Bug 214940 - archivers/p7zip: Security vulnerability (CVE-2016-9296)
Summary: archivers/p7zip: Security vulnerability (CVE-2016-9296)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Some People
Assignee: Raphael Kubo da Costa
URL: https://sourceforge.net/p/p7zip/bugs/...
Keywords: security
Depends on:
Blocks:
 
Reported: 2016-11-30 00:54 UTC by Sevan Janiyan
Modified: 2016-12-01 23:15 UTC (History)
2 users (show)

See Also:
rakuco: maintainer-feedback+
junovitch: merge-quarterly+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2016-11-30 00:54:02 UTC
Missing vuxml entry & patch (not new release yet)

Patch:
https://sourceforge.net/p/p7zip/bugs/185/
Comment 1 Raphael Kubo da Costa freebsd_committer 2016-11-30 10:33:03 UTC
Thanks for the heads-up; I'm on it.
Comment 2 commit-hook freebsd_committer 2016-11-30 10:50:37 UTC
A commit references this bug:

Author: rakuco
Date: Wed Nov 30 10:50:13 UTC 2016
New revision: 427417
URL: https://svnweb.freebsd.org/changeset/ports/427417

Log:
  Import upstream patch to fix CVE-2016-9296

  Null pointer dereference can cause 7z to crash.

  PR:		214940
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  MFH:		2016Q4
  Security:	48e83187-b6e9-11e6-b6cf-5453ed2e2b49
  Security:	CVE-2016-9296

Changes:
  head/archivers/p7zip/Makefile
  head/archivers/p7zip/files/patch-CPP_7zip_Archive_7z_7zIn.cpp
Comment 3 Raphael Kubo da Costa freebsd_committer 2016-11-30 10:52:19 UTC
Thanks again. I updated vuln.xml in ports r427416 but forgot to reference this PR. I'm closing it, and will merge the fix to the 2016Q4 branch as soon as it is approved.
Comment 4 commit-hook freebsd_committer 2016-12-01 09:19:46 UTC
A commit references this bug:

Author: rakuco
Date: Thu Dec  1 09:19:09 UTC 2016
New revision: 427480
URL: https://svnweb.freebsd.org/changeset/ports/427480

Log:
  MFH: r427417

  Import upstream patch to fix CVE-2016-9296

  Null pointer dereference can cause 7z to crash.

  PR:		214940
  Reported by:	Sevan Janiyan <venture37@geeklan.co.uk>
  Security:	48e83187-b6e9-11e6-b6cf-5453ed2e2b49
  Security:	CVE-2016-9296

  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/archivers/p7zip/Makefile
  branches/2016Q4/archivers/p7zip/files/patch-CPP_7zip_Archive_7z_7zIn.cpp