Diffstat (limited to 'app-arch/xz-utils')
-rw-r--r--app-arch/xz-utils/Manifest7
-rw-r--r--app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch88
-rw-r--r--app-arch/xz-utils/xz-utils-5.2.5-r1.ebuild45
-rw-r--r--app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild118
-rw-r--r--app-arch/xz-utils/xz-utils-9999.ebuild48
5 files changed, 278 insertions, 28 deletions
diff --git a/app-arch/xz-utils/Manifest b/app-arch/xz-utils/Manifest
index f158fe61146e..e53e8c5ea3cf 100644
--- a/app-arch/xz-utils/Manifest
+++ b/app-arch/xz-utils/Manifest
@@ -1,4 +1,7 @@
+AUX xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch 3383 BLAKE2B c244f412f6d2bea84c5ef41b9f08d0f7be73cb9af1097e58169c9d9061b8eeff274903fbbc4b4639d06344bf9691f0d289671c4d07a4c5073efe9bc536e31a5a SHA512 97ba1bbe9fec7602d77e53961b94691d6551813ed9de5b6fde71f3724205848d2865c6085ace75b7df963d43b99c55c539547f028dd8d86da911aaa2b6a433cd
DIST xz-5.2.5.tar.gz 1791345 BLAKE2B aded57324e129572c41646b3cc3b0b59a459452d9338d9245663b63dac2a463fb1f1b2b1d2d4ad3c09cb71fb8439df52cd94f24db99e782fc899b94a288a3043 SHA512 7443674247deda2935220fbc4dfc7665e5bb5a260be8ad858c8bd7d7b9f0f868f04ea45e62eb17c0a5e6a2de7c7500ad2d201e2d668c48ca29bd9eea5a73a3ce
-EBUILD xz-utils-5.2.5-r1.ebuild 2660 BLAKE2B 5fc3dd2d38beccbc29717e9c1d3b142e5182088863ad72518ecf721b0313b5b6a7344c32351c5042fd0d1a3a8699521f6baff98be277c0bb8c5fd748ead28090 SHA512 9411d78194f2964bf7d299645a1e0d43a377bb5dcb5e61d316fb45e71234ddfbb835a3bd351f50e19b34b303a84411cd94eb3e8d5bf9526e1be019c337fbf03d
-EBUILD xz-utils-9999.ebuild 2668 BLAKE2B f9ede09dc4650c384799272ea7666e67ad4585c72695f75ab6006dcb4976e10517539f07c5fac12bded5da360dc52154515eb3c647a93a52daedee686245066e SHA512 7d004c0c34b3d9ea7b1ec7f68c367a55015ff6f7de9cc4b10a3cec7b79f835962928b1a137a8e74e0fd52d14f79e088df66288603c52c4ba3f8d88a5e3c128be
+DIST xz-5.2.5.tar.gz.sig 566 BLAKE2B 8b40d8d7913eaebe2595ea41a735d972d1969d8b58f42b2bee6591b51e2e626473fc85d64f1bbbff3cba6b0e1b4423556d6ddaf16f646ccc18ba1bad5cf45d83 SHA512 3aa21484bef0282ed0b83e3fcd5cf3d87bf51fa68e24d55bb11f91bc96f0ac29f468949bc4c8cc20fbd6ad12f5735686fe09ee42efe2b8d728010da9668aa5a9
+EBUILD xz-utils-5.2.5-r1.ebuild 2913 BLAKE2B 077e7ad7023d3aa9e10dcea19501ee8b98fab6a0546bf4d0f36f70fb619d966ae5a5c4c434b5fe7f423d85830d0304a28886315ff6c2281a4a20ff70a8e6b104 SHA512 b38722baf5c93b5a0969b6c7a8aded1593569a435aaf424670328dace1b63116a78c5377a5286e3e17123f5aff55b02eb6d38150ae77f1faf5c1985ee3797890
+EBUILD xz-utils-5.2.5-r2.ebuild 2973 BLAKE2B ec6a2e8aae9b9ae9f5d3575f7b84e1916eb87a2853fb1f72155408cc2645bd1ff16cf9c8548eba588f9a87afd7b4c57fe72cbce6a4f00827540c32610359bd68 SHA512 d1b11fda1b657996c2b770c6fb733f3ba4b64bc75227155e4171f9505d72652e6fb814d78b1718629a3d0c37bdd596007befa5dce5f62f82f397806def79fcab
+EBUILD xz-utils-9999.ebuild 2956 BLAKE2B 4f4253e58bde435729d911dfd7b1460f33eaf638e33562852bd69f5dc5db3c6aa04e7ffa5c3890010917300be6f95f3cd0c2f212a1d4031b1daf9776233da83c SHA512 de44465c0cfca619887dc2f4284fc235d22ef82a7034f7fc116b2e050e595314ce3f47bea32f3ba013752e6605891d3c782fcf01a31a02f35c315b46b5c46a2b
MISC metadata.xml 539 BLAKE2B 57809a0b57c640a42eca00c3cfbec8a549647b82afc6229b904c769b94b3ee109610d412af69cefe6b86c7cce9a7c363cf376bb87c19b5cee96b45bdd980cddc SHA512 5b86a0f7c76d5b33f32e5db91dafe675dc01399659c5304fafd77adf83b403c936019afadeed1f075834bbb31169d60c87c9d9e69783e7c7a720890f512172a7
diff --git a/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch b/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch
new file mode 100644
index 000000000000..7293a982c269
--- /dev/null
+++ b/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch
@@ -0,0 +1,88 @@
+https://bugs.gentoo.org/837155
+https://git.tukaani.org/?p=xz.git;a=commitdiff;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6;hp=bd93b776c1bd15e90661033c918cdeb354dbcc38
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Tue, 29 Mar 2022 19:19:12 +0300
+Subject: [PATCH 1/1] xzgrep: Fix escaping of malicious filenames
+ (ZDI-CAN-16587).
+
+Malicious filenames can make xzgrep to write to arbitrary files
+or (with a GNU sed extension) lead to arbitrary code execution.
+
+xzgrep from XZ Utils versions up to and including 5.2.5 are
+affected. 5.3.1alpha and 5.3.2alpha are affected as well.
+This patch works for all of them.
+
+This bug was inherited from gzip's zgrep. gzip 1.12 includes
+a fix for zgrep.
+
+The issue with the old sed script is that with multiple newlines,
+the N-command will read the second line of input, then the
+s-commands will be skipped because it's not the end of the
+file yet, then a new sed cycle starts and the pattern space
+is printed and emptied. So only the last line or two get escaped.
+
+One way to fix this would be to read all lines into the pattern
+space first. However, the included fix is even simpler: All lines
+except the last line get a backslash appended at the end. To ensure
+that shell command substitution doesn't eat a possible trailing
+newline, a colon is appended to the filename before escaping.
+The colon is later used to separate the filename from the grep
+output so it is fine to add it here instead of a few lines later.
+
+The old code also wasn't POSIX compliant as it used \n in the
+replacement section of the s-command. Using \<newline> is the
+POSIX compatible method.
+
+LC_ALL=C was added to the two critical sed commands. POSIX sed
+manual recommends it when using sed to manipulate pathnames
+because in other locales invalid multibyte sequences might
+cause issues with some sed implementations. In case of GNU sed,
+these particular sed scripts wouldn't have such problems but some
+other scripts could have, see:
+
+ info '(sed)Locale Considerations'
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Thanks to Jim Meyering and Paul Eggert discussing the different
+ways to fix this and for coordinating the patch release schedule
+with gzip.
+--- a/src/scripts/xzgrep.in
++++ b/src/scripts/xzgrep.in
+@@ -180,22 +180,26 @@ for i; do
+ { test $# -eq 1 || test $no_filename -eq 1; }; then
+ eval "$grep"
+ else
++ # Append a colon so that the last character will never be a newline
++ # which would otherwise get lost in shell command substitution.
++ i="$i:"
++
++ # Escape & \ | and newlines only if such characters are present
++ # (speed optimization).
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
+- ');;
++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
+ esac
+- sed_script="s|^|$i:|"
++
++ # $i already ends with a colon so don't add it here.
++ sed_script="s|^|$i|"
+
+ # Fail if grep or sed fails.
+ r=$(
+ exec 4>&1
+- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
++ (eval "$grep" 4>&-; echo $? >&4) 3>&- |
++ LC_ALL=C sed "$sed_script" >&3 4>&-
+ ) || r=2
+ exit $r
+ fi >&3 5>&-
diff --git a/app-arch/xz-utils/xz-utils-5.2.5-r1.ebuild b/app-arch/xz-utils/xz-utils-5.2.5-r1.ebuild
index 7a24ca8fbd0d..bfc58200630a 100644
--- a/app-arch/xz-utils/xz-utils-5.2.5-r1.ebuild
+++ b/app-arch/xz-utils/xz-utils-5.2.5-r1.ebuild
@@ -8,20 +8,27 @@ EAPI=7
inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-if [[ ${PV} == "9999" ]] ; then
+if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://git.tukaani.org/xz.git"
inherit git-r3 autotools
- SRC_URI=""
- BDEPEND="sys-devel/gettext dev-vcs/cvs >=sys-devel/libtool-2" #272880 286068
+
+ # bug #272880 and bug #286068
+ BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
else
+ VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc
+ inherit verify-sig
+
MY_P="${PN/-utils}-${PV/_}"
SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz"
- [[ "${PV}" == *_alpha* ]] || [[ "${PV}" == *_beta* ]] || \
- KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+ SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )"
+
+ if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+ fi
S="${WORKDIR}/${MY_P}"
fi
-DESCRIPTION="utils for managing LZMA compressed files"
+DESCRIPTION="Utils for managing LZMA compressed files"
HOMEPAGE="https://tukaani.org/xz/"
# See top-level COPYING file as it outlines the various pieces and their licenses.
@@ -33,17 +40,20 @@ RDEPEND="!<app-arch/lzma-4.63
!<app-arch/p7zip-4.57
!<app-i18n/man-pages-de-2.16"
DEPEND="${RDEPEND}"
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
# Tests currently do not account for smaller feature set
RESTRICT="!extra-filters? ( test )"
src_prepare() {
default
- if [[ ${PV} == "9999" ]] ; then
+
+ if [[ ${PV} == 9999 ]] ; then
eautopoint
eautoreconf
else
- elibtoolize # to allow building shared libs on Solaris/x64
+ # Allow building shared libs on Solaris/x64
+ elibtoolize
fi
}
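Review bot: The new `BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"` at the top of this hunk is assigned unconditionally, so it overwrites the gettext/libtool `BDEPEND` set in the `PV == 9999` branch earlier in the file, whereas the sibling xz-utils-9999.ebuild in this same commit wraps the identical assignment in `if [[ ${PV} != 9999 ]] ; then … fi`. In this versioned ebuild `${PV}` is never 9999, so the result is the same today, but the three files now disagree on a line that is otherwise kept in sync, and the new xz-utils-5.2.5-r2.ebuild copies the unguarded form. Either mirror the guard here and in -r2, `if [[ ${PV} != 9999 ]] ; then BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"; fi`, or drop the dead 9999 branches from the versioned ebuilds so the live-ebuild logic has one home.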
@@ -53,24 +63,32 @@ multilib_src_configure() {
$(use_enable nls)
$(use_enable static-libs static)
)
- multilib_is_native_abi ||
- myconf+=( --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts} )
- if ! use extra-filters; then
+
+ if ! multilib_is_native_abi ; then
+ myconf+=(
+ --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+ )
+ fi
+
+ if ! use extra-filters ; then
myconf+=(
# LZMA1 + LZMA2 for standard .lzma & .xz files
--enable-encoders=lzma1,lzma2
--enable-decoders=lzma1,lzma2
+
# those are used by default, depending on preset
--enable-match-finders=hc3,hc4,bt4
+
# CRC64 is used by default, though some (old?) files use CRC32
--enable-checks=crc32,crc64
)
fi
if [[ ${CHOST} == *-solaris* ]] ; then
- # undo Solaris-based defaults pointing to /usr/xpg5/bin
+ export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+ # Undo Solaris-based defaults pointing to /usr/xpg5/bin
myconf+=( --disable-path-for-script )
- export gl_cv_posix_shell=${EPREFIX}/bin/sh
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
@@ -78,6 +96,7 @@ multilib_src_configure() {
multilib_src_install() {
default
+
gen_usr_ldscript -a lzma
}
diff --git a/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild b/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild
new file mode 100644
index 000000000000..b4c00cf4b51d
--- /dev/null
+++ b/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild
@@ -0,0 +1,118 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Remember: we cannot leverage autotools in this ebuild in order
+# to avoid circular deps with autotools
+
+EAPI=7
+
+inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
+
+if [[ ${PV} == 9999 ]] ; then
+ EGIT_REPO_URI="https://git.tukaani.org/xz.git"
+ inherit git-r3 autotools
+
+ # bug #272880 and bug #286068
+ BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc
+ inherit verify-sig
+
+ MY_P="${PN/-utils}-${PV/_}"
+ SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz"
+ SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )"
+
+ if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+ fi
+ S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Utils for managing LZMA compressed files"
+HOMEPAGE="https://tukaani.org/xz/"
+
+# See top-level COPYING file as it outlines the various pieces and their licenses.
+LICENSE="public-domain LGPL-2.1+ GPL-2+"
+SLOT="0"
+IUSE="+extra-filters nls static-libs"
+
+RDEPEND="!<app-arch/lzma-4.63
+ !<app-arch/p7zip-4.57
+ !<app-i18n/man-pages-de-2.16"
+DEPEND="${RDEPEND}"
+BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
+
+# Tests currently do not account for smaller feature set
+RESTRICT="!extra-filters? ( test )"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-xzgrep-ZDI-CAN-16587.patch
+)
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == 9999 ]] ; then
+ eautopoint
+ eautoreconf
+ else
+ # Allow building shared libs on Solaris/x64
+ elibtoolize
+ fi
+}
+
+multilib_src_configure() {
+ local myconf=(
+ --enable-threads
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ )
+
+ if ! multilib_is_native_abi ; then
+ myconf+=(
+ --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+ )
+ fi
+
+ if ! use extra-filters ; then
+ myconf+=(
+ # LZMA1 + LZMA2 for standard .lzma & .xz files
+ --enable-encoders=lzma1,lzma2
+ --enable-decoders=lzma1,lzma2
+
+ # those are used by default, depending on preset
+ --enable-match-finders=hc3,hc4,bt4
+
+ # CRC64 is used by default, though some (old?) files use CRC32
+ --enable-checks=crc32,crc64
+ )
+ fi
+
+ if [[ ${CHOST} == *-solaris* ]] ; then
+ export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+ # Undo Solaris-based defaults pointing to /usr/xpg5/bin
+ myconf+=( --disable-path-for-script )
+ fi
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+}
+
+multilib_src_install() {
+ default
+
+ gen_usr_ldscript -a lzma
+}
+
+multilib_src_install_all() {
+ find "${ED}" -type f -name '*.la' -delete || die
+ rm "${ED}"/usr/share/doc/${PF}/COPYING* || die
+}
+
+pkg_preinst() {
+ preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
+
+pkg_postinst() {
+ preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0)
+}
diff --git a/app-arch/xz-utils/xz-utils-9999.ebuild b/app-arch/xz-utils/xz-utils-9999.ebuild
index 0b2c2d879fb8..0397c369c1bb 100644
--- a/app-arch/xz-utils/xz-utils-9999.ebuild
+++ b/app-arch/xz-utils/xz-utils-9999.ebuild
@@ -8,20 +8,27 @@ EAPI=7
inherit libtool multilib multilib-minimal preserve-libs usr-ldscript
-if [[ ${PV} == "9999" ]] ; then
+if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://git.tukaani.org/xz.git"
inherit git-r3 autotools
- SRC_URI=""
- BDEPEND="sys-devel/gettext dev-vcs/cvs >=sys-devel/libtool-2" #272880 286068
+
+ # bug #272880 and bug #286068
+ BDEPEND="sys-devel/gettext >=sys-devel/libtool-2"
else
+ VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc
+ inherit verify-sig
+
MY_P="${PN/-utils}-${PV/_}"
SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz"
- [[ "${PV}" == *_alpha* ]] || [[ "${PV}" == *_beta* ]] || \
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+ SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )"
+
+ if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+ fi
S="${WORKDIR}/${MY_P}"
fi
-DESCRIPTION="utils for managing LZMA compressed files"
+DESCRIPTION="Utils for managing LZMA compressed files"
HOMEPAGE="https://tukaani.org/xz/"
# See top-level COPYING file as it outlines the various pieces and their licenses.
@@ -34,16 +41,22 @@ RDEPEND="!<app-arch/lzma-4.63
!<app-i18n/man-pages-de-2.16"
DEPEND="${RDEPEND}"
+if [[ ${PV} != 9999 ]] ; then
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )"
+fi
+
# Tests currently do not account for smaller feature set
RESTRICT="!extra-filters? ( test )"
src_prepare() {
default
- if [[ ${PV} == "9999" ]] ; then
+
+ if [[ ${PV} == 9999 ]] ; then
eautopoint
eautoreconf
else
- elibtoolize # to allow building shared libs on Solaris/x64
+ # Allow building shared libs on Solaris/x64
+ elibtoolize
fi
}
@@ -53,24 +66,32 @@ multilib_src_configure() {
$(use_enable nls)
$(use_enable static-libs static)
)
- multilib_is_native_abi ||
- myconf+=( --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts} )
- if ! use extra-filters; then
+
+ if ! multilib_is_native_abi ; then
+ myconf+=(
+ --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts}
+ )
+ fi
+
+ if ! use extra-filters ; then
myconf+=(
# LZMA1 + LZMA2 for standard .lzma & .xz files
--enable-encoders=lzma1,lzma2
--enable-decoders=lzma1,lzma2
+
# those are used by default, depending on preset
--enable-match-finders=hc3,hc4,bt4
+
# CRC64 is used by default, though some (old?) files use CRC32
--enable-checks=crc32,crc64
)
fi
if [[ ${CHOST} == *-solaris* ]] ; then
- # undo Solaris-based defaults pointing to /usr/xpg5/bin
+ export gl_cv_posix_shell="${EPREFIX}"/bin/sh
+
+ # Undo Solaris-based defaults pointing to /usr/xpg5/bin
myconf+=( --disable-path-for-script )
- export gl_cv_posix_shell=${EPREFIX}/bin/sh
fi
ECONF_SOURCE="${S}" econf "${myconf[@]}"
@@ -78,6 +99,7 @@ multilib_src_configure() {
multilib_src_install() {
default
+
gen_usr_ldscript -a lzma
}