[PATCH] gnu: tar: Update to 1.30.

  • Done
Details
3 participants
  • Alex Vong
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Alex Vong
Severity
normal


Alex Vong wrote on 1 Feb 2018 07:55
(address . guix-patches@gnu.org)
87a7wsaen4.fsf@gmail.com
Hello,

This patch updates tar to its latest version for core-updates. I add a
2016 copyright header because I forgot to add it in 20be64dcf.
From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 1 Feb 2018 23:03:55 +0800
Subject: [PATCH] gnu: tar: Update to 1.30.

* gnu/packages/base.scm (tar): Update to 1.30.
[source]: Remove 'tar-CVE-2016-6321.patch'.
* gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
---
gnu/local.mk | 1 -
gnu/packages/base.scm | 8 ++---
gnu/packages/patches/tar-CVE-2016-6321.patch | 51 ----------------------------
3 files changed, 4 insertions(+), 56 deletions(-)
delete mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9df027a8d..7bddb4060 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1076,7 +1076,6 @@ dist_patch_DATA = \
%D%/packages/patches/t1lib-CVE-2010-2642.patch \
%D%/packages/patches/t1lib-CVE-2011-0764.patch \
%D%/packages/patches/t1lib-CVE-2011-1552+.patch \
- %D%/packages/patches/tar-CVE-2016-6321.patch \
%D%/packages/patches/tar-skip-unreliable-tests.patch \
%D%/packages/patches/tclxml-3.2-install.patch \
%D%/packages/patches/tcsh-fix-autotest.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 92acbd364..faa5066cc 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -7,6 +7,7 @@
;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2016, 2018 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
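Review bot: the added 'Copyright © 2016, 2018 Alex Vong' line in the header of gnu/packages/base.scm folds an unrelated correction (the missing 2016 year) into the version bump, while the commit log entry for base.scm mentions only 'Update to 1.30'. Either split the 2016 addition into its own commit or list it in the log, so the history of the security-relevant change stays easy to audit.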
@@ -166,16 +167,15 @@ implementation offers several extensions over the standard utility.")
(define-public tar
(package
(name "tar")
- (version "1.29")
+ (version "1.30")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/tar/tar-"
version ".tar.xz"))
(sha256
(base32
- "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
- (patches (search-patches "tar-CVE-2016-6321.patch"
- "tar-skip-unreliable-tests.patch"))))
+ "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi"))
+ (patches (search-patches "tar-skip-unreliable-tests.patch"))))
(build-system gnu-build-system)
;; Note: test suite requires ~1GiB of disk space.
(arguments
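Review bot: the replacement base32 value under 'sha256' is what pins this package to one specific tar-1.30.tar.xz fetched from 'mirror://gnu/tar/', and the submission does not say how that value was derived. Please confirm the hash was computed from a tarball whose upstream signature was checked, and say so in the cover message; for a package the whole distribution builds on, a reviewer should be able to reproduce that step.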
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
deleted file mode 100644
index b79be9bc9..000000000
--- a/gnu/packages/patches/tar-CVE-2016-6321.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Fix CVE-2016-6321:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
-https://security-tracker.debian.org/tracker/CVE-2016-6321
-
-Patch adapted from upstream source repository (the changes to 'NEWS'
-don't apply to the Tar 1.29 release tarball).
-
-http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
-
-From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
-Date: Sat, 29 Oct 2016 21:04:40 -0700
-Subject: [PATCH] When extracting, skip ".." members
-
-* NEWS: Document this.
-* src/extract.c (extract_archive): Skip members whose names
-contain "..".
----
- NEWS | 8 +++++++-
- src/extract.c | 8 ++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/extract.c b/src/extract.c
-index f982433..7904148 100644
---- a/src/extract.c
-+++ b/src/extract.c
-@@ -1629,12 +1629,20 @@ extract_archive (void)
- {
- char typeflag;
- tar_extractor_t fun;
-+ bool skip_dotdot_name;
-
- fatal_exit_hook = extract_finish;
-
- set_next_block_after (current_header);
-
-+ skip_dotdot_name = (!absolute_names_option
-+ && contains_dot_dot (current_stat_info.orig_file_name));
-+ if (skip_dotdot_name)
-+ ERROR ((0, 0, _("%s: Member name contains '..'"),
-+ quotearg_colon (current_stat_info.orig_file_name)));
-+
- if (!current_stat_info.file_name[0]
-+ || skip_dotdot_name
- || (interactive_option
- && !confirm ("extract", current_stat_info.file_name)))
- {
---
-2.11.0
-
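Review bot: removing this file drops the 'skip_dotdot_name' check that the patch added to extract_archive in src/extract.c, so the deletion is correct only if the 1.30 sources already carry upstream commit 7340f67b9860ea0531c1450e5aa261c50f67165d, which neither the commit log nor the cover message states. Please verify that against the unpacked 1.30 tree and record it in the log, for example by extending the '[source]' entry to say that the CVE-2016-6321 fix is included upstream.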
--
2.16.1
Cheers,
Alex
Leo Famulari wrote on 1 Feb 2018 13:15
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 30319@debbugs.gnu.org)
20180201211555.GC15249@jasmine.lan
On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:
> Hello,
>
> This patch updates tar to its latest version for core-updates. I add a
> 2016 copyright header because I forgot to add it in 20be64dcf.
>

> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Thu, 1 Feb 2018 23:03:55 +0800
> Subject: [PATCH] gnu: tar: Update to 1.30.
>
> * gnu/packages/base.scm (tar): Update to 1.30.
> [source]: Remove 'tar-CVE-2016-6321.patch'.
> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.

Since the whole distro depends on tar, and we are almost done with this
core-updates cycle, we'll need to save this for the next cycle.

I added the 2016 copyright statement in commit
537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.


Alex Vong wrote on 1 Feb 2018 15:24
(name . Leo Famulari)(address . leo@famulari.name)(address . 30319@debbugs.gnu.org)
87zi4s1eg9.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:
>> Hello,
>>
>> This patch updates tar to its latest version for core-updates. I add a
>> 2016 copyright header because I forgot to add it in 20be64dcf.
>>
>
>> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Thu, 1 Feb 2018 23:03:55 +0800
>> Subject: [PATCH] gnu: tar: Update to 1.30.
>>
>> * gnu/packages/base.scm (tar): Update to 1.30.
>> [source]: Remove 'tar-CVE-2016-6321.patch'.
>> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
>> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
>
> Since the whole distro depends on tar, and we are almost done with this
> core-updates cycle, we'll need to save this for the next cycle.
>
I see, I don't know about this.

> I added the 2016 copyright statement in commit
> 537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.

Thanks for taking care of it!
Ludovic Courtès wrote on 26 Feb 2018 10:05
control message for bug #30319
(address . control@debbugs.gnu.org)
87lgfftynl.fsf@gnu.org
tags 30319 fixed
close 30319

This issue is archived.
