Version in base suite: 1.26.0-1+deb12u1 Base version: engrampa_1.26.0-1+deb12u1 Target version: engrampa_1.26.0-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/engrampa/engrampa_1.26.0-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/e/engrampa/engrampa_1.26.0-1+deb12u2.dsc changelog | 8 + patches/0006_use-unar-instead-of-cpio-for-CPIO-archives.patch | 46 ++++++++++ patches/series | 1 3 files changed, 55 insertions(+)
diff -Nru engrampa-1.26.0/debian/changelog engrampa-1.26.0/debian/changelog
--- engrampa-1.26.0/debian/changelog 2023-12-29 07:13:22.000000000 +0000
+++ engrampa-1.26.0/debian/changelog 2024-02-13 06:44:28.000000000 +0000
@@ -1,3 +1,11 @@
+engrampa (1.26.0-1+deb12u2) bookworm-security; urgency=medium
+
+ * debian/patches:
+ + CVE-2023-52138: Add 0006_use-unar-instead-of-cpio-for-CPIO-archives.patch.
+ Use unar instead of cpio for CPIO archives. (Closes: #1063494).
+
+ -- Mike Gabriel Tue, 13 Feb 2024 07:44:28 +0100
+
 engrampa (1.26.0-1+deb12u1) bookworm; urgency=medium
 
 * debian/patches:
diff -Nru engrampa-1.26.0/debian/patches/0006_use-unar-instead-of-cpio-for-CPIO-archives.patch engrampa-1.26.0/debian/patches/0006_use-unar-instead-of-cpio-for-CPIO-archives.patch
--- engrampa-1.26.0/debian/patches/0006_use-unar-instead-of-cpio-for-CPIO-archives.patch 1970-01-01 00:00:00.000000000 +0000
+++ engrampa-1.26.0/debian/patches/0006_use-unar-instead-of-cpio-for-CPIO-archives.patch 2024-02-13 06:44:28.000000000 +0000
@@ -0,0 +1,46 @@
+From 8cd485a58d865d89d71931b66d7e2cb2202fc1be Mon Sep 17 00:00:00 2001
+From: Colomban Wendling
+Date: Wed, 17 Jan 2024 11:57:48 +0100
+Subject: [PATCH] Use unar instead of cpio for CPIO archives
+
+---
+ src/fr-command-cpio.c | 6 +++---
+ src/fr-command-unarchiver.c | 1 +
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/fr-command-cpio.c b/src/fr-command-cpio.c
+index 1b380ad83..31bd069c2 100644
+--- a/src/fr-command-cpio.c
++++ b/src/fr-command-cpio.c
+@@ -224,7 +224,7 @@ fr_command_cpio_extract (FrCommand *comm,
+ }
+ 
+ 
+-const char *cpio_mime_type[] = { "application/x-cpio", NULL };
++const char *cpio_mime_type[] = { /*"application/x-cpio",*/ NULL };
+ 
+ 
+ static const char **
+@@ -242,8 +242,8 @@ fr_command_cpio_get_capabilities (FrCommand *comm,
+ FrCommandCap capabilities;
+ 
+ capabilities = FR_COMMAND_CAN_ARCHIVE_MANY_FILES;
+- if (is_program_available (CPIO_PATH, check_command))
+- capabilities |= FR_COMMAND_CAN_READ;
++/* if (is_program_available (CPIO_PATH, check_command))
++ capabilities |= FR_COMMAND_CAN_READ;*/
+ 
+ return capabilities;
+ }
+diff --git a/src/fr-command-unarchiver.c b/src/fr-command-unarchiver.c
+index 0a40e6b04..8bc9c75ef 100644
+--- a/src/fr-command-unarchiver.c
++++ b/src/fr-command-unarchiver.c
+@@ -255,6 +255,7 @@ fr_command_unarchiver_handle_error (FrCommand *comm,
+ const char *unarchiver_mime_type[] = { "application/zip",
+ "application/x-cbr",
+ "application/x-rar",
++ "application/x-cpio",
+ NULL };
+ 
+ 
diff -Nru engrampa-1.26.0/debian/patches/series engrampa-1.26.0/debian/patches/series
--- engrampa-1.26.0/debian/patches/series 2023-12-29 07:13:22.000000000 +0000
+++ engrampa-1.26.0/debian/patches/series 2024-02-13 06:44:28.000000000 +0000
@@ -3,3 +3,4 @@
 0003_file-data-fix-memory-leak.patch
 0004_Fix-archive-file-save-as-function.patch
 0005_fr-process-fix-memory-leak.patch
+0006_use-unar-instead-of-cpio-for-CPIO-archives.patch
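Review bot: In the `fr_command_cpio_get_capabilities` hunk the cpio backend is disabled by commenting out the `CPIO_PATH` check and the `"application/x-cpio"` entry rather than removing them, so fr-command-cpio.c still compiles, `capabilities = FR_COMMAND_CAN_ARCHIVE_MANY_FILES;` is still returned for a format the backend can no longer read, and the function's `check_command` parameter (its signature is outside the hunk) appears to be unused now. A why-comment at the `cpio_mime_type` line would stop the next maintainer from re-enabling it, e.g. `/* CVE-2023-52138: CPIO archives are handled by the unar backend (fr-command-unarchiver.c); do not re-enable cpio here. */`. The fix also makes CPIO support depend entirely on unar being installed at runtime — the `unarchiver_mime_type` hunk only adds the MIME type, and this debdiff does not touch debian/control — so if the package does not already depend on or recommend `unar`, CPIO archives become unopenable rather than handled by the replacement backend; worth confirming.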