From 6a54302de21f88cf52567bb8b03bf24e6aabd088 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 27 2018 04:20:59 +0000
Subject: import rh-dotnet21-dotnet-2.1.500-5.el7


---

diff --git a/SOURCES/corefx-32165-out-of-directory-extract.patch b/SOURCES/corefx-32165-out-of-directory-extract.patch
new file mode 100644
index 0000000..ca93a09
--- /dev/null
+++ b/SOURCES/corefx-32165-out-of-directory-extract.patch
@@ -0,0 +1,53 @@
+From 65a19e18d7d4b94f50772bd3118c0b9868766af5 Mon Sep 17 00:00:00 2001
+From: Maryam Ariyan <maryam.ariyan@microsoft.com>
+Date: Fri, 7 Sep 2018 10:53:25 -0700
+Subject: [PATCH] Fixes extract out of directory by ensuring trailing separator
+ for nested paths.
+
+Related to PR #32127
+---
+ .../System/IO/Compression/ZipFileExtensions.cs  |  2 ++
+ .../tests/ZipFileConvenienceMethods.cs          | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs b/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
+index 3fef7883c953..c749c8250f9c 100644
+--- a/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
++++ b/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
+@@ -160,6 +160,8 @@ public static void ExtractToDirectory(this ZipArchive source, string destination
+             // Note that this will give us a good DirectoryInfo even if destinationDirectoryName exists:
+             DirectoryInfo di = Directory.CreateDirectory(destinationDirectoryName);
+             string destinationDirectoryFullPath = di.FullName;
++            if (!destinationDirectoryFullPath.EndsWith(Path.DirectorySeparatorChar))
++                destinationDirectoryFullPath += Path.DirectorySeparatorChar;
+ 
+             foreach (ZipArchiveEntry entry in source.Entries)
+             {
+diff --git a/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs b/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
+index 69c822e3fc7e..3a0255d03862 100644
+--- a/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
++++ b/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
+@@ -186,6 +186,23 @@ public void ExtractToDirectoryExtension_Unicode()
+             }
+         }
+ 
++        [Theory]
++        [InlineData("../Foo")]
++        [InlineData("../Barbell")]
++        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Second case fails.")]
++        public void ExtractOutOfRoot(string entryName)
++        {
++            string archivePath = GetTestFilePath();
++            using (FileStream stream = new FileStream(archivePath, FileMode.Create))
++            using (ZipArchive archive = new ZipArchive(stream, ZipArchiveMode.Create, leaveOpen: true))
++            {
++                ZipArchiveEntry entry = archive.CreateEntry(entryName);
++            }
++
++            DirectoryInfo destination = Directory.CreateDirectory(Path.Combine(GetTestFilePath(), "Bar"));
++            Assert.Throws<IOException>(() => ZipFile.ExtractToDirectory(archivePath, destination.FullName));
++        }
++
+         [Fact]
+         public void CreatedEmptyDirectoriesRoundtrip()
+         {
diff --git a/SPECS/dotnet.spec b/SPECS/dotnet.spec
index ff03703..de799d4 100644
--- a/SPECS/dotnet.spec
+++ b/SPECS/dotnet.spec
@@ -35,7 +35,7 @@
 
 Name:           %{?scl_prefix}dotnet
 Version:        %{sdk_version}
-Release:        3%{?dist}
+Release:        5%{?dist}
 Group:          Development/Languages
 Summary:        .NET Core CLI tools and runtime
 License:        MIT and ASL 2.0 and BSD
@@ -51,8 +51,10 @@ URL:            https://github.com/dotnet/
 Source0:        dotnet-v%{runtime_version}a.tar.gz
 Source1:        check-debug-symbols.py
 
-Patch100:         corefx-32956-alpn.patch
-Patch300:         core-setup-4510-commit-id.patch
+Patch100:       corefx-32956-alpn.patch
+Patch101:       corefx-32165-out-of-directory-extract.patch
+
+Patch300:       core-setup-4510-commit-id.patch
 
 ExclusiveArch:  x86_64
 
@@ -171,6 +173,7 @@ sed -i 's|/usr/share/dotnet|%{_libdir}/%{pkg_name}|' src/core-setup/src/corehost
 
 pushd src/corefx
 %patch100 -p1
+%patch101 -p1
 popd
 
 pushd src/core-setup
@@ -255,6 +258,11 @@ echo "Testing build results for debug symbols..."
 %{_libdir}/%{pkg_name}/sdk/%{sdk_version}
 
 %changelog
+* Wed Nov 14 2018 Omair Majid <omajid@redhat.com> - 2.1.500-5
+- Fix extract out of directory
+- Resolves: CVE-2018-8416
+- Resolves: rhbz#1649693
+
 * Fri Nov 09 2018 Omair Majid <omajid@redhat.com> - 2.1.500-3
 - Fix linking alpn support by linking to OpenSSL correctly
 - Fix commit ids in dotnet --info