[arch-commits] Commit in p7zip/trunk (CVE-2016-9296.patch PKGBUILD)

Evangelos Foutras foutrelis at archlinux.org
Sun Feb 5 19:09:20 UTC 2017


    Date: Sunday, February 5, 2017 @ 19:09:19
  Author: foutrelis
Revision: 288091

upgpkg: p7zip 16.02-3

Add fix for CVE-2016-9296 (FS#52841).

Added:
  p7zip/trunk/CVE-2016-9296.patch
Modified:
  p7zip/trunk/PKGBUILD

---------------------+
 CVE-2016-9296.patch |   12 ++++++++++++
 PKGBUILD            |   11 ++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

Added: CVE-2016-9296.patch
===================================================================
--- CVE-2016-9296.patch	                        (rev 0)
+++ CVE-2016-9296.patch	2017-02-05 19:09:19 UTC (rev 288091)
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig	2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp	2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+         ThrowIncorrect();
+   }
+-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
++  if (folders.PackPositions)
++      HeadersSize += folders.PackPositions[folders.NumPackStreams];
+   return S_OK;
+ }
+ 
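
Review bot: when `folders.PackPositions` is null, the new guard at the end of ReadAndDecodePackedStreams skips the `HeadersSize` update and still falls through to `return S_OK`, with nothing said about why that is a valid state. Please add a comment saying which archives leave PackPositions unset, or consider whether this case should be rejected with `ThrowIncorrect()` like the CRC mismatch just above it. Style nit: the guarded statement is indented four spaces past the `if`, while the surrounding code uses two-space steps.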

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-02-05 18:35:52 UTC (rev 288090)
+++ PKGBUILD	2017-02-05 19:09:19 UTC (rev 288091)
@@ -8,7 +8,7 @@
 
 pkgname=p7zip
 pkgver=16.02
-pkgrel=2
+pkgrel=3
 pkgdesc="Command-line file archiver with high compression ratio"
 arch=('i686' 'x86_64')
 url="http://p7zip.sourceforge.net/"
@@ -17,12 +17,17 @@
 makedepends_i686=('nasm')
 makedepends_x86_64=('yasm')
 install=$pkgname.install
-source=(https://downloads.sourceforge.net/project/$pkgname/$pkgname/$pkgver/${pkgname}_${pkgver}_src_all.tar.bz2)
-sha256sums=('5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f')
+source=(https://downloads.sourceforge.net/project/$pkgname/$pkgname/$pkgver/${pkgname}_${pkgver}_src_all.tar.bz2
+        CVE-2016-9296.patch)
+sha256sums=('5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f'
+            'f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983')
 
 prepare() {
   cd "$srcdir/${pkgname}_$pkgver"
 
+  # https://sourceforge.net/p/p7zip/bugs/185/
+  patch -Np1 -i ../CVE-2016-9296.patch
+
   if [[ $CARCH = x86_64 ]]; then
     cp makefile.linux_amd64_asm makefile.machine
   else
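
Review bot: in prepare(), the comment above `patch -Np1 -i ../CVE-2016-9296.patch` gives only the upstream bug URL; naming the CVE and FS#52841 there as well would let a reader of the PKGBUILD tie the patch to the advisory without consulting the commit log. Also note that the patch headers use `./CPP/...` paths, so `-p1` works only because it strips the leading `.` component; regenerating the patch with conventional a/ and b/ prefixes would make the strip level less surprising the next time it is refreshed.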


