Created attachment 185526
patch

Hi,

Most of the patches come from the debian repo [1]

* Fix buffer overflow from size under user control. This is causing free() on an invalid pointer. Fixes: CVE-2015-2782
* Fix absolute path directory traversal. Fixes: CVE-2015-0557
* Fix symlink directory traversal. Fixes: CVE-2015-0556
* fix build on armv6 and probably mips.
* fix parallel build.
* stability fixes.

The following patches from [1] were merged:
- 001_arches_align.patch (needed for armv6, I get a sigbus without it)
- 003_64_bit_clean.patch
- 004_parallel_build.patch (slightly modified to fix the parallel build on qemu/armv6)
- out-of-bounds-read.patch
- security-afl.patch
- security-traversal-dir.patch
- security-traversal-symlink.patch
- security_format.patch

I don't think these patches are of any interest to us (and are not merged in my patch):
- 005_use_system_strnlen.patch
- doc_refer_robert_k_jung.patch
- gnu_build_fix.patch
- gnu_build_flags.patch
- gnu_build_strip.patch
- hurd_no_fcntl_getlk.patch

These patches are probably interesting, I can merge them if you want:
- self_integrity_64bit.patch
- 006_use_safe_strcpy.patch

poudriere ok on 10.3 i386, 10.3 amd64, 11.1 i386, 11.1 amd64 and 12-current armv6 (I can provide build logs if needed)

[1] https://git.hadrons.org/cgit/debian/pkgs/arj.git/tree/debian/patches
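As an added example (not code from the port, the debian patchset, or arj itself), this is the shape of the two checks the traversal fixes above correspond to: rejecting member names that are absolute or contain "..", and refusing to extract through a symlink that an earlier member dropped. The function names and the 1024-byte path buffer are hypothetical choices for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/stat.h>

/* Reject member names that could escape the extraction directory: absolute
 * paths and DOS drive prefixes (CVE-2015-0557 class) and any ".." component.
 * Both '/' and '\\' are separators since ARJ is a DOS-origin format. */
int arj_member_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;                                /* absolute path */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;                                /* drive prefix, e.g. C:\ */
    for (const char *p = name; *p; ) {
        size_t len = strcspn(p, "/\\");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                            /* ".." component */
        p += len + (p[len] ? 1 : 0);             /* step past the separator */
    }
    return 1;                                    /* safe relative name */
}

/* Walk the already-existing prefix of `name` below `root` and return 1 if any
 * component is a symlink (CVE-2015-0556 class: a member first drops a symlink
 * pointing outside root, a later member is then written through it). */
int arj_path_crosses_symlink(const char *root, const char *name)
{
    char buf[1024];                              /* hypothetical fixed limit */
    struct stat st;
    size_t used = strlen(root);
    if (used >= sizeof buf)
        return 1;                                /* too long: treat as unsafe */
    memcpy(buf, root, used + 1);
    for (const char *p = name; *p; ) {
        size_t len = strcspn(p, "/\\");
        if (used + 1 + len + 1 > sizeof buf)
            return 1;
        buf[used++] = '/';
        memcpy(buf + used, p, len);
        used += len;
        buf[used] = '\0';
        if (lstat(buf, &st) == 0 && S_ISLNK(st.st_mode))
            return 1;                            /* would extract through a link */
        p += len + (p[len] ? 1 : 0);
    }
    return 0;                                    /* no symlink on the path */
}
```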
ping
monthly ping
ping, it blocks 35 ports on armv6
Can you please fetch patches from debian master site and add them as EXTRA_PATCHES instead of storing them in files/ ? See for example https://svnweb.freebsd.org/ports/head/x11/xloadimage/Makefile?revision=451065&view=markup
Created attachment 187288
patch

Rework patch based on feedback. I removed a bunch of patches in files/*, they are part of the debian patch.

poudriere testport ok on 12armv6, 12armv7, 103amd64, 103i386, 103i386
Alex will take care of it
A commit references this bug:

Author: ak
Date: Thu Oct 19 13:47:42 UTC 2017
New revision: 452421
URL: https://svnweb.freebsd.org/changeset/ports/452421

Log:
- Fix buffer overflow (CVE-2015-2782)
- Fix absolute path directory traversal (CVE-2015-0557)
- Fix symlink directory traversal (CVE-2015-0556)
- Fix build on armv6
- Fix parallel build
- Make build reproducible

PR: 221589
Submitted by: mikael.urankar@gmail.com
Obtained from: debian patchset 16
Approved by: garga (maintainer)

Changes:
head/archivers/arj/Makefile
head/archivers/arj/distinfo
head/archivers/arj/files/patch-arj__arcv.c
head/archivers/arj/files/patch-arj__proc.c
head/archivers/arj/files/patch-arj__proc.h
head/archivers/arj/files/patch-arjtypes.c
head/archivers/arj/files/patch-fardata.c
A commit references this bug:

Author: ak
Date: Sat Oct 21 10:48:20 UTC 2017
New revision: 452586
URL: https://svnweb.freebsd.org/changeset/ports/452586

Log:
MFH: r452421

- Fix buffer overflow (CVE-2015-2782)
- Fix absolute path directory traversal (CVE-2015-0557)
- Fix symlink directory traversal (CVE-2015-0556)
- Fix build on armv6
- Fix parallel build
- Make build reproducible

PR: 221589
Submitted by: mikael.urankar@gmail.com
Obtained from: debian patchset 16
Approved by: garga (maintainer)
Approved by: ports-secteam (security, build fix blanket)

Changes:
_U branches/2017Q4/
branches/2017Q4/archivers/arj/Makefile
branches/2017Q4/archivers/arj/distinfo
branches/2017Q4/archivers/arj/files/patch-arj__arcv.c
branches/2017Q4/archivers/arj/files/patch-arj__proc.c
branches/2017Q4/archivers/arj/files/patch-arj__proc.h
branches/2017Q4/archivers/arj/files/patch-arjtypes.c
branches/2017Q4/archivers/arj/files/patch-fardata.c