ports/contrib (3.3): [notify] p7zip: fixes for CVE-2016-9296.patch, CVE-2017-17969.patch, and CVE-2018-5996.patch. Closes FS#1580

commit 62e839b570baa91c51739ac9d6a21849b3c925db Author: Danny Rawlins <monster.romster@gmail.com> Date: Wed Feb 7 18:45:24 2018 +1100 [notify] p7zip: fixes for CVE-2016-9296.patch, CVE-2017-17969.patch, and CVE-2018-5996.patch. Closes FS#1580 diff --git a/p7zip/.md5sum b/p7zip/.md5sum index 424dcc62..7fc47291 100644 --- a/p7zip/.md5sum +++ b/p7zip/.md5sum @@ -1 +1,4 @@ +0f0535ca888273f3779ca14e8f186813 CVE-2016-9296.patch +ede45c239086e0a8fc4c8c3adf380f0d CVE-2017-17969.patch +41e9a16637f6739a46a24fa07d16d94d CVE-2018-5996.patch a0128d661cfe7cc8c121e73519c54fbf p7zip_16.02_src_all.tar.bz2 diff --git a/p7zip/.signature b/p7zip/.signature index 57979791..66f773d1 100644 --- a/p7zip/.signature +++ b/p7zip/.signature @@ -1,5 +1,8 @@ untrusted comment: verify with /etc/ports/contrib.pub -RWSagIOpLGJF3yBK6ONywSal6rNFGEzZ2rY6GD5qWlnKYEb6dbTothOxcXh6SR9irKN1LBTFb75U/+6709nCG2v8D1g/HrIZ2gw= -SHA256 (Pkgfile) = 90154b923ee35c6ffdeea4356b5bd5cd1a2f0580df91c57034405a5fc8827ce0 +RWSagIOpLGJF37IM0ATuRuLIEcxyM86x5S1dKTW0T/IR07nlrE+T9VMB6m2pCG0kIwTO+4b0RWl0Ztpx9PV8Yt97xrbmjx6YQgI= +SHA256 (Pkgfile) = 1e5619ad27fdb542b9ef28032d9df1a7218a60061c6196db0ea0d476832ba7a0 SHA256 (.footprint) = 262106f802932fda3d849240c2989aa139523c2da42d343535491abcc22b26e5 SHA256 (p7zip_16.02_src_all.tar.bz2) = 5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f +SHA256 (CVE-2016-9296.patch) = f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983 +SHA256 (CVE-2017-17969.patch) = 0027f47eb8633244ac0177c1bb4ed50afa64ab757b34379a4b64ac923b9385b0 +SHA256 (CVE-2018-5996.patch) = 9c92b9060fb0ecc3e754e6440d7773d04bc324d0f998ebcebc263264e5a520df diff --git a/p7zip/CVE-2016-9296.patch b/p7zip/CVE-2016-9296.patch new file mode 100644 index 00000000..773f92a4 --- /dev/null +++ b/p7zip/CVE-2016-9296.patch @@ -0,0 +1,12 @@ +--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig 2016-11-21 01:42:29.460901230 +0000 ++++ ./CPP/7zip/Archive/7z/7zIn.cpp 2016-11-21 01:42:57.481197725 +0000 +@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + diff --git a/p7zip/CVE-2017-17969.patch b/p7zip/CVE-2017-17969.patch new file mode 100644 index 00000000..9a820af7 --- /dev/null +++ b/p7zip/CVE-2017-17969.patch @@ -0,0 +1,26 @@ +From: =?utf-8?q?Antoine_Beaupr=C3=A9?= <anarcat@debian.org> +Date: Sun, 28 Jan 2018 21:19:50 +0100 +Subject: backport of the CVE-2017-17969 fix from 7zip 18.00-beta + +--- + CPP/7zip/Compress/ShrinkDecoder.cpp | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp +index 80b7e67..4acdce5 100644 +--- a/CPP/7zip/Compress/ShrinkDecoder.cpp ++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp +@@ -121,7 +121,12 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * + { + _stack[i++] = _suffixes[cur]; + cur = _parents[cur]; +- } ++ if (i >= kNumItems) ++ break; ++ } ++ ++ if (i >= kNumItems) ++ break; + + _stack[i++] = (Byte)cur; + lastChar2 = (Byte)cur; diff --git a/p7zip/CVE-2018-5996.patch b/p7zip/CVE-2018-5996.patch new file mode 100644 index 00000000..6733bff9 --- /dev/null +++ b/p7zip/CVE-2018-5996.patch @@ -0,0 +1,221 @@ +From: Robert Luberda <robert@debian.org> +Date: Sun, 28 Jan 2018 23:47:40 +0100 +Subject: