New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
app-arch/tar-1.34: Adding a patch to fix CVE-2022-48303 #29776
Conversation
Pull Request assignmentSubmitter: @nobellium1997 app-arch/tar: @gentoo/base-system Linked bugsNo bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment. If you do not receive any reply to this pull request, please open or link a bug to attract the attention of maintainers. In order to force reassignment and/or bug reference scan, please append Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide |
Pull request CI reportReport generated at: 2023-02-24 23:28 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
7a3d9e5
to
53ba246
Compare
Just created the bug for this CVE and added it to the commit message. |
Pull request CI reportReport generated at: 2023-02-27 18:53 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
53ba246
to
7358e28
Compare
Pull request CI reportReport generated at: 2023-02-27 19:13 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
Hey folks, any word on this PR? |
app-alternatives/tar/tar-0.ebuild
Outdated
@@ -4,7 +4,7 @@ | |||
EAPI=8 | |||
|
|||
ALTERNATIVES=( | |||
"gnu:>=app-arch/tar-1.34-r2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could keep this part if you want, but we don't really need it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, dropped.
app-alternatives/tar/tar-0.ebuild
Outdated
@@ -15,7 +15,7 @@ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv | |||
IUSE="split-usr" | |||
|
|||
RDEPEND=" | |||
!<app-arch/tar-1.34-r2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Drop.
@@ -0,0 +1,30 @@ | |||
From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please include at the top of the patch:
- A link to the relevant Gentoo bug
- A link to the upstream commit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -37,6 +37,10 @@ PDEPEND=" | |||
app-alternatives/tar | |||
" | |||
|
|||
PATCHES=( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't git mv
for the ebuild, instead cp
and then ekeyword ~all
for the new ebuild.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So here's the problem, the sdk I'm using (I'm a developer for "Container OS" which is a chrome os offshoot for servers) doesn't have all the tooling you'd expect on a typical gentoo system.
The sdk is basically a barebones chroot of the gentoo userspace with bunch of stuff missing. Is there a way I could just manually set the keywords here? Do I just set them to ~all
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You just put a ~ prefix before every keyword in KEYWORDS
. I can handle it now, it's definitely easy to do manually so no need for the manual tool.
75f17f6
to
2d660d4
Compare
This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. This fix is needed to resolve CVE-2022-48303. Bug: https://bugs.gentoo.org/898176 Signed-off-by: Nobel Barakat <nobelbarakat@google.com>
2d660d4
to
a0dee07
Compare
Thanks, I've merged with a slightly tweaked commit message (dropped version prefix before the colon) and also restored the old stable ebuild. Cheers! |
This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. Since the tar project only made this commit in master and has not made a release with this fix yet, I'm back-porting it to 1.34 to resolve CVE-2022-48303.
No bug has been created yet since I couldn't create a bug within 24 hours of creating my gentoo bugzilla account.
tar commit in master is: 3da78400eafcccb97e2f2fd4b227ea40d794ede8