From patchwork Wed Aug 16 22:19:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: auh@yoctoproject.org X-Patchwork-Id: 28947 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 562B5C2FC22 for ; Wed, 16 Aug 2023 22:19:12 +0000 (UTC) Received: from a27-23.smtp-out.us-west-2.amazonses.com (a27-23.smtp-out.us-west-2.amazonses.com [54.240.27.23]) by mx.groups.io with SMTP id smtpd.web11.173803.1692224343970671896 for ; Wed, 16 Aug 2023 15:19:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@yoctoproject.org header.s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky header.b=ZvQTRL4Y; dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=WVC7Bxfg; spf=pass (domain: us-west-2.amazonses.com, ip: 54.240.27.23, mailfrom: 0101018a006e65ca-3ab90c8e-5acb-4d63-9856-14d21f6e076f-000000@us-west-2.amazonses.com) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=lvjh2tk576v2ro5mi6k4dt3mc6wpqbky; d=yoctoproject.org; t=1692224349; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date; bh=NAoq/w1MpaijdgvVAiMC5ojnPipzczbud1UIPnuyAb8=; b=ZvQTRL4Yw7x7rYu7Kb2Zhb9B0GozPNjqBtd9Q0IZ4UCI07KFhIVIlI0okp5evs1A 1w+8x+cSogA98Vv38zAuUdcQxzxctrG9h1t7xunRubW/AfGf3+YlKo9c2d0AJNfmNak 9lYqO6axTjfr7Re5egvSEgdufwtio0jWXsjR2DZA= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=hsbnp7p3ensaochzwyq5wwmceodymuwv; d=amazonses.com; t=1692224349; h=Content-Type:MIME-Version:From:To:Cc:Subject:Message-Id:Date:Feedback-ID; bh=NAoq/w1MpaijdgvVAiMC5ojnPipzczbud1UIPnuyAb8=; b=WVC7BxfgxByVLScdfwdx9AO5LKwCeHkAlLUrABhgKGwDS7vhCPI+5YGngMe0bqrO KH135S6Ak9JJQWmfBRpTqQNTnHG/+9pzn83xT7svMFoPXnTBN0rFeJClV2O8BKkyGYt dUzMPxyWKLVgfqqKGFdXdTkTxMslBHpCckTjdQJE= MIME-Version: 1.0 
From: auh@yoctoproject.org
To: Chen Qi
Cc: openembedded-core@lists.openembedded.org
Subject: [AUH] tar: upgrading to 1.35 SUCCEEDED
Message-ID: <0101018a006e65ca-3ab90c8e-5acb-4d63-9856-14d21f6e076f-000000@us-west-2.amazonses.com>
Date: Wed, 16 Aug 2023 22:19:09 +0000
Feedback-ID: 1.us-west-2.9np3MYPs3fEaOBysGKSlUD4KtcmPijcmS9Az2Hwf7iQ=:AmazonSES
X-SES-Outgoing: 2023.08.16-54.240.27.23
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Aug 2023 22:19:12 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/186209

Hello,

this email is a notification from the Auto Upgrade Helper
that the automatic attempt to upgrade the recipe *tar* to *1.35* has Succeeded.

Next steps:
    - apply the patch: git am 0001-tar-upgrade-1.34-1.35.patch
    - check the changes to upstream patches and summarize them in the commit message,
    - compile an image that contains the package
    - perform some basic sanity tests
    - amend the patch and sign it off: git commit -s --reset-author --amend
    - send it to the appropriate mailing list

Alternatively, if you believe the recipe should not be upgraded at this time,
you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that
automatic upgrades would no longer be attempted.

Please review the attached files for further information and build/update failures.
Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler

Regards,
The Upgrade Helper

-- >8 --
From b26d321f38a48251d63c49237785d94a47a4e460 Mon Sep 17 00:00:00 2001
From: Upgrade Helper Date: Wed, 16 Aug 2023 09:05:58 +0000 Subject: [PATCH] tar: upgrade 1.34 -> 1.35 --- .../tar/tar/CVE-2022-48303.patch | 43 --------------- .../tar/{tar_1.34.bb => tar_1.35.bb} | 53 +++++++++++++++++-- 2 files changed, 48 insertions(+), 48 deletions(-) delete mode 100644 meta/recipes-extended/tar/tar/CVE-2022-48303.patch rename meta/recipes-extended/tar/{tar_1.34.bb => tar_1.35.bb} (45%) diff --git a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/meta/recipes-extended/tar/tar/CVE-2022-48303.patch deleted file mode 100644 index b2f40f3e64..0000000000 --- a/meta/recipes-extended/tar/tar/CVE-2022-48303.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 -From: Sergey Poznyakoff -Date: Sat, 11 Feb 2023 11:57:39 +0200 -Subject: Fix boundary checking in base-256 decoder - -* src/list.c (from_header): Base-256 encoding is at least 2 bytes -long. - -Upstream-Status: Backport [see reference below] -CVE: CVE-2022-48303 - -Reference to upstream patch: -https://savannah.gnu.org/bugs/?62387 -https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 - -Signed-off-by: Rodolfo Quesada Zumbado -Signed-off-by: Joe Slater ---- - src/list.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado - - -(limited to 'src/list.c') - -diff --git a/src/list.c b/src/list.c -index 9fafc42..86bcfdd 100644 ---- a/src/list.c -+++ b/src/list.c -@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, - where++; - } - } -- else if (*where == '\200' /* positive base-256 */ -- || *where == '\377' /* negative base-256 */) -+ else if (where <= lim - 2 -+ && (*where == '\200' /* positive base-256 */ -+ || *where == '\377' /* negative base-256 */)) - { - /* Parse base-256 output. A nonnegative number N is - represented as (256**DIGS)/2 + N; a negative number -N is --- -cgit v1.1 - 
diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.35.bb similarity index 45% rename from meta/recipes-extended/tar/tar_1.34.bb rename to meta/recipes-extended/tar/tar_1.35.bb index 1ef5fe221e..46b9c92543 100644 --- a/meta/recipes-extended/tar/tar_1.34.bb +++ b/meta/recipes-extended/tar/tar_1.35.bb @@ -1,16 +1,59 @@ +# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'. +# The following is the difference between the old and the new license text. +# Please update the LICENSE value if needed, and summarize the changes in +# the commit message via 'License-Update:' tag. +# (example: 'License-Update: copyright years updated.') +# +# The changes: +# +# --- COPYING +# +++ COPYING +# @@ -1,7 +1,7 @@ +# GNU GENERAL PUBLIC LICENSE +# Version 3, 29 June 2007 +# +# - Copyright (C) 2007 Free Software Foundation, Inc. +# + Copyright (C) 2007 Free Software Foundation, Inc. +# Everyone is permitted to copy and distribute verbatim copies +# of this license document, but changing it is not allowed. +# +# @@ -645,7 +645,7 @@ +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# - along with this program. If not, see . +# + along with this program. If not, see . +# +# Also add information on how to contact you by electronic and paper mail. +# +# 
@@ -664,11 +664,11 @@ +# You should also get your employer (if you work as a programmer) or school, +# if any, to sign a "copyright disclaimer" for the program, if necessary. +# For more information on this, and how to apply and follow the GNU GPL, see +# -. +# +. +# +# The GNU General Public License does not permit incorporating your program +# into proprietary programs. If your program is a subroutine library, you +# may consider it more useful to permit linking proprietary applications with +# the library. If this is what you want to do, use the GNU Lesser General +# Public License instead of this License. But first, please read +# -. +# +. +# +# + SUMMARY = "GNU file archiving program" DESCRIPTION = "GNU tar saves many files together into a single tape \ or disk archive, and can restore individual files from the archive." HOMEPAGE = "http://www.gnu.org/software/tar/" SECTION = "base" LICENSE = "GPL-3.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" +LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464" -SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ - file://CVE-2022-48303.patch \ -" +SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2" -SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff" +SRC_URI[sha256sum] = "7edb8886a3dc69420a1446e1e2d061922b642f1cf632d2cd0f9ee7e690775985" inherit autotools gettext texinfo
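Review bot: deleting meta/recipes-extended/tar/tar/CVE-2022-48303.patch (first hunk, the backport of upstream commit 3da78400eafcccb97e2f2fd4b227ea40d794ede8 adding the `where <= lim - 2` bound in from_header) is only correct if the 1.35 release tarball already contains that upstream fix; please confirm against the 1.35 src/list.c and say so explicitly in the commit message ("drop CVE-2022-48303.patch, fix is included upstream in 1.35") so that the CVE: CVE-2022-48303 tag carried by the removed patch is not silently lost from the recipe's CVE history and cve-check results stay explainable.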
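Review bot: the `# FIXME: the LIC_FILES_CHKSUM values have been updated by 'devtool upgrade'` block at the top of the tar_1.35.bb hunk is a devtool scratch note and must be removed before this is submitted; the visible COPYING differences it records are confined to the copyright header line and the "If not, see" / "see" URL lines of the GPLv3 text (hunks @@ -1,7 @@, @@ -645,7 @@, @@ -664,11 @@; the URLs themselves did not survive this rendering), not to licence terms, so `LICENSE = "GPL-3.0-only"` stays correct and the new `LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464"` should be recorded in the commit message with a `License-Update:` tag describing that. While reviewing, also verify the new `SRC_URI[sha256sum] = "7edb8886a3dc69420a1446e1e2d061922b642f1cf632d2cd0f9ee7e690775985"` against the upstream signed release rather than trusting the auto-upgrade fetch alone, since this change also collapses SRC_URI to the bare `${GNU_MIRROR}/tar/tar-${PV}.tar.bz2` with no local patches left to anchor the source.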