1 files changed, 47 insertions, 0 deletions

diff --git a/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
new file mode 100644
index 000000000000..326489a54943
--- /dev/null
+++ b/app-arch/cpio/files/cpio-2.13-fix-no-absolute-filenames-revert-CVE-2015-1197-handling.patch
@@ -0,0 +1,47 @@
+https://sources.debian.org/patches/cpio/2.13%2Bdfsg-7.1/revert-CVE-2015-1197-handling.patch/
+https://bugs.gentoo.org/700020
+
+From: Chris Lamb <lamby@debian.org>
+Date: Sat, 1 Feb 2020 13:36:37 +0100
+Subject: Fix a regression in handling of CVE-2015-1197 &
+ --no-absolute-filenames.
+
+See:
+
+  * https://bugs.debian.org/946267
+  * https://bugs.debian.org/946469
+
+This reverts (most of): https://git.savannah.gnu.org/cgit/cpio.git/diff/?id=45b0ee2b407913c533f7ded8d6f8cbeec16ff6ca&id2=3177d660a4c62a6acb538b0f7c54ba423698889a
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -646,8 +646,6 @@ copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+       link_name = xstrdup (file_hdr->c_tar_linkname);
+     }
+ 
+-  cpio_safer_name_suffix (link_name, true, !no_abs_paths_flag, false);
+-  
+   res = UMASKED_SYMLINK (link_name, file_hdr->c_name,
+ 			 file_hdr->c_mode);
+   if (res < 0 && create_dir_flag)
+--- a/tests/testsuite
++++ b/tests/testsuite
+@@ -2787,7 +2787,7 @@ read at_status <"$at_status_file"
+ #AT_START_14
+ at_fn_group_banner 14 'CVE-2015-1197.at:17' \
+   "CVE-2015-1197 (--no-absolute-filenames for symlinks)" ""
+-at_xfail=no
++at_xfail=yes
+ (
+   $as_echo "14. $at_setup_line: testing $at_desc ..."
+   $at_traceon
+
+--- a/tests/CVE-2015-1197.at
++++ b/tests/CVE-2015-1197.at
+@@ -15,6 +15,7 @@
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ 
+ AT_SETUP([CVE-2015-1197 (--no-absolute-filenames for symlinks)])
++AT_XFAIL_IF([true])
+ AT_CHECK([
+ tempdir=$(pwd)/tmp
+ mkdir $tempdir