aboutsummaryrefslogtreecommitdiffstats
path: root/testing/cpio
diff options
context:
space:
mode:
authorStuart Cardall <developer@it-offshore.co.uk>2015-06-26 14:23:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-06-26 14:55:46 +0000
commitfe594b5019dc0a4d2abd0e30a61d4f695e9737c8 (patch)
treeda2e0f251c5171948fc7b69d0c445adfdb3a632c /testing/cpio
parent22fd2484b4fc9e52d340b65871040d69f7bc2b73 (diff)
downloadaports-fe594b5019dc0a4d2abd0e30a61d4f695e9737c8.tar.bz2
aports-fe594b5019dc0a4d2abd0e30a61d4f695e9737c8.tar.xz
testing/cpio: new aport
Diffstat (limited to 'testing/cpio')
-rw-r--r--testing/cpio/001-cpio-2.11-stdio.in.patch14
-rw-r--r--testing/cpio/002-cpio-2.11-CVE-2014-9112.patch134
-rw-r--r--testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch31
-rw-r--r--testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch153
-rw-r--r--testing/cpio/005-cpio-2.11-stdio.in-part2.patch68
-rw-r--r--testing/cpio/APKBUILD68
6 files changed, 468 insertions, 0 deletions
diff --git a/testing/cpio/001-cpio-2.11-stdio.in.patch b/testing/cpio/001-cpio-2.11-stdio.in.patch
new file mode 100644
index 0000000000..bbdaeead3a
--- /dev/null
+++ b/testing/cpio/001-cpio-2.11-stdio.in.patch
@@ -0,0 +1,14 @@
+diff -urNp cpio-2.11-orig/gnu/stdio.in.h cpio-2.11/gnu/stdio.in.h
+--- cpio-2.11-orig/gnu/stdio.in.h 2010-03-10 10:27:03.000000000 +0100
++++ cpio-2.11/gnu/stdio.in.h 2012-06-04 10:23:23.804471185 +0200
+@@ -139,7 +139,9 @@ _GL_WARN_ON_USE (fflush, "fflush is not
+ so any use of gets warrants an unconditional warning. Assume it is
+ always declared, since it is required by C89. */
+ #undef gets
++#if HAVE_RAW_DECL_GETS
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
+
diff --git a/testing/cpio/002-cpio-2.11-CVE-2014-9112.patch b/testing/cpio/002-cpio-2.11-CVE-2014-9112.patch
new file mode 100644
index 0000000000..86ab61af8e
--- /dev/null
+++ b/testing/cpio/002-cpio-2.11-CVE-2014-9112.patch
@@ -0,0 +1,134 @@
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b3e8e60..cf186da 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -52,6 +52,8 @@ TESTSUITE_AT = \
+ setstat04.at\
+ setstat05.at\
+ symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+ version.at
+
+ TESTSUITE = $(srcdir)/testsuite
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+new file mode 100644
+index 0000000..cbf4aa7
+--- /dev/null
++++ b/tests/symlink-bad-length.at
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length is out of range
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff --git a/tests/symlink-long.at b/tests/symlink-long.at
+new file mode 100644
+index 0000000..d3def2d
+--- /dev/null
++++ b/tests/symlink-long.at
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++ dirname="xxxxxxxxx/$dirname"
++ mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 8f3330b..590bdcb 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -31,6 +31,8 @@ m4_include([version.at])
+
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
+ m4_include([interdir.at])
+
+ m4_include([setstat01.at])
+
diff --git a/testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch b/testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch
new file mode 100644
index 0000000000..c7dcb03354
--- /dev/null
+++ b/testing/cpio/003-cpio-2.11-testsuite-CVE-2014-9112.patch
@@ -0,0 +1,31 @@
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index cbf4aa7..d8d250b 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -37,13 +37,20 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+ AT_CHECK([
+ base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+-cpio -ntv < ARCHIVE
+-test $? -eq 2
++TZ=UTC cpio -ntv < ARCHIVE 2>stderr
++rc=$?
