Bug 221589

Summary:

archivers/arj: fix build on armv6, fix multiple vulnerabilities and other improvements

Product:

Ports & Packages

Reporter:

Mikael Urankar <mikael>

Component:

Individual Port(s)

Assignee:

Alex Kozlov <ak>

Status:

Closed FIXED

Severity:

Affects Many People

CC:

ak, garga

Priority:

---

Flags:

garga: maintainer-feedback+

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
patch	none
patch	none

Description Mikael Urankar freebsd_committer

2017-08-17 14:20:27 UTC

Created attachment 185526 [details]
patch

Hi,

Most of the patches come from the debian repo [1]

 * Fix buffer overflow from size under user control.
   This is causing free() on an invalid pointer.
   Fixes: CVE-2015-2782
 * Fix absolute path directory traversal.
   Fixes: CVE-2015-0557
 * Fix symlink directory traversal.
   Fixes: CVE-2015-0556
 * fix build on armv6 and probably mips.
 * fix parallel build.
 * stability fixes.


The following patches from [1] were merged:
 - 001_arches_align.patch (needed for armv6, I get a sigbus without it)
 - 003_64_bit_clean.patch
 - 004_parallel_build.patch (slightly modified to fix the parallel build on qemu/armv6)
 - out-of-bounds-read.patch
 - security-afl.patch
 - security-traversal-dir.patch
 - security-traversal-symlink.patch
 - security_format.patch

I don't think these patches are of any interest to us (and are not merged in my patch):
 - 005_use_system_strnlen.patch
 - doc_refer_robert_k_jung.patch
 - gnu_build_fix.patch
 - gnu_build_flags.patch
 - gnu_build_strip.patch
 - hurd_no_fcntl_getlk.patch


These patches are probably interesting, I can merge them if you want:
 - self_integrity_64bit.patch
 - 006_use_safe_strcpy.patch

poudriere ok on 10.3 i386, 10.3 amd64, 11.1 i386, 11.1 amd64 and 12-current armv6
(I can provide build logs if needed)

[1] https://git.hadrons.org/cgit/debian/pkgs/arj.git/tree/debian/patches

Comment 1 Mikael Urankar freebsd_committer

2017-09-02 09:06:57 UTC

ping

Comment 2 Mikael Urankar freebsd_committer

2017-09-21 09:48:58 UTC

monthly ping

Comment 3 Mikael Urankar freebsd_committer

2017-10-11 13:05:49 UTC

ping
it blocks 35 ports on armv6

Comment 4 Alex Kozlov freebsd_committer

2017-10-17 18:28:53 UTC

Can you please fetch patches from debian master site and add them as EXTRA_PATCHES instead of storing them in files/ ?
See for example https://svnweb.freebsd.org/ports/head/x11/xloadimage/Makefile?revision=451065&view=markup

Comment 5 Mikael Urankar freebsd_committer

2017-10-18 17:30:23 UTC

Created attachment 187288 [details]
patch

Rework patch based on feedback.

I removed a bunch of patch in files/*, they are part of the debian patch.

poudriere testport ok on 12armv6, 12armv7, 103amd64, 103i386, 103i386

Comment 6 Renato Botelho freebsd_committer

2017-10-19 12:17:03 UTC

Alex will take care of it

Comment 7 commit-hook freebsd_committer

2017-10-19 13:48:29 UTC

A commit references this bug:

Author: ak
Date: Thu Oct 19 13:47:42 UTC 2017
New revision: 452421
URL: https://svnweb.freebsd.org/changeset/ports/452421

Log:
  - Fix buffer overflow (CVE-2015-2782)
  - Fix absolute path directory traversal (CVE-2015-0557)
  - Fix symlink directory traversal (CVE-2015-0556)
  - Fix build on armv6
  - Fix parallel build
  - Make build reproducible

  PR:	221589
  Submitted by:	mikael.urankar@gmail.com
  Obtained from:	debian patchset 16
  Approved by:	garga (maintainer)

Changes:
  head/archivers/arj/Makefile
  head/archivers/arj/distinfo
  head/archivers/arj/files/patch-arj__arcv.c
  head/archivers/arj/files/patch-arj__proc.c
  head/archivers/arj/files/patch-arj__proc.h
  head/archivers/arj/files/patch-arjtypes.c
  head/archivers/arj/files/patch-fardata.c

Comment 8 commit-hook freebsd_committer

2017-10-21 10:48:41 UTC

A commit references this bug:

Author: ak
Date: Sat Oct 21 10:48:20 UTC 2017
New revision: 452586
URL: https://svnweb.freebsd.org/changeset/ports/452586

Log:
  MFH: r452421

  - Fix buffer overflow (CVE-2015-2782)
  - Fix absolute path directory traversal (CVE-2015-0557)
  - Fix symlink directory traversal (CVE-2015-0556)
  - Fix build on armv6
  - Fix parallel build
  - Make build reproducible

  PR:	221589
  Submitted by:	mikael.urankar@gmail.com
  Obtained from:	debian patchset 16
  Approved by:	garga (maintainer)

  Approved by:	ports-secteam (security, build fix blanket)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/archivers/arj/Makefile
  branches/2017Q4/archivers/arj/distinfo
  branches/2017Q4/archivers/arj/files/patch-arj__arcv.c
  branches/2017Q4/archivers/arj/files/patch-arj__proc.c
  branches/2017Q4/archivers/arj/files/patch-arj__proc.h
  branches/2017Q4/archivers/arj/files/patch-arjtypes.c
  branches/2017Q4/archivers/arj/files/patch-fardata.c