This patch addresses CVE-2016-9296. Diffs attached for both -current and 6.0-stable. The CVE mentions only version 16.02, but it also affects 15.14 (6.0-stable).
The patch comes from upstream's upstream, the developer of 7zip. Tested on amd64 and i386.
Index: Makefile
===================================================================
RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
retrieving revision 1.36
diff -u -p -r1.36 Makefile
--- Makefile 14 Aug 2016 16:29:20 -0000 1.36
+++ Makefile 20 Nov 2016 14:55:07 -0000
@@ -4,6 +4,7 @@ COMMENT-main= file archiver with high co
 COMMENT-rar= rar modules for p7zip
 V= 16.02
+REVISION-main= 0
 DISTNAME= p7zip_${V}_src_all
 PKGNAME= p7zip-${V}
 PKGNAME-main= p7zip-${V}
Index: patches/patch-CPP_7zip_Archive_7z_7zIn_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_7z_7zIn_cpp
diff -N patches/patch-CPP_7zip_Archive_7z_7zIn_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_7z_7zIn_cpp 20 Nov 2016 14:44:15 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+For CVE-2016-9296, from 7zip's developer Igor Pavlov
+
+--- CPP/7zip/Archive/7z/7zIn.cpp.orig Sun Nov 20 09:29:41 2016
++++ CPP/7zip/Archive/7z/7zIn.cpp Sun Nov 20 09:31:22 2016
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams(
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
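Review bot: The added `if (folders.PackPositions)` guard in the 7zIn.cpp patch has no comment saying when that pointer can be null, so the reason for the check is recorded only in the port patch header. A one-line comment above it, for example `// PackPositions may be unallocated for a header with no pack streams (CVE-2016-9296)`, would keep that with the code; the allocation site is outside the hunk, so the exact condition should be confirmed against it. With the guard the function still returns S_OK and leaves HeadersSize unchanged for such input, which looks intended but is worth stating in the same comment. ReadAndDecodePackedStreams starts outside the hunk, and the same point applies to the identical patch file in the 6.0-stable diff that follows.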
Index: Makefile
===================================================================
RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
retrieving revision 1.35
diff -u -p -r1.35 Makefile
--- Makefile 30 May 2016 21:22:50 -0000 1.35
+++ Makefile 20 Nov 2016 15:00:07 -0000
@@ -7,7 +7,7 @@ V= 15.14.1
 DISTNAME= p7zip_${V}_src_all
 PKGNAME= p7zip-${V}
 PKGNAME-main= p7zip-${V}
-REVISION-main= 1
+REVISION-main= 2
 PKGNAME-rar= p7zip-rar-${V}
 CATEGORIES= archivers
Index: patches/patch-CPP_7zip_Archive_7z_7zIn_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_7z_7zIn_cpp
diff -N patches/patch-CPP_7zip_Archive_7z_7zIn_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_7z_7zIn_cpp 20 Nov 2016 15:00:07 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+For CVE-2016-9296, from 7zip's developer Igor Pavlov
+
+--- CPP/7zip/Archive/7z/7zIn.cpp.orig Sun Nov 20 09:29:41 2016
++++ CPP/7zip/Archive/7z/7zIn.cpp Sun Nov 20 09:31:22 2016
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams(
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+