CVE-2018-5996 + +Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by +applying a few changes from 7Zip 18.00-beta. + +Bug-Debian: https://bugs.debian.org/#888314 +--- + CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- + CPP/7zip/Compress/Rar1Decoder.h | 1 + + CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- + CPP/7zip/Compress/Rar2Decoder.h | 1 + + CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- + CPP/7zip/Compress/Rar3Decoder.h | 2 ++ + 6 files changed, 42 insertions(+), 8 deletions(-) + +diff --git a/CPP/7zip/Compress/Rar1Decoder.cpp b/CPP/7zip/Compress/Rar1Decoder.cpp +index 1aaedcc..68030c7 100644 +--- a/CPP/7zip/Compress/Rar1Decoder.cpp ++++ b/CPP/7zip/Compress/Rar1Decoder.cpp +@@ -29,7 +29,7 @@ public: + }; + */ + +-CDecoder::CDecoder(): m_IsSolid(false) { } ++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } + + void CDecoder::InitStructures() + { +@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * + InitData(); + if (!m_IsSolid) + { ++ _errorMode = false; + InitStructures(); + InitHuff(); + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (m_UnpackSize > 0) + { + GetFlagsBuf(); +@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream + const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) + { + try { return CodeReal(inStream, outStream, inSize, outSize, progress); } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(const CLzOutWindowException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + } + + STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) +diff --git a/CPP/7zip/Compress/Rar1Decoder.h b/CPP/7zip/Compress/Rar1Decoder.h +index 630f089..01b606b 100644 +--- a/CPP/7zip/Compress/Rar1Decoder.h ++++ b/CPP/7zip/Compress/Rar1Decoder.h +@@ -39,6 +39,7 @@ public: + + Int64 m_UnpackSize; + bool m_IsSolid; ++ bool _errorMode; + + UInt32 ReadBits(int numBits); + HRESULT CopyBlock(UInt32 distance, UInt32 len); +diff --git a/CPP/7zip/Compress/Rar2Decoder.cpp b/CPP/7zip/Compress/Rar2Decoder.cpp +index b3f2b4b..0580c8d 100644 +--- a/CPP/7zip/Compress/Rar2Decoder.cpp ++++ b/CPP/7zip/Compress/Rar2Decoder.cpp +@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << 20; + static const UInt32 kWindowReservSize = (1 << 22) + 256; + + CDecoder::CDecoder(): +- m_IsSolid(false) ++ m_IsSolid(false), ++ m_TablesOK(false) + { + } + +@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBits) { return m_InBitStream.ReadBits(numB + + bool CDecoder::ReadTables(void) + { ++ m_TablesOK = false; ++ + Byte levelLevels[kLevelTableSize]; + Byte newLevels[kMaxTableSize]; + m_AudioMode = (ReadBits(1) == 1); +@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) + } + + memcpy(m_LastLevels, newLevels, kMaxTableSize); ++ m_TablesOK = true; ++ + return true; + } + +@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * + return S_FALSE; + } + ++ if (!m_TablesOK) ++ return S_FALSE; ++ + UInt64 startPos = m_OutWindowStream.GetProcessedSize(); + while (pos < unPackSize) + { +diff --git a/CPP/7zip/Compress/Rar2Decoder.h b/CPP/7zip/Compress/Rar2Decoder.h +index 3a0535c..0e9005f 100644 +--- a/CPP/7zip/Compress/Rar2Decoder.h ++++ b/CPP/7zip/Compress/Rar2Decoder.h +@@ -139,6 +139,7 @@ class CDecoder : + + UInt64 m_PackSize; + bool m_IsSolid; ++ bool m_TablesOK; + + void InitStructures(); + UInt32 