---
main/p7zip/APKBUILD | 20 ++++++++++++--------
main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
2 files changed, 24 insertions(+), 8 deletions(-)
create mode 100644 main/p7zip/CVE-2016-9296.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 9415678..e922ccd 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=p7zip
pkgver=9.38.1
-pkgrel=0
+pkgrel=1
pkgdesc="A command-line port of the 7zip compression utility"
url="http://p7zip.sourceforge.net"
arch="all"
@@ -11,18 +11,19 @@ depends=
makedepends="bash"
#install=p7zip.install
source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
- p7zip-cc-cxx.patch"
+ p7zip-cc-cxx.patch
+ CVE-2016-9296.patch"
-_builddir="$srcdir"/${pkgname}_${pkgver}
+builddir="$srcdir"/${pkgname}_${pkgver}
build() {
- cd "$_builddir"
+ cd "$builddir"
patch -p1 -i ../p7zip-cc-cxx.patch || return 1
sed -i "s|usr/local|usr|g" makefile
make all3 OPTFLAGS="${CXXFLAGS}" || return 1
}
package() {
- cd "$_builddir"
+ cd "$builddir"
make install DEST_HOME="$pkgdir"/usr DEST_MAN="$pkgdir"/usr/share/man \
DEST_SHARE_DOC="http://www.bugaco.com/7zip"
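Review bot: Nothing visible in build() applies CVE-2016-9296.patch; the only patch step in this hunk is the existing `patch -p1 -i ../p7zip-cc-cxx.patch || return 1`. Whether the fix reaches the compiled binary therefore seems to depend on abuild's default prepare step applying every `*.patch` in `source`, which the rename from `_builddir` to `builddir` presumably enables. If that is the intent, the manual patch line in build() should be dropped, because it would try to apply p7zip-cc-cxx.patch a second time. If not, add `patch -p1 -i "$srcdir"/CVE-2016-9296.patch || return 1` beside it. Either way, confirm from the build log that 7zIn.cpp was actually patched; package() continues past the end of this hunk.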
@@ -33,8 +34,11 @@ package() {
}
md5sums="6cba8402ccab2370d3b70c5e28b3d651 p7zip_9.38.1_src_all.tar.bz2
-57dbabbbf7cafc1322ad7ae354fdabab p7zip-cc-cxx.patch"
+57dbabbbf7cafc1322ad7ae354fdabab p7zip-cc-cxx.patch
+0020242cbff6712d614f60a6c6341c78 CVE-2016-9296.patch"
sha256sums="fd5019109c9a1bf34ad3257d37a6853eae8151ff50345f0a3ffba7d8c5fdb995 p7zip_9.38.1_src_all.tar.bz2
-c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b p7zip-cc-cxx.patch"
+c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b p7zip-cc-cxx.patch
+ec76b11d7e41de370f0d226a25142f9a6ca362205b1d4d6356292c2e2714ac5f CVE-2016-9296.patch"
sha512sums="f524ffae54e0d9563a509cc4b243e830d882a925e682eb2e15e2d19cb72c947fddecd72c8507d6c1538b997b240b0827046fc2fb4f5e3f7d49840257c92b9c04 p7zip_9.38.1_src_all.tar.bz2
-10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e p7zip-cc-cxx.patch"
+10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e p7zip-cc-cxx.patch
+a803ead99841cb4ded5b51613e08b0794ffb496c2ca66d61a49420a2382d54466858a130b1efe58d13de2cb7f5758a0100d24cb8e2d25f972ae8be12d28ff572 CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..442d8fb
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- p7zip_9.38.1.orig/CPP/7zip/Archive/7z/7zIn.cpp 2015-01-05 18:38:01.000000000 +0000
++++ p7zip_9.38.1/CPP/7zip/Archive/7z/7zIn.cpp 2016-12-05 08:04:52.872042682 +0000
+@@ -1142,7 +1142,8 @@
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions) // this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
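Review bot: The inline comment on the new `if (folders.PackPositions)` guard names the CVE but does not say what condition the guard protects against, which a later reader rebasing this patch onto a newer p7zip would need. Something like `// PackPositions can be NULL when no pack info was read; indexing it here was the NULL dereference tracked as CVE-2016-9296` would be clearer, assuming that matches the upstream bug report linked in the comment. The patch file also has no header recording where the fix came from (upstream commit, distro patch, or hand-written), and adding one makes it easier to drop the patch once a fixed release is packaged. The enclosing function starts outside this hunk, so whether a NULL PackPositions should still return S_OK cannot be judged from here.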
--
2.6.6