X-Original-To: alpine-aports@lists.alpinelinux.org Received: from mail-oi0-f66.google.com (mail-oi0-f66.google.com [209.85.218.66]) by lists.alpinelinux.org (Postfix) with ESMTP id 87E975C4A91 for ; Thu, 24 Nov 2016 01:59:38 +0000 (GMT) Received: by mail-oi0-f66.google.com with SMTP id u15so2118116oie.3 for ; Wed, 23 Nov 2016 17:59:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:message-id:in-reply-to:references; bh=ZuPdBcZvOKY0WeZpZHUImKSLb5y9IpfXltSjBZY9MTA=; b=ET4muvA6Pz25pfo4i86FYC1TVlCFndYI0SFj4IM1EUsn92gW/SKrhR4gXvK7aN5wq9 kgRVWIlPz+nTzpF6ZVMCp1fNmG86i315q6tw1reqZP37fO/BYQUx1fNVzr6v9S7eBPIB u8DUWA7PatT1EoGKbt1V1mFUp/kM/tF/kgsloRrTl1UHMlmuuwju0g8Z1yG4nw04oiFW gFoCaqpTcOD8X31GzUkRTidJpZdiS3c7v1foJPRwohDnTZb9BGX3gLRB+ifG206BKlvg s08Q4/JyR0EMOdDdDqXIfaYnf/5tngsf+/5vc5e3ryX+bOmOXxIQU3KTBdDIucR8vkbm tDtg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=ZuPdBcZvOKY0WeZpZHUImKSLb5y9IpfXltSjBZY9MTA=; b=ITyuvueVNfuJlObXYa22V0Z4xOSBIwQ8dI4cUNFDzV6Zw4xWqEEfnSiq/REgiwfv3P GrIKdX5TPRYvHpUlamomT1rW1xHhsypJSWHM6YDXT41isbD2nUMBrdjywh83j/eyOAqX dUVknI0LFhbC2B3SsnhpR/c8kUaOrJ6WJ2BH1Q/3fEdOydudEgPJt6UYqrLPSHHF2/pj DFzU9ifTtYQxuwunwlu0KRXTtvEmmlzhQMaHuXSx2eicuSN1prsc59O0C9YWBDC8c3Mg 5RnevF11oE7W1glYqKpt4yvxbCmJyhCpneL8JZjuPb86dWnD5EHs6yCbUhZCbArKHXcx A+tQ== X-Gm-Message-State: AKaTC03/wWgEK98DIwCnInmG9pi4dQTG/ITN8giTZRLD4bcVqu0cN4DIM/cL9tw5JOVtOg== X-Received: by 10.202.235.78 with SMTP id j75mr3292611oih.74.1479952778163; Wed, 23 Nov 2016 17:59:38 -0800 (PST) Received: from alp.my.domain ([2600:8807:c246:be00:9eb7:dff:feb2:27a1]) by smtp.gmail.com with ESMTPSA id r34sm11257652otr.12.2016.11.23.17.59.37 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Nov 2016 17:59:37 -0800 (PST) 
From: Daniel Sabogal
To: alpine-aports@lists.alpinelinux.org
Subject: [alpine-aports] [PATCH] main/p7zip: security fix for CVE-2016-9296
Date: Wed, 23 Nov 2016 20:59:48 -0500
Message-Id: <20161124015948.20847-2-dsabogalcc@gmail.com>
X-Mailer: git-send-email 2.10.2
In-Reply-To: <20161124015948.20847-1-dsabogalcc@gmail.com>
References: <20161124015948.20847-1-dsabogalcc@gmail.com>
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development
List-Unsubscribe:
List-Post:
List-Help:
List-Subscribe:
---
 main/p7zip/APKBUILD | 29 +++++++++++++++++++----------
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 24f1bce..0d5ea43 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa
 pkgname=p7zip
 pkgver=16.02
-pkgrel=0
+pkgrel=1
 pkgdesc="A command-line port of the 7zip compression utility"
 url="http://p7zip.sourceforge.net"
 arch="all"
@@ -11,18 +11,24 @@ license="LGPL2+"
 subpackages="$pkgname-doc"
 depends=""
 makedepends="bash yasm nasm"
-install=""
-source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2"
+source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
+ CVE-2016-9296.patch"
+builddir="$srcdir/${pkgname}_$pkgver"
+
+# secfixes:
+# 16.02-r1:
+# - CVE-2016-9296
-_builddir="$srcdir"/${pkgname}_${pkgver}
 prepare() {
+ default_prepare || return 1
+
 local makefile="makefile.linux_any_cpu_gcc_4.X"
 case "$CARCH" in
 x86) makefile="makefile.linux_x86_asm_gcc_4.X" ;;
 x86_64) makefile="makefile.linux_amd64_asm" ;;
 esac
- cd "$_builddir"
+ cd "$builddir"
 ln -sf $makefile makefile.machine || return 1
 sed -e "s,g++,${CXX:-g++}," -i makefile.machine
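Review bot: The `source=` line in the second hunk still fetches the upstream tarball over plain `http://`, so the download's integrity rests entirely on the `sha512sums` entry added later in this patch; that checksum line must never be regenerated from a fresh fetch without comparing against the previously recorded value. SourceForge serves the same path over `https://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2`, which would also protect the one-time step where a maintainer computes the checksums. Separately, the `# secfixes:` block appears flush-left here; Alpine's secdb tooling reads it as nested YAML with the release and CVE entries indented (`#   16.02-r1:` / `#     - CVE-2016-9296`) — if the indentation was only lost in the mailing-list rendering, ignore this.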
@@ -30,12 +36,12 @@ prepare() {
 }
 build() {
- cd "$_builddir"
+ cd "$builddir"
 make all3 OPTFLAGS="${CXXFLAGS}" || return 1
 }
 package() {
- cd "$_builddir"
+ cd "$builddir"
 make install DEST_DIR="$pkgdir" DEST_HOME="/usr" \
 DEST_MAN="/usr/share/man" \
 DEST_SHARE_DOC="/usr/share/doc/$pkgname" || return 1
@@ -46,6 +52,9 @@ package() {
 "$pkgdir"/usr/share/man/man1/$pkgname.1 || return 1
 }
-md5sums="a0128d661cfe7cc8c121e73519c54fbf p7zip_16.02_src_all.tar.bz2"
-sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f p7zip_16.02_src_all.tar.bz2"
-sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f p7zip_16.02_src_all.tar.bz2"
+md5sums="a0128d661cfe7cc8c121e73519c54fbf p7zip_16.02_src_all.tar.bz2
+0f0535ca888273f3779ca14e8f186813 CVE-2016-9296.patch"
+sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f p7zip_16.02_src_all.tar.bz2
+f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983 CVE-2016-9296.patch"
+sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f p7zip_16.02_src_all.tar.bz2
+7a7fddf4122c3f5d4632640149a94c285a18515f38510388709c2fb9ecd450f9f34ae2e5fe4926c1c68507567b0affa2c8e9194c732673171dd5ee625192b194 CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..773f92a
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig 2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp 2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
--
2.10.2
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
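Review bot: The new `if (folders.PackPositions)` guard only skips the `HeadersSize` update when the array is null; if a header can declare `NumPackStreams > 0` while `PackPositions` was never allocated, that is a malformed archive and silently continuing may be a weaker response than the `ThrowIncorrect()` used two lines above for the CRC mismatch — whether that state is reachable is not visible from this excerpt, so it is worth confirming against the code that fills `folders`. The index `folders.PackPositions[folders.NumPackStreams]` is also unchecked against the array length; presumably the allocation holds `NumPackStreams + 1` entries, but a one-line comment at the guard stating that invariant (e.g. `// PackPositions is null when no pack streams were read; see CVE-2016-9296`) would make the intent reviewable. The patch file carries no description or upstream reference above its `---` header, which Alpine patches normally include so the fix can be traced when the package is next bumped. `ReadAndDecodePackedStreams` begins outside the quoted hunk.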