GNU bug report logs - #30319
[PATCH] gnu: tar: Update to 1.30.


Package: guix-patches;

Reported by: Alex Vong <alexvong1995 <at> gmail.com>

Date: Thu, 1 Feb 2018 15:56:01 UTC

Severity: normal

Tags: fixed, patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#30319; Package guix-patches. (Thu, 01 Feb 2018 15:56:01 GMT)

Acknowledgement sent to Alex Vong <alexvong1995 <at> gmail.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 01 Feb 2018 15:56:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Alex Vong <alexvong1995 <at> gmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: tar: Update to 1.30.
Date: Thu, 01 Feb 2018 23:55:11 +0800
Hello,

This patch updates tar to its latest version for core-updates. I add a
2016 copyright header because I forgot to add it in 20be64dcf.

[0001-gnu-tar-Update-to-1.30.patch (text/x-diff, inline)]
From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Thu, 1 Feb 2018 23:03:55 +0800
Subject: [PATCH] gnu: tar: Update to 1.30.

* gnu/packages/base.scm (tar): Update to 1.30.
[source]: Remove 'tar-CVE-2016-6321.patch'.
* gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
---
 gnu/local.mk                                 |  1 -
 gnu/packages/base.scm                        |  8 ++---
 gnu/packages/patches/tar-CVE-2016-6321.patch | 51 ----------------------------
 3 files changed, 4 insertions(+), 56 deletions(-)
 delete mode 100644 gnu/packages/patches/tar-CVE-2016-6321.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9df027a8d..7bddb4060 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1076,7 +1076,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+.patch		\
-  %D%/packages/patches/tar-CVE-2016-6321.patch			\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 92acbd364..faa5066cc 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837 <at> gmail.com>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim <at> flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke <at> gnu.org>
+;;; Copyright © 2016, 2018 Alex Vong <alexvong1995 <at> gmail.com>
 ;;; Copyright © 2017 Rene Saavedra <rennes <at> openmailbox.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe <at> gmail.com>
 ;;; Copyright © 2017 Marius Bakke <mbakke <at> fastmail.com>
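Review bot: The added copyright line carries two unrelated changes, and the commit log mentions neither: the 2018 year belongs to this update, while the 2016 year is a retroactive correction for an earlier commit (per the cover message). Suggest moving the 2016 addition into its own commit with a log entry that explains it, so the tar update stays a pure version bump.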
@@ -166,16 +167,15 @@ implementation offers several extensions over the standard utility.")
 (define-public tar
   (package
    (name "tar")
-   (version "1.29")
+   (version "1.30")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/tar/tar-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-            (patches (search-patches "tar-CVE-2016-6321.patch"
-                                     "tar-skip-unreliable-tests.patch"))))
+              "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi"))
+            (patches (search-patches "tar-skip-unreliable-tests.patch"))))
    (build-system gnu-build-system)
    ;; Note: test suite requires ~1GiB of disk space.
    (arguments
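Review bot: The `patches` field drops "tar-CVE-2016-6321.patch" in the same change that replaces the sha256, and the commit log does not say why the security patch is no longer needed. Suggest extending the log entry, for example "[source]: Remove 'tar-CVE-2016-6321.patch', fixed upstream in 1.30", once that has been confirmed. It would also help to say how the new base32 hash was obtained, ideally from a tarball whose OpenPGP signature was checked, since that hash is what pins the content of the `mirror://` download.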
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
deleted file mode 100644
index b79be9bc9..000000000
--- a/gnu/packages/patches/tar-CVE-2016-6321.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Fix CVE-2016-6321:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
-https://security-tracker.debian.org/tracker/CVE-2016-6321
-
-Patch adapted from upstream source repository (the changes to 'NEWS'
-don't apply to the Tar 1.29 release tarball).
-
-http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
-
-From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert <at> Penguin.CS.UCLA.EDU>
-Date: Sat, 29 Oct 2016 21:04:40 -0700
-Subject: [PATCH] When extracting, skip ".." members
-
-* NEWS: Document this.
-* src/extract.c (extract_archive): Skip members whose names
-contain "..".
----
- NEWS          | 8 +++++++-
- src/extract.c | 8 ++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/extract.c b/src/extract.c
-index f982433..7904148 100644
---- a/src/extract.c
-+++ b/src/extract.c
-@@ -1629,12 +1629,20 @@ extract_archive (void)
- {
-   char typeflag;
-   tar_extractor_t fun;
-+  bool skip_dotdot_name;
- 
-   fatal_exit_hook = extract_finish;
- 
-   set_next_block_after (current_header);
- 
-+  skip_dotdot_name = (!absolute_names_option
-+		      && contains_dot_dot (current_stat_info.orig_file_name));
-+  if (skip_dotdot_name)
-+    ERROR ((0, 0, _("%s: Member name contains '..'"),
-+	    quotearg_colon (current_stat_info.orig_file_name)));
-+
-   if (!current_stat_info.file_name[0]
-+      || skip_dotdot_name
-       || (interactive_option
- 	  && !confirm ("extract", current_stat_info.file_name)))
-     {
--- 
-2.11.0
-
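Review bot: Deleting this file is only safe if the 1.30 tarball already contains upstream commit 7340f67b9860ea0531c1450e5aa261c50f67165d, which the removed header cites as the source of the fix. Suggest confirming before merge that `src/extract.c` in 1.30 has the `skip_dotdot_name` check in `extract_archive`, so that members whose names contain ".." are still skipped when `absolute_names_option` is off.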
-- 
2.16.1

Cheers,
Alex

Information forwarded to guix-patches <at> gnu.org:
bug#30319; Package guix-patches. (Thu, 01 Feb 2018 21:17:01 GMT)

Message #8 received at 30319 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Alex Vong <alexvong1995 <at> gmail.com>
Cc: 30319 <at> debbugs.gnu.org
Subject: Re: [bug#30319] [PATCH] gnu: tar: Update to 1.30.
Date: Thu, 1 Feb 2018 16:15:55 -0500
On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:
> Hello,
> 
> This patch updates tar to its latest version for core-updates. I add a
> 2016 copyright header because I forgot to add it in 20be64dcf.
> 

> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995 <at> gmail.com>
> Date: Thu, 1 Feb 2018 23:03:55 +0800
> Subject: [PATCH] gnu: tar: Update to 1.30.
> 
> * gnu/packages/base.scm (tar): Update to 1.30.
> [source]: Remove 'tar-CVE-2016-6321.patch'.
> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.

Since the whole distro depends on tar, and we are almost done with this
core-updates cycle, we'll need to save this for the next cycle.

I added the 2016 copyright statement in commit
537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.

Information forwarded to guix-patches <at> gnu.org:
bug#30319; Package guix-patches. (Thu, 01 Feb 2018 23:25:02 GMT)

Message #11 received at 30319 <at> debbugs.gnu.org:

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 30319 <at> debbugs.gnu.org
Subject: Re: [bug#30319] [PATCH] gnu: tar: Update to 1.30.
Date: Fri, 02 Feb 2018 07:24:06 +0800
Leo Famulari <leo <at> famulari.name> writes:

> On Thu, Feb 01, 2018 at 11:55:11PM +0800, Alex Vong wrote:
>> Hello,
>> 
>> This patch updates tar to its latest version for core-updates. I add a
>> 2016 copyright header because I forgot to add it in 20be64dcf.
>> 
>
>> From bc2c8230c7089cbd3e9de8776dd97bd758dcde2d Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995 <at> gmail.com>
>> Date: Thu, 1 Feb 2018 23:03:55 +0800
>> Subject: [PATCH] gnu: tar: Update to 1.30.
>> 
>> * gnu/packages/base.scm (tar): Update to 1.30.
>> [source]: Remove 'tar-CVE-2016-6321.patch'.
>> * gnu/packages/patches/tar-CVE-2016-6321.patch: Remove.
>> * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
>
> Since the whole distro depends on tar, and we are almost done with this
> core-updates cycle, we'll need to save this for the next cycle.
>
I see, I don't know about this.

> I added the 2016 copyright statement in commit
> 537a17fbe89c3102b7b6d95616a7ce0b5e3ce209.

Thanks for taking care of it!




Added tag(s) fixed. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 26 Feb 2018 18:06:01 GMT)

bug closed, send any further explanations to 30319 <at> debbugs.gnu.org and Alex Vong <alexvong1995 <at> gmail.com> Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Mon, 26 Feb 2018 18:06:01 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 27 Mar 2018 11:24:04 GMT)
