head	1.2;
access;
symbols
	pkgsrc-2023Q2:1.1.0.4
	pkgsrc-2023Q2-base:1.1
	pkgsrc-2023Q1:1.1.0.2
	pkgsrc-2023Q1-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2023.08.06.07.23.07;	author adam;	state dead;
branches;
next	1.1;
commitid	8Vx5DPHLErLKeHzE;

1.1
date	2023.03.26.09.18.48;	author spz;	state Exp;
branches;
next	;
commitid	UOXOaM6dhsyA9CiE;


desc
@@


1.2
log
@gtar: updated to 1.35

version 1.35

* Fail when building GNU tar, if the platform supports 64-bit time_t but the build uses only 32-bit time_t.

* Leave the devmajor and devminor fields empty (rather than zero) for non-special files, as this is more compatible with traditional tar.

* Bug fixes

** Fix interaction of --update with --wildcards.

** When extracting archives into an empty directory, do not create hard links to files outside that directory.

** Handle partial reads from regular files.

** Warn "file changed as we read it" less often. Formerly, tar warned if the file's size or ctime changed. However, this generated a false positive if tar read a file while another process hard-linked to it, changing its ctime. Now, tar warns if the file's size, mtime, user ID, group ID, or mode changes. Although neither heuristic is perfect, the new one should work better in practice.

** Fix --ignore-failed-read to ignore file-changed read errors as far as exit status is concerned. You can now suppress file-changed issues entirely with --ignore-failed-read --warning=no-file-changed.

** Fix --remove-files to not remove a file that changed while we read it.

** Fix --atime-preserve=replace to not fail if there was no need to replace, either because we did not read the file, or the atime did not change.

** Fix race when creating a parent directory while another process is also doing so.

** Fix handling of prefix keywords not followed by "." in pax headers.

** Fix handling of out-of-range sparse entries in pax headers.

** Fix handling of --transform='s/s/@@/2'.

** Fix treatment of options ending in / in files-from list.

** Fix crash on 'tar --checkpoint-action exec=\"'. ** Fix low-memory crash when reading incremental dumps. ** Fix --exclude-vcs-ignores memory allocation misuse. @ text @$NetBSD: patch-CVE-2022-48303,v 1.1 2023/03/26 09:18:48 spz Exp $ fix for CVE-2022-48303 from git.savannah.gnu.org commit 3da78400eafcccb97e2f2fd4b227ea40d794ede8 --- src/list.c.orig 2021-02-04 14:00:33.000000000 +0000 +++ src/list.c @@@@ -874,8 +874,9 @@@@ from_header (char const *where0, size_t where++; } } - else if (*where == '\200' /* positive base-256 */ - || *where == '\377' /* negative base-256 */) + else if (where <= lim - 2 + && (*where == '\200' /* positive base-256 */ + || *where == '\377' /* negative base-256 */)) { /* Parse base-256 output. A nonnegative number N is represented as (256**DIGS)/2 + N; a negative number -N is @ 1.1 log @add the patch for CVE-2022-48303 from the gtar git @ text @d1 1 a1 1 $NetBSD$ @
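Review bot: the new guard `where <= lim - 2` computes the pointer `lim - 2` before comparing it, which is undefined behaviour in C whenever the field is shorter than two bytes, even though that pointer is never dereferenced; the equivalent `2 <= lim - where` compares a ptrdiff_t instead and reads as what the check actually guarantees, namely that `where[0]` (the `'\200'`/`'\377'` marker byte) and `where[1]` both lie inside the field. A one-line comment to that effect next to the condition would also stop the next reader from taking `lim - 2` (rather than `lim - 1`) for an off-by-one. Note that the hunk only protects this branch: a field consisting entirely of whitespace now leaves the `where++` loop with `where == lim`, fails the new test, and falls through to whatever follows the closing `}` of this `else if`, which the hunk does not show, so please confirm that path does not read `*where` either.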