
[AUH] tar: upgrading to 1.35 SUCCEEDED

Message ID 0101018a006e65ca-3ab90c8e-5acb-4d63-9856-14d21f6e076f-000000@us-west-2.amazonses.com
State New

Commit Message

auh@yoctoproject.org Aug. 16, 2023, 10:19 p.m. UTC
Hello,

this email is a notification from the Auto Upgrade Helper
that the automatic attempt to upgrade the recipe *tar* to *1.35* has Succeeded.

Next steps:
    - apply the patch: git am 0001-tar-upgrade-1.34-1.35.patch
    - check the changes to upstream patches and summarize them in the commit message,
    - compile an image that contains the package
    - perform some basic sanity tests
    - amend the patch and sign it off: git commit -s --reset-author --amend
    - send it to the appropriate mailing list

Alternatively, if you believe the recipe should not be upgraded at this time,
you can fill RECIPE_NO_UPDATE_REASON in the respective recipe file so that
automatic upgrades would no longer be attempted.

Please review the attached files for further information and build/update failures.
If there is any problem, please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler

Regards,
The Upgrade Helper

-- >8 --
From b26d321f38a48251d63c49237785d94a47a4e460 Mon Sep 17 00:00:00 2001
From: Upgrade Helper <auh@yoctoproject.org>
Date: Wed, 16 Aug 2023 09:05:58 +0000
Subject: [PATCH] tar: upgrade 1.34 -> 1.35

---
 .../tar/tar/CVE-2022-48303.patch              | 43 ---------------
 .../tar/{tar_1.34.bb => tar_1.35.bb}          | 53 +++++++++++++++++--
 2 files changed, 48 insertions(+), 48 deletions(-)
 delete mode 100644 meta/recipes-extended/tar/tar/CVE-2022-48303.patch
 rename meta/recipes-extended/tar/{tar_1.34.bb => tar_1.35.bb} (45%)

Patch

diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
deleted file mode 100644
index b2f40f3e64..0000000000
--- a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch
+++ /dev/null
@@ -1,43 +0,0 @@ 
-From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001
-From: Sergey Poznyakoff <gray@gnu.org>
-Date: Sat, 11 Feb 2023 11:57:39 +0200
-Subject: Fix boundary checking in base-256 decoder
-
-* src/list.c (from_header): Base-256 encoding is at least 2 bytes
-long.
-
-Upstream-Status: Backport [see reference below]
-CVE: CVE-2022-48303
-
-Reference to upstream patch:
-https://savannah.gnu.org/bugs/?62387
-https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
-
-Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
----
- src/list.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com>
-
-
-(limited to 'src/list.c')
-
-diff --git a/src/list.c b/src/list.c
-index 9fafc42..86bcfdd 100644
---- a/src/list.c
-+++ b/src/list.c
-@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type,
- 	  where++;
- 	}
-     }
--  else if (*where == '\200' /* positive base-256 */
--	   || *where == '\377' /* negative base-256 */)
-+  else if (where <= lim - 2
-+	   && (*where == '\200' /* positive base-256 */
-+	       || *where == '\377' /* negative base-256 */))
-     {
-       /* Parse base-256 output.  A nonnegative number N is
- 	 represented as (256**DIGS)/2 + N; a negative number -N is
--- 
-cgit v1.1
-
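Review bot: the commit message has no body after the subject line, so nothing records why CVE-2022-48303.patch and its SRC_URI entry are dropped. The deleted file is a backport of upstream commit 3da78400eafcccb97e2f2fd4b227ea40d794ede8, which adds the `where <= lim - 2` bound to the base-256 branch of from_header() in src/list.c. Before amending, confirm that the 1.35 source contains that check and say in the commit message that the backport is removed because the fix is included upstream, so the CVE status of the recipe stays traceable.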
diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.35.bb
similarity index 45%
rename from meta/recipes-extended/tar/tar_1.34.bb
rename to meta/recipes-extended/tar/tar_1.35.bb
index 1ef5fe221e..46b9c92543 100644
--- a/meta/recipes-extended/tar/tar_1.34.bb
+++ b/meta/recipes-extended/tar/tar_1.35.bb
@@ -1,16 +1,59 @@ 
+# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'.
+# The following is the difference between the old and the new license text.
+# Please update the LICENSE value if needed, and summarize the changes in
+# the commit message via 'License-Update:' tag.
+# (example: 'License-Update: copyright years updated.')
+#
+# The changes:
+#
+# --- COPYING
+# +++ COPYING
+# @@ -1,7 +1,7 @@
+#                      GNU GENERAL PUBLIC LICENSE
+#                         Version 3, 29 June 2007
+#  
+# - Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+# + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+#   Everyone is permitted to copy and distribute verbatim copies
+#   of this license document, but changing it is not allowed.
+#  
+# @@ -645,7 +645,7 @@
+#      GNU General Public License for more details.
+#  
+#      You should have received a copy of the GNU General Public License
+# -    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# +    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#  
+#  Also add information on how to contact you by electronic and paper mail.
+#  
+# @@ -664,11 +664,11 @@
+#    You should also get your employer (if you work as a programmer) or school,
+#  if any, to sign a "copyright disclaimer" for the program, if necessary.
+#  For more information on this, and how to apply and follow the GNU GPL, see
+# -<http://www.gnu.org/licenses/>.
+# +<https://www.gnu.org/licenses/>.
+#  
+#    The GNU General Public License does not permit incorporating your program
+#  into proprietary programs.  If your program is a subroutine library, you
+#  may consider it more useful to permit linking proprietary applications with
+#  the library.  If this is what you want to do, use the GNU Lesser General
+#  Public License instead of this License.  But first, please read
+# -<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+# +<https://www.gnu.org/licenses/why-not-lgpl.html>.
+# 
+#
+
 SUMMARY = "GNU file archiving program"
 DESCRIPTION = "GNU tar saves many files together into a single tape \
 or disk archive, and can restore individual files from the archive."
 HOMEPAGE = "http://www.gnu.org/software/tar/"
 SECTION = "base"
 LICENSE = "GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464"
 
-SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
-           file://CVE-2022-48303.patch \
-"
+SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2"
 
-SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff"
+SRC_URI[sha256sum] = "7edb8886a3dc69420a1446e1e2d061922b642f1cf632d2cd0f9ee7e690775985"
 
 inherit autotools gettext texinfo
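Review bot: the FIXME comment block that 'devtool upgrade' added at the top of tar_1.35.bb should be removed before this is submitted, with its conclusion moved into the commit message. The embedded COPYING diff shows only URL changes (http to https for fsf.org and www.gnu.org/licenses, and the why-not-lgpl link moving from /philosophy/ to /licenses/), so `LICENSE = "GPL-3.0-only"` can stay and a 'License-Update:' tag describing the URL changes accounts for the new LIC_FILES_CHKSUM md5. The new SRC_URI[sha256sum] was produced by the automated upgrade, so check it against the upstream 1.35 tarball before signing off.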