tar: patch for CVE-2016-6321

https://lwn.net/Vulnerabilities/705216/

2 files changed, 36 insertions, 1 deletions

diff --git a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
new file mode 100644
index 00000000000..c53d92891fc
--- /dev/null
+++ b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch
@@ -0,0 +1,35 @@
+commit 7340f67b9860ea0531c1450e5aa261c50f67165d
+Author: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date:   Sat Oct 29 21:04:40 2016 -0700
+
+    When extracting, skip ".." members
+    
+    * NEWS: Document this.
+    * src/extract.c (extract_archive): Skip members whose names
+    contain "..".
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix
index 16660fea3e7..80c84236b8d 100644
--- a/pkgs/tools/archivers/gnutar/default.nix
+++ b/pkgs/tools/archivers/gnutar/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0";
   };
 
-  patches = [ ]; # FIXME: remove on another stdenv rebuild
+  patches = [ ./CVE-2016-6321.patch ]; # FIXME: remove on another stdenv rebuild
 
   # avoid retaining reference to CF during stdenv bootstrap
   configureFlags = stdenv.lib.optionals stdenv.isDarwin [