184984 2007-07-11 19:06 0000 app-arch/libarchive (former app-arch/bsdtar): multiple vulnerabilities 2007-08-09 07:34:37 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED B2? [glsa] DerCorny P2 normal --- 1 flameeyes@gentoo.org security@gentoo.org uberlord@gentoo.org flameeyes@gentoo.org 2007-07-11 19:06:36 0000 From: Colin Percival <cperciva@freebsd.org> To: Free Software Distribution Vendors <vendor-sec@lst.de>, Diego 'Flameeyes' Pettenò <flameeyes@gmail.com> Cc: Ludwig Nussel <ludwig.nussel@suse.de>, team@security.debian.org Subject: security issues in libarchive Date: Wed, 11 Jul 2007 10:14:49 -0700 Hi guys, It seems that more linux vendors are distributing libarchive than I expected, so I might as well send the details to vendor-sec rather than sending separate emails to all the individual vendors contacting me. I've attached FreeBSD's draft advisory and patch for libarchive 2.x; I also have a patch for libarchive 1.x which is almost identical aside from cosmetic changes due to API differences, but it sounds like most or all of you are only shipping libarchive 2.x so I haven't attached that. All versions of libarchive are affected by these issues, with the exception of one which was introduced quite recently when a new readline() function was added; if the final hunk of patch does not apply, you probably don't have that recently added code+bug. Tim Kientzle will be publishing an advisory for these issues on the libarchive website and will release version 2.2.4 of libarchive with these issues fixed; I don't know what the final URLs will be, but you should be able to find them from http://people.freebsd.org/~kientzle/libarchive/ once this becomes public. Please do not publish any advisories or mention this publicly until 15:00 UTC on July 12th. Thanks, Colin Percival FreeBSD Security Officer ============================================================================= FreeBSD-SA-07:05.libarchive Security Advisory The FreeBSD Project Topic: Errors handling corrupt tar files in libarchive(3) Category: core Module: libarchive Announced: 2007-07-12 Credits: CPNI, CERT-FI, Tim Kientzle, Colin Percival Affects: FreeBSD 5.3 and later. Corrected: 2007-07-12 15:XX:XX UTC (RELENG_6, 6.2-STABLE) 2007-07-12 15:XX:XX UTC (RELENG_6_2, 6.2-RELEASE-p6) 2007-07-12 15:XX:XX UTC (RELENG_6_1, 