++cat stderr | grep -v \
++ -e 'stored filename length is out of range' \
++ -e 'premature end of file' \
++ -e 'archive header has reverse byte-order' \
++ -e 'memory exhausted' \
++ >&2
++echo >&2 STDERR
++test "$rc" -ne 0
+ ],
+ [0],
+-[-rw-rw-r-- 1 10029 10031 13 Nov 25 13:52 FILE
+-],[cpio: LINK: stored filename length is out of range
+-cpio: premature end of file
++[-rw-rw-r-- 1 10029 10031 13 Nov 25 11:52 FILE
++],[STDERR
+ ])
+
+ AT_CLEANUP
+
diff --git a/testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch b/testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
new file mode 100644
index 0000000000..75a107b23a
--- /dev/null
+++ b/testing/cpio/004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
@@ -0,0 +1,153 @@
+Index: cpio-2.11/src/copyin.c
+===================================================================
+--- cpio-2.11.orig/src/copyin.c 2014-07-01 14:02:39.991007263 +0200
++++ cpio-2.11/src/copyin.c 2014-07-22 16:05:28.171344584 +0200
+@@ -686,6 +686,51 @@ copyin_link(struct cpio_file_stat *file_
+ free (link_name);
+ }
+
++
++static int
++path_contains_symlink(char *path)
++{
++ struct stat st;
++ char *slash;
++ char *nextslash;
++
++ /* we got NULL pointer or empty string */
++ if (!path || !*path) {
++ return false;
++ }
++
++ slash = path;
++
++ while ((nextslash = strchr(slash + 1, '/')) != NULL) {
++ slash = nextslash;
++ *slash = '\0';
++
++ if (lstat(path, &st) != 0) {
++ if (errno == ELOOP) {
++ /* ELOOP - too many symlinks */
++ *slash = '/';
++ return true;
++ } else if (errno == ENOMEM) {
++ /* No memory for lstat - terminate */
++ xalloc_die();
++ } else {
++ /* cannot lstat path - give up */
++ *slash = '/';
++ return false;
++ }
++ }
++
++ if (S_ISLNK(st.st_mode)) {
++ *slash = '/';
++ return true;
++ }
++
++ *slash = '/';
++ }
++
++ return false;
++}
++
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+@@ -1463,6 +1508,23 @@ process_copy_in ()
+ {
+ /* Copy the input file into the directory structure. */
+
++ /* Can we write files over symlinks? */
++ if (!extract_over_symlinks)
++ {
++ if (path_contains_symlink(file_hdr.c_name))
++ {
++ /* skip the file */
++ /*
++ fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
++ tape_toss_input (in_file_des, file_hdr.c_filesize);
++ tape_skip_padding (in_file_des, file_hdr.c_filesize);
++ continue;
++ */
++ /* terminate */
++ error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
++ }
++ }
++
+ /* Do we need to rename the file? */
+ if (rename_flag || rename_batch_file)
+ {
+Index: cpio-2.11/src/global.c
+===================================================================
+--- cpio-2.11.orig/src/global.c 2014-07-17 16:33:09.768900927 +0200
++++ cpio-2.11/src/global.c 2014-07-21 17:45:58.563494706 +0200
+@@ -187,6 +187,9 @@ bool to_stdout_option = false;
+ /* The name this program was run with. */
+ char *program_name;
+
++/* Extract files over symbolic links */
++bool extract_over_symlinks;
++
+ /* A pointer to either lstat or stat, depending on whether
+ dereferencing of symlinks is done for input files. */
+ int (*xstat) ();
+Index: cpio-2.11/src/main.c
+===================================================================
+--- cpio-2.11.orig/src/main.c 2014-07-01 14:02:39.840005051 +0200
++++ cpio-2.11/src/main.c 2014-07-17 20:33:47.839215571 +0200
+@@ -57,7 +57,8 @@ enum cpio_options {
+ FORCE_LOCAL_OPTION,
+ DEBUG_OPTION,
+ BLOCK_SIZE_OPTION,
+- TO_STDOUT_OPTION
++ TO_STDOUT_OPTION,
++ EXTRACT_OVER_SYMLINKS
+ };
+
+ const char *program_authors[] =
+@@ -222,6 +223,8 @@ static struct argp_option options[] = {