ReadBits(unsigned numBits); +diff --git a/CPP/7zip/Compress/Rar3Decoder.cpp b/CPP/7zip/Compress/Rar3Decoder.cpp +index 3bf2513..6cb8a6a 100644 +--- a/CPP/7zip/Compress/Rar3Decoder.cpp ++++ b/CPP/7zip/Compress/Rar3Decoder.cpp +@@ -92,7 +92,8 @@ CDecoder::CDecoder(): + _writtenFileSize(0), + _vmData(0), + _vmCode(0), +- m_IsSolid(false) ++ m_IsSolid(false), ++ _errorMode(false) + { + Ppmd7_Construct(&_ppmd); + } +@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) + return InitPPM(); + } + ++ TablesRead = false; ++ TablesOK = false; ++ + _lzMode = true; + PrevAlignBits = 0; + PrevAlignCount = 0; +@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) + } + } + } ++ if (InputEofError()) ++ return S_FALSE; ++ + TablesRead = true; + + // original code has check here: +@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) + RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); + + memcpy(m_LastLevels, newLevels, kTablesSizesSum); ++ ++ TablesOK = true; ++ + return S_OK; + } + +@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress) + PpmEscChar = 2; + PpmError = true; + InitFilters(); ++ _errorMode = false; + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (!m_IsSolid || !TablesRead) + { + bool keepDecompressing; +@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress) + bool keepDecompressing; + if (_lzMode) + { ++ if (!TablesOK) ++ return S_FALSE; + RINOK(DecodeLZ(keepDecompressing)) + } + else +@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream + _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; + return CodeReal(progress); + } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + // CNewException is possible here. But probably CNewException is caused + // by error in data stream. + } +diff --git a/CPP/7zip/Compress/Rar3Decoder.h b/CPP/7zip/Compress/Rar3Decoder.h +index c130cec..2f72d7d 100644 +--- a/CPP/7zip/Compress/Rar3Decoder.h ++++ b/CPP/7zip/Compress/Rar3Decoder.h +@@ -192,6 +192,7 @@ class CDecoder: + UInt32 _lastFilter; + + bool m_IsSolid; ++ bool _errorMode; + + bool _lzMode; + bool _unsupportedFilter; +@@ -200,6 +201,7 @@ class CDecoder: + UInt32 PrevAlignCount; + + bool TablesRead; ++ bool TablesOK; + + CPpmd7 _ppmd; + int PpmEscChar; diff --git a/p7zip/Pkgfile b/p7zip/Pkgfile index f032e566..fefb6770 100644 --- a/p7zip/Pkgfile +++ b/p7zip/Pkgfile @@ -1,17 +1,28 @@ # Description: A port of 7-zip for POSIX systems. # URL: http://p7zip.sourceforge.net/ # Maintainer: Danny Rawlins, crux at romster dot me -# Packager: Matt Housh, jaeger at crux dot nu # Depends on: yasm name=p7zip version=16.02 -release=1 -source=(http://downloads.sourceforge.net/project/$name/$name/$version/${name}_${version}_src_all.tar.bz2) +release=2 +source=(https://downloads.sourceforge.net/project/$name/$name/$version/${name}_${version}_src_all.tar.bz2 + CVE-2016-9296.patch + CVE-2017-17969.patch + CVE-2018-5996.patch) build() { cd ${name}_$version + # https://nvd.nist.gov/vuln/detail/CVE-2016-9296 + patch -p1 -i $SRC/CVE-2016-9296.patch + + # https://nvd.nist.gov/vuln/detail/CVE-2017-17969 + patch -p1 -i $SRC/CVE-2017-17969.patch + + # https://nvd.nist.gov/vuln/detail/CVE-2018-5996 + patch -p1 -i $SRC/CVE-2018-5996.patch + cp makefile.linux_amd64_asm makefile.machine make all3 OPTFLAGS="$CFLAGS"