6.1-RELEASE-p18) 2007-07-12 15:XX:XX UTC (RELENG_5, 5.5-STABLE) 2007-07-12 15:XX:XX UTC (RELENG_5_5, 5.5-RELEASE-p14) CVE Name: CVE-2007-3641, CVE-2007-3644, CVE-2007-3645 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background The libarchive library provides a flexible interface for reading and writing streaming archive files such as tar and cpio, and has been the basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3. II. Problem Description Several problems have been found in the code used to parse the tar and pax interchange formats. These include entering an infinite loop if an archive prematurely ends within a pax extension header or if certain types of corruption occur in pax extension headers [CVE-2007-3644]; dereferencing a NULL pointer if an archive prematurely ends within a tar header immediately following a pax extension header or if certain other types of corruption occur in pax extension headers [CVE-2007-3645]; and miscomputing the length of a buffer resulting in a buffer overflow if yet another type of corruption occurs in a pax extension header [CVE-2007-3641]. III. Impact An attacker who can cause a corrupt archive of his choice to be parsed by libarchive, including by having "tar -x" (extract) or "tar -t" (list entries) run on it, can cause libarchive to enter an infinite loop, to core dump, or possibly to execute arbitrary code provided by the attacker. IV. Workaround No workaround is available, but systems which do not read tar or pax extension archives provided by untrusted sources are not vulnerable. Note that while these issues do not affect libarchive's ability to parse cpio, ISO9660, or zip format archives, libarchive automatically detects the format of an archive, so external metadata (e.g., a file name) is not sufficient to ensure that a file will not be parsed using the vulnerable tar/pax format parser. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.5, 6.1, and 6.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 5.5, 6.1, and 6.2] # fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch # fetch http://security.FreeBSD.org/patches/SA-07:05/libarchive.