NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2024.05.x-kumquat
kumquat-buildroot/package/tar/tar.mk
Fabrice Fontaine c68d67bfad package/tar: security bump to version 1.35 
Fix CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds
read that results in use of uninitialized memory for a conditional
jump. Exploitation to change the flow of control has not been
demonstrated. The issue occurs in from_header in list.c via a V7
archive in which mtime has approximately 11 whitespace characters.

With the bump to 1.35, the build will fail on systems that are not
Y2038, such as some uClibc configurations.

In order to preserve the previous behavior, pass --disable-year2038.
See the gnulib documentation for details [1]. Contrary to what the
option name might suggest, it doesn't really disable Y2038 support,
but only the check that the system is Y2038 compliant. So even with
--disable-year2038, if the system is Y2038 compliant (uses a 64-bit
arch, uses the musl C library, or uses the glibc C library with
BR2_TIME_BITS_64=y), tar will be Y2038 compliant.

Update hash of COPYING (http replaced by https)

[0] https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html
[1] https://www.gnu.org/software/gnulib/manual/html_node/Avoiding-the-year-2038-problem.html

For the version bump:

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d4d483451f)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

For the Y2038 fix:

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7f1088f9ca)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-05-09 22:45:06 +02:00

62 lines
1.6 KiB
Makefile
Raw Permalink Blame History

################################################################################
#
# tar
#
################################################################################
TAR_VERSION = 1.35
TAR_SOURCE = tar-$(TAR_VERSION).tar.xz
TAR_SITE = $(BR2_GNU_MIRROR)/tar
TAR_LICENSE = GPL-3.0+
TAR_LICENSE_FILES = COPYING
TAR_CPE_ID_VENDOR = gnu
TAR_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES)
TAR_CONF_ENV = LIBS=$(TARGET_NLS_LIBS)
# busybox installs in /bin, so we need tar to install as well in /bin
# so that we don't end up with two different tar
#
# --disable-year2038: tells the configure script to not abort if the
# system is not Y2038 compliant. tar will support year2038 if the
# system is compliant even with this option passed
TAR_CONF_OPTS = \
--exec-prefix=/ \
--disable-year2038
ifeq ($(BR2_PACKAGE_ACL),y)
TAR_DEPENDENCIES += acl
TAR_CONF_OPTS += --with-posix-acls
else
TAR_CONF_OPTS += --without-posix-acls
endif
ifeq ($(BR2_PACKAGE_ATTR),y)
TAR_DEPENDENCIES += attr
TAR_CONF_OPTS += --with-xattrs
else
TAR_CONF_OPTS += --without-xattrs
endif
$(eval $(autotools-package))
# host-tar: use cpio.gz instead of tar.gz to prevent chicken-egg problem
# of needing tar to build tar.
HOST_TAR_SOURCE = tar-$(TAR_VERSION).cpio.gz
define HOST_TAR_EXTRACT_CMDS
mkdir -p $(@D)
cd $(@D) && \
$(call suitable-extractor,$(HOST_TAR_SOURCE)) $(TAR_DL_DIR)/$(HOST_TAR_SOURCE) | cpio -i --preserve-modification-time
mv $(@D)/tar-$(HOST_TAR_VERSION)/* $(@D)
rmdir $(@D)/tar-$(HOST_TAR_VERSION)
endef
HOST_TAR_CONF_OPTS = --without-selinux
# we are built before ccache
HOST_TAR_CONF_ENV = \
CC="$(HOSTCC_NOCCACHE)" \
CXX="$(HOSTCXX_NOCCACHE)"
$(eval $(host-autotools-package))
Reference in New Issue View Git Blame Copy Permalink