[packages/p7zip] - rel 2; SECURITY fixes from FC
arekm
arekm at pld-linux.org
Wed Nov 6 14:57:38 CET 2019
commit ae297d821b329e5b358e829690d7abf883b8227d
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Wed Nov 6 14:57:30 2019 +0100
- rel 2; SECURITY fixes from FC
05-hardening-flags.patch | 33 +++++++++++++++++++++++++++++++++
14-Fix-g++-warning.patch | 24 ++++++++++++++++++++++++
CVE-2016-9296.patch | 12 ++++++++++++
CVE-2017-17969.patch | 26 ++++++++++++++++++++++++++
gcc10-conversion.patch | 26 ++++++++++++++++++++++++++
p7zip.spec | 13 ++++++++++++-
6 files changed, 133 insertions(+), 1 deletion(-)
---
diff --git a/p7zip.spec b/p7zip.spec
index 35e92e2..30a881c 100644
--- a/p7zip.spec
+++ b/p7zip.spec
@@ -2,11 +2,16 @@ Summary: File archiver with highest compression ratio
Summary(pl.UTF-8): Paker plików z najwyższym stopniem kompresji
Name: p7zip
Version: 16.02
-Release: 1
+Release: 2
License: LGPL v2.1+
Group: Applications/Archiving
Source0: http://downloads.sourceforge.net/p7zip/%{name}_%{version}_src_all.tar.bz2
# Source0-md5: a0128d661cfe7cc8c121e73519c54fbf
+Patch0: 05-hardening-flags.patch
+Patch1: 14-Fix-g++-warning.patch
+Patch2: CVE-2016-9296.patch
+Patch3: CVE-2017-17969.patch
+Patch4: gcc10-conversion.patch
URL: http://p7zip.sourceforge.net/
BuildRequires: libstdc++-devel
BuildRequires: sed >= 4.0
@@ -54,6 +59,11 @@ wersja obsługująca wtyczki.
%prep
%setup -q -n %{name}_%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%{__sed} -i -e 's/ -s / /' makefile.machine
@@ -64,6 +74,7 @@ find . -name '*.cpp' -exec %{__sed} -i -e 's at getenv("P7ZIP_HOME_DIR")@"%{_libdir
%{__make} all2 \
CC="%{__cc} \$(ALLFLAGS)" \
CXX="%{__cxx} \$(ALLFLAGS)" \
+ CPPFLAGS="%{rpmcppflags}" \
LDFLAGS="%{rpmldflags}" \
OPTFLAGS="%{rpmcxxflags}"
diff --git a/05-hardening-flags.patch b/05-hardening-flags.patch
new file mode 100644
index 0000000..aa42431
--- /dev/null
+++ b/05-hardening-flags.patch
@@ -0,0 +1,33 @@
+From: Robert Luberda <robert at debian.org>
+Date: Fri, 22 Jan 2016 00:53:09 +0100
+Subject: Hardening flags
+
+Add support for $(CPPFLAGS) and do not override $(CXXFLAGS)
+and $(CFLAGS)
+
+Bug-Debian: https://bugs.debian.org/#682167
+---
+ makefile.glb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/makefile.glb b/makefile.glb
+index fb001d5..e10ae03 100644
+--- a/makefile.glb
++++ b/makefile.glb
+@@ -1,14 +1,14 @@
+
+ RM=rm -f
+
+-CFLAGS=-c -I. \
++CFLAGS+=$(CPPFLAGS) -c -I. \
+ -I../../../../C \
+ -I../../../../CPP/myWindows \
+ -I../../../../CPP/include_windows \
+ -I../../../../CPP \
+ $(ALLFLAGS) $(ALLFLAGS_C)
+
+-CXXFLAGS=-c -I. \
++CXXFLAGS+=$(CPPFLAGS) -c -I. \
+ -I../../../../C \
+ -I../../../../CPP/myWindows \
+ -I../../../../CPP/include_windows \
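Review bot: `CFLAGS+=` and `CXXFLAGS+=` only append when the variable comes from the environment or an earlier makefile line. A `CFLAGS=...` given on the make command line replaces the whole value, dropping `-c` and the `-I` paths, unless the assignment is written `override CFLAGS+=`. The spec in this commit passes `CPPFLAGS`, `LDFLAGS` and `OPTFLAGS` on the command line and not `CFLAGS`, so the build works as invoked. A comment in makefile.glb such as `# extra flags arrive via CPPFLAGS/OPTFLAGS; do not pass CFLAGS= on the command line` would record that constraint. The `CXXFLAGS` assignment continues past the end of the nested hunk.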
diff --git a/14-Fix-g++-warning.patch b/14-Fix-g++-warning.patch
new file mode 100644
index 0000000..226e239
--- /dev/null
+++ b/14-Fix-g++-warning.patch
@@ -0,0 +1,24 @@
+From: Robert Luberda <robert at debian.org>
+Date: Sun, 28 Jan 2018 22:19:13 +0100
+Subject: Fix g++ warning
+
+Fix for "use of an operand of type 'bool' in 'operator++'
+is deprecated [-Wdeprecated]" warning taken from 7zip 18.00.beta
+package.
+---
+ CPP/7zip/Archive/Wim/WimHandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CPP/7zip/Archive/Wim/WimHandler.cpp b/CPP/7zip/Archive/Wim/WimHandler.cpp
+index 27d3298..4ff5cfe 100644
+--- a/CPP/7zip/Archive/Wim/WimHandler.cpp
++++ b/CPP/7zip/Archive/Wim/WimHandler.cpp
+@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchiveProperty(PROPID propID, PROPVARIANT *value)
+
+ AString res;
+
+- bool numMethods = 0;
++ unsigned numMethods = 0;
+ for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++)
+ {
+ if (methodMask & ((UInt32)1 << i))
diff --git a/CVE-2016-9296.patch b/CVE-2016-9296.patch
new file mode 100644
index 0000000..773f92a
--- /dev/null
+++ b/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig 2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp 2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
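Review bot: The new `if (folders.PackPositions)` guard has no comment, and the patch file has no header naming its origin, unlike the two Debian patches added in this commit. Suggest adding `// PackPositions may be unallocated for a malformed header; skip the size update instead of dereferencing null (CVE-2016-9296)` above the check, presuming that is the condition the fix targets, plus a short origin preamble in the patch. It is also worth confirming that returning `S_OK` without updating `HeadersSize` is the intended outcome for such input, rather than rejecting it through the `ThrowIncorrect()` path used just above. The start of ReadAndDecodePackedStreams is outside the hunk.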
diff --git a/CVE-2017-17969.patch b/CVE-2017-17969.patch
new file mode 100644
index 0000000..ebc0ac9
--- /dev/null
+++ b/CVE-2017-17969.patch
@@ -0,0 +1,26 @@
+From 79bca880ce7bcf07216c45f93afea545e0344418 Mon Sep 17 00:00:00 2001
+From: aone <aone at keka.io>
+Date: Mon, 5 Feb 2018 13:01:09 +0100
+Subject: [PATCH] Security fix CVE-2017-17969
+
+---
+ CPP/7zip/Compress/ShrinkDecoder.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp
+index 80b7e67..5bb0559 100644
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,7 +121,12 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ {
+ _stack[i++] = _suffixes[cur];
+ cur = _parents[cur];
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+ }
++
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+
+ _stack[i++] = (Byte)cur;
+ lastChar2 = (Byte)cur;
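Review bot: The second added check leaves the decode loop with a plain `break`, so input that trips the bounds test may still be reported as a successful decode if the code after the loop only flushes the output and returns that result. That code is outside the hunk, so this needs confirming against the full CodeReal body. An out-of-range `cur` or a full `_stack` indicates corrupt data in a decoder fed untrusted archives, and failing explicitly with `return S_FALSE;` in place of the outer `break;` would make that visible to callers. A comment such as `// corrupt stream: parent chain overruns _stack or points outside the table (CVE-2017-17969)` would also explain why the same test appears both inside the inner loop and after it.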
diff --git a/gcc10-conversion.patch b/gcc10-conversion.patch
new file mode 100644
index 0000000..45f9f84
--- /dev/null
+++ b/gcc10-conversion.patch
@@ -0,0 +1,26 @@
+diff -Nrup a/CPP/Windows/ErrorMsg.cpp b/CPP/Windows/ErrorMsg.cpp
+--- a/CPP/Windows/ErrorMsg.cpp 2015-01-18 11:20:28.000000000 -0700
++++ b/CPP/Windows/ErrorMsg.cpp 2019-09-24 13:01:18.887289152 -0600
+@@ -14,14 +14,14 @@ UString MyFormatMessage(DWORD errorCode)
+ AString msg;
+
+ switch(errorCode) {
+- case ERROR_NO_MORE_FILES : txt = "No more files"; break ;
+- case E_NOTIMPL : txt = "E_NOTIMPL"; break ;
+- case E_NOINTERFACE : txt = "E_NOINTERFACE"; break ;
+- case E_ABORT : txt = "E_ABORT"; break ;
+- case E_FAIL : txt = "E_FAIL"; break ;
+- case STG_E_INVALIDFUNCTION : txt = "STG_E_INVALIDFUNCTION"; break ;
+- case E_OUTOFMEMORY : txt = "E_OUTOFMEMORY"; break ;
+- case E_INVALIDARG : txt = "E_INVALIDARG"; break ;
++ case unsigned (ERROR_NO_MORE_FILES) : txt = "No more files"; break ;
++ case unsigned (E_NOTIMPL) : txt = "E_NOTIMPL"; break ;
++ case unsigned (E_NOINTERFACE) : txt = "E_NOINTERFACE"; break ;
++ case unsigned (E_ABORT) : txt = "E_ABORT"; break ;
++ case unsigned (E_FAIL) : txt = "E_FAIL"; break ;
++ case unsigned (STG_E_INVALIDFUNCTION) : txt = "STG_E_INVALIDFUNCTION"; break ;
++ case unsigned (E_OUTOFMEMORY) : txt = "E_OUTOFMEMORY"; break ;
++ case unsigned (E_INVALIDARG) : txt = "E_INVALIDARG"; break ;
+ case ERROR_DIRECTORY : txt = "Error Directory"; break ;
+ default:
+ txt = strerror(errorCode);
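Review bot: The case labels are converted with function-style casts to plain `unsigned`, while the switch operand `errorCode` is a `DWORD`. Naming the operand's type, e.g. `case static_cast<DWORD>(E_NOTIMPL) : txt = "E_NOTIMPL"; break ;`, would keep the labels tied to the controlling expression and use a named cast. `ERROR_NO_MORE_FILES` is cast while `ERROR_DIRECTORY` is left as is, so a one-line comment saying which constants need the conversion (presumably the HRESULT values GCC 10 rejects as narrowing) would explain the asymmetry. The patch file also has no description header, and the switch continues outside the hunk.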
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/p7zip.git/commitdiff/ae297d821b329e5b358e829690d7abf883b8227d