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/libarchive # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path ------------------------------------------------------------------------- RELENG_5 src/lib/libarchive/archive_read_support_format_tar.c 1.26.2.8 RELENG_5_5 src/UPDATING 1.342.2.35.2.14 src/sys/conf/newvers.sh 1.62.2.21.2.16 src/lib/libarchive/archive_read_support_format_tar.c 1.26.2.7.2.1 RELENG_6 src/lib/libarchive/archive_read_support_format_tar.c 1.32.2.5 RELENG_6_2 src/UPDATING 1.416.2.29.2.9 src/sys/conf/newvers.sh 1.69.2.13.2.9 src/lib/libarchive/archive_read_support_format_tar.c 1.32.2.2.2.1 RELENG_6_1 src/UPDATING 1.416.2.22.2.20 src/sys/conf/newvers.sh 1.69.2.11.2.20 src/lib/libarchive/archive_read_support_format_tar.c 1.32.6.1 ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3641 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3644 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3645 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-07:05.libarchive.asc --- I have the patches, what should I do? Prepare for secret release or? dercorny@gentoo.org 2007-07-12 10:08:33 0000 yes, please provide some ebuilds and attach them here, dont commit yet (unless this goes public faster than you are) flameeyes@gentoo.org 2007-07-12 10:37:53 0000 Created an attachment (id=124629) libarchive-6stable.patch Patch (updated from the second mail, with Matt Dillon's fix). flameeyes@gentoo.org 2007-07-12 10:38:15 0000 Created an attachment (id=124630) bsdtar-2.2.3-r1.ebuild flameeyes@gentoo.org 2007-07-12 17:10:54 0000 *** Bug 185085 has been marked as a duplicate of this bug. *** dercorny@gentoo.org 2007-07-12 17:14:13 0000 public flameeyes@gentoo.org 2007-07-12 17:20:12 0000 I suppose that at this point we could mark 2.2.4 stable and be done with it (I'll add a 2.2.4-r1 to fix a bug, but that's not urgent). dercorny@gentoo.org 2007-07-12 17:34:01 0000 amd64, please test and stable bsdtar-2.2.4 (or, even better, 2.2.4-r1 if it's around when you stable) beandog@gentoo.org 2007-07-13 00:45:07 0000 (In reply to comment #7) > amd64, please test and stable bsdtar-2.2.4 (or, even better, 2.2.4-r1 if it's > around when you stable) > done flameeyes@gentoo.org 2007-07-13 15:16:28 0000 The package was renamed today (to avoid publishing a glsa bound to be invalidated by the move). py@gentoo.org 2007-08-09 07:34:37 0000 that was GLSA 200708-03, thanks everybody! 124629 2007-07-12 10:37 0000 libarchive-6stable.patch libarchive-6stable.patch text/plain SW5kZXg6IGxpYi9saWJhcmNoaXZlL2FyY2hpdmVfcmVhZF9zdXBwb3J0X2Zvcm1hdF90YXIuYwo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09ClJDUyBmaWxlOiAvaG9tZS9uY3ZzL3NyYy9saWIvbGliYXJjaGl2ZS9hcmNoaXZl X3JlYWRfc3VwcG9ydF9mb3JtYXRfdGFyLmMsdgpyZXRyaWV2aW5nIHJldmlzaW9uIDEuNTcKZGlm ZiAtdSAtSV9fRkJTRElEIC1JJEZyZWVCU0QgLXIxLjU3IGFyY2hpdmVfcmVhZF9zdXBwb3J0X2Zv cm1hdF90YXIuYwotLS0gbGliL2xpYmFyY2hpdmUvYXJjaGl2ZV9yZWFkX3N1cHBvcnRfZm9ybWF0 X3Rhci5jCTEzIEp1biAyMDA3IDAzOjM1OjM3IC0wMDAwCTEuNTcKKysrIGxpYi9saWJhcmNoaXZl L2FyY2hpdmVfcmVhZF9zdXBwb3J0X2Zvcm1hdF90YXIuYwkxMCBKdWwgMjAwNyAwOToxMDoxMCAt MDAwMApAQCAtNjkwLDcgKzY5MCwxMyBAQAogCQl9CiAJfQogCS0tdGFyLT5oZWFkZXJfcmVjdXJz aW9uX2RlcHRoOwotCXJldHVybiAoZXJyKTsKKwkvKiBXZSByZXR1cm4gd2FybmluZ3Mgb3Igc3Vj Y2VzcyBhcy1pcy4gIEFueXRoaW5nIGVsc2UgaXMgZmF0YWwuICovCisJaWYgKGVyciA9PSBBUkNI SVZFX1dBUk4gfHwgZXJyID09IEFSQ0hJVkVfT0spCisJCXJldHVybiAoZXJyKTsKKwlpZiAoZXJy ID09IEFSQ0hJVkVfRU9GKQorCQkvKiBFT0Ygd2hlbiByZWN1cnNpdmVseSByZWFkaW5nIGEgaGVh ZGVyIGlzIGJhZC4gKi8KKwkJYXJjaGl2ZV9zZXRfZXJyb3IoJmEtPmFyY2hpdmUsIEVJTlZBTCwg IkRhbWFnZWQgdGFyIGFyY2hpdmUiKTsKKwlyZXR1cm4gKEFSQ0hJVkVfRkFUQUwpOwogfQogCiAv KgpAQCAtNzYxLDMyICs3NjcsNTUgQEAKIGhlYWRlcl9Tb2xhcmlzX0FDTChzdHJ1Y3QgYXJjaGl2 ZV9yZWFkICphLCBzdHJ1Y3QgdGFyICp0YXIsCiAgICAgc3RydWN0IGFyY2hpdmVfZW50cnkgKmVu dHJ5LCBjb25zdCB2b2lkICpoKQogewotCWludCBlcnIsIGVycjI7Ci0JY2hhciAqcDsKKwljb25z dCBzdHJ1Y3QgYXJjaGl2ZV9lbnRyeV9oZWFkZXJfdXN0YXIgKmhlYWRlcjsKKwlzaXplX3Qgc2l6 ZTsKKwlpbnQgZXJyOworCWNoYXIgKmFjbCwgKnA7CiAJd2NoYXJfdCAqd3A7CiAKKwkvKgorCSAq IHJlYWRfYm9keV90b19zdHJpbmcgYWRkcyBhIE5VTCB0ZXJtaW5hdG9yLCBidXQgd2UgbmVlZCBh IGxpdHRsZQorCSAqIG1vcmUgdG8gbWFrZSBzdXJlIHRoYXQgd2UgZG9uJ3Qgb3ZlcnJ1biBhY2xf dGV4dCBsYXRlci4KKwkgKi8KKwloZWFkZXIgPSAoY29uc3Qgc3RydWN0IGFyY2hpdmVfZW50cnlf aGVhZGVyX3VzdGFyICopaDsKKwlzaXplID0gdGFyX2F0b2woaGVhZGVyLT5zaXplLCBzaXplb2Yo aGVhZGVyLT5zaXplKSk7CiAJZXJyID0gcmVhZF9ib2R5X3RvX3N0cmluZyhhLCB0YXIsICYodGFy LT5hY2xfdGV4dCksIGgpOwotCWVycjIgPSB0YXJfcmVhZF9oZWFkZXIoYSwgdGFyLCBlbnRyeSk7 Ci0JZXJyID0gZXJyX2NvbWJpbmUoZXJyLCBlcnIyKTsKLQotCS8qIFhYWCBFbnN1cmUgcCBkb2Vz bid0IG92ZXJydW4gYWNsX3RleHQgKi8KKwlpZiAoZXJyICE9IEFSQ0hJVkVfT0spCisJCXJldHVy biAoZXJyKTsKKwllcnIgPSB0YXJfcmVhZF9oZWFkZXIoYSwgdGFyLCBlbnRyeSk7CisJaWYgKChl cnIgIT0gQVJDSElWRV9PSykgJiYgKGVyciAhPSBBUkNISVZFX1dBUk4pKQorCQlyZXR1cm4gKGVy