+ N_("Create leading directories where needed"), GRID+1 },
+ {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
+ N_("Do not change the ownership of the files"), GRID+1 },
++ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
++ N_("Force writing over symbolic links"), GRID+1 },
+ {"unconditional", 'u', NULL, 0,
+ N_("Replace all files unconditionally"), GRID+1 },
+ {"sparse", SPARSE_OPTION, NULL, 0,
+@@ -413,6 +416,10 @@ crc newc odc bin ustar tar (all-caps als
+ no_chown_flag = true;
+ break;
+
++ case EXTRACT_OVER_SYMLINKS: /* --extract-over-symlinks */
++ extract_over_symlinks = true;
++ break;
++
+ case 'o': /* Copy-out mode. */
+ if (copy_function != 0)
+ error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
+Index: cpio-2.11/src/extern.h
+===================================================================
+--- cpio-2.11.orig/src/extern.h 2014-07-01 14:02:39.907006032 +0200
++++ cpio-2.11/src/extern.h 2014-07-17 17:11:20.948908806 +0200
+@@ -95,6 +95,7 @@ extern char input_is_special;
+ extern char output_is_special;
+ extern char input_is_seekable;
+ extern char output_is_seekable;
++extern bool extract_over_symlinks;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+
+Index: cpio-2.11/doc/cpio.1
+===================================================================
+--- cpio-2.11.orig/doc/cpio.1 2009-02-14 19:15:50.000000000 +0100
++++ cpio-2.11/doc/cpio.1 2014-07-21 23:00:33.878746855 +0200
+@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+ [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
++[\-\-extract\-over\-symlinks]
+ [\-\-help] [\-\-version] [pattern...] [< archive]
+
+ .B cpio
+
diff --git a/testing/cpio/005-cpio-2.11-stdio.in-part2.patch b/testing/cpio/005-cpio-2.11-stdio.in-part2.patch
new file mode 100644
index 0000000000..cf7f6e9122
--- /dev/null
+++ b/testing/cpio/005-cpio-2.11-stdio.in-part2.patch
@@ -0,0 +1,68 @@
+--- cpio-2.11/src/copyin.c 2010-02-15 10:02:23.000000000 +0000
++++ cpio-2.11/src/copyin.c.new 2015-06-25 19:16:47.788864922 +0000
+@@ -125,9 +125,29 @@ tape_skip_padding (int in_file_des, off_
+ tape_toss_input (in_file_des, pad);
+ }
+
+-
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++ char *link_name;
++
++ if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
++ {
++ error (0, 0, _("%s: stored filename length is out of range"),
++ file_hdr->c_name);
++ link_name = NULL;
++ }
++ else
++ {
++ link_name = xmalloc (file_hdr->c_filesize + 1);
++ tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++ link_name[file_hdr->c_filesize] = '\0';
++ tape_skip_padding (in_file_des, file_hdr->c_filesize);
++ }
++ return link_name;
++}
++
+ static void
+-list_file(struct cpio_file_stat* file_hdr, int in_file_des)
++list_file (struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+ if (verbose_flag)
+ {
+@@ -136,15 +156,12 @@ list_file(struct cpio_file_stat* file_hd
+ {
+ if (archive_format != arf_tar && archive_format != arf_ustar)
+ {
+- char *link_name = NULL; /* Name of hard and symbolic links. */
+-
+- link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+- link_name[file_hdr->c_filesize] = '\0';
+- tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+- long_format (file_hdr, link_name);
+- free (link_name);
+- tape_skip_padding (in_file_des, file_hdr->c_filesize);
+- return;
++ char *link_name = get_link_name (file_hdr, in_file_des);
++ if (link_name)
++ {
++ long_format (file_hdr, link_name);
++ free (link_name);
++ }
+ }
+ else
+ {
+@@ -650,10 +667,7 @@ copyin_link(struct cpio_file_stat *file_
+
+ if (archive_format != arf_tar && archive_format != arf_ustar)
+ {
