aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2014-12-30 14:13:20 -0500
committerMark H Weaver <mhw@netris.org>2014-12-30 14:48:13 -0500
commitc7bdc7ece5650be75314dc302f3cdcf02806857b (patch)
treea9e7d038daf6e113e79d50255c0143c3719a4cbb
parent1c69e4ce3f33242ee8d209b8078fc78a73355446 (diff)
downloadpatches-c7bdc7ece5650be75314dc302f3cdcf02806857b.tar
patches-c7bdc7ece5650be75314dc302f3cdcf02806857b.tar.gz
gnu: cpio: Add fixes for CVE-2014-9112.
* gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch, gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/cpio.scm (cpio): Add patches. Add 'autoconf' to native-inputs.
-rw-r--r--gnu-system.am5
-rw-r--r--gnu/packages/cpio.scm15
-rw-r--r--gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch231
-rw-r--r--gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch51
-rw-r--r--gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch23
-rw-r--r--gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch105
-rw-r--r--gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch88
7 files changed, 517 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index fea7447964..a91915051a 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -339,6 +339,11 @@ dist_patch_DATA = \
gnu/packages/patches/clucene-pkgconfig.patch \
gnu/packages/patches/cmake-fix-tests.patch \
gnu/packages/patches/coreutils-dummy-man.patch \
+ gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch \
+ gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch \
+ gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch \
+ gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch \
+ gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch \
gnu/packages/patches/cpio-gets-undeclared.patch \
gnu/packages/patches/cssc-gets-undeclared.patch \
gnu/packages/patches/cssc-missing-include.patch \
diff --git a/gnu/packages/cpio.scm b/gnu/packages/cpio.scm
index eff146ded5..87f85d00e8 100644
--- a/gnu/packages/cpio.scm
+++ b/gnu/packages/cpio.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -19,6 +20,7 @@
(define-module (gnu packages cpio)
#:use-module (guix licenses)
#:use-module (gnu packages)
+ #:use-module (gnu packages autotools)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix build-system gnu))
@@ -34,8 +36,19 @@
(sha256
(base32
"1gavgpzqwgkpagjxw72xgxz52y1ifgz0ckqh8g7cckz7jvyhp0mv"))
- (patches (list (search-patch "cpio-gets-undeclared.patch")))))
+ (patches (list (search-patch "cpio-CVE-2014-9112-pt1.patch")
+ (search-patch "cpio-CVE-2014-9112-pt2.patch")
+ (search-patch "cpio-CVE-2014-9112-pt3.patch")
+ (search-patch "cpio-CVE-2014-9112-pt4.patch")
+ (search-patch "cpio-CVE-2014-9112-pt5.patch")
+ (search-patch "cpio-gets-undeclared.patch")))))
(build-system gnu-build-system)
+
+ ;; FIXME: autoconf is needed to run autom4te, to update to test suite
+ ;; after the CVE-2014-9112 patches. Remove this when cpio is
+ ;; updated to post-2.11.
+ (native-inputs `(("autoconf" ,autoconf)))
+
(home-page "https://www.gnu.org/software/cpio/")
(synopsis "Manage cpio and tar file archives")
(description
diff --git a/gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch b/gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch
new file mode 100644
index 0000000000..1224c6c22d
--- /dev/null
+++ b/gnu/packages/patches/cpio-CVE-2014-9112-pt1.patch
@@ -0,0 +1,231 @@
+Partially fix CVE-2014-9112, part 1/5. Backported to 2.11.
+
+From 746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Mon, 01 Dec 2014 13:15:28 +0000
+Subject: Fix memory overrun on reading improperly created link records.
+
+See http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
+
+* src/copyin.c (get_link_name): New function.
+(list_file, copyin_link): use get_link_name
+
+* tests/symlink-bad-length.at: New file.
+* tests/symlink-long.at: New file.
+* tests/Makefile.am: Add new files.
+* tests/testsuite.at: Likewise.
