From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.2] main/p7zip: security upgrade - fixes #6513 Date: Mon, 5 Dec 2016 08:29:16 +0000 Message-Id: <1480926556-3253-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.4.11 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-9296 --- main/p7zip/APKBUILD | 20 ++++++++++++-------- main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++ 2 files changed, 24 insertions(+), 8 deletions(-) create mode 100644 main/p7zip/CVE-2016-9296.patch diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD index 9415678..15dad05 100644 --- a/main/p7zip/APKBUILD +++ b/main/p7zip/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=p7zip pkgver=9.38.1 -pkgrel=0 +pkgrel=1 pkgdesc="A command-line port of the 7zip compression utility" url="http://p7zip.sourceforge.net" arch="all" @@ -11,18 +11,19 @@ depends= makedepends="bash" #install=p7zip.install source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2 - p7zip-cc-cxx.patch" + p7zip-cc-cxx.patch + CVE-2016-9296.patch" -_builddir="$srcdir"/${pkgname}_${pkgver} +builddir="$srcdir"/${pkgname}_${pkgver} build() { - cd "$_builddir" + cd "$builddir" patch -p1 -i ../p7zip-cc-cxx.patch || return 1 sed -i "s|usr/local|usr|g" makefile make all3 OPTFLAGS="${CXXFLAGS}" || return 1 } package() { - cd "$_builddir" + cd "$builddir" make install DEST_HOME="$pkgdir"/usr DEST_MAN="$pkgdir"/usr/share/man \ DEST_SHARE_DOC="http://www.bugaco.com/7zip" 
@@ -33,8 +34,11 @@ package() { } md5sums="6cba8402ccab2370d3b70c5e28b3d651 p7zip_9.38.1_src_all.tar.bz2 -57dbabbbf7cafc1322ad7ae354fdabab p7zip-cc-cxx.patch" +57dbabbbf7cafc1322ad7ae354fdabab p7zip-cc-cxx.patch +7d4da958f4df3a20afaec28b63fb19cc CVE-2016-9296.patch" sha256sums="fd5019109c9a1bf34ad3257d37a6853eae8151ff50345f0a3ffba7d8c5fdb995 p7zip_9.38.1_src_all.tar.bz2 -c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b p7zip-cc-cxx.patch" +c19a51d433ba2025953a36a8a86030254c9e33d00aad834a2b33e4426e99979b p7zip-cc-cxx.patch +5a245b332ccdd690dbbdf02b05d5d8b21b35eb628c9fc41e6c6253d0bbf7ab0a CVE-2016-9296.patch" sha512sums="f524ffae54e0d9563a509cc4b243e830d882a925e682eb2e15e2d19cb72c947fddecd72c8507d6c1538b997b240b0827046fc2fb4f5e3f7d49840257c92b9c04 p7zip_9.38.1_src_all.tar.bz2 -10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e p7zip-cc-cxx.patch" +10fad26c7a044ef9750ce7084a5094fc9c70dfb27a7d75f1e66f716f52293d6274e376b7507c513abcd35ad9103433a6abe0eb304ae96593f90eb846b6aa934e p7zip-cc-cxx.patch +8e4756202ad6581f38fb0a8a9fd689f86ad2ffc54a151e70d8580158c49eab3ae2e0480826b9d8f841ff3b92ef8297a4f68fa487dc5ad04743b61aa389cf1fd3 CVE-2016-9296.patch" diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch new file mode 100644 index 0000000..439f753 --- /dev/null +++ b/main/p7zip/CVE-2016-9296.patch 
@@ -0,0 +1,12 @@ +--- p7zip_9.38.1.orig/CPP/7zip/Archive/7z/7zIn.cpp 2015-01-05 18:38:01.000000000 +0000 ++++ p7zip_9.38.1/CPP/7zip/Archive/7z/7zIn.cpp 2016-12-05 08:23:08.136926892 +0000 +@@ -1142,7 +1142,8 @@ + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) //this line is fixing CVE-2016-9296 (https://sourceforge.net/p/p7zip/bugs/185) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + -- 2.4.11 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
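Review bot: In main/p7zip/APKBUILD (hunk @@ -11,18 +11,19 @@), build() still applies only p7zip-cc-cxx.patch by hand with `patch -p1 -i ../p7zip-cc-cxx.patch || return 1`, and nothing in the visible lines applies the newly listed CVE-2016-9296.patch. If the `_builddir` to `builddir` rename is meant to let abuild's default prepare step apply every *.patch listed in source, that manual call would apply p7zip-cc-cxx.patch a second time and should be dropped; otherwise add a matching `patch -p1 -i ../CVE-2016-9296.patch || return 1` next to it. The rename is also unrelated to the fix as described, so it deserves a line in the commit message, which currently reads only "CVE-2016-9296".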
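Review bot: In the 7zIn.cpp hunk of main/p7zip/CVE-2016-9296.patch, the new `if (folders.PackPositions)` guard means that when PackPositions is null the HeadersSize update is skipped and the function still returns S_OK. Please confirm that accepting such an archive is intended, rather than rejecting it with ThrowIncorrect() as the CRC check just above does. As a style point, move the trailing `//this line is fixing CVE-2016-9296 ...` comment onto its own line above the `if` so the guard and the bug reference are both easy to read.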