Bug 211114 - archivers/p7zip: update to 15.14.1 (Fixes security vulnerabilities)
Summary: archivers/p7zip: update to 15.14.1 (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Some People
Assignee: Raphael Kubo da Costa
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-07-14 15:09 UTC by Piotr Kubaj
Modified: 2016-07-15 13:46 UTC (History)
3 users (show)

See Also:
rakuco: maintainer-feedback+
feld: merge-quarterly+


Attachments
v15.14.1 patch (809 bytes, patch)
2016-07-14 15:09 UTC, Piotr Kubaj
rakuco: maintainer-approval-
Details | Diff
Poudriere log (475.85 KB, text/x-log)
2016-07-14 15:10 UTC, Piotr Kubaj
no flags Details
CVE patch (3.01 KB, patch)
2016-07-14 15:41 UTC, Piotr Kubaj
rakuco: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Piotr Kubaj freebsd_committer 2016-07-14 15:09:46 UTC
Created attachment 172517 [details]
v15.14.1 patch

The patch is attached. Note that 15.14.1 also fixes CVE-2016-2334 and CVE-2016-2335, so it's also a security patch.
Comment 1 Piotr Kubaj freebsd_committer 2016-07-14 15:10:19 UTC
Created attachment 172518 [details]
Poudriere log
Comment 2 Raphael Kubo da Costa freebsd_committer 2016-07-14 15:30:30 UTC
Thanks for bringing these CVEs up. Unfortunately, 15.14.1 does not fix them.

From 15.14.1's changelog:

> Version 15.14.1
> ===============
> 
>   - patch #32 Compiling in OS X fails with p7zip_15.14

Indeed, `diff -uprN p7zip_15.14 p7zip_15.14.1` shows that it's the only difference between the two releases.

p7zip 16.02 was released just a few hours ago and does contain the patches from  https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/?limit=25#c6ae that several distros had adopted (Debian, OpenSUSE and Arch Linux at least).

The best course of action here is to:
* Backport only those two patches to 15.14 and MFH.
* Optionally update p7zip to 16.02 in trunk.

Let me know if you'd like to take on the first item, otherwise I'll do it later today.
Comment 3 Piotr Kubaj freebsd_committer 2016-07-14 15:41:56 UTC
Created attachment 172520 [details]
CVE patch

I actually have those patches ready, the patch to commit is attached.
Comment 4 Piotr Kubaj freebsd_committer 2016-07-14 15:42:22 UTC
The port with patch compiles fine.
Comment 5 commit-hook freebsd_committer 2016-07-15 11:23:37 UTC
A commit references this bug:

Author: rakuco
Date: Fri Jul 15 11:23:23 UTC 2016
New revision: 418575
URL: https://svnweb.freebsd.org/changeset/ports/418575

Log:
  Document CVE-2016-2334 and CVE-2016-2335 in archivers/p7zip.

  PR:		211114

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer 2016-07-15 11:25:40 UTC
A commit references this bug:

Author: rakuco
Date: Fri Jul 15 11:25:07 UTC 2016
New revision: 418576
URL: https://svnweb.freebsd.org/changeset/ports/418576

Log:
  Add patches for CVE-2016-2334 and CVE-2016-2335.

  While here, use PORTREVISION?= instead of PORTREVISION= to avoid needlessly
  bumping PORTREVISION in archivers/p7zip-codec-rar.

  PR:		211114
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl>
  MFH:		2016Q3
  Security:	a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49
  Security:	d706a3a3-4a7c-11e6-97f7-5453ed2e2b49

Changes:
  head/archivers/p7zip/Makefile
  head/archivers/p7zip/files/patch-CPP_7zip_Archive_HfsHandler.cpp
  head/archivers/p7zip/files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp
Comment 7 Raphael Kubo da Costa freebsd_committer 2016-07-15 11:26:49 UTC
Committed, thank you very much for the patch.
Comment 8 commit-hook freebsd_committer 2016-07-15 13:46:49 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 13:45:51 UTC 2016
New revision: 418579
URL: https://svnweb.freebsd.org/changeset/ports/418579

Log:
  MFH: r418576

  Add patches for CVE-2016-2334 and CVE-2016-2335.

  While here, use PORTREVISION?= instead of PORTREVISION= to avoid needlessly
  bumping PORTREVISION in archivers/p7zip-codec-rar.

  PR:		211114
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl>
  Security:	a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49
  Security:	d706a3a3-4a7c-11e6-97f7-5453ed2e2b49

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/archivers/p7zip/Makefile
  branches/2016Q3/archivers/p7zip/files/patch-CPP_7zip_Archive_HfsHandler.cpp
  branches/2016Q3/archivers/p7zip/files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp