012 Pavel Raiskup 2.11-13
+- move RH-only manual page cpio.1 from look-aside cache into dist-git repository
+
+* Thu Oct 18 2012 Pavel Raiskup 2.11-12
+- fix for bad file name splitting while creating ustar archive (#866467)
+
+* Wed Aug 29 2012 Ondrej Vasik 2.11-11
+- add missing options to manpage (#852765)
+
+* Wed Jul 18 2012 Fedora Release Engineering - 2.11-10
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 04 2012 Ondrej Vasik 2.11-9
+- fix build failure in rawhide build system (gets undefined)
+
+* Wed May 30 2012 Ondrej Vasik 2.11-8
+- drop unnecessary patches: cpio-2.9-dir_perm.patch and
+ cpio-2.9-sys_umask.patch - reported by M.Castellini
+
+* Tue May 15 2012 Ondrej Vasik 2.11-7
+- add virtual provides for bundled(gnulib) copylib (#821749)
+
+* Thu Jan 12 2012 Fedora Release Engineering - 2.11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Oct 14 2011 Ondrej Vasik 2.11-5
+- update manpage to reflect new option, polish the style (#746209)
+
+* Mon Mar 07 2011 Ondrej Vasik 2.11-4
+- fix several typos and manpage syntax(Ville Skyttä, #682470)
+
+* Tue Feb 08 2011 Fedora Release Engineering - 2.11-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon May 31 2010 Ondrej Vasik 2.11-2
+- built with fno-strict-aliasing(#596153)
+
+* Thu Mar 11 2010 Ondrej Vasik 2.11-1
+- new upstream release 2.11
+- removed applied patches, run test suite
+
+* Wed Mar 10 2010 Ondrej Vasik 2.10-6
+- CVE-2010-0624 fix heap-based buffer overflow by expanding
+ a specially-crafted archive(#572150)
+- comment patches
+
+* Thu Feb 25 2010 Ondrej Vasik 2.10-5
+- remove redundant setLocale patch
+- fix segfault with nonexisting file with patternnames
+ (#567022)
+
+* Wed Jan 06 2010 Ondrej Vasik 2.10-4
+- do not fail with new POSIX 2008 utimens() glibc call
+ (#552320)
+
+* Thu Aug 06 2009 Ondrej Vasik 2.10-3
+- do process install-info only without --excludedocs(#515924)
+
+* Fri Jul 24 2009 Fedora Release Engineering - 2.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 22 2009 Ondrej Vasik 2.10-1
+- new upstream release 2.10
+
+* Mon Mar 9 2009 Ondrej Vasik 2.9.90-5
+- define default remote shell as /usr/bin/ssh(#452904)
+- use /etc/rmt as default rmt command
+
+* Tue Feb 24 2009 Fedora Release Engineering - 2.9.90-4
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Feb 11 2009 Ondrej Vasik 2.9.90-3 +- make -d honor system umask(#484997) + +* Fri Jul 18 2008 Kamil Dudka 2.9.90-2 +- Support major/minor device numbers over 127 (bz#450109) + +* Tue Jun 03 2008 Ondrej Vasik 2.9.90-1 +- new upstream alpha version 2.9.90 + removed applied patches + +* Mon Mar 03 2008 Radek Brich 2.9-7 +- fix -dir_perm patch to restore permissions correctly even + in passthrough mode -- revert affected code to cpio 2.8 state + (bz#430835) + +* Thu Feb 14 2008 Radek Brich 2.9-6 +- when extracting archive created with 'find -depth', + restore the permissions of directories properly (bz#430835) +- fix for GCC 4.3 + +* Thu Nov 01 2007 Radek Brich 2.9-5 +- upstream patch for CVE-2007-4476 (stack crashing in safer_name_suffix) + +* Tue Sep 04 2007 Radek Brich 2.9-4 +- Updated license tag + +* Wed Aug 29 2007 Fedora Release Engineering - 2.9-3 +- Rebuild for selinux ppc32 issue. + +* Thu Jul 19 2007 Radek Brich 2.9-1.1 +- fix spec, rebuild + +* Thu Jul 19 2007 Radek Brich 2.9-1 +- update to 2.9, GPLv3 + +* Tue Feb 20 2007 Peter Vrabec 2.6-27 +- fix typo in changelog + +* Thu Feb 08 2007 Ruben Kerkhof 2.6-26 +- Preserve timestamps when installing files + +* Thu Feb 08 2007 Peter Vrabec 2.6-25 +- set cpio bindir properly + +* Wed Feb 07 2007 Peter Vrabec 2.6-24 +- fix spec file to meet Fedora standards (#225656) + +* Mon Jan 22 2007 Peter Vrabec 2.6-23 +- fix non-failsafe install-info use in scriptlets (#223682) + +* Sun Dec 10 2006 Peter Vrabec 2.6-22 +- fix rpmlint issue in spec file + +* Tue Dec 05 2006 Peter Vrabec 2.6-21 +- fix setlocale (#200478) + +* Sat Nov 25 2006 Peter Vrabec 2.6-20 +- cpio man page provided by RedHat + +* Tue Jul 18 2006 Peter Vrabec 2.6-19 +- fix cpio --help output (#197597) + +* Wed Jul 12 2006 Jesse Keating - 2.6-18.1 +- rebuild + +* Sat Jun 10 2006 Peter Vrabec 2.6-18 +- autoconf was added to BuildRequires, because autoheader is + used in prep phase (#194737) + +* 
Tue Mar 28 2006 Peter Vrabec 2.6-17
+- rebuild
+
+* Sat Mar 25 2006 Peter Vrabec 2.6-15
+- fix (#186339) on ppc and s390
+
+* Thu Mar 23 2006 Peter Vrabec 2.6-14
+- init struct file_hdr (#186339)
+
+* Wed Mar 15 2006 Peter Vrabec 2.6-13
+- merge toAsciiError.patch with writeOutHeaderBufferOverflow.patch
