~alpine/aports

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch

[alpine-aports] [PATCH v3.3] main/p7zip: security upgrade - CVE-2016-9296 - fixes #6512

Sergey Lukin <sergej.lukin@gmail.com>
Details
Message ID
<1480925709-3211-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp
1480925709
DKIM signature
missing
Download raw message
7 years ago
Patch: +24 -8 
---
 main/p7zip/APKBUILD            | 20 ++++++++++++--------
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch

diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 9415678..e922ccd 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=p7zip
pkgver=9.38.1
pkgrel=0
pkgrel=1
pkgdesc="A command-line port of the 7zip compression utility"
url="http://p7zip.sourceforge.net"
arch="all"
@@ -11,18 +11,19 @@ depends=
makedepends="bash"
#install=p7zip.install
source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
		p7zip-cc-cxx.patch"
		p7zip-cc-cxx.patch
                CVE-2016-9296.patch"

_builddir="$srcdir"/${pkgname}_${pkgver}
builddir="$srcdir"/${pkgname}_${pkgver}
build() {
	cd "$_builddir"
	cd "$builddir"
	patch -p1 -i ../p7zip-cc-cxx.patch || return 1
	sed -i "s|usr/local|usr|g" makefile
	make all3 OPTFLAGS="${CXXFLAGS}" || return 1
}

package() {
	cd "$_builddir"
	cd "$builddir"
	make install DEST_HOME="$pkgdir"/usr DEST_MAN="$pkgdir"/usr/share/man \
		DEST_SHARE_DOC="http://www.bugaco.com/7zip"

@@ -33,8 +34,11 @@ package() {
}

md5sums="6cba8402ccab2370d3b70c5e28b3d651  p7zip_9.38.1_src_all.tar.bz2
57dbabbbf7cafc1322ad7ae354fdabab  p7zip-cc-cxx.patch"
57dbabbbf7cafc1322ad7ae354fdabab  p7zip-cc-cxx.patch
0020242cbff6712d614f60a6c6341c78  CVE-2016-9296.patch"
sha256sums="fd5019109c9a1bf34ad3257d37a6853eae8151ff50345f0a3ffba7d8c5fdb995  p7zip_9.38.1_src_all.tar.bz2
c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b  p7zip-cc-cxx.patch"
c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b  p7zip-cc-cxx.patch
ec76b11d7e41de370f0d226a25142f9a6ca362205b1d4d6356292c2e2714ac5f  CVE-2016-9296.patch"
sha512sums="f524ffae54e0d9563a509cc4b243e830d882a925e682eb2e15e2d19cb72c947fddecd72c8507d6c1538b997b240b0827046fc2fb4f5e3f7d49840257c92b9c04  p7zip_9.38.1_src_all.tar.bz2
10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e  p7zip-cc-cxx.patch"
10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e  p7zip-cc-cxx.patch
a803ead99841cb4ded5b51613e08b0794ffb496c2ca66d61a49420a2382d54466858a130b1efe58d13de2cb7f5758a0100d24cb8e2d25f972ae8be12d28ff572  CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..442d8fb
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
--- p7zip_9.38.1.orig/CPP/7zip/Archive/7z/7zIn.cpp	2015-01-05 18:38:01.000000000 +0000
+++ p7zip_9.38.1/CPP/7zip/Archive/7z/7zIn.cpp	2016-12-05 08:04:52.872042682 +0000
@@ -1142,7 +1142,8 @@
       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
         ThrowIncorrect();
   }
-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
+  if (folders.PackPositions) // this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185)
+    HeadersSize += folders.PackPositions[folders.NumPackStreams];
   return S_OK;
 }
 
-- 
2.6.6



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)