From: Sergey Lukin
To: alpine-aports@lists.alpinelinux.org
Cc: Sergey Lukin
Subject: [alpine-aports] [PATCH v3.3] main/p7zip: security upgrade - CVE-2016-9296 - fixes #6512
Date: Mon, 5 Dec 2016 08:15:09 +0000
Message-Id: <1480925709-3211-1-git-send-email-sergej.lukin@gmail.com>
X-Mailer: git-send-email 2.6.6

--- main/p7zip/APKBUILD | 20 ++++++++++++-------- main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++ 2 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 main/p7zip/CVE-2016-9296.patch diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD index 9415678..e922ccd 100644 --- a/main/p7zip/APKBUILD +++ b/main/p7zip/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=p7zip pkgver=9.38.1 -pkgrel=0 +pkgrel=1 pkgdesc="A command-line port of the 7zip compression utility" url="http://p7zip.sourceforge.net" arch="all" @@ -11,18 +11,19 @@ depends= makedepends="bash" #install=p7zip.install source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2 - p7zip-cc-cxx.patch" + p7zip-cc-cxx.patch + CVE-2016-9296.patch" -_builddir="$srcdir"/${pkgname}_${pkgver} +builddir="$srcdir"/${pkgname}_${pkgver} build() { - cd "$_builddir" + cd "$builddir" patch -p1 -i ../p7zip-cc-cxx.patch || return 1 sed -i "s|usr/local|usr|g" makefile make all3 OPTFLAGS="${CXXFLAGS}" || return 1 } package() { - cd "$_builddir" + cd "$builddir" make install DEST_HOME="$pkgdir"/usr DEST_MAN="$pkgdir"/usr/share/man \ DEST_SHARE_DOC="http://www.bugaco.com/7zip"
@@ -33,8 +34,11 @@ package() { } md5sums="6cba8402ccab2370d3b70c5e28b3d651 p7zip_9.38.1_src_all.tar.bz2 -57dbabbbf7cafc1322ad7ae354fdabab p7zip-cc-cxx.patch" +57dbabbbf7cafc1322ad7ae354fdabab p7zip-cc-cxx.patch +0020242cbff6712d614f60a6c6341c78 CVE-2016-9296.patch" sha256sums="fd5019109c9a1bf34ad3257d37a6853eae8151ff50345f0a3ffba7d8c5fdb995 p7zip_9.38.1_src_all.tar.bz2 -c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b p7zip-cc-cxx.patch" +c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b p7zip-cc-cxx.patch +ec76b11d7e41de370f0d226a25142f9a6ca362205b1d4d6356292c2e2714ac5f CVE-2016-9296.patch" sha512sums="f524ffae54e0d9563a509cc4b243e830d882a925e682eb2e15e2d19cb72c947fddecd72c8507d6c1538b997b240b0827046fc2fb4f5e3f7d49840257c92b9c04 p7zip_9.38.1_src_all.tar.bz2 -10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e p7zip-cc-cxx.patch" +10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e p7zip-cc-cxx.patch +a803ead99841cb4ded5b51613e08b0794ffb496c2ca66d61a49420a2382d54466858a130b1efe58d13de2cb7f5758a0100d24cb8e2d25f972ae8be12d28ff572 CVE-2016-9296.patch" diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch new file mode 100644 index 0000000..442d8fb --- /dev/null +++ b/main/p7zip/CVE-2016-9296.patch 
@@ -0,0 +1,12 @@ +--- p7zip_9.38.1.orig/CPP/7zip/Archive/7z/7zIn.cpp 2015-01-05 18:38:01.000000000 +0000 ++++ p7zip_9.38.1/CPP/7zip/Archive/7z/7zIn.cpp 2016-12-05 08:04:52.872042682 +0000 +@@ -1142,7 +1142,8 @@ + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) // this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + -- 2.6.6
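Review bot: in the APKBUILD hunk at `@@ -11,18 +11,19 @@`, build() still applies only one patch by hand (`patch -p1 -i ../p7zip-cc-cxx.patch || return 1`) and no visible line applies the new CVE-2016-9296.patch, so from this diff alone the fix is listed in source and in the checksums but may never reach the tree that gets compiled. Either add a matching `patch -p1 -i ../CVE-2016-9296.patch || return 1` next to the existing one, or, if the rename from `_builddir` to `builddir` is meant to let the build tooling apply everything in source automatically, drop the manual patch line so p7zip-cc-cxx.patch is not applied twice. The rename is also unrelated to the security fix and the commit message has no body; a one-line explanation of why it is needed would help whoever backports this.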
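Review bot: in the 7zIn.cpp hunk, the new `if (folders.PackPositions)` guard skips the HeadersSize update when the pointer is null but still falls through to `return S_OK`, so an archive that reaches this point without pack positions is accepted silently; please confirm that this is the intended outcome rather than rejecting the input the way the CRC mismatch just above does with ThrowIncorrect(). As a style point, the CVE number and bug URL would sit better in a short header at the top of CVE-2016-9296.patch than in a trailing source comment on the changed line, which keeps the line short and the diff against upstream minimal.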