cik7CiAKIAkvKiBTa2lwIGxlYWRpbmcgb2N0YWwgbnVtYmVyLiAqLwogCS8qIFhYWCBUT0RPOiBQ YXJzZSB0aGUgb2N0YWwgbnVtYmVyIGFuZCBzYW5pdHktY2hlY2sgaXQuICovCi0JcCA9IHRhci0+ YWNsX3RleHQuczsKLQl3aGlsZSAoKnAgIT0gJ1wwJykKKwlwID0gYWNsID0gdGFyLT5hY2xfdGV4 dC5zOworCXdoaWxlICgqcCAhPSAnXDAnICYmIHAgPCBhY2wgKyBzaXplKQogCQlwKys7CiAJcCsr OwogCi0Jd3AgPSAod2NoYXJfdCAqKW1hbGxvYygoc3RybGVuKHApICsgMSkgKiBzaXplb2Yod2No YXJfdCkpOwotCWlmICh3cCAhPSBOVUxMKSB7Ci0JCXV0ZjhfZGVjb2RlKHdwLCBwLCBzdHJsZW4o cCkpOwotCQllcnIyID0gX19hcmNoaXZlX2VudHJ5X2FjbF9wYXJzZV93KGVudHJ5LCB3cCwKLQkJ ICAgIEFSQ0hJVkVfRU5UUllfQUNMX1RZUEVfQUNDRVNTKTsKLQkJZXJyID0gZXJyX2NvbWJpbmUo ZXJyLCBlcnIyKTsKLQkJZnJlZSh3cCk7CisJaWYgKHAgPj0gYWNsICsgc2l6ZSkgeworCQlhcmNo aXZlX3NldF9lcnJvcigmYS0+YXJjaGl2ZSwgQVJDSElWRV9FUlJOT19NSVNDLAorCQkgICAgIk1h bGZvcm1lZCBTb2xhcmlzIEFDTCBhdHRyaWJ1dGUiKTsKKwkJcmV0dXJuKEFSQ0hJVkVfV0FSTik7 CiAJfQogCisJLyogU2tpcCBsZWFkaW5nIG9jdGFsIG51bWJlci4gKi8KKwlzaXplIC09IChwIC0g YWNsKTsKKwlhY2wgPSBwOworCisJd2hpbGUgKCpwICE9ICdcMCcgJiYgcCA8IGFjbCArIHNpemUp CisJCXArKzsKKworCXdwID0gKHdjaGFyX3QgKiltYWxsb2MoKHAgLSBhY2wgKyAxKSAqIHNpemVv Zih3Y2hhcl90KSk7CisJaWYgKHdwID09IE5VTEwpIHsKKwkJYXJjaGl2ZV9zZXRfZXJyb3IoJmEt PmFyY2hpdmUsIEVOT01FTSwKKwkJICAgICJDYW4ndCBhbGxvY2F0ZSB3b3JrIGJ1ZmZlciBmb3Ig QUNMIHBhcnNpbmciKTsKKwkJcmV0dXJuIChBUkNISVZFX0ZBVEFMKTsKKwl9CisJdXRmOF9kZWNv ZGUod3AsIGFjbCwgcCAtIGFjbCk7CisJZXJyID0gX19hcmNoaXZlX2VudHJ5X2FjbF9wYXJzZV93 KGVudHJ5LCB3cCwKKwkgICAgQVJDSElWRV9FTlRSWV9BQ0xfVFlQRV9BQ0NFU1MpOworCWZyZWUo d3ApOwogCXJldHVybiAoZXJyKTsKIH0KIApAQCAtNzk3LDE1ICs4MjYsMTcgQEAKIGhlYWRlcl9s b25nbGluayhzdHJ1Y3QgYXJjaGl2ZV9yZWFkICphLCBzdHJ1Y3QgdGFyICp0YXIsCiAgICAgc3Ry dWN0IGFyY2hpdmVfZW50cnkgKmVudHJ5LCBjb25zdCB2b2lkICpoKQogewotCWludCBlcnIsIGVy cjI7CisJaW50IGVycjsKIAogCWVyciA9IHJlYWRfYm9keV90b19zdHJpbmcoYSwgdGFyLCAmKHRh ci0+bG9uZ2xpbmspLCBoKTsKLQllcnIyID0gdGFyX3JlYWRfaGVhZGVyKGEsIHRhciwgZW50cnkp OwotCWlmIChlcnIgPT0gQVJDSElWRV9PSyAmJiBlcnIyID09IEFSQ0hJVkVfT0spIHsKLQkJLyog U2V0IHN5bWxpbmsgaWYgc3ltbGluayBhbHJlYWR5IHNldCwgZWxzZSBoYXJkbGluay4gKi8KLQkJ YXJjaGl2ZV9lbnRyeV9zZXRfbGluayhlbnRyeSwgdGFyLT5sb25nbGluay5zKTsKLQl9Ci0JcmV0 dXJuIChlcnJfY29tYmluZShlcnIsIGVycjIpKTsKKwlpZiAoZXJyICE9IEFSQ0hJVkVfT0spCisJ CXJldHVybiAoZXJyKTsKKwllcnIgPSB0YXJfcmVhZF9oZWFkZXIoYSwgdGFyLCBlbnRyeSk7CisJ aWYgKChlcnIgIT0gQVJDSElWRV9PSykgJiYgKGVyciAhPSBBUkNISVZFX1dBUk4pKQorCQlyZXR1 cm4gKGVycik7CisJLyogU2V0IHN5bWxpbmsgaWYgc3ltbGluayBhbHJlYWR5IHNldCwgZWxzZSBo