Bug 221589 - archivers/arj: fix build on armv6, fix multiple vulnerabilities and other improvements
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Alex Kozlov
Reported: 2017-08-17 14:20 UTC by mikael.urankar
Modified: 2017-10-21 10:48 UTC
garga: maintainer-feedback+


Attachments
patch (27.62 KB, patch)
2017-08-17 14:20 UTC, mikael.urankar
no flags
patch (11.59 KB, patch)
2017-10-18 17:30 UTC, mikael.urankar
no flags

Description mikael.urankar 2017-08-17 14:20:27 UTC
Created attachment 185526
patch

Hi,

Most of the patches come from the Debian repo [1].

 * Fix buffer overflow from size under user control.
   This is causing free() on an invalid pointer.
   Fixes: CVE-2015-2782
 * Fix absolute path directory traversal.
   Fixes: CVE-2015-0557
 * Fix symlink directory traversal.
   Fixes: CVE-2015-0556
 * fix build on armv6 and probably mips.
 * fix parallel build.
 * stability fixes.


The following patches from [1] were merged:
 - 001_arches_align.patch (needed for armv6, I get a sigbus without it)
 - 003_64_bit_clean.patch
 - 004_parallel_build.patch (slightly modified to fix the parallel build on qemu/armv6)
 - out-of-bounds-read.patch
 - security-afl.patch
 - security-traversal-dir.patch
 - security-traversal-symlink.patch
 - security_format.patch

I don't think these patches are of any interest to us (and are not merged in my patch):
 - 005_use_system_strnlen.patch
 - doc_refer_robert_k_jung.patch
 - gnu_build_fix.patch
 - gnu_build_flags.patch
 - gnu_build_strip.patch
 - hurd_no_fcntl_getlk.patch


These patches are probably interesting; I can merge them if you want:
 - self_integrity_64bit.patch
 - 006_use_safe_strcpy.patch

poudriere ok on 10.3 i386, 10.3 amd64, 11.1 i386, 11.1 amd64 and 12-current armv6
(I can provide build logs if needed)

[1] https://git.hadrons.org/cgit/debian/pkgs/arj.git/tree/debian/patches
Comment 1 mikael.urankar 2017-09-02 09:06:57 UTC
ping
Comment 2 mikael.urankar 2017-09-21 09:48:58 UTC
monthly ping
Comment 3 mikael.urankar 2017-10-11 13:05:49 UTC
ping
it blocks 35 ports on armv6
Comment 4 Alex Kozlov freebsd_committer 2017-10-17 18:28:53 UTC
Can you please fetch patches from the Debian master site and add them as EXTRA_PATCHES instead of storing them in files/?
See for example https://svnweb.freebsd.org/ports/head/x11/xloadimage/Makefile?revision=451065&view=markup
Comment 5 mikael.urankar 2017-10-18 17:30:23 UTC
Created attachment 187288
patch

Rework patch based on feedback.

I removed a bunch of patches in files/*; they are part of the Debian patch.

poudriere testport ok on 12armv6, 12armv7, 103amd64, 103i386, 103i386
Comment 6 Renato Botelho freebsd_committer 2017-10-19 12:17:03 UTC
Alex will take care of it
Comment 7 commit-hook freebsd_committer 2017-10-19 13:48:29 UTC
A commit references this bug:

Author: ak
Date: Thu Oct 19 13:47:42 UTC 2017
New revision: 452421
URL: https://svnweb.freebsd.org/changeset/ports/452421

Log:
  - Fix buffer overflow (CVE-2015-2782)
  - Fix absolute path directory traversal (CVE-2015-0557)
  - Fix symlink directory traversal (CVE-2015-0556)
  - Fix build on armv6
  - Fix parallel build
  - Make build reproducible

  PR:	221589
  Submitted by:	mikael.urankar@gmail.com
  Obtained from:	debian patchset 16
  Approved by:	garga (maintainer)

Changes:
  head/archivers/arj/Makefile
  head/archivers/arj/distinfo
  head/archivers/arj/files/patch-arj__arcv.c
  head/archivers/arj/files/patch-arj__proc.c
  head/archivers/arj/files/patch-arj__proc.h
  head/archivers/arj/files/patch-arjtypes.c
  head/archivers/arj/files/patch-fardata.c
Comment 8 commit-hook freebsd_committer 2017-10-21 10:48:41 UTC
A commit references this bug:

Author: ak
Date: Sat Oct 21 10:48:20 UTC 2017
New revision: 452586
URL: https://svnweb.freebsd.org/changeset/ports/452586

Log:
  MFH: r452421

  - Fix buffer overflow (CVE-2015-2782)
  - Fix absolute path directory traversal (CVE-2015-0557)
  - Fix symlink directory traversal (CVE-2015-0556)
  - Fix build on armv6
  - Fix parallel build
  - Make build reproducible

  PR:	221589
  Submitted by:	mikael.urankar@gmail.com
  Obtained from:	debian patchset 16
  Approved by:	garga (maintainer)

  Approved by:	ports-secteam (security, build fix blanket)

Changes:
_U  branches/2017Q4/
  branches/2017Q4/archivers/arj/Makefile
  branches/2017Q4/archivers/arj/distinfo
  branches/2017Q4/archivers/arj/files/patch-arj__arcv.c
  branches/2017Q4/archivers/arj/files/patch-arj__proc.c
  branches/2017Q4/archivers/arj/files/patch-arj__proc.h
  branches/2017Q4/archivers/arj/files/patch-arjtypes.c
  branches/2017Q4/archivers/arj/files/patch-fardata.c