Mail archive
alpine-aports

[alpine-aports] [PATCH] main/p7zip: security fix for CVE-2017-17969, modernize

From: Daniel Sabogal <dsabogalcc_at_gmail.com>
Date: Tue, 6 Feb 2018 09:53:48 -0500

---
 main/p7zip/APKBUILD             | 31 ++++++++++++++++++-------------
 main/p7zip/CVE-2017-17969.patch | 16 ++++++++++++++++
 2 files changed, 34 insertions(+), 13 deletions(-)
 create mode 100644 main/p7zip/CVE-2017-17969.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 55f38372b2..722f7a4bf9 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
_at_@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=p7zip
 pkgver=16.02
-pkgrel=1
+pkgrel=2
 pkgdesc="A command-line port of the 7zip compression utility"
 url="http://p7zip.sourceforge.net"
 arch="all"
_at_@ -12,15 +12,18 @@ subpackages="$pkgname-doc"
 depends=""
 makedepends="bash yasm nasm"
 source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
-	CVE-2016-9296.patch"
+	CVE-2016-9296.patch
+	CVE-2017-17969.patch"
 builddir="$srcdir/${pkgname}_$pkgver"
 
 # secfixes:
 #   16.02-r1:
 #   - CVE-2016-9296
+#   16.02-r2:
+#   - CVE-2017-17969
 
 prepare() {
-	default_prepare || return 1
+	default_prepare
 
 	local makefile="makefile.linux_any_cpu_gcc_4.X"
 	case "$CARCH" in
_at_@ -29,32 +32,34 @@ prepare() {
 	esac
 
 	cd "$builddir"
-	ln -sf $makefile makefile.machine || return 1
+	ln -sf $makefile makefile.machine
 
 	sed -e "s,g++,${CXX:-g++}," -i makefile.machine
 	sed -e "s,gcc,${CC:-gcc}," -i makefile.machine
 }
 
+check() {
+	cd "$builddir"
+	make test
+}
+
 build() {
 	cd "$builddir"
-	make all3 OPTFLAGS="${CXXFLAGS}" || return 1
+	make all3 OPTFLAGS="${CXXFLAGS}"
 }
 
 package() {
 	cd "$builddir"
 	make install DEST_DIR="$pkgdir" DEST_HOME="/usr" \
 		DEST_MAN="/usr/share/man" \
-		DEST_SHARE_DOC="/usr/share/doc/$pkgname" || return 1
+		DEST_SHARE_DOC="/usr/share/doc/$pkgname"
 
 	install -Dm755 contrib/gzip-like_CLI_wrapper_for_7z/$pkgname \
-		"$pkgdir"/usr/bin/$pkgname || return 1
+		"$pkgdir"/usr/bin/$pkgname
 	install -Dm644 contrib/gzip-like_CLI_wrapper_for_7z/man1/$pkgname.1 \
-		"$pkgdir"/usr/share/man/man1/$pkgname.1 || return 1
+		"$pkgdir"/usr/share/man/man1/$pkgname.1
 }
 
-md5sums="a0128d661cfe7cc8c121e73519c54fbf  p7zip_16.02_src_all.tar.bz2
-0f0535ca888273f3779ca14e8f186813  CVE-2016-9296.patch"
-sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f  p7zip_16.02_src_all.tar.bz2
-f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983  CVE-2016-9296.patch"
 sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f  p7zip_16.02_src_all.tar.bz2
-7a7fddf4122c3f5d4632640149a94c285a18515f38510388709c2fb9ecd450f9f34ae2e5fe4926c1c68507567b0affa2c8e9194c732673171dd5ee625192b194  CVE-2016-9296.patch"
+7a7fddf4122c3f5d4632640149a94c285a18515f38510388709c2fb9ecd450f9f34ae2e5fe4926c1c68507567b0affa2c8e9194c732673171dd5ee625192b194  CVE-2016-9296.patch
+22b6437770f2fb70675ed6971239ec3d40d5b9c7e1c5aa28c670d082bd2e7d861863f2f00feacec759eab216081dc49544b980b2ebe9fe40c7d0d1ca1dfc3069  CVE-2017-17969.patch"
diff --git a/main/p7zip/CVE-2017-17969.patch b/main/p7zip/CVE-2017-17969.patch
new file mode 100644
index 0000000000..af9e03931f
--- /dev/null
+++ b/main/p7zip/CVE-2017-17969.patch
_at_@ -0,0 +1,16 @@
+--- p7zip_16.02/CPP/7zip/Compress/ShrinkDecoder.cpp.orig
++++ p7zip_16.02/CPP/7zip/Compress/ShrinkDecoder.cpp
+_at_@ -121,7 +121,12 @@
+     {
+       _stack[i++] = _suffixes[cur];
+       cur = _parents[cur];
+-    }
++      if (i >= kNumItems)
++        break;
++     }
++
++    if (i >= kNumItems)
++      break;
+     
+     _stack[i++] = (Byte)cur;
+     lastChar2 = (Byte)cur;
-- 
2.16.1
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Tue Feb 06 2018 - 09:53:48 GMT