+- merge largeFileGrew.patch with lfs.patch
+- fix large file support, cpio is able to store files<8GB
+ in 'old ascii' format (-H odc option)
+- adjust warnings.patch
+
+* Tue Mar 14 2006 Peter Vrabec 2.6-12
+- fix warn_if_file_changed() and set exit code to #1 when
+ cpio fails to store file > 4GB (#183224)
+
+* Fri Feb 10 2006 Jesse Keating - 2.6-11.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 2.6-11.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Wed Nov 23 2005 Peter Vrabec 2.6-11
+- fix previous patch(writeOutHeaderBufferOverflow)
+
+* Wed Nov 23 2005 Peter Vrabec 2.6-10
+- write_out_header rewritten to fix buffer overflow(#172669)
+
+* Mon Oct 31 2005 Peter Vrabec 2.6-9
+- fix checksum error on 64-bit machines (#171649)
+
+* Fri Jul 01 2005 Peter Vrabec 2.6-8
+- fix large file support, archive >4GiB, archive members <4GiB (#160056)
+- fix race condition holes, use mode 0700 for dir creation
+
+* Tue May 17 2005 Peter Vrabec 2.6-7
+- fix #156314 (CAN-2005-1229) cpio directory traversal issue
+- fix some gcc warnings
+
+* Mon Apr 25 2005 Peter Vrabec 2.6-6
+- fix race condition (#155749)
+- use find_lang macro
+
+* Thu Mar 17 2005 Peter Vrabec
+- rebuild 2.6-5
+
+* Mon Jan 24 2005 Peter Vrabec
+- insecure file creation (#145721)
+
+* Mon Jan 17 2005 Peter Vrabec
+- fix symlinks pack (#145225)
+
+* Fri Jan 14 2005 Peter Vrabec
+- new fixed version of lfs patch (#144688)
+
+* Thu Jan 13 2005 Peter Vrabec
+- upgrade to cpio-2.6
+
+* Tue Nov 09 2004 Peter Vrabec
+- fixed "cpio -oH ustar (or tar) saves bad mtime date after Jan 10 2004" (#114580)
+
+* Mon Nov 01 2004
Peter Vrabec
+- support large files > 2GB (#105617)
+
+* Thu Oct 21 2004 Peter Vrabec
+- fix dependencies in spec
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Tue Sep 23 2003 Florian La Roche
+- do not link against -lnsl
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Fri Feb 14 2003 Jeff Johnson 2.5-3
+- setlocale for i18n compliance (#79136).
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Mon Nov 18 2002 Jeff Johnson 2.5-1
+- update 2.5, restack and consolidate patches.
+- don't apply (but include for now) freebsd and #56346 patches.
+- add url (#54598).
+
+* Thu Nov 7 2002 Jeff Johnson 2.4.2-30
+- rebuild from CVS.
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers
+- automated rebuild
+
+* Wed Jan 09 2002 Tim Powers
+- automated rebuild
+
+* Thu Nov 22 2001 Bernhard Rosenkraenzer 2.4.2-25
+- Fix up extraction of multiply linked files when the first link is
+ excluded (Bug #56346)
+
+* Mon Oct 1 2001 Bernhard Rosenkraenzer 2.4.2-24
+- Merge and adapt patches from FreeBSD, this should fix FIFO handling
+
+* Tue Jun 26 2001 Bernhard Rosenkraenzer
+- Add and adapt Debian patch (pl36), fixes #45285 and a couple of other issues
+
+* Sun Jun 24 2001 Elliot Lee
+- Bump release + rebuild.
+
+* Tue Aug 8 2000 Jeff Johnson
+- update man page with decription of -c behavior (#10581).
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Thu Jun 29 2000 Preston Brown
+- patch from HJ Lu for better error codes upon exit
+
+* Mon Jun 5 2000 Jeff Johnson
+- FHS packaging.
+
+* Wed Feb 9 2000 Jeff Johnson
+- missing defattr.
+
+* Mon Feb 7 2000 Bill Nottingham
+- handle compressed manpages
+
+* Fri Dec 17 1999 Jeff Johnson
+- revert the stdout patch (#3358), restoring original GNU cpio behavior
+ (#6376, #7538), the patch was dumb.
+
+* Tue Aug 31 1999 Jeff Johnson
+- fix infinite loop unpacking empty files with hard links (#4208).
+- stdout should contain progress information (#3358).
+
+* Sun Mar 21 1999 Crstian Gafton
+- auto rebuild in the new build environment (release 12)
+
+* Sat Dec 5 1998 Jeff Johnson
+- longlong dev wrong with "-o -H odc" headers (formerly "-oc").
+
+* Thu Dec 03 1998 Cristian Gafton
+- patch to compile on glibc 2.1, where strdup is a macro
+
+* Tue Jul 14 1998 Jeff Johnson
+- Fiddle bindir/libexecdir to get RH install correct.
+- Don't include /sbin/rmt -- use the rmt from dump package.
+- Don't include /bin/mt -- use the mt from mt-st package.
+- Add prereq's
+
+* Tue Jun 30 1998 Jeff Johnson
+- fix '-c' to duplicate svr4 behavior (problem #438)
+- install support programs & info pages
+
+* Mon Apr 27 1998 Prospector System
+- translations modified for de, fr, tr
+
+* Fri Oct 17 1997 Donnie Barnes
+- added BuildRoot
+- removed "(used by RPM)" comment in Summary
+
+* Thu Jun 19 1997 Erik Troan
+- built against glibc
+- no longer statically linked as RPM doesn't use cpio for unpacking packages