YXJkbGluay4gKi8KKwlhcmNoaXZlX2VudHJ5X3NldF9saW5rKGVudHJ5LCB0YXItPmxvbmdsaW5r LnMpOworCXJldHVybiAoQVJDSElWRV9PSyk7CiB9CiAKIC8qCkBAIC04MTUsMTQgKzg0NiwxNyBA QAogaGVhZGVyX2xvbmduYW1lKHN0cnVjdCBhcmNoaXZlX3JlYWQgKmEsIHN0cnVjdCB0YXIgKnRh ciwKICAgICBzdHJ1Y3QgYXJjaGl2ZV9lbnRyeSAqZW50cnksIGNvbnN0IHZvaWQgKmgpCiB7Ci0J aW50IGVyciwgZXJyMjsKKwlpbnQgZXJyOwogCiAJZXJyID0gcmVhZF9ib2R5X3RvX3N0cmluZyhh LCB0YXIsICYodGFyLT5sb25nbmFtZSksIGgpOworCWlmIChlcnIgIT0gQVJDSElWRV9PSykKKwkJ cmV0dXJuIChlcnIpOwogCS8qIFJlYWQgYW5kIHBhcnNlICJyZWFsIiBoZWFkZXIsIHRoZW4gb3Zl cnJpZGUgbmFtZS4gKi8KLQllcnIyID0gdGFyX3JlYWRfaGVhZGVyKGEsIHRhciwgZW50cnkpOwot CWlmIChlcnIgPT0gQVJDSElWRV9PSyAmJiBlcnIyID09IEFSQ0hJVkVfT0spCi0JCWFyY2hpdmVf ZW50cnlfc2V0X3BhdGhuYW1lKGVudHJ5LCB0YXItPmxvbmduYW1lLnMpOwotCXJldHVybiAoZXJy X2NvbWJpbmUoZXJyLCBlcnIyKSk7CisJZXJyID0gdGFyX3JlYWRfaGVhZGVyKGEsIHRhciwgZW50 cnkpOworCWlmICgoZXJyICE9IEFSQ0hJVkVfT0spICYmIChlcnIgIT0gQVJDSElWRV9XQVJOKSkK KwkJcmV0dXJuIChlcnIpOworCWFyY2hpdmVfZW50cnlfc2V0X3BhdGhuYW1lKGVudHJ5LCB0YXIt PmxvbmduYW1lLnMpOworCXJldHVybiAoQVJDSElWRV9PSyk7CiB9CiAKIApAQCAtODU1LDYgKzg4 OSwxMSBAQAogCSh2b2lkKXRhcjsgLyogVU5VU0VEICovCiAJaGVhZGVyID0gKGNvbnN0IHN0cnVj dCBhcmNoaXZlX2VudHJ5X2hlYWRlcl91c3RhciAqKWg7CiAJc2l6ZSAgPSB0YXJfYXRvbChoZWFk ZXItPnNpemUsIHNpemVvZihoZWFkZXItPnNpemUpKTsKKwlpZiAoKHNpemUgPiAxMDQ4NTc2KSB8 fCAoc2l6ZSA8IDApKSB7CisJCWFyY2hpdmVfc2V0X2Vycm9yKCZhLT5hcmNoaXZlLCBFSU5WQUws CisJCSAgICAiU3BlY2lhbCBoZWFkZXIgdG9vIGxhcmdlIik7CisJCXJldHVybiAoQVJDSElWRV9G QVRBTCk7CisJfQogCiAJLyogUmVhZCB0aGUgYm9keSBpbnRvIHRoZSBzdHJpbmcuICovCiAJYXJj aGl2ZV9zdHJpbmdfZW5zdXJlKGFzLCBzaXplKzEpOwpAQCAtODYyLDYgKzkwMSw4IEBACiAJZGVz dCA9IGFzLT5zOwogCXdoaWxlIChwYWRkZWRfc2l6ZSA+IDApIHsKIAkJYnl0ZXNfcmVhZCA9IChh LT5kZWNvbXByZXNzb3ItPnJlYWRfYWhlYWQpKGEsICZzcmMsIHBhZGRlZF9zaXplKTsKKwkJaWYg KGJ5dGVzX3JlYWQgPT0gMCkKKwkJCXJldHVybiAoQVJDSElWRV9FT0YpOwogCQlpZiAoYnl0ZXNf cmVhZCA8IDApCiAJCQlyZXR1cm4gKEFSQ0hJVkVfRkFUQUwpOwogCQlpZiAoYnl0ZXNfcmVhZCA+ IHBhZGRlZF9zaXplKQpAQCAtMTA1MiwxMSArMTA5MywxMyBAQAogaGVhZGVyX3BheF9nbG9iYWwo c3RydWN0IGFyY2hpdmVfcmVhZCAqYSwgc3RydWN0IHRhciAqdGFyLAogICAgIHN0cnVjdCBhcmNo aXZlX2VudHJ5ICplbnRyeSwgY29uc3Qgdm9pZCAqaCkKIHsKLQlpbnQgZXJyLCBlcnIyOworCWlu dCBlcnI7CiAKIAllcnIgPSByZWFkX2JvZHlfdG9fc3RyaW5nKGEsIHRhciwgJih0YXItPnBheF9n bG9iYWwpLCBoKTsKLQllcnIyID0gdGFyX3JlYWRfaGVhZGVyKGEsIHRhciwgZW50cnkpOwotCXJl