Bug 252810 - archivers/p7zip-codec-rar: patch for CVE-2018-10115
Summary: archivers/p7zip-codec-rar: patch for CVE-2018-10115
Status: Closed DUPLICATE of bug 228239
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Raphael Kubo da Costa
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-18 17:58 UTC by Sean Farley
Modified: 2021-01-23 11:09 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (rakuco)


Attachments
Patch to archivers/p7zip-codec-rar (16.46 KB, patch)
2021-01-18 17:58 UTC, Sean Farley
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Farley freebsd_committer 2021-01-18 17:58:04 UTC
Created attachment 221715 [details]
Patch to archivers/p7zip-codec-rar

Apply patch obtained from Debian[1] to fix CVE-2018-10115 vulnerability in the p7zip rar codec handler.

This requires renaming files/patch-CVE-2018-5996 by prepending a zero to the number since 10115 depends upon the prior patch being applied first.

1. https://salsa.debian.org/debian/p7zip-rar/-/blob/cd8c3f633ea94b256fe108bf0b73176bcc0053c0/debian/patches/CVE-2018-10115.patch
Comment 1 Raphael Kubo da Costa freebsd_committer 2021-01-23 11:09:30 UTC
Thanks, Sean. This was tracked in a previous bug that ended up being wrongly closed a while ago. I remember working on this a couple of years ago but ended up not going as far as landing anything.

I'm marking this as a duplicate of the original bug to center the discussion in one place: can you take a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228239#c4 and the patch I posted to Debian? If I'm reading my own comments correctly this should allow us to drop the patch for CVE-2018-5996 altogether, but I really don't remember much about this anymore.

*** This bug has been marked as a duplicate of bug 228239 ***