rpms/xar/F-11 xar-1.5.2-CVE-2010-0055.patch, NONE, 1.1 xar.spec, 1.10, 1.11
Matthias Saou
thias at fedoraproject.org
Wed Apr 28 12:28:57 UTC 2010
- Previous message: rpms/xar/EL-5 xar-1.5.2-CVE-2010-0055.patch, NONE, 1.1 .cvsignore, 1.2, 1.3 sources, 1.2, 1.3 xar.spec, 1.1, 1.2
- Next message: rpms/xar/F-12 xar-1.5.2-CVE-2010-0055.patch, NONE, 1.1 xar.spec, 1.12, 1.13
Author: thias
Update of /cvs/extras/rpms/xar/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv32506/F-11
Modified Files:
xar.spec
Added Files:
xar-1.5.2-CVE-2010-0055.patch
Log Message:
Update EPEL branches to 1.5.2 and include fix for CVE-2010-0055 to all branches.
xar-1.5.2-CVE-2010-0055.patch:
archive.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
--- NEW FILE xar-1.5.2-CVE-2010-0055.patch ---
Index: xar/lib/archive.c
===================================================================
--- xar/lib/archive.c (revision 224)
+++ xar/lib/archive.c (revision 225)
@@ -330,6 +330,44 @@
EVP_DigestFinal(&XAR(ret)->toc_ctx, toccksum, &tlen);
+ const char *value;
+ uint64_t offset = 0;
+ uint64_t length = tlen;
+ if( xar_prop_get( XAR_FILE(ret) , "checksum/offset", &value) == 0 ) {
+ errno = 0;
+ offset = strtoull( value, (char **)NULL, 10);
+ if( errno != 0 ) {
+ xar_close(ret);
+ return NULL;
+ }
+ } else if( xar_signature_first(ret) != NULL ) {
+ // All archives that have a signature also specify the location
+ // of the checksum. If the location isn't specified, error out.
+ xar_close(ret);
+ return NULL;
+ }
+
+ XAR(ret)->heap_offset = xar_get_heap_offset(ret) + offset;
+ if( lseek(XAR(ret)->fd, XAR(ret)->heap_offset, SEEK_SET) == -1 ) {
+ xar_close(ret);
+ return NULL;
+ }
+ if( xar_prop_get( XAR_FILE(ret) , "checksum/size", &value) == 0 ) {
+ errno = 0;
+ length = strtoull( value, (char **)NULL, 10);
+ if( errno != 0 ) {
+ xar_close(ret);
+ return NULL;
+ }
+ } else if( xar_signature_first(ret) != NULL ) {
+ xar_close(ret);
+ return NULL;
+ }
+ if( length != tlen ) {
+ xar_close(ret);
+ return NULL;
+ }
+
xar_read_fd(XAR(ret)->fd, cval, tlen);
XAR(ret)->heap_offset += tlen;
if( memcmp(cval, toccksum, tlen) != 0 ) {
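Review bot: both `strtoull( value, (char **)NULL, 10)` calls (for checksum/offset and checksum/size) only reject overflow. With a NULL end pointer and nothing but an `errno != 0` check, an empty or non-numeric string parses as 0, and trailing garbage or a leading minus sign is accepted silently. Suggest passing an end pointer and failing unless it differs from `value` and points at the terminating NUL. Two smaller points in the same hunk: the sum `xar_get_heap_offset(ret) + offset` uses the archive-supplied offset without a range check before it is handed to lseek, and the return value of `xar_read_fd(XAR(ret)->fd, cval, tlen)` in the trailing context is still unchecked, so a short read is not distinguished from a full read of tlen bytes before the memcmp.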
Index: xar.spec
===================================================================
RCS file: /cvs/extras/rpms/xar/F-11/xar.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- xar.spec 26 Feb 2009 07:40:02 -0000 1.10
+++ xar.spec 28 Apr 2010 12:28:57 -0000 1.11
@@ -1,12 +1,13 @@
Summary: The eXtensible ARchiver
Name: xar
Version: 1.5.2
-Release: 3%{?dist}
+Release: 6%{?dist}
License: BSD
Group: Applications/Archiving
URL: http://code.google.com/p/xar/
Source: http://xar.googlecode.com/files/xar-%{version}.tar.gz
Patch0: xar-1.5-norpath.patch
+Patch1: xar-1.5.2-CVE-2010-0055.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: libxml2-devel
BuildRequires: openssl-devel
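Review bot: the new `Patch1:` line has no comment stating where the patch comes from. The patch header shows it is the change to xar/lib/archive.c between revision 224 and revision 225, so a one-line comment above `Patch1:` recording that origin would let a later packager tell when a newer upstream release makes the patch droppable.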
@@ -37,6 +38,7 @@ Development files for the eXtensible ARc
%prep
%setup -q
%patch0 -p1 -b .norpath
+%patch1 -p1 -b .CVE-2010-0055
%build
@@ -73,6 +75,15 @@ Development files for the eXtensible ARc
%changelog
+* Wed Apr 28 2010 Matthias Saou <http://freshrpms.net/> 1.5.2-6
+- Include patch to fix CVE-2010-0055 (#570678).
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz at redhat.com> - 1.5.2-5
+- rebuilt with new openssl
+
+* Mon Jul 27 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
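Review bot: the new 1.5.2-6 changelog header does not match the entries around it. It reads `Matthias Saou <http://freshrpms.net/> 1.5.2-6`, with a URL in the angle brackets and no ` - ` separator before the version, while the -5, -4 and -3 entries use an address followed by ` - 1.5.2-N`. Suggest bringing it in line with that format so tools that parse the changelog treat all entries alike. The -4 and -5 entries arriving in this same hunk account for the Release jump from 3 to 6 in the first spec hunk.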
More information about the scm-commits
mailing list