
[alpine-aports] [PATCH v3.3] main/p7zip: security upgrade - CVE-2016-9296 - fixes #6512

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Mon, 5 Dec 2016 08:15:09 +0000

---
 main/p7zip/APKBUILD            | 20 ++++++++++++--------
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 9415678..e922ccd 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
_at_@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=p7zip
 pkgver=9.38.1
-pkgrel=0
+pkgrel=1
 pkgdesc="A command-line port of the 7zip compression utility"
 url="http://p7zip.sourceforge.net"
 arch="all"
_at_@ -11,18 +11,19 @@ depends=
 makedepends="bash"
 #install=p7zip.install
 source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
-		p7zip-cc-cxx.patch"
+		p7zip-cc-cxx.patch
+                CVE-2016-9296.patch"
 
-_builddir="$srcdir"/${pkgname}_${pkgver}
+builddir="$srcdir"/${pkgname}_${pkgver}
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	patch -p1 -i ../p7zip-cc-cxx.patch || return 1
 	sed -i "s|usr/local|usr|g" makefile
 	make all3 OPTFLAGS="${CXXFLAGS}" || return 1
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make install DEST_HOME="$pkgdir"/usr DEST_MAN="$pkgdir"/usr/share/man \
 		DEST_SHARE_DOC="http://www.bugaco.com/7zip"
 
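Review bot: The new `CVE-2016-9296.patch` is added to `source` and to every checksum list, but `build()` still applies only `../p7zip-cc-cxx.patch`, so unless abuild applies the remaining patches on its own (no `prepare()` calling `default_prepare` is visible in this APKBUILD) the security fix is fetched and verified but never applied to the tree that gets built. Adding `patch -p1 -i ../CVE-2016-9296.patch || return 1` directly after the existing patch line would close that gap, or both patches could move into a `prepare()` that calls `default_prepare`. Separately, the new `source` entry is indented with spaces while the line above uses tabs, so the list no longer lines up. The `package()` body continues outside the hunk.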
_at_@ -33,8 +34,11 @@ package() {
 }
 
 md5sums="6cba8402ccab2370d3b70c5e28b3d651  p7zip_9.38.1_src_all.tar.bz2
-57dbabbbf7cafc1322ad7ae354fdabab  p7zip-cc-cxx.patch"
+57dbabbbf7cafc1322ad7ae354fdabab  p7zip-cc-cxx.patch
+0020242cbff6712d614f60a6c6341c78  CVE-2016-9296.patch"
 sha256sums="fd5019109c9a1bf34ad3257d37a6853eae8151ff50345f0a3ffba7d8c5fdb995  p7zip_9.38.1_src_all.tar.bz2
-c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b  p7zip-cc-cxx.patch"
+c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b  p7zip-cc-cxx.patch
+ec76b11d7e41de370f0d226a25142f9a6ca362205b1d4d6356292c2e2714ac5f  CVE-2016-9296.patch"
 sha512sums="f524ffae54e0d9563a509cc4b243e830d882a925e682eb2e15e2d19cb72c947fddecd72c8507d6c1538b997b240b0827046fc2fb4f5e3f7d49840257c92b9c04  p7zip_9.38.1_src_all.tar.bz2
-10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e  p7zip-cc-cxx.patch"
+10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e  p7zip-cc-cxx.patch
+a803ead99841cb4ded5b51613e08b0794ffb496c2ca66d61a49420a2382d54466858a130b1efe58d13de2cb7f5758a0100d24cb8e2d25f972ae8be12d28ff572  CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..442d8fb
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
_at_@ -0,0 +1,12 @@
+--- p7zip_9.38.1.orig/CPP/7zip/Archive/7z/7zIn.cpp	2015-01-05 18:38:01.000000000 +0000
++++ p7zip_9.38.1/CPP/7zip/Archive/7z/7zIn.cpp	2016-12-05 08:04:52.872042682 +0000
+_at_@ -1142,7 +1142,8 @@
+       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+         ThrowIncorrect();
+   }
+-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
++  if (folders.PackPositions) // this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185)
++    HeadersSize += folders.PackPositions[folders.NumPackStreams];
+   return S_OK;
+ }
+ 
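Review bot: The patch file carries no header above its first `---` line stating where the change comes from, so a reader cannot tell whether this is the upstream 7-Zip fix or an Alpine-local one; the only attribution is the trailing comment squeezed onto the `if` line. A short preamble such as `Fix CVE-2016-9296: missing PackPositions check in 7zIn.cpp, see https://sourceforge.net/p/p7zip/bugs/185` before the `---` line would document that without affecting what patch(1) applies. The added guard only checks that `folders.PackPositions` is non-null before the read; whether `NumPackStreams` can index past that array is not visible in this hunk, so it is worth confirming against the upstream fix. The enclosing function starts outside the hunk.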
-- 
2.6.6