authorMike Frysinger <vapier@gentoo.org>2007-10-28 21:40:20 +0000
committerMike Frysinger <vapier@gentoo.org>2007-10-28 21:40:20 +0000
commitee72ad482098ad5effacb8d6b7d6f8a2b8baf602 (patch)
treeb10213f9904807524d8830e9ea8b18fc073a1e66 /app-arch/cpio
parentfix tgall's KEYWORDS breakage (diff)
Add fix for CVE-2007-4476 #196978.
Package-Manager: portage-2.1.3.16
Diffstat (limited to 'app-arch/cpio')
-rw-r--r--app-arch/cpio/ChangeLog8
-rw-r--r--app-arch/cpio/Manifest37
-rw-r--r--app-arch/cpio/cpio-2.9-r1.ebuild36
-rw-r--r--app-arch/cpio/files/cpio-2.9-CVE-2007-4476.patch90
-rw-r--r--app-arch/cpio/files/digest-cpio-2.9-r13
5 files changed, 165 insertions, 9 deletions
diff --git a/app-arch/cpio/ChangeLog b/app-arch/cpio/ChangeLog
index 946f7df179d0..1ea9998f8820 100644
--- a/app-arch/cpio/ChangeLog
+++ b/app-arch/cpio/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for app-arch/cpio
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/cpio/ChangeLog,v 1.81 2007/10/03 06:06:28 tgall Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/cpio/ChangeLog,v 1.82 2007/10/28 21:40:19 vapier Exp $
+
+*cpio-2.9-r1 (28 Oct 2007)
+
+ 28 Oct 2007; Mike Frysinger <vapier@gentoo.org>
+ +files/cpio-2.9-CVE-2007-4476.patch, +cpio-2.9-r1.ebuild:
+ Add fix for CVE-2007-4476 #196978.
02 Oct 2007; Tom Gall <tgall@gentoo.org> cpio-2.9.ebuild:
stable on ppc64
diff --git a/app-arch/cpio/Manifest b/app-arch/cpio/Manifest
index 8555a4ba6692..188f17ab5059 100644
--- a/app-arch/cpio/Manifest
+++ b/app-arch/cpio/Manifest
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
AUX cpio-2.7-copypass.patch 439 RMD160 099995b064adc56e194aa8515783da628a7937de SHA1 1bab5e3fd912b9e9a4d83eeb44563b26461c8465 SHA256 068a0d9e30641eebe9ab1d789b31b2d0214346f5f0b01364e3fb6cc09637cde3
MD5 e6bb7e6cda41fa5527b4992e696bc7a3 files/cpio-2.7-copypass.patch 439
RMD160 099995b064adc56e194aa8515783da628a7937de files/cpio-2.7-copypass.patch 439
@@ -6,6 +9,10 @@ AUX cpio-2.7-link-terminate.patch 542 RMD160 1b2bf69ec397c73a802527e34537252f306
MD5 51a98390e403e158256d8351e7e2a66e files/cpio-2.7-link-terminate.patch 542
RMD160 1b2bf69ec397c73a802527e34537252f306a8d76 files/cpio-2.7-link-terminate.patch 542
SHA256 3a868339b78d4bb66c7efb1d0bfdd70a5c5ecd48ac6a7ba2fe60097f308fccba files/cpio-2.7-link-terminate.patch 542
+AUX cpio-2.9-CVE-2007-4476.patch 2330 RMD160 88ba8d2103f9666f7886f6a39696ab47f46c8d5d SHA1 da29807e9ffb0dbb39e69eff44cc6ad44977764f SHA256 0c0a2fb1c1c02da04fd9b4d2ecb28087849611a2dfaeea821ba7fce0313c61f7
+MD5 86a4dcce33e568aee1225d9a47850251 files/cpio-2.9-CVE-2007-4476.patch 2330
+RMD160 88ba8d2103f9666f7886f6a39696ab47f46c8d5d files/cpio-2.9-CVE-2007-4476.patch 2330
+SHA256 0c0a2fb1c1c02da04fd9b4d2ecb28087849611a2dfaeea821ba7fce0313c61f7 files/cpio-2.9-CVE-2007-4476.patch 2330
DIST cpio-2.7.tar.bz2 698221 RMD160 0ae35717237133da5bba18376af0ec685ac67360 SHA1 ce1c8ab703d62fc1d30ca59e044ba9f43c3db574 SHA256 b59390450233b5298d210f6369e98d91d07b7f4261ddb962d654185dd02b5b0e
DIST cpio-2.8.tar.bz2 745180 RMD160 23d321a656eced97e9cd4cfc13b068fbc95ff900 SHA1 73517edeb77a8723c003b0b0dd1a5159411d0cdf SHA256 b0a12fabee60023a99e8dbd97a83b6c0e3846054cc6c24a33ab56db58db182f0
DIST cpio-2.9.tar.bz2 758195 RMD160 6fbd93755e266ad7ff9644cb7fe3c3e54d61ac44 SHA1 ef381d0f33f1ea74475b6d813c42a74327762c4a SHA256 bb9a5fa693a8f4ef4685eb447cea1dc5b787e37c302569928ef74df460724707
@@ -17,14 +24,18 @@ EBUILD cpio-2.8.ebuild 804 RMD160 295ad523964fe7fce42311cba0aa9e392b2d0af5 SHA1
MD5 2a70a49a0ddf3c2d9b78c7bb418e1c73 cpio-2.8.ebuild 804
RMD160 295ad523964fe7fce42311cba0aa9e392b2d0af5 cpio-2.8.ebuild 804
SHA256 1ca0633111001c8b39207ac5e031bba1fa7880ad327419fe673019d822031679 cpio-2.8.ebuild 804
-EBUILD cpio-2.9.ebuild 807 RMD160 ff825c1e4d35557e17c7b128d54224cf378f30c9 SHA1 00109e7be4ea35a17a25c725a55319c463abc319 SHA256 1c24d197787468df3e3ff11d4c516564351aca5e73d8602a66ff4289e3cdc3c0
-MD5 14a89b15b50c62286bda4906f7f9be6e cpio-2.9.ebuild 807
-RMD160 ff825c1e4d35557e17c7b128d54224cf378f30c9 cpio-2.9.ebuild 807
-SHA256 1c24d197787468df3e3ff11d4c516564351aca5e73d8602a66ff4289e3cdc3c0 cpio-2.9.ebuild 807
-MISC ChangeLog 11334 RMD160 6a887b4766cfc2384ce5a6e24a54689e89f04386 SHA1 e35796411b3c85a1cb8c1fed870ad0a220b1448a SHA256 9813db1bfae32d6fcc4976e10d0f1657ed4c3ab0ad8d9d8fe088fd26146d39f4
-MD5 71c2d04f346a718615bf8568d6c420a4 ChangeLog 11334
-RMD160 6a887b4766cfc2384ce5a6e24a54689e89f04386 ChangeLog 11334
-SHA256 9813db1bfae32d6fcc4976e10d0f1657ed4c3ab0ad8d9d8fe088fd26146d39f4 ChangeLog 11334
+EBUILD cpio-2.9-r1.ebuild 916 RMD160 b0634460e1c61d03b8a4ff0d7440ccc0b3b834cf SHA1 933d1173d008328edbc484804427f1a4f9e95d35 SHA256 4a3051c05e50007645bb7b4ad2af6e9aa095a13097cd44653bb1432c1c0df5fc
+MD5 a65c6258cd4264f26bc8f32393141452 cpio-2.9-r1.ebuild 916
+RMD160 b0634460e1c61d03b8a4ff0d7440ccc0b3b834cf cpio-2.9-r1.ebuild 916
+SHA256 4a3051c05e50007645bb7b4ad2af6e9aa095a13097cd44653bb1432c1c0df5fc cpio-2.9-r1.ebuild 916
+EBUILD cpio-2.9.ebuild 804 RMD160 3ee6466ae074f329bcf64881650fdf560c269d2f SHA1 affd959396a075b77f7d3594d7d4a8cd2621d8a6 SHA256 57a1632698de87e26e8097595ef8779f4652242fb0fa37d433b14a2574b2b882
+MD5 f8a4a842256a986e74739c1917d56bd5 cpio-2.9.ebuild 804
+RMD160 3ee6466ae074f329bcf64881650fdf560c269d2f cpio-2.9.ebuild 804
+SHA256 57a1632698de87e26e8097595ef8779f4652242fb0fa37d433b14a2574b2b882 cpio-2.9.ebuild 804
+MISC ChangeLog 11511 RMD160 58c21ba6ade1b5d74a48d31e569fb3ae7ef33c43 SHA1 3fb18393cf0d299fff34cec602e5f7dbbec694ed SHA256 b7e4befe7e767640acc38510f102d69217fcb8fc21ba80aca34df9eadde8ff28
+MD5 3d6d513063b4a652f5ef8b2f83277de2 ChangeLog 11511
+RMD160 58c21ba6ade1b5d74a48d31e569fb3ae7ef33c43 ChangeLog 11511
+SHA256 b7e4befe7e767640acc38510f102d69217fcb8fc21ba80aca34df9eadde8ff28 ChangeLog 11511
MISC metadata.xml 164 RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 SHA1 9c213f5803676c56439df3716be07d6692588856 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92
MD5 9a09f8d531c582e78977dbfd96edc1f2 metadata.xml 164
RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 metadata.xml 164
@@ -38,3 +49,13 @@ SHA256 cdb73aeb35089d4e3463080e83bee38d311f7c2a4a867e4be2b7674b5741978f files/di
MD5 92beb7b5dd098878f7c10a19378bfc5b files/digest-cpio-2.9 229
RMD160 20fa4fa9ee4af0884ce74d55ed5cd3a59dc8b215 files/digest-cpio-2.9 229
SHA256 a8940d9b9ee05b42e062bc8bdbc7d5c39a4dd63a8c69c466c2e4c41e314d21c0 files/digest-cpio-2.9 229
+MD5 92beb7b5dd098878f7c10a19378bfc5b files/digest-cpio-2.9-r1 229
+RMD160 20fa4fa9ee4af0884ce74d55ed5cd3a59dc8b215 files/digest-cpio-2.9-r1 229
+SHA256 a8940d9b9ee05b42e062bc8bdbc7d5c39a4dd63a8c69c466c2e4c41e314d21c0 files/digest-cpio-2.9-r1 229
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.7 (GNU/Linux)
+
+iD8DBQFHJQHJp/wUKkr7RBoRAolyAJ4yWIssJ232chMPpR8O6ZPafVlWnQCcCiOs
+GhBgbJwF7puO179vZtbPJXQ=
+=hIM4
+-----END PGP SIGNATURE-----
diff --git a/app-arch/cpio/cpio-2.9-r1.ebuild b/app-arch/cpio/cpio-2.9-r1.ebuild
new file mode 100644
index 000000000000..1fddbaf8b28f
--- /dev/null
+++ b/app-arch/cpio/cpio-2.9-r1.ebuild
@@ -0,0 +1,36 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/cpio/cpio-2.9-r1.ebuild,v 1.1 2007/10/28 21:40:19 vapier Exp $
+
+DESCRIPTION="A file archival tool which can also read and write tar files"
+HOMEPAGE="http://www.gnu.org/software/cpio/cpio.html"
+SRC_URI="mirror://gnu/cpio/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
+IUSE="nls"
+
+DEPEND=""
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ epatch "${FILESDIR}"/${P}-CVE-2007-4476.patch #196978
+}
+
+src_compile() {
+ econf \
+ $(use_enable nls) \
+ --bindir=/bin \
+ --with-rmt=/usr/sbin/rmt \
+ || die
+ emake || die
+}
+
+src_install() {
+ emake install DESTDIR="${D}" || die
+ dodoc ChangeLog NEWS README
+ rm -f "${D}"/usr/share/man/man1/mt.1
+ rmdir "${D}"/usr/libexec || die
+}
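Review bot: `epatch` is called in src_unpack, but this new ebuild shows no `inherit` line, and epatch is provided by the eutils eclass. Unless it comes into scope some other way, the call would fail as an unknown command, and since that line has no `|| die` the build would presumably carry on and install an unpatched cpio 2.9 under the -r1 revision that is meant to carry the CVE-2007-4476 fix. Add `inherit eutils` directly after the header comment. `cd "${S}"` should also become `cd "${S}" || die`, so a failed directory change cannot leave the patch applied against the wrong tree.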
diff --git a/app-arch/cpio/files/cpio-2.9-CVE-2007-4476.patch b/app-arch/cpio/files/cpio-2.9-CVE-2007-4476.patch
new file mode 100644
index 000000000000..2edbb1eb1c56
--- /dev/null
+++ b/app-arch/cpio/files/cpio-2.9-CVE-2007-4476.patch
@@ -0,0 +1,90 @@
+http://bugs.gentoo.org/196978
+
+--- lib/paxnames.c
++++ lib/paxnames.c
+@@ -36,15 +36,27 @@
+ return strcmp (name1, name2) == 0;
+ }
+
+-/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
+- copy of STRING to TABLE and return 1. */
+-bool
+-hash_string_insert (Hash_table **table, char const *string)
++/* Return zero if TABLE contains a LEN-character long prefix of STRING,
++ otherwise, insert a newly allocated copy of this prefix to TABLE and
++ return 1. If RETURN_PREFIX is not NULL, point it to the allocated
++ copy. */
++static bool
++hash_string_insert_prefix (Hash_table **table, char const *string, size_t len,
++ const char **return_prefix)
+ {
+ Hash_table *t = *table;
+- char *s = xstrdup (string);
++ char *s;
+ char *e;
+
++ if (len)
++ {
++ s = xmalloc (len + 1);
++ memcpy (s, string, len);
++ s[len] = 0;
++ }
++ else
++ s = xstrdup (string);
++
+ if (! ((t
+ || (*table = t = hash_initialize (0, 0, hash_string_hasher,
+ hash_string_compare, 0)))
+@@ -52,7 +64,11 @@
+ xalloc_die ();
+
+ if (e == s)
+- return 1;
++ {
++ if (return_prefix)
++ *return_prefix = s;
++ return 1;
++ }
+ else
+ {
+ free (s);
+@@ -60,6 +76,14 @@
+ }
+ }
+
++/* Return zero if TABLE contains a copy of STRING; otherwise, insert a
++ copy of STRING to TABLE and return 1. */
++bool
++hash_string_insert (Hash_table **table, char const *string)
++{
++ return hash_string_insert_prefix (table, string, 0, NULL);
++}
++
+ /* Return 1 if TABLE contains STRING. */
+ bool
+ hash_string_lookup (Hash_table const *table, char const *string)
+@@ -88,7 +112,8 @@
+ If ABSOLUTE_NAMES is 0, strip filesystem prefix from the file name. */
+
+ char *
+-safer_name_suffix (char const *file_name, bool link_target, bool absolute_names)
++safer_name_suffix (char const *file_name, bool link_target,
++ bool absolute_names)
+ {
+ char const *p;
+
+@@ -121,11 +146,9 @@
+
+ if (prefix_len)
+ {
+- char *prefix = alloca (prefix_len + 1);
+- memcpy (prefix, file_name, prefix_len);
+- prefix[prefix_len] = '\0';
+-
+- if (hash_string_insert (&prefix_table[link_target], prefix))
++ const char *prefix;
++ if (hash_string_insert_prefix (&prefix_table[link_target], file_name,
++ prefix_len, &prefix))
+ {
+ static char const *const diagnostic[] =
+ {
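Review bot: The new comment on hash_string_insert_prefix omits two parts of its contract. LEN == 0 is a sentinel meaning "copy the whole STRING" (the `else s = xstrdup (string);` branch), and `*return_prefix` is written only on the return-1 path, so `prefix` in safer_name_suffix stays uninitialised when the prefix is already in the table. I would extend the comment with `If LEN is 0 the whole STRING is used; LEN must not exceed strlen (STRING). *RETURN_PREFIX is not modified when zero is returned.` The `memcpy (s, string, len)` trusts the caller for that bound, which is worth stating since the name being split presumably originates from archive contents. Both functions continue outside the visible hunks, so how `prefix` is used after the call cannot be checked from here.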
diff --git a/app-arch/cpio/files/digest-cpio-2.9-r1 b/app-arch/cpio/files/digest-cpio-2.9-r1
new file mode 100644
index 000000000000..3827e3d7fe96
--- /dev/null
+++ b/app-arch/cpio/files/digest-cpio-2.9-r1
@@ -0,0 +1,3 @@
+MD5 e387abfdae3a0b9a8a5f762db653a96d cpio-2.9.tar.bz2 758195
+RMD160 6fbd93755e266ad7ff9644cb7fe3c3e54d61ac44 cpio-2.9.tar.bz2 758195
+SHA256 bb9a5fa693a8f4ef4685eb447cea1dc5b787e37c302569928ef74df460724707 cpio-2.9.tar.bz2 758195