[PATCH] gnu: tar: Update to 1.30.

Alex Vong wrote on 1 Feb 2018 07:55

Recipients:(address . guix-patches@gnu.org)

Message-ID:87a7wsaen4.fsf@gmail.com

Hello,

This patch updates tar to its latest version for core-updates. I add a

2016 copyright header because I forgot to add it in 20be64dcf.

From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 1 Feb 2018 23:03:55 +0800
Subject: [PATCH] gnu: tar: Update to 1.30.

* gnu/packages/base.scm (tar): Update to 1.30.
[source]: Remove 'tar-CVE-2016-6321.patch'.
* gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
---
 gnu/local.mk                                 |  1 -
 gnu/packages/base.scm                        |  8 ++---
 gnu/packages/patches/tar-CVE-2016-6321.patch | 51 ----------------------------
 3 files changed, 4 insertions(+), 56 deletions(-)
 delete mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch

Toggle diff (103 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index 9df027a8d..7bddb4060 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1076,7 +1076,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+.patch		\
-  %D%/packages/patches/tar-CVE-2016-6321.patch			\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 92acbd364..faa5066cc 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2016, 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
@@ -166,16 +167,15 @@ implementation offers several extensions over the standard utility.")
 (define-public tar
   (package
    (name "tar")
-   (version "1.29")
+   (version "1.30")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/tar/tar-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-            (patches (search-patches "tar-CVE-2016-6321.patch"
-                                     "tar-skip-unreliable-tests.patch"))))
+              "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi"))
+            (patches (search-patches "tar-skip-unreliable-tests.patch"))))
    (build-system gnu-build-system)
    ;; Note: test suite requires ~1GiB of disk space.
    (arguments
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
deleted file mode 100644
index b79be9bc9..000000000
--- a/gnu/packages/patches/tar-CVE-2016-6321.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Fix CVE-2016-6321:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
-https://security-tracker.debian.org/tracker/CVE-2016-6321
-
-Patch adapted from upstream source repository (the changes to 'NEWS'
-don't apply to the Tar 1.29 release tarball).
-
-http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
-
-From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
-Date: Sat, 29 Oct 2016 21:04:40 -0700
-Subject: [PATCH] When extracting, skip ".." members
-
-* NEWS: Document this.
-* src/extract.c (extract_archive): Skip members whose names
-contain "..".
----
- NEWS          | 8 +++++++-
- src/extract.c | 8 ++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/extract.c b/src/extract.c
-index f982433..7904148 100644
---- a/src/extract.c
-+++ b/src/extract.c
-@@ -1629,12 +1629,20 @@ extract_archive (void)
- {
-   char typeflag;
-   tar_extractor_t fun;
-+  bool skip_dotdot_name;
- 
-   fatal_exit_hook = extract_finish;
- 
-   set_next_block_after (current_header);
- 
-+  skip_dotdot_name = (!absolute_names_option
-+		      && contains_dot_dot (current_stat_info.orig_file_name));
-+  if (skip_dotdot_name)
-+    ERROR ((0, 0, _("%s: Member name contains '..'"),
-+	    quotearg_colon (current_stat_info.orig_file_name)));
-+
-   if (!current_stat_info.file_name[0]
-+      || skip_dotdot_name
-       || (interactive_option
- 	  && !confirm ("extract", current_stat_info.file_name)))
-     {
--- 
-2.11.0
-
-- 
2.16.1

Cheers,

Alex

Leo Famulari wrote on 1 Feb 2018 13:15

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30319@debbugs.gnu.org)

Message-ID:20180201211555.GC15249@jasmine.lan

On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:

Toggle quote (16 lines)> Hello,
> 
> This patch updates tar to its latest version for core-updates. I add a
> 2016 copyright header because I forgot to add it in 20be64dcf.
> 

> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Thu, 1 Feb 2018 23:03:55 +0800
> Subject: [PATCH] gnu: tar: Update to 1.30.
> 
> * gnu/packages/base.scm (tar): Update to 1.30.
> [source]: Remove 'tar-CVE-2016-6321.patch'.
> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.

Since the whole distro depends on tar, and we are almost done with this

core-updates cycle, we'll need to save this for the next cycle.

I added the 2016 copyright statement in commit

537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.

Alex Vong wrote on 1 Feb 2018 15:24

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 30319@debbugs.gnu.org)

Message-ID:87zi4s1eg9.fsf@gmail.com

Leo Famulari <leo@famulari.name> writes:

Toggle quote (20 lines)> On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:
>> Hello,
>> 
>> This patch updates tar to its latest version for core-updates. I add a
>> 2016 copyright header because I forgot to add it in 20be64dcf.
>> 
>
>> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Thu, 1 Feb 2018 23:03:55 +0800
>> Subject: [PATCH] gnu: tar: Update to 1.30.
>> 
>> * gnu/packages/base.scm (tar): Update to 1.30.
>> [source]: Remove 'tar-CVE-2016-6321.patch'.
>> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
>> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
>
> Since the whole distro depends on tar, and we are almost done with this
> core-updates cycle, we'll need to save this for the next cycle.
>

I see, I don't know about this.

Toggle quote (3 lines)

> I added the 2016 copyright statement in commit

> 537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.

Thanks for taking care of it!

Ludovic Courtès wrote on 26 Feb 2018 10:05

control message for bug #30319

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87lgfftynl.fsf@gnu.org

tags 30319 fixed

close 30319

Your comment

This issue is archived.

To comment on this conversation send an email to 30319@patchwise.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 30319

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date