
[alpine-aports] [PATCH v3.2] main/p7zip: security upgrade - fixes #6513

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Mon, 5 Dec 2016 08:29:16 +0000

CVE-2016-9296
---
 main/p7zip/APKBUILD            | 20 ++++++++++++--------
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 9415678..15dad05 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
_at_@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=p7zip
 pkgver=9.38.1
-pkgrel=0
+pkgrel=1
 pkgdesc="A command-line port of the 7zip compression utility"
 url="http://p7zip.sourceforge.net"
 arch="all"
_at_@ -11,18 +11,19 @@ depends=
 makedepends="bash"
 #install=p7zip.install
 source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
-		p7zip-cc-cxx.patch"
+		p7zip-cc-cxx.patch
+                CVE-2016-9296.patch"
 
-_builddir="$srcdir"/${pkgname}_${pkgver}
+builddir="$srcdir"/${pkgname}_${pkgver}
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	patch -p1 -i ../p7zip-cc-cxx.patch || return 1
 	sed -i "s|usr/local|usr|g" makefile
 	make all3 OPTFLAGS="${CXXFLAGS}" || return 1
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make install DEST_HOME="$pkgdir"/usr DEST_MAN="$pkgdir"/usr/share/man \
 		DEST_SHARE_DOC="http://www.bugaco.com/7zip"
 
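Review bot: CVE-2016-9296.patch is added to `source=` and checksummed, but nothing in the visible build() applies it; the only patch invocation is still `patch -p1 -i ../p7zip-cc-cxx.patch || return 1`, so the rebuilt package would ship the same unguarded 7zIn.cpp unless a prepare() outside this hunk applies it. If the `_builddir` → `builddir` rename is intended to let abuild's default prepare step apply every `*.patch` listed in source, then the explicit patch call in build() should be removed, since that patch would be applied a second time and the reversed application fails the build; otherwise add `patch -p1 -i ../CVE-2016-9296.patch || return 1` directly after the existing call (the patch's `p7zip_9.38.1/` prefix strips correctly with `-p1` from `$builddir`). Either way it is worth confirming after a build that the `if (folders.PackPositions)` guard is present in `$builddir/CPP/7zip/Archive/7z/7zIn.cpp` before calling #6513 fixed. build() and package() are fully inside the hunk, but the rest of the APKBUILD is not, so a prepare() may exist outside the visible lines.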
_at_@ -33,8 +34,11 @@ package() {
 }
 
 md5sums="6cba8402ccab2370d3b70c5e28b3d651  p7zip_9.38.1_src_all.tar.bz2
-57dbabbbf7cafc1322ad7ae354fdabab  p7zip-cc-cxx.patch"
+57dbabbbf7cafc1322ad7ae354fdabab  p7zip-cc-cxx.patch
+7d4da958f4df3a20afaec28b63fb19cc  CVE-2016-9296.patch"
 sha256sums="fd5019109c9a1bf34ad3257d37a6853eae8151ff50345f0a3ffba7d8c5fdb995  p7zip_9.38.1_src_all.tar.bz2
-c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b  p7zip-cc-cxx.patch"
+c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b  p7zip-cc-cxx.patch
+5a245b332ccdd690dbbdf02b05d5d8b21b35eb628c9fc41e6c6253d0bbf7ab0a  CVE-2016-9296.patch"
 sha512sums="f524ffae54e0d9563a509cc4b243e830d882a925e682eb2e15e2d19cb72c947fddecd72c8507d6c1538b997b240b0827046fc2fb4f5e3f7d49840257c92b9c04  p7zip_9.38.1_src_all.tar.bz2
-10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e  p7zip-cc-cxx.patch"
+10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e  p7zip-cc-cxx.patch
+8e4756202ad6581f38fb0a8a9fd689f86ad2ffc54a151e70d8580158c49eab3ae2e0480826b9d8f841ff3b92ef8297a4f68fa487dc5ad04743b61aa389cf1fd3  CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..439f753
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
_at_@ -0,0 +1,12 @@
+--- p7zip_9.38.1.orig/CPP/7zip/Archive/7z/7zIn.cpp	2015-01-05 18:38:01.000000000 +0000
++++ p7zip_9.38.1/CPP/7zip/Archive/7z/7zIn.cpp	2016-12-05 08:23:08.136926892 +0000
+_at_@ -1142,7 +1142,8 @@
+       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+         ThrowIncorrect();
+   }
+-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
++  if (folders.PackPositions) //this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185)
++    HeadersSize += folders.PackPositions[folders.NumPackStreams];
+   return S_OK;
+ }
+ 
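Review bot: The patch file has no description header, so the only record of what it fixes and where it comes from is the inline `//this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185)` comment, which ends up in the compiled source and reads as a changelog rather than as documentation of the code. Move the CVE reference and the bug URL into a few description lines above the `---` header of the patch file, and shorten the in-code comment to what a maintainer of 7zIn.cpp needs, e.g. `// PackPositions may be NULL (presumably when the archive has no pack streams); skipping the add avoids a NULL dereference`. The guard itself appears to be the minimal NULL check the linked bug report calls for, and the function enclosing this hunk starts outside the hunk, so whether PackPositions can be NULL with NumPackStreams != 0 cannot be judged from here.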
-- 
2.4.11