X-Original-To: alpine-aports@lists.alpinelinux.org Received: from mx2.cde.us.jw.org (unknown [50.56.176.215]) by lists.alpinelinux.org (Postfix) with ESMTP id 0A57B5C44C4 for ; Thu, 1 Dec 2016 08:28:54 +0000 (GMT) Received: from mx2.cde.us.jw.org (localhost [127.0.0.1]) by mx2.cde.us.jw.org (Postfix) with ESMTP id A9542DFB1E for ; Thu, 1 Dec 2016 08:28:54 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cde.us.jw.org; h=to:from :subject:message-id:date:mime-version:content-type; s=selector1; bh=XpljzSztsNGDDHiYoI+K8jufyxM=; b=FVhVlXYezLXogtBxbAnpnnTHT2lC 9r1grGnW8NouuQDz5t37QsxB3q3hCTAGBamLS5Je+JkA29jklNNPz5rlor7lMhAh fUQLgldfLhDaf3w0cPTSjsTDOP3gAq7Hyx5+bkA2jYLKaNCNRRam/hRoQWda3YwD q0e94uT3tVUsu0o= Received: from [10.252.5.142] (unknown [83.145.235.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: slukins) by mx2.cde.us.jw.org (Postfix) with ESMTPSA id 4A3DCDFB1C for ; Thu, 1 Dec 2016 08:28:54 +0000 (GMT) To: alpine-aports@lists.alpinelinux.org From: Sergey Lukin Subject: [alpine-aports] v3.4 main/p7zip: security fix (CVE-2016-9296) - fixes: #6511 Message-ID: Date: Thu, 1 Dec 2016 10:28:51 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="------------D8F2EE833B84EF13DEE42A9F" This is a multi-part message in MIME format. --------------D8F2EE833B84EF13DEE42A9F Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit --------------D8F2EE833B84EF13DEE42A9F Content-Type: text/x-patch; name="AL_v3.4-p7zip-security-fix-6511.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="AL_v3.4-p7zip-security-fix-6511.patch" >From dcdb6ed55ec98b72865b92fbb8a071181485f674 Mon Sep 17 00:00:00 2001 
From: Sergey Lukin
Date: Thu, 1 Dec 2016 08:21:07 +0000
Subject: [PATCH] v3.4 main/p7zip: security fix (CVE-2016-9296) - fixes: #6511
---
 main/p7zip/APKBUILD | 14 +++++++++-----
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch
diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 1b43b2f..1dcc74c 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa
 pkgname=p7zip
 pkgver=15.14.1
-pkgrel=0
+pkgrel=1
 pkgdesc="A command-line port of the 7zip compression utility"
 url="http://p7zip.sourceforge.net"
 arch="all"
@@ -12,7 +12,8 @@ subpackages="$pkgname-doc"
 depends=""
 makedepends="bash yasm nasm"
 install=""
-source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2"
+source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
+ CVE-2016-9296.patch"
 _builddir="$srcdir"/${pkgname}_${pkgver}
 prepare() {
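Review bot: Listing `CVE-2016-9296.patch` in `source` only makes abuild fetch and checksum the file; nothing in this commit touches `prepare()`, whose body lies outside the hunk, so it is not visible here whether the patch is ever applied in `$_builddir`. If `prepare()` does not already loop over the `*.patch` entries, the package is rebuilt as `pkgrel=1` without the fix while the changelog claims it. It is worth confirming that `prepare()` contains something like `case $i in *.patch) patch -p1 -i "$srcdir"/$i || return 1;; esac` inside a `for i in $source` loop, and that the build fails hard when the patch does not apply.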
@@ -46,6 +47,9 @@ package() {
 "$pkgdir"/usr/share/man/man1/$pkgname.1 || return 1
 }
-md5sums="92cca093312b5a71a7be7dc7d1d32509 p7zip_15.14.1_src_all.tar.bz2"
-sha256sums="699db4da3621904113e040703220abb1148dfef477b55305e2f14a4f1f8f25d4 p7zip_15.14.1_src_all.tar.bz2"
-sha512sums="30d0ef47bd6938cdd5d9d80ec6e7aed972655686a43adb0ae34bb9856ec7cd5a68a05c580352021055cefd6eeceb134ff6402f93686ce46e57f9757798e76abd p7zip_15.14.1_src_all.tar.bz2"
+md5sums="92cca093312b5a71a7be7dc7d1d32509 p7zip_15.14.1_src_all.tar.bz2
+3290b84b0bc0473358f78394eb410106 CVE-2016-9296.patch"
+sha256sums="699db4da3621904113e040703220abb1148dfef477b55305e2f14a4f1f8f25d4 p7zip_15.14.1_src_all.tar.bz2
+6b448ff7764c21473018425b2bedeee2bf2f3b442c80444c8f1c074dad134009 CVE-2016-9296.patch"
+sha512sums="30d0ef47bd6938cdd5d9d80ec6e7aed972655686a43adb0ae34bb9856ec7cd5a68a05c580352021055cefd6eeceb134ff6402f93686ce46e57f9757798e76abd p7zip_15.14.1_src_all.tar.bz2
+c7e2bc3b7c0a813cfe65cffbcad669b052436511640bc0e857854ab23e734cbaf80fbc5552e45f6ad2c075d30e16965a3ef53800e38ab8db92bb8004c52c2026 CVE-2016-9296.patch"
diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..eef25bb
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- p7zip_15.14.1/CPP/7zip/Archive/7z/7zIn.cpp 2016-12-01 08:15:42.846399878 +0000
++++ p7zip_15.14.1.orig/CPP/7zip/Archive/7z/7zIn.cpp 2016-02-23 21:50:06.000000000 +0000
+@@ -1091,8 +1091,7 @@
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- if (folders.PackPositions) // this line is fixing CVE-2016-9296
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
--
2.8.3
--------------D8F2EE833B84EF13DEE42A9F--
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
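Review bot: The new CVE-2016-9296.patch reads as a reversed diff: its `---` header names `p7zip_15.14.1`, its `+++` header names `p7zip_15.14.1.orig`, and the hunk deletes `if (folders.PackPositions)` (the line commented as fixing the CVE) while adding the unguarded `HeadersSize += folders.PackPositions[folders.NumPackStreams];`. Applied forward to the pristine 15.14.1 source it cannot match, so the result depends on whether patch(1) is allowed to auto-reverse it; on a tree that already carried the guard it would strip the null check and bring the dereference back. The file should be regenerated with the original tree as the old side so the guard sits on the `+` lines: `+ if (folders.PackPositions)` followed by `+ HeadersSize += folders.PackPositions[folders.NumPackStreams];`. Before release, check that 7zIn.cpp in the prepared build tree actually contains the guard.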