diff --git a/pkgs/tools/archivers/cpio/CVE-2015-1197-cpio-2.12.patch b/pkgs/tools/archivers/cpio/CVE-2015-1197-cpio-2.12.patch new file mode 100644 index 00000000000..7d05063ef13 --- /dev/null +++ b/pkgs/tools/archivers/cpio/CVE-2015-1197-cpio-2.12.patch @@ -0,0 +1,149 @@ +Original: https://marc.info/?l=oss-security&m=142289947619786&w=2 + +Re-applied to 2.12 by Tobias Geerinckx-Rice + - any bugs are (probably) mine. + +diff -Naur cpio-2.12a/doc/cpio.1 cpio-2.12b/doc/cpio.1 +--- cpio-2.12a/doc/cpio.1 2015-09-12 12:57:30.000000000 +0200 ++++ cpio-2.12b/doc/cpio.1 2015-09-18 05:35:48.158146735 +0200 +@@ -29,6 +29,7 @@ + [\fB\-\-block\-size=\fIblocks\fR] [\fB\-\-dereference\fR] + [\fB\-\-io\-size=\fIBYTES\fR] [\fB\-\-quiet\fR] + [\fB\-\-force\-local\fR] [\fB\-\-rsh\-command=\fICOMMAND\fR] ++[\fB\-\-extract\-over\-symlinks] + \fB<\fR \fIname-list\fR [\fB>\fR \fIarchive\fR] + + .B cpio +diff -Naur cpio-2.12a/src/copyin.c cpio-2.12b/src/copyin.c +--- cpio-2.12a/src/copyin.c 2015-09-12 12:57:30.000000000 +0200 ++++ cpio-2.12b/src/copyin.c 2015-09-18 05:31:22.088544481 +0200 +@@ -695,6 +695,50 @@ + free (link_name); + } + ++static int ++path_contains_symlink(char *path) ++{ ++ struct stat st; ++ char *slash; ++ char *nextslash; ++ ++ /* we got NULL pointer or empty string */ ++ if (!path || !*path) { ++ return false; ++ } ++ ++ slash = path; ++ ++ while ((nextslash = strchr(slash + 1, '/')) != NULL) { ++ slash = nextslash; ++ *slash = '\0'; ++ ++ if (lstat(path, &st) != 0) { ++ if (errno == ELOOP) { ++ /* ELOOP - too many symlinks */ ++ *slash = '/'; ++ return true; ++ } else if (errno == ENOMEM) { ++ /* No memory for lstat - terminate */ ++ xalloc_die(); ++ } else { ++ /* cannot lstat path - give up */ ++ *slash = '/'; ++ return false; ++ } ++ } ++ ++ if (S_ISLNK(st.st_mode)) { ++ *slash = '/'; ++ return true; ++ } ++ ++ *slash = '/'; ++ } ++ ++ return false; ++} ++ + static void + copyin_file (struct cpio_file_stat *file_hdr, int in_file_des) + { +@@ -1468,6 +1512,23 @@ + { + /* Copy the input file into the directory structure. */ + ++ /* Can we write files over symlinks? */ ++ if (!extract_over_symlinks) ++ { ++ if (path_contains_symlink(file_hdr.c_name)) ++ { ++ /* skip the file */ ++ /* ++ fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name); ++ tape_toss_input (in_file_des, file_hdr.c_filesize); ++ tape_skip_padding (in_file_des, file_hdr.c_filesize); ++ continue; ++ */ ++ /* terminate */ ++ error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name); ++ } ++ } ++ + /* Do we need to rename the file? */ + if (rename_flag || rename_batch_file) + { +diff -Naur cpio-2.12a/src/extern.h cpio-2.12b/src/extern.h +--- cpio-2.12a/src/extern.h 2015-09-12 12:57:30.000000000 +0200 ++++ cpio-2.12b/src/extern.h 2015-09-18 05:34:45.208241420 +0200 +@@ -96,6 +96,7 @@ + extern char output_is_special; + extern char input_is_seekable; + extern char output_is_seekable; ++extern bool extract_over_symlinks; + extern int (*xstat) (); + extern void (*copy_function) (); + extern char *change_directory_option; +diff -Naur cpio-2.12a/src/global.c cpio-2.12b/src/global.c +--- cpio-2.12a/src/global.c 2015-09-12 12:57:30.000000000 +0200 ++++ cpio-2.12b/src/global.c 2015-09-18 05:32:00.598487355 +0200 +@@ -187,6 +187,9 @@ + /* The name this program was run with. */ + char *program_name; + ++/* Extract files over symbolic links */ ++bool extract_over_symlinks; ++ + /* A pointer to either lstat or stat, depending on whether + dereferencing of symlinks is done for input files. */ + int (*xstat) (); +diff -Naur cpio-2.12a/src/main.c cpio-2.12b/src/main.c +--- cpio-2.12a/src/main.c 2015-09-12 12:57:30.000000000 +0200 ++++ cpio-2.12b/src/main.c 2015-09-18 05:34:20.018279218 +0200 +@@ -59,6 +59,7 @@ + DEBUG_OPTION, + BLOCK_SIZE_OPTION, + TO_STDOUT_OPTION, ++ EXTRACT_OVER_SYMLINKS, + RENUMBER_INODES_OPTION, + IGNORE_DEVNO_OPTION, + DEVICE_INDEPENDENT_OPTION +@@ -243,6 +244,8 @@ + N_("Create leading directories where needed"), GRID+1 }, + {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0, + N_("Do not change the ownership of the files"), GRID+1 }, ++ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0, ++ N_("Force writing over symbolic links"), GRID+1 }, + {"unconditional", 'u', NULL, 0, + N_("Replace all files unconditionally"), GRID+1 }, + {"sparse", SPARSE_OPTION, NULL, 0, +@@ -432,6 +435,10 @@ + no_chown_flag = true; + break; + ++ case EXTRACT_OVER_SYMLINKS: /* --extract-over-symlinks */ ++ extract_over_symlinks = true; ++ break; ++ + case 'o': /* Copy-out mode. */ + if (copy_function != 0) + USAGE_ERROR ((0, 0, _("Mode already defined"))); diff --git a/pkgs/tools/archivers/cpio/darwin-fix.patch b/pkgs/tools/archivers/cpio/darwin-fix.patch deleted file mode 100644 index 0e8ff168c52..00000000000 --- a/pkgs/tools/archivers/cpio/darwin-fix.patch +++ /dev/null @@ -1,15 +0,0 @@ -Fix Darwin builds. - -From . -See also . - -diff --git a/src/filetypes.h b/src/filetypes.h -index f80faab..81f0c32 100644 ---- a/src/filetypes.h -+++ b/src/filetypes.h -@@ -81,5 +81,3 @@ - #ifndef S_ISLNK - #define lstat stat - #endif --int lstat (); --int stat (); diff --git a/pkgs/tools/archivers/cpio/default.nix b/pkgs/tools/archivers/cpio/default.nix index f2207b58849..095b3086ff3 100644 --- a/pkgs/tools/archivers/cpio/default.nix +++ b/pkgs/tools/archivers/cpio/default.nix @@ -1,36 +1,24 @@ { stdenv, fetchurl, fetchpatch }: -stdenv.mkDerivation { - name = "cpio-2.11"; +let + version = "2.12"; + name = "cpio-${version}"; +in stdenv.mkDerivation { + inherit name; src = fetchurl { - url = mirror://gnu/cpio/cpio-2.11.tar.bz2; - sha256 = "bb820bfd96e74fc6ce43104f06fe733178517e7f5d1cdee553773e8eff7d5bbd"; + url = "mirror://gnu/cpio/${name}.tar.bz2"; + sha256 = "0vi9q475h1rki53100zml75vxsykzyhrn70hidy41s5c2rc8r6bh"; }; - patches = [ - ./no-gets.patch - (fetchpatch { - name = "CVE-2014-9112.diff"; - url = "http://pkgs.fedoraproject.org/cgit/cpio.git/plain/cpio-2.11" - + "-CVE-2014-9112.patch?h=f21&id=b475b4d6f31c95e073edc95c742a33a39ef4ec95"; - sha256 = "0c9yrysvpwbmiq7ph84dk6mv46hddiyvkgya1zsmj76n9ypb1b4i"; - }) - ] ++ stdenv.lib.optional stdenv.isDarwin ./darwin-fix.patch; - - postPatch = let pp = - fetchpatch { - name = "CVE-2015-1197.diff"; - url = "https://marc.info/?l=oss-security&m=142289947619786&w=2"; - sha256 = "0fr95bj416zfljv40fl1sh50059d18wdmfgaq8ad2fqi5cnbk859"; - }; - # one "<" and one "&" sign get mangled in the patch - in "cat ${pp} | sed 's/</,,' '' else null; + enableParallelBuilding = true; + meta = { homepage = http://www.gnu.org/software/cpio/; description = "A program to create or extract from cpio archives"; diff --git a/pkgs/tools/archivers/cpio/no-gets.patch b/pkgs/tools/archivers/cpio/no-gets.patch deleted file mode 100644 index f7a9be324df..00000000000 --- a/pkgs/tools/archivers/cpio/no-gets.patch +++ /dev/null @@ -1,24 +0,0 @@ -https://bugs.gentoo.org/424974 - -hack until gzip pulls a newer gnulib version - -From 66712c23388e93e5c518ebc8515140fa0c807348 Mon Sep 17 00:00:00 2001 -From: Eric Blake -Date: Thu, 29 Mar 2012 13:30:41 -0600 -Subject: [PATCH] stdio: don't assume gets any more - -Gnulib intentionally does not have a gets module, and now that C11 -and glibc have dropped it, we should be more proactive about warning -any user on a platform that still has a declaration of this dangerous -interface. - ---- a/gnu/stdio.in.h -+++ b/gnu/stdio.in.h -@@ -125,7 +125,6 @@ - so any use of gets warrants an unconditional warning. Assume it is - always declared, since it is required by C89. */ - #undef gets --_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead"); - - #if @GNULIB_FOPEN@ - # if @REPLACE_FOPEN@