
[alpine-aports] [PATCH] main/p7zip: security fix for CVE-2016-9296

From: Daniel Sabogal <dsabogalcc_at_gmail.com>
Date: Wed, 23 Nov 2016 20:59:48 -0500

---
 main/p7zip/APKBUILD            | 29 +++++++++++++++++++----------
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 24f1bce..0d5ea43 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
_at_@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=p7zip
 pkgver=16.02
-pkgrel=0
+pkgrel=1
 pkgdesc="A command-line port of the 7zip compression utility"
 url="http://p7zip.sourceforge.net"
 arch="all"
_at_@ -11,18 +11,24 @@ license="LGPL2+"
 subpackages="$pkgname-doc"
 depends=""
 makedepends="bash yasm nasm"
-install=""
-source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2"
+source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
+	CVE-2016-9296.patch"
+builddir="$srcdir/${pkgname}_$pkgver"
+
+# secfixes:
+#   16.02-r1:
+#   - CVE-2016-9296
 
-_builddir="$srcdir"/${pkgname}_${pkgver}
 prepare() {
+	default_prepare || return 1
+
 	local makefile="makefile.linux_any_cpu_gcc_4.X"
 	case "$CARCH" in
 		x86)    makefile="makefile.linux_x86_asm_gcc_4.X" ;;
 		x86_64) makefile="makefile.linux_amd64_asm" ;;
 	esac
 
-	cd "$_builddir"
+	cd "$builddir"
 	ln -sf $makefile makefile.machine || return 1
 
 	sed -e "s,g++,${CXX:-g++}," -i makefile.machine
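Review bot: The tarball in the new `source=` line is still fetched over plain `http://` from downloads.sourceforge.net; the pinned sha512sums entry is what actually authenticates it, so a tampered download would be rejected, but switching to `https://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2` removes the reliance on the checksum alone and costs nothing. The added `default_prepare || return 1` runs before `cd "$builddir"`, so applying CVE-2016-9296.patch presumably relies on default_prepare changing into `$builddir` itself — confirm against the abuild version the repo targets. The `# secfixes:` block is the right place for the CVE, but a one-line comment in prepare() naming why the patch exists (`# CVE-2016-9296: NULL deref in 7zIn.cpp on archives with no pack streams`) would help the next maintainer when the patch is eventually dropped on a version bump.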
_at_@ -30,12 +36,12 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	make all3 OPTFLAGS="${CXXFLAGS}" || return 1
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make install DEST_DIR="$pkgdir" DEST_HOME="/usr" \
 		DEST_MAN="/usr/share/man" \
 		DEST_SHARE_DOC="/usr/share/doc/$pkgname" || return 1
_at_@ -46,6 +52,9 @@ package() {
 		"$pkgdir"/usr/share/man/man1/$pkgname.1 || return 1
 }
 
-md5sums="a0128d661cfe7cc8c121e73519c54fbf  p7zip_16.02_src_all.tar.bz2"
-sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f  p7zip_16.02_src_all.tar.bz2"
-sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f  p7zip_16.02_src_all.tar.bz2"
+md5sums="a0128d661cfe7cc8c121e73519c54fbf  p7zip_16.02_src_all.tar.bz2
+0f0535ca888273f3779ca14e8f186813  CVE-2016-9296.patch"
+sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f  p7zip_16.02_src_all.tar.bz2
+f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983  CVE-2016-9296.patch"
+sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f  p7zip_16.02_src_all.tar.bz2
+7a7fddf4122c3f5d4632640149a94c285a18515f38510388709c2fb9ecd450f9f34ae2e5fe4926c1c68507567b0affa2c8e9194c732673171dd5ee625192b194  CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..773f92a
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
_at_@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig	2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp	2016-11-21 01:42:57.481197725 +0000
+_at_@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+         ThrowIncorrect();
+   }
+-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
++  if (folders.PackPositions)
++      HeadersSize += folders.PackPositions[folders.NumPackStreams];
+   return S_OK;
+ }
+ 
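Review bot: The guard at `if (folders.PackPositions)` makes a malformed archive (a folder table that presumably leaves PackPositions unallocated because it declares no pack streams) continue parsing with HeadersSize unchanged instead of being rejected; the CRC check two lines above already uses `ThrowIncorrect()` as this function's rejection path, so consider `else ThrowIncorrect();` unless an empty PackPositions is legitimate here, which the hunk does not show. The null test also relies on PackPositions converting to a pointer that is NULL when nothing was allocated — confirm against the container type in 7zIn.h. The patch file carries no description; a header such as `CVE-2016-9296: NULL pointer dereference in CInArchive::ReadAndDecodePackedStreams on a crafted 7z archive whose folder table has no pack streams` plus a reference to the upstream 7-Zip fix would let a maintainer verify it. `ReadAndDecodePackedStreams` starts outside the hunk.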
-- 
2.10.2