app-arch/tar-1.34: Adding a patch to fix CVE-2022-48303 #29776
Conversation
Pull Request assignmentSubmitter: @nobellium1997 app-arch/tar: @gentoo/base-system Linked bugsNo bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment. If you do not receive any reply to this pull request, please open or link a bug to attract the attention of maintainers. In order to force reassignment and/or bug reference scan, please append Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide |
gentoo-bot
added
assigned
Pull request CI reportReport generated at: 2023-02-24 23:28 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
nobellium1997
force-pushed
the
tar-cve-fix
branch
from
7a3d9e5
to
53ba246
Compare
|
Just created the bug for this CVE and added it to the commit message. |
Pull request CI reportReport generated at: 2023-02-27 18:53 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
nobellium1997
force-pushed
the
tar-cve-fix
branch
from
53ba246
to
7358e28
Compare
Pull request CI reportReport generated at: 2023-02-27 19:13 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
|
Hey folks, any word on this PR? |
app-alternatives/tar/tar-0.ebuild
Outdated
| @@ -4,7 +4,7 @@ | |||
| EAPI=8 | |||
|
|
|||
| ALTERNATIVES=( | |||
| "gnu:>=app-arch/tar-1.34-r2" | |||
There was a problem hiding this comment.
You could keep this part if you want, but we don't really need it.
There was a problem hiding this comment.
Sounds good, dropped.
app-alternatives/tar/tar-0.ebuild
Outdated
| @@ -15,7 +15,7 @@ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv | |||
| IUSE="split-usr" | |||
|
|
|||
| RDEPEND=" | |||
| !<app-arch/tar-1.34-r2 | |||
| @@ -0,0 +1,30 @@ | |||
| From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 | |||
There was a problem hiding this comment.
Please include at the top of the patch:
- A link to the relevant Gentoo bug
- A link to the upstream commit
| @@ -37,6 +37,10 @@ PDEPEND=" | |||
| app-alternatives/tar | |||
| " | |||
|
|
|||
| PATCHES=( | |||
There was a problem hiding this comment.
Please don't git mv for the ebuild, instead cp and then ekeyword ~all for the new ebuild.
There was a problem hiding this comment.
So here's the problem, the sdk I'm using (I'm a developer for "Container OS" which is a chrome os offshoot for servers) doesn't have all the tooling you'd expect on a typical gentoo system.
The sdk is basically a barebones chroot of the gentoo userspace with bunch of stuff missing. Is there a way I could just manually set the keywords here? Do I just set them to ~all?
There was a problem hiding this comment.
You just put a ~ prefix before every keyword in KEYWORDS. I can handle it now, it's definitely easy to do manually so no need for the manual tool.
nobellium1997
force-pushed
the
tar-cve-fix
branch
2 times, most recently
from
75f17f6
to
2d660d4
Compare
This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. This fix is needed to resolve CVE-2022-48303. Bug: https://bugs.gentoo.org/898176 Signed-off-by: Nobel Barakat <nobelbarakat@google.com>
nobellium1997
force-pushed
the
tar-cve-fix
branch
from
2d660d4
to
a0dee07
Compare
|
Thanks, I've merged with a slightly tweaked commit message (dropped version prefix before the colon) and also restored the old stable ebuild. Cheers! |
This patch is cherry-picked from the upstream gnu/tar repository which fixes a heap buffer overflow issue in the utility. Since the tar project only made this commit in master and has not made a release with this fix yet, I'm back-porting it to 1.34 to resolve CVE-2022-48303.
No bug has been created yet since I couldn't create a bug within 24 hours of creating my gentoo bugzilla account.
tar commit in master is: 3da78400eafcccb97e2f2fd4b227ea40d794ede8