dHVybiAoZXJyX2NvbWJpbmUoZXJyLCBlcnIyKSk7CisJaWYgKGVyciAhPSBBUkNISVZFX09LKQor CQlyZXR1cm4gKGVycik7CisJZXJyID0gdGFyX3JlYWRfaGVhZGVyKGEsIHRhciwgZW50cnkpOwor CXJldHVybiAoZXJyKTsKIH0KIAogc3RhdGljIGludApAQCAtMTA2NSwxMCArMTEwOCwxNCBAQAog ewogCWludCBlcnIsIGVycjI7CiAKLQlyZWFkX2JvZHlfdG9fc3RyaW5nKGEsIHRhciwgJih0YXIt PnBheF9oZWFkZXIpLCBoKTsKKwllcnIgPSByZWFkX2JvZHlfdG9fc3RyaW5nKGEsIHRhciwgJih0 YXItPnBheF9oZWFkZXIpLCBoKTsKKwlpZiAoZXJyICE9IEFSQ0hJVkVfT0spCisJCXJldHVybiAo ZXJyKTsKIAogCS8qIFBhcnNlIHRoZSBuZXh0IGhlYWRlci4gKi8KIAllcnIgPSB0YXJfcmVhZF9o ZWFkZXIoYSwgdGFyLCBlbnRyeSk7CisJaWYgKChlcnIgIT0gQVJDSElWRV9PSykgJiYgKGVyciAh PSBBUkNISVZFX1dBUk4pKQorCQlyZXR1cm4gKGVycik7CiAKIAkvKgogCSAqIFRPRE86IFBhcnNl IGdsb2JhbC9kZWZhdWx0IG9wdGlvbnMgaW50byAnZW50cnknIHN0cnVjdCBoZXJlCkBAIC0xMTY1 LDggKzEyMTIsMTEgQEAKIAkJCQlsLS07CiAJCQkJYnJlYWs7CiAJCQl9Ci0JCQlpZiAoKnAgPCAn MCcgfHwgKnAgPiAnOScpCi0JCQkJcmV0dXJuICgtMSk7CisJCQlpZiAoKnAgPCAnMCcgfHwgKnAg PiAnOScpIHsKKwkJCQlhcmNoaXZlX3NldF9lcnJvcigmYS0+YXJjaGl2ZSwgQVJDSElWRV9FUlJO T19NSVNDLAorCQkJCSAgICAiSWdub3JpbmcgbWFsZm9ybWVkIHBheCBleHRlbmRlZCBhdHRyaWJ1 dGVzIik7CisJCQkJcmV0dXJuIChBUkNISVZFX1dBUk4pOworCQkJfQogCQkJbGluZV9sZW5ndGgg Kj0gMTA7CiAJCQlsaW5lX2xlbmd0aCArPSAqcCAtICcwJzsKIAkJCWlmIChsaW5lX2xlbmd0aCA+ IDk5OTk5OSkgewpAQCAtMTE3OCw4ICsxMjI4LDE5IEBACiAJCQlsLS07CiAJCX0KIAotCQlpZiAo bGluZV9sZW5ndGggPiBhdHRyX2xlbmd0aCkKLQkJCXJldHVybiAoMCk7CisJCS8qCisJCSAqIFBh cnNlZCBsZW5ndGggbXVzdCBiZSBubyBiaWdnZXIgdGhhbiBhdmFpbGFibGUgZGF0YSwKKwkJICog YXQgbGVhc3QgMSwgYW5kIHRoZSBsYXN0IGNoYXJhY3RlciBvZiB0aGUgbGluZSBtdXN0CisJCSAq IGJlICdcbicuCisJCSAqLworCQlpZiAobGluZV9sZW5ndGggPiBhdHRyX2xlbmd0aAorCQkgICAg fHwgbGluZV9sZW5ndGggPCAxCisJCSAgICB8fCBhdHRyW2xpbmVfbGVuZ3RoIC0gMV0gIT0gJ1xu JykKKwkJeworCQkJYXJjaGl2ZV9zZXRfZXJyb3IoJmEtPmFyY2hpdmUsIEFSQ0hJVkVfRVJSTk9f TUlTQywKKwkJCSAgICAiSWdub3JpbmcgbWFsZm9ybWVkIHBheCBleHRlbmRlZCBhdHRyaWJ1dGUi KTsKKwkJCXJldHVybiAoQVJDSElWRV9XQVJOKTsKKwkJfQogCiAJCS8qIEVuc3VyZSBwYXhfZW50 cnkgYnVmZmVyIGlzIGJpZyBlbm91Z2guICovCiAJCWlmICh0YXItPnBheF9lbnRyeV9sZW5ndGgg PD0gbGluZV9sZW5ndGgpIHsK 124630 2007-07-12 10:38 0000 bsdtar-2.2.3-r1.ebuild bsdtar-2.2.3-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA3IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L2FwcC1hcmNoL2JzZHRhci9ic2R0YXItMi4yLjMu ZWJ1aWxkLHYgMS4xIDIwMDcvMDUvMjcgMTU6Mjg6MjggZmxhbWVleWVzIEV4cCAkCgppbmhlcml0 