Blob Blame History Raw
Summary:        Tar file manipulation API
Name:           libtar
Version:        1.2.20
Release:        17%{?dist}
License:        MIT
URL:            http://repo.or.cz/libtar.git
Source:         http://repo.or.cz/libtar.git/snapshot/refs/tags/v1.2.20.tar.gz#/libtar-v1.2.20.tar.gz
Patch1:         libtar-1.2.11-missing-protos.patch
Patch4:         libtar-1.2.11-mem-deref.patch
Patch5:         libtar-1.2.20-fix-resource-leaks.patch
Patch6:         libtar-1.2.11-bz729009.patch
Patch7:         libtar-1.2.20-no-static-buffer.patch

# fix programming mistakes detected by static analysis (#1602596)
Patch8:         libtar-1.2.20-static-analysis.patch

# fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)
Patch9:         libtar-1.2.20-CVE-2021-33643-CVE-2021-33644.patch

# fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646)
Patch10:        libtar-1.2.20-CVE-2021-33645-CVE-2021-33646.patch

BuildRequires:  libtool
BuildRequires:  zlib-devel

%description
libtar is a C library for manipulating tar archives. It supports both
the strict POSIX tar format and many of the commonly-used GNU
extensions.


%package        devel
Summary:        Development files for %{name}
Requires:       %{name} = %{version}-%{release}

%description    devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.


%prep
%autosetup -n libtar-v%{version} -p1

# set correct version for .so build
%global ltversion %(echo %{version} | tr '.' ':')
sed -i 's/-rpath $(libdir)/-rpath $(libdir) -version-number %{ltversion}/' \
  lib/Makefile.in

autoreconf -iv


%build
%configure --disable-static
make %{?_smp_mflags}


%install
make install DESTDIR=$RPM_BUILD_ROOT
# Without this we get no debuginfo and stripping
chmod +x $RPM_BUILD_ROOT%{_libdir}/libtar.so.%{version}
rm $RPM_BUILD_ROOT%{_libdir}/*.la


%ldconfig_scriptlets


%files
%doc COPYRIGHT TODO README ChangeLog*
%{_bindir}/%{name}
%{_libdir}/lib*.so.*

%files devel
%{_includedir}/libtar.h
%{_includedir}/libtar_listhash.h
%{_libdir}/lib*.so
%{_mandir}/man3/*.3*


%changelog
* Mon Dec 19 2022 Kamil Dudka <kdudka@redhat.com> - 1.2.20-17
- fix use-after-free bugs introduced by incorrect memleak fixes (CVE-2021-33640)

* Fri Aug 26 2022 Kamil Dudka <kdudka@redhat.com> - 1.2.20-16
- fix memory leaks through gnu_long{name,link} (CVE-2021-33645 CVE-2021-33646)
- fix out-of-bounds read in gnu_long{name,link} (CVE-2021-33643 CVE-2021-33644)

* Wed Nov 07 2018 Kamil Dudka <kdudka@redhat.com> - 1.2.20-15
- fix programming mistakes detected by static analysis (#1602596)

* Thu Jul 12 2018 Kamil Dudka <kdudka@redhat.com> - 1.2.20-14
- fix source URL and re-download the upstream tarball

* Wed May 30 2018 Kamil Dudka <kdudka@redhat.com> - 1.2.20-13
- drop obsolete Group tags
- replace dead project URL

* Thu Feb 08 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.2.20-12
- Switch to %%ldconfig_scriptlets

* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.20-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.20-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.20-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.20-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.20-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.20-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.2.20-6
- Rebuilt for Fedora 23 Change
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.20-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.20-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri Oct 25 2013 Kamil Dudka <kdudka@redhat.com> - 1.2.20-3
- avoid using a static buffer in th_get_pathname()

* Wed Oct 16 2013 Kamil Dudka <kdudka@redhat.com> - 1.2.20-2
- use the upstream version of resource leak patches

* Thu Oct 10 2013 Kamil Dudka <kdudka@redhat.com> - 1.2.20-1
- update to 1.2.20 (latest upstream release)

* Thu Oct 10 2013 Kamil Dudka <kdudka@redhat.com> - 1.2.11-28
- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive

* Fri Oct 04 2013 Kamil Dudka <kdudka@redhat.com> - 1.2.11-27
- fix file descriptor leaks reported by cppcheck (#785760)

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Tue Aug 28 2012 Kamil Dudka <kdudka@redhat.com> - 1.2.11-24
- fix specfile issues reported by the fedora-review script

* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Tue Aug 09 2011 Kamil Dudka <kdudka@redhat.com> - 1.2.11-21
- Allow to extract debug-info from /usr/bin/libtar (#729009)

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Thu May 27 2010 Kamil Dudka <kdudka@redhat.com> - 1.2.11-19
- Completed review of memory leaks related patches (#589056)

* Mon May 3 2010 Huzaifa Sidhpurwala <huzaifas@redhat.com> - 1.2.11-18
- Fix more memory leaks

* Mon May 3 2010 Huzaifa Sidhpurwala <huzaifas@redhat.com> - 1.2.11-17
- Fix lot of memory leaks

* Thu Dec 31 2009 Huzaifa Sidhpurwala <huzaifas@redhat.com> - 1.2.11-16
- Fix invalid memory de-reference issue in BZ #551415

* Fri Nov 20 2009 Huzaifa Sidhpurwala <huzaifas@redhat.com> - 1.2.11-15
- Fix buffer overflow in BZ #538770

* Tue Sep 22 2009 Stepan Kasal <skasal@redhat.com> - 1.2.11-14
- fix up so that it builds again (#511566)

* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.11-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Thu Apr  3 2008 Hans de Goede <j.w.r.degoede@hhs.nl> 1.2.11-11
- Fix missing prototype compiler warnings

* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.2.11-10
- Autorebuild for GCC 4.3

* Mon Aug 13 2007 Hans de Goede <j.w.r.degoede@hhs.nl> 1.2.11-9
- Update License tag for new Licensing Guidelines compliance

* Mon Aug 28 2006 Hans de Goede <j.w.r.degoede@hhs.nl> 1.2.11-8
- FE6 Rebuild

* Sun Jul 23 2006 Hans de Goede <j.w.r.degoede@hhs.nl> 1.2.11-7
- Taking over as maintainer since Anvil has other priorities
- Add a bunch of patches from Debian, which build a .so instead of a .a
  and fix a bunch of memory leaks.
- Reinstate a proper devel package as we now build a .so

* Thu Mar 16 2006 Dams <anvil[AT]livna.org> - 1.2.11-6.fc5
- Modified URL and added one in Source0

* Sun May 22 2005 Jeremy Katz <katzj@redhat.com> - 1.2.11-5
- rebuild on all arches

* Fri Apr  8 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt

* Sat Aug 16 2003 Dams <anvil[AT]livna.org> 0:1.2.11-0.fdr.3
- Merged devel and main packages
- Package provide now libtar-devel

* Tue Jul  8 2003 Dams <anvil[AT]livna.org>
- Initial build.