+- link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+- link_name[file_hdr->c_filesize] = '\0';
+- tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+- tape_skip_padding (in_file_des, file_hdr->c_filesize);
++ link_name = get_link_name (file_hdr, in_file_des);
+ }
+ else
+ {
diff --git a/testing/cpio/APKBUILD b/testing/cpio/APKBUILD
new file mode 100644
index 0000000000..ee6a0ab051
--- /dev/null
+++ b/testing/cpio/APKBUILD
@@ -0,0 +1,68 @@
+# Contributor: Stuart Cardall <developer@it-offshore.co.uk>
+# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
+pkgname=cpio
+pkgver=2.11
+pkgrel=0
+pkgdesc="A tool to copy files into or out of a cpio or tar archive"
+url="http://www.gnu.org/software/cpio"
+arch="all"
+license="GPL"
+depends="tar"
+depends_dev=""
+makedepends="$depends_dev"
+#install=""
+subpackages="$pkgname-doc"
+source="$pkgname-$pkgver.tar.bz2::http://ftp.snt.utwente.nl/pub/software/gnu/cpio/$pkgname-$pkgver.tar.bz2
+ 001-cpio-2.11-stdio.in.patch
+ 002-cpio-2.11-CVE-2014-9112.patch
+ 003-cpio-2.11-testsuite-CVE-2014-9112.patch
+ 004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+ 005-cpio-2.11-stdio.in-part2.patch
+ "
+
+_builddir="$srcdir"/$pkgname-$pkgver
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ ./configure \
+ --prefix=/usr \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ || return 1
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir" install || return 1
+ rm -f "$pkgdir"/usr/lib/charset.alias
+ rm -f "$pkgdir"/usr/libexec/rmt # part of the tar pkg
+}
+
+md5sums="20fc912915c629e809f80b96b2e75d7d cpio-2.11.tar.bz2
+db5b098b6765478a4b62cf42b059248e 001-cpio-2.11-stdio.in.patch
+007485ebf1bc2d8b4a7fd67dce4a9739 002-cpio-2.11-CVE-2014-9112.patch
+af27df259d12ff0414b38e2ab0bef9a9 003-cpio-2.11-testsuite-CVE-2014-9112.patch
+d85769d9b56a27008e0ad246d6e5805a 004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+d379203af39a48671aede692f1a14c47 005-cpio-2.11-stdio.in-part2.patch"
+sha256sums="bb820bfd96e74fc6ce43104f06fe733178517e7f5d1cdee553773e8eff7d5bbd cpio-2.11.tar.bz2
+7e953ee60878ae1b840cd5dcab36afa80db63bddc86aaab791746108bbd87256 001-cpio-2.11-stdio.in.patch
+ab6d390892e1f61110ad8bfc6554ed2fe9f9b3252ae43a2fe9cd04e110ad9c69 002-cpio-2.11-CVE-2014-9112.patch
+018a183c70d1708f58a0777b77344691d4b621107d669e469dfd180b2386f36a 003-cpio-2.11-testsuite-CVE-2014-9112.patch
+2fc99ca2c86fbbf0b586a8159c459034b1016f0efcd9a02aceaf263840f432b9 004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+176fda78943be8cdef7fb62dea301020b51681827c91fcf32c42725be255d2eb 005-cpio-2.11-stdio.in-part2.patch"
+sha512sums="b6ccb3e121ea29780219d21c9cd6267c2f7b7ae72fb899bb80e1c54cc33e9eac5363443d93dbfbe37e8e8d295dad2724ac607f0543cc62797919605f68c396aa cpio-2.11.tar.bz2
+9c03762aa7192c888bd2c83238183085d7f8b74c49f7dfc1f67a196a579b0394aa031f3c850bbdd9519515cff987b95c2c835afbffa366c9296e114423daca76 001-cpio-2.11-stdio.in.patch
+2370d376b62cb61513fcf62ae360fa356c63d6272d6f8b412a448df20f86eb98e8121452d602ae5ac87d0e7be3142c38213fecbf9f05ddc2e82da2eaec2ca10f 002-cpio-2.11-CVE-2014-9112.patch
+67d4cd4235674007022381838dd811c4149d8c0a6205ce940d109c26ef72334d0c715605e9ab37e51212061c1c89b053f82b63d4f8a397977ce349d224edaa70 003-cpio-2.11-testsuite-CVE-2014-9112.patch
+5a7c4090bb80fc3591825747c02b3f446c3a4bf58e6be0d4cbcc6ade9c795636add67ea38d4e753c6252b9b7e76370e36b0d5355089cd26a18fcaed6cc9907de 004-cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+1b3fd9e695314d6d468215bd2fbaadd850ff864502f51d840e1ab8452fea0bc9779fba906559ed4c47a11f909519506cd6fc0a8990248f8c63bc8f1c683108e8 005-cpio-2.11-stdio.in-part2.patch"