+---
+diff --git a/src/copyin.c b/src/copyin.c
+index 38d809f..c502c7d 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -124,10 +124,30 @@ tape_skip_padding (int in_file_des, off_t offset)
+ if (pad != 0)
+ tape_toss_input (in_file_des, pad);
+ }
+-
++
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++ off_t n = file_hdr->c_filesize + 1;
++ char *link_name;
++
++ if (n == 0 || n > SIZE_MAX)
++ {
++ error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++ link_name = NULL;
++ }
++ else
++ {
++ link_name = xmalloc (n);
++ tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++ link_name[file_hdr->c_filesize] = '\0';
++ tape_skip_padding (in_file_des, file_hdr->c_filesize);
++ }
++ return link_name;
++}
+
+ static void
+-list_file(struct cpio_file_stat* file_hdr, int in_file_des)
++list_file (struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+ if (verbose_flag)
+ {
+@@ -136,21 +156,16 @@ list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+ if (archive_format != arf_tar && archive_format != arf_ustar)
+ {
+- char *link_name = NULL; /* Name of hard and symbolic links. */
+-
+- link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+- link_name[file_hdr->c_filesize] = '\0';
+- tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+- long_format (file_hdr, link_name);
+- free (link_name);
+- tape_skip_padding (in_file_des, file_hdr->c_filesize);
+- return;
++ char *link_name = get_link_name (file_hdr, in_file_des);
++ if (link_name)
++ {
++ long_format (file_hdr, link_name);
++ free (link_name);
++ }
+ }
+ else
+- {
+- long_format (file_hdr, file_hdr->c_tar_linkname);
+- return;
+- }
++ long_format (file_hdr, file_hdr->c_tar_linkname);
++ return;
+ }
+ else
+ #endif
+@@ -650,10 +665,7 @@ copyin_link(struct cpio_file_stat *file_
+
+ if (archive_format != arf_tar && archive_format != arf_ustar)
+ {
+- link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+- link_name[file_hdr->c_filesize] = '\0';
+- tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+- tape_skip_padding (in_file_des, file_hdr->c_filesize);
++ link_name = get_link_name (file_hdr, in_file_des);
+ }
+ else
+ {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 3f714d1..b4ca92d 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -52,6 +52,8 @@ TESTSUITE_AT = \
+ setstat04.at\
+ setstat05.at\
+ symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+ version.at
+
+ TESTSUITE = $(srcdir)/testsuite
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+new file mode 100644
+index 0000000..6f804b1
+--- a/dev/null
++++ b/tests/symlink-bad-length.at
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length too big
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff --git a/tests/symlink-long.at b/tests/symlink-long.at
+new file mode 100644
+index 0000000..d3def2d
+--- a/dev/null
++++ b/tests/symlink-long.at
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++ dirname="xxxxxxxxx/$dirname"
++ mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index e67689f..3b5377e 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -31,6 +31,8 @@ m4_include([version.at])
+
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
+ m4_include([interdir.at])
+
+ m4_include([setstat01.at])
+--
+cgit v0.9.0.2
diff --git a/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch b/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch
new file mode 100644
index 0000000000..77c531cb54
--- /dev/null
+++ b/gnu/packages/patches/cpio-CVE-2014-9112-pt2.patch
@@ -0,0 +1,51 @@
+Partially fix CVE-2014-9112, part 2/5.
+
+From 54d1c42ac2cb91389fca04a5018ad573e4ae265a Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Mon, 01 Dec 2014 19:10:39 +0000
+Subject: Bugfix
+
+* src/copyin.c (get_link_name): Fix range checking.
+* tests/symlink-bad-length.at: Change expected error message.
+---
+diff --git a/src/copyin.c b/src/copyin.c
+index c502c7d..042cc41 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -128,17 +128,17 @@ tape_skip_padding (int in_file_des, off_t offset)
+ static char *
+ get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+- off_t n = file_hdr->c_filesize + 1;
+ char *link_name;
+
+- if (n == 0 || n > SIZE_MAX)
++ if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
+ {
+- error (0, 0, _("%s: stored filename length too big"), file_hdr->c_name);
++ error (0, 0, _("%s: stored filename length is out of range"),
++ file_hdr->c_name);
+ link_name = NULL;
+ }
+ else
+ {
+- link_name = xmalloc (n);
++ link_name = xmalloc (file_hdr->c_filesize);
+ tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+ link_name[file_hdr->c_filesize] = '\0';
+ tape_skip_padding (in_file_des, file_hdr->c_filesize);
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index 6f804b1..cbf4aa7 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -42,7 +42,7 @@ test $? -eq 2
+ ],
+ [0],
+ [-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
+-],[cpio: LINK: stored filename length too big
++],[cpio: LINK: stored filename length is out of range
+ cpio: premature end of file
+ ])
+
+--
+cgit v0.9.0.2
diff --git a/gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch b/gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch
new file mode 100644
index 0000000000..644dc6f9ef
--- /dev/null
+++ b/gnu/packages/patches/cpio-CVE-2014-9112-pt3.patch
@@ -0,0 +1,23 @@
+Partially fix CVE-2014-9112, part 3/5.
+
+From 58df4f1b44a1142bba500f980fd26806413b1728 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Tue, 02 Dec 2014 09:33:29 +0000
+Subject: Fix typo
+
+---
+diff --git a/src/copyin.c b/src/copyin.c
+index 042cc41..264bfcb 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -138,7 +138,7 @@ get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
+ }
+ else
+ {
+- link_name = xmalloc (file_hdr->c_filesize);
++ link_name = xmalloc (file_hdr->c_filesize + 1);
+ tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+ link_name[file_hdr->c_filesize] = '\0';
+ tape_skip_padding (in_file_des, file_hdr->c_filesize);
+--
+cgit v0.9.0.2
diff --git a/gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch b/gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch
new file mode 100644
index 0000000000..fa2e8530b2
--- /dev/null
+++ b/gnu/packages/patches/cpio-CVE-2014-9112-pt4.patch
@@ -0,0 +1,105 @@
+Partially fix CVE-2014-9112, part 4/5. Backported to 2.11.
+
+From fd262d116c4564c1796be9be2799619cf7785d07 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Thu, 11 Dec 2014 10:51:21 +0000
+Subject: Fix error recovery in copy-in mode
+
+* src/copyin.c (copyin_link): Fix null dereference.
+(read_in_header): Fix error recovery (bug introduced by
+27e0ae55).
+* tests/symlink-bad-length.at: Test error recovery.
+Catch various architecture-dependent error messages (suggested
+by Pavel Raiskup).
+---
+diff --git a/src/copyin.c b/src/copyin.c
+index 264bfcb..ca12356 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -655,7 +655,7 @@ copyin_device (struct cpio_file_stat* file_hdr)
+ }
+
+ static void
+-copyin_link(struct cpio_file_stat *file_hdr, int in_file_des)
++copyin_link (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+ char *link_name = NULL; /* Name of hard and symbolic links. */
+ int res; /* Result of various function calls. */
+@@ -666,6 +666,8 @@ copyin_link(struct cpio_file_stat *file_
+ if (archive_format != arf_tar && archive_format != arf_ustar)
+ {
+ link_name = get_link_name (file_hdr, in_file_des);
++ if (!link_name)
++ return;
+ }
+ else
+ {
+@@ -1017,7 +1019,7 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
+
+ file_hdr->c_tar_linkname = NULL;
+
+- tape_buffered_read (magic.str, in_des, 6L);
++ tape_buffered_read (magic.str, in_des, sizeof (magic.str));
+ while (1)
+ {
+ if (append_flag)
+@@ -1062,8 +1064,8 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
+ break;
+ }
+ bytes_skipped++;
+- memmove (magic.str, magic.str + 1, 5);
+- tape_buffered_read (magic.str, in_des, 1L);
++ memmove (magic.str, magic.str + 1, sizeof (magic.str) - 1);
++ tape_buffered_read (magic.str + sizeof (magic.str) - 1, in_des, 1L);
+ }
+ }
+
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index cbf4aa7..4dbeaa3 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -24,9 +24,9 @@ AT_SETUP([symlink-bad-length])
+ AT_KEYWORDS([symlink-long copyout])
+
+ AT_DATA([ARCHIVE.base64],
+-[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
+-JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
+-UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++[x3ECCJ1jtIHoA2QAAQAAAIlUwl0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxAgidHv+h6ANk
++AAEAAACJVHFtBQD/////TElOSwAARklMRcdxAgieHqSB6ANkAAEAAACJVDJuBgAAABIARklMRTIA
++c29tZSBtb3JlIGNvbnRlbnQKx3EAAAAAAAAAAAAAAQAAAAAAAAALAAAAAABUUkFJTEVSISEhAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+@@ -37,13 +37,23 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+ AT_CHECK([
+ base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+-cpio -ntv < ARCHIVE
+-test $? -eq 2
++TZ=UTC cpio -ntv < ARCHIVE 2>stderr
++rc=$?
