diff --git a/0001-Avoid-path-traversal.patch b/0001-Avoid-path-traversal.patch
deleted file mode 100644
index 0189717..0000000
--- a/0001-Avoid-path-traversal.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 0ccdf564b6a3e26522a8eb1858f1828844fa3536 Mon Sep 17 00:00:00 2001
-From: Stephen Kitt
-Date: Mon, 5 Jan 2015 06:28:00 +0000
-Subject: [PATCH] Avoid path traversal
-
-gcab suffers from a directory traversal bug: it doesn't filter leading
-slashes from paths in CAB files.
-(see https://bugs.debian.org/774580)
-
-The attached patch fixes this, at the cost of ugly paths when faced with
-relative traversals. At least all the CAB's contents can be extracted,
-without overwriting anything outside the extraction path.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=742331
----
- libgcab/gcab-folder.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
-index a140e2c..9510cf3 100644
---- a/libgcab/gcab-folder.c
-+++ b/libgcab/gcab-folder.c
-@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
- fname[i] = '/';
-
- GFile *gfile = g_file_resolve_relative_path (path, fname);
-- GFile *parent = g_file_get_parent (gfile);
- g_free (fname);
-
-+ if (!g_file_has_prefix (gfile, path)) {
-+ // "Rebase" the file in the given path, to ensure we never escape it
-+ char *rawpath = g_file_get_path (gfile);
-+ if (rawpath != NULL) {
-+ char *newpath = rawpath;
-+ while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
-+ newpath++;
-+ }
-+ GFile *newgfile = g_file_resolve_relative_path (path, newpath);
-+ g_free (rawpath);
-+ g_object_unref (gfile);
-+ gfile = newgfile;
-+ }
-+ }
-+
-+ GFile *parent = g_file_get_parent (gfile);
-+
- if (!g_file_make_directory_with_parents (parent, cancellable, &my_error)) {
- if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
- g_clear_error (&my_error);
---
-2.1.0
-
diff --git a/0001-gcab-file-fix-wrong-file-modification-day.patch b/0001-gcab-file-fix-wrong-file-modification-day.patch
new file mode 100644
index 0000000..5b59fe2
--- /dev/null
+++ b/0001-gcab-file-fix-wrong-file-modification-day.patch
@@ -0,0 +1,31 @@
+From 258e58715f404964a8417b2235431f565ae295e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Thu, 30 Jul 2015 23:45:28 +0200
+Subject: [PATCH] gcab-file: fix wrong file modification day
+
+The day of the struct tm is not (0-30) but (1-31), no need to add +1!
+This fixes creation of cabinet file and MSI that Windows Installer
+rejects because of invalid date (29-02-2005 for ex).
+
+See bug:
+https://bugzilla.gnome.org/show_bug.cgi?id=753040
+---
+ libgcab/gcab-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgcab/gcab-file.c b/libgcab/gcab-file.c
+index d97539d..b55fbb5 100644
+--- a/libgcab/gcab-file.c
++++ b/libgcab/gcab-file.c
+@@ -142,7 +142,7 @@ gcab_file_update_info (GCabFile *self, GFileInfo *info)
+ self->cfile.usize = g_file_info_get_size (info);
+ self->cfile.fattr = GCAB_FILE_ATTRIBUTE_ARCH;
+ self->cfile.date = ((m->tm_year + 1900 - 1980 ) << 9 ) +
+- ((m->tm_mon+1) << 5 ) + (m->tm_mday+1);
++ ((m->tm_mon+1) << 5 ) + (m->tm_mday);
+ self->cfile.time = (m->tm_hour << 11) + (m->tm_min << 5) + (m->tm_sec / 2);
+
+ return TRUE;
+--
+2.4.3
+
diff --git a/gcab.spec b/gcab.spec
index 2f91677..e547021 100644
--- a/gcab.spec
+++ b/gcab.spec
@@ -1,12 +1,13 @@ Name: gcab Version: 0.6 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Cabinet file library and tool License: LGPLv2+ #VCS: git:git://git.gnome.org/gcab URL: http://ftp.gnome.org/pub/GNOME/sources/gcab Source0: http://ftp.gnome.org/pub/GNOME/sources/gcab/%{version}/%{name}-%{version}.tar.xz +Patch0: 0001-gcab-file-fix-wrong-file-modification-day.patch BuildRequires: intltool BuildRequires: vala-tools 
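Review bot: The year term in the `self->cfile.date` packing, `(m->tm_year + 1900 - 1980 ) << 9`, is still unguarded in the patched code. For a file whose modification time is before 1980 it is negative, and left-shifting a negative `int` is undefined behaviour in C and cannot yield a valid packed date. That is the same failure class this patch fixes (a cabinet carrying a date that consumers reject), so the range should be checked before packing, e.g. `int year = m->tm_year + 1900 - 1980; if (year < 0) year = 0;` with `year << 9` used in the expression. How `m` is obtained and the width of `cfile.date` are outside the hunk, so whether a NULL `m` or a year beyond the field's range also needs handling should be checked in the rest of `gcab_file_update_info`.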
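Review bot: `Patch0:` now points at the modification-day fix, while the same commit deletes 0001-Avoid-path-traversal.patch, and nothing visible in the spec, including the new `%changelog` entry, records why a security patch is dropped. The three context lines after `Source0:` show no `Patch` line for it, so it was presumably already unapplied because the 0.6 tarball contains upstream commit 0ccdf564; that is an inference and should be confirmed against the 0.6 sources in `gcab_folder_extract`. Once confirmed, record it in the changelog, for example `- Drop unused 0001-Avoid-path-traversal.patch (fix already in the 0.6 sources)`, so a later audit of the directory traversal fix can trace where it lives.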
@@ -36,6 +37,7 @@ Libraries, includes, etc. to compile with the gcab library. %prep %setup -q +%patch0 -p1 %build # --enable-fast-install is needed to fix libtool "cannot relink `gcab'" @@ -73,6 +75,9 @@ rm -f %{buildroot}%{_libdir}/*.la %{_libdir}/pkgconfig/libgcab-1.0.pc %changelog +* Thu Jul 30 2015 Marc-André Lureau - 0.6-4 +- Fix wrong file modification date when creating cab. + * Wed Jun 17 2015 Fedora Release Engineering - 0.6-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild