From 6a54302de21f88cf52567bb8b03bf24e6aabd088 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 27 2018 04:20:59 +0000
Subject: import rh-dotnet21-dotnet-2.1.500-5.el7
---
diff --git a/SOURCES/corefx-32165-out-of-directory-extract.patch b/SOURCES/corefx-32165-out-of-directory-extract.patch
new file mode 100644
index 0000000..ca93a09
--- /dev/null
+++ b/SOURCES/corefx-32165-out-of-directory-extract.patch
@@ -0,0 +1,53 @@
+From 65a19e18d7d4b94f50772bd3118c0b9868766af5 Mon Sep 17 00:00:00 2001
+From: Maryam Ariyan
+Date: Fri, 7 Sep 2018 10:53:25 -0700
+Subject: [PATCH] Fixes extract out of directory by ensuring trailing separator
+ for nested paths.
+
+Related to PR #32127
+---
+ .../System/IO/Compression/ZipFileExtensions.cs | 2 ++
+ .../tests/ZipFileConvenienceMethods.cs | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs b/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
+index 3fef7883c953..c749c8250f9c 100644
+--- a/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
++++ b/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
+@@ -160,6 +160,8 @@ public static void ExtractToDirectory(this ZipArchive source, string destination
+ // Note that this will give us a good DirectoryInfo even if destinationDirectoryName exists:
+ DirectoryInfo di = Directory.CreateDirectory(destinationDirectoryName);
+ string destinationDirectoryFullPath = di.FullName;
++ if (!destinationDirectoryFullPath.EndsWith(Path.DirectorySeparatorChar))
++ destinationDirectoryFullPath += Path.DirectorySeparatorChar;
+
+ foreach (ZipArchiveEntry entry in source.Entries)
+ {
+diff --git a/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs b/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
+index 69c822e3fc7e..3a0255d03862 100644
+--- a/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
++++ b/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
+@@ -186,6 +186,23 @@ public void ExtractToDirectoryExtension_Unicode()
+ }
+ }
+
++ [Theory]
++ [InlineData("../Foo")]
++ [InlineData("../Barbell")]
++ [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Second case fails.")]
++ public void ExtractOutOfRoot(string entryName)
++ {
++ string archivePath = GetTestFilePath();
++ using (FileStream stream = new FileStream(archivePath, FileMode.Create))
++ using (ZipArchive archive = new ZipArchive(stream, ZipArchiveMode.Create, leaveOpen: true))
++ {
++ ZipArchiveEntry entry = archive.CreateEntry(entryName);
++ }
++
++ DirectoryInfo destination = Directory.CreateDirectory(Path.Combine(GetTestFilePath(), "Bar"));
++ Assert.Throws(() => ZipFile.ExtractToDirectory(archivePath, destination.FullName));
++ }
++
+ [Fact]
+ public void CreatedEmptyDirectoriesRoundtrip()
+ {
diff --git a/SPECS/dotnet.spec b/SPECS/dotnet.spec
index ff03703..de799d4 100644
--- a/SPECS/dotnet.spec
+++ b/SPECS/dotnet.spec
@@ -35,7 +35,7 @@ Name: %{?scl_prefix}dotnet Version: %{sdk_version} -Release: 3%{?dist} +Release: 5%{?dist} Group: Development/Languages Summary: .NET Core CLI tools and runtime License: MIT and ASL 2.0 and BSD
@@ -51,8 +51,10 @@ URL: https://github.com/dotnet/ Source0: dotnet-v%{runtime_version}a.tar.gz Source1: check-debug-symbols.py -Patch100: corefx-32956-alpn.patch -Patch300: core-setup-4510-commit-id.patch +Patch100: corefx-32956-alpn.patch +Patch101: corefx-32165-out-of-directory-extract.patch + +Patch300: core-setup-4510-commit-id.patch ExclusiveArch: x86_64
@@ -171,6 +173,7 @@ sed -i 's|/usr/share/dotnet|%{_libdir}/%{pkg_name}|' src/core-setup/src/corehost pushd src/corefx %patch100 -p1 +%patch101 -p1 popd pushd src/core-setup
@@ -255,6 +258,11 @@ echo "Testing build results for debug symbols..." %{_libdir}/%{pkg_name}/sdk/%{sdk_version} %changelog +* Wed Nov 14 2018 Omair Majid - 2.1.500-5 +- Fix extract out of directory +- Resolves: CVE-2018-8416 +- Resolves: rhbz#1649693 + * Fri Nov 09 2018 Omair Majid - 2.1.500-3 - Fix linking alpn support by linking to OpenSSL correctly - Fix commit ids in dotnet --info
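Review bot: The two lines added in the ZipFileExtensions.cs hunk have no comment explaining why the trailing separator is security-relevant, and the check that relies on it is not visible here. Presumably the loop below compares each entry's resolved path against `destinationDirectoryFullPath` as a prefix; without the separator, a destination ending in `Bar` would also prefix-match a sibling directory such as `Barbell`. I would add `// Append the separator so the containment check below cannot match a sibling directory that only shares this prefix.` above the `if`. The body of ExtractToDirectory starts and ends outside the hunk, so the comparison itself, including whether it is ordinal and how it treats case, should be confirmed there.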
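Review bot: ExtractOutOfRoot asserts only that extraction throws, so an implementation that writes the entry outside `destination` and then throws would still pass. After the `Assert.Throws` line I would add `Assert.False(File.Exists(Path.GetFullPath(Path.Combine(destination.FullName, entryName))));` to pin that nothing escaped. The `"../Barbell"` case deserves a one-line comment saying it was chosen because it shares the `Bar` prefix with the destination directory name, since that is the case the fix targets. The skip reason "Second case fails." suggests that case is not rejected on .NET Framework, which is worth stating explicitly. The local `entry` is never read, so `archive.CreateEntry(entryName);` alone is enough.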