++cat stderr | grep -v \
++ -e 'stored filename length is out of range' \
++ -e 'premature end of file' \
++ -e 'archive header has reverse byte-order' \
++ -e 'memory exhausted' \
++ >&2
++echo >&2 STDERR
++test "$rc" -ne 0
+ ],
+-[0],
+-[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
+-],[cpio: LINK: stored filename length is out of range
+-cpio: premature end of file
++[1],
++[-rw-rw-r-- 1 1000 100 13 Dec 11 09:02 FILE
++-rw-r--r-- 1 1000 100 18 Dec 11 10:13 FILE2
++],[cpio: warning: skipped 4 bytes of junk
++1 block
++STDERR
+ ])
+
+ AT_CLEANUP
+--
+cgit v0.9.0.2
diff --git a/gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch b/gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch
new file mode 100644
index 0000000000..75313cbefa
--- /dev/null
+++ b/gnu/packages/patches/cpio-CVE-2014-9112-pt5.patch
@@ -0,0 +1,88 @@
+Partially fix CVE-2014-9112, part 5/5. Backported to 2.11.
+
+From f6a8a2cbd2d5ca40ea94900b55b845dd5ca87328 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Thu, 11 Dec 2014 13:21:40 +0000
+Subject: Fix symlink-bad-length test for 64-bit architectures.
+
+* src/util.c: Return non-zero exit code if EOF is hit prematurely.
+* tests/symlink-bad-length.at: Revert to original archive: there's
+no use testing for recovery, because that depends on the host
+architecture. Don't test for exit code as well (same reason).
+Account for eventual warning messages.
+---
+diff --git a/src/util.c b/src/util.c
+index 6c483f8..39c9813 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -206,10 +206,7 @@ tape_fill_input_buffer (int in_des, int
+ if (input_size < 0)
+ error (1, errno, _("read error"));
+ if (input_size == 0)
+- {
+- error (0, 0, _("premature end of file"));
+- exit (1);
+- }
++ error (PAXEXIT_FAILURE, 0, _("premature end of file"));
+ input_bytes += input_size;
+ }
+
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index 4dbeaa3..e1a7093 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -24,9 +24,9 @@ AT_SETUP([symlink-bad-length])
+ AT_KEYWORDS([symlink-long copyout])
+
+ AT_DATA([ARCHIVE.base64],
+-[x3ECCJ1jtIHoA2QAAQAAAIlUwl0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxAgidHv+h6ANk
+-AAEAAACJVHFtBQD/////TElOSwAARklMRcdxAgieHqSB6ANkAAEAAACJVDJuBgAAABIARklMRTIA
+-c29tZSBtb3JlIGNvbnRlbnQKx3EAAAAAAAAAAAAAAQAAAAAAAAALAAAAAABUUkFJTEVSISEhAAAA
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+@@ -35,25 +35,30 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ ])
+
++# The exact error message and exit status depend on the host architecture,
++# therefore strderr is filtered out and error code is not checked.
++
++# So far the only case when cpio would exit with code 0 is when it skips
++# several bytes and encounters a valid record header. Perhaps it should
++# exit with code 2 (non-critical error), if at least one byte was skipped,
++# but that could hurt backward compatibility.
++
+ AT_CHECK([
+ base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+-TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+-rc=$?
++TZ=UTC cpio -ntv < ARCHIVE 2>stderr
+ cat stderr | grep -v \
+ -e 'stored filename length is out of range' \
+ -e 'premature end of file' \
+ -e 'archive header has reverse byte-order' \
+ -e 'memory exhausted' \
++ -e 'skipped [[0-9][0-9]*] bytes of junk' \
++ -e '[[0-9][0-9]*] block' \
+ >&2
+ echo >&2 STDERR
+-test "$rc" -ne 0
+ ],
+-[1],
+-[-rw-rw-r-- 1 1000 100 13 Dec 11 09:02 FILE
+--rw-r--r-- 1 1000 100 18 Dec 11 10:13 FILE2
+-],[cpio: warning: skipped 4 bytes of junk
+-1 block
+-STDERR
++[0],
++[-rw-rw-r-- 1 10029 10031 13 Nov 25 11:52 FILE
++],[STDERR
+ ])
+
+ AT_CLEANUP
+--
+cgit v0.9.0.2