IGV1dGlscyBhdXRvdG9vbHMgdG9vbGNoYWluLWZ1bmNzIGZsYWctby1tYXRpYwoKTVlfUD0ibGli YXJjaGl2ZS0ke1BWL19iZXRhL2J9IgoKREVTQ1JJUFRJT049IkJTRCB0YXIgY29tbWFuZCIKSE9N RVBBR0U9Imh0dHA6Ly9wZW9wbGUuZnJlZWJzZC5vcmcvfmtpZW50emxlL2xpYmFyY2hpdmUvIgpT UkNfVVJJPSJodHRwOi8vcGVvcGxlLmZyZWVic2Qub3JnL35raWVudHpsZS9saWJhcmNoaXZlL3Ny Yy8ke01ZX1B9LnRhci5neiIKCkxJQ0VOU0U9IkJTRCIKU0xPVD0iMCIKS0VZV09SRFM9In5hbWQ2 NCB+aHBwYSB+cHBjIH5zcGFyYy1mYnNkIH54ODYgfng4Ni1mYnNkIgpJVVNFPSJidWlsZCBzdGF0 aWMgYWNsIHhhdHRyIgoKUkRFUEVORD0iIWRldi1saWJzL2xpYmFyY2hpdmUKCWtlcm5lbF9saW51 eD8gKAoJCWFjbD8gKCBzeXMtYXBwcy9hY2wgKQoJCXhhdHRyPyAoIHN5cy1hcHBzL2F0dHIgKQoJ KQoJIXN0YXRpYz8gKCAhYnVpbGQ/ICgKCQlhcHAtYXJjaC9iemlwMgoJCXN5cy1saWJzL3psaWIg KSApIgpERVBFTkQ9IiR7UkRFUEVORH0KCWtlcm5lbF9saW51eD8gKCBzeXMtZnMvZTJmc3Byb2dz CgkJdmlydHVhbC9vcy1oZWFkZXJzICkiCgpTPSIke1dPUktESVJ9LyR7TVlfUH0iCgpzcmNfdW5w YWNrKCkgewoJdW5wYWNrICR7QX0KCWNkICIke1N9IgoKCWVwYXRjaCAiJHtGSUxFU0RJUn0iL2xp YmFyY2hpdmUtMi4xLjktc3RhdGljLnBhdGNoCgllcGF0Y2ggIiR7RklMRVNESVJ9Ii9saWJhcmNo aXZlLTIuMS41LWFjbC5wYXRjaAoJZXBhdGNoICIke0ZJTEVTRElSfSIvbGliYXJjaGl2ZS02c3Rh YmxlLnBhdGNoCgoJZWF1dG9yZWNvbmYKCWVwdW50X2N4eAp9CgpzcmNfY29tcGlsZSgpIHsKCWxv Y2FsIG15Y29uZgoKCWlmIHVzZSBzdGF0aWMgfHwgdXNlIGJ1aWxkIDsgdGhlbgoJCW15Y29uZj0i JHtteWNvbmZ9IC0tZW5hYmxlLXN0YXRpYy1ic2R0YXIiCgllbHNlCgkJbXljb25mPSIke215Y29u Zn0gLS1kaXNhYmxlLXN0YXRpYy1ic2R0YXIiCglmaQoKCSMgVXBzdHJlYW0gZG9lc24ndCBzZWVt IHRvIGNhcmUgdG8gZml4IHRoZSBwcm9ibGVtcwoJIyBhbmQgSSBkb24ndCB3YW50IHRvIGNvbnRp bnVlIHJ1bm5pbmcgYWZ0ZXIgdGhlbS4KCWFwcGVuZC1mbGFncyAtZm5vLXN0cmljdC1hbGlhc2lu ZwoKCWVjb25mIFwKCQktLWJpbmRpcj0vYmluIFwKCQkkKHVzZV9lbmFibGUgYWNsKSBcCgkJJCh1 c2VfZW5hYmxlIHhhdHRyKSBcCgkJJHtteWNvbmZ9IHx8IGRpZSAiZWNvbmYgZmFpbGVkIgoJZW1h a2UgfHwgZGllICJlbWFrZSBmYWlsZWQiCn0KCnNyY19pbnN0YWxsKCkgewoJZW1ha2UgLWoxIERF U1RESVI9IiR7RH0iIGluc3RhbGwgfHwgZGllICJlbWFrZSBpbnN0YWxsIGZhaWxlZCIKCgkjIENy ZWF0ZSB0YXIgc3ltbGluayBmb3IgRnJlZUJTRAoJaWYgW1sgJHtDSE9TVH0gPT0gKi1mcmVlYnNk KiBdXTsgdGhlbgoJCWRvc3ltIGJzZHRhciAvYmluL3RhcgoJCWRvc3ltIGJzZHRhci4xIC91c3Iv c2hhcmUvbWFuL21hbjEvdGFyLjEKCWZpCgoJaWYgdXNlIGJ1aWxkOyB0aGVuCgkJcm0gLXJmICIk e0R9Ii91c3IKCQlybSAtcmYgIiR7RH0iL2xpYi8qLnNvKgoJCXJldHVybiAwCglmaQoKCWRvZGly IC8kKGdldF9saWJkaXIpCgltdiAiJHtEfSIvdXNyLyQoZ2V0X2xpYmRpcikvKi5zbyogIiR7RH0i LyQoZ2V0X2xpYmRpcikKCWdlbl91c3JfbGRzY3JpcHQgbGliYXJjaGl2ZS5zbwp9Cg==