Bug 252810

Summary: archivers/p7zip-codec-rar: patch for CVE-2018-10115
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Sean Farley <scf>
Assignee: Raphael Kubo da Costa <rakuco>
Status: Closed DUPLICATE
Severity: Affects Only Me
Flags: bugzilla: maintainer-feedback? (rakuco)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Attachments:
Patch to archivers/p7zip-codec-rar (flags: none)

Description Sean Farley freebsd_committer 2021-01-18 17:58:04 UTC
Created attachment 221715
Patch to archivers/p7zip-codec-rar

Apply patch obtained from Debian[1] to fix the CVE-2018-10115 vulnerability in the p7zip rar codec handler.

This requires renaming files/patch-CVE-2018-5996 by prepending a zero to the number since 10115 depends upon the prior patch being applied first.

1. https://salsa.debian.org/debian/p7zip-rar/-/blob/cd8c3f633ea94b256fe108bf0b73176bcc0053c0/debian/patches/CVE-2018-10115.patch

Comment 1 Raphael Kubo da Costa freebsd_committer 2021-01-23 11:09:30 UTC
Thanks, Sean. This was tracked in a previous bug that ended up being wrongly closed a while ago. I remember working on this a couple of years ago but ended up not going as far as landing anything.

I'm marking this as a duplicate of the original bug to center the discussion in one place: can you take a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228239#c4 and the patch I posted to Debian? If I'm reading my own comments correctly this should allow us to drop the patch for CVE-2018-5996 altogether, but I really don't remember much about this anymore.

*** This bug has been marked as a duplicate of bug 228239 ***