Created attachment 221715
Patch to archivers/p7zip-codec-rar
Apply patch obtained from Debian[1] to fix CVE-2018-10115 vulnerability in the p7zip rar codec handler. This requires renaming files/patch-CVE-2018-5996 by prepending a zero to the number since 10115 depends upon the prior patch being applied first.
[1] https://salsa.debian.org/debian/p7zip-rar/-/blob/cd8c3f633ea94b256fe108bf0b73176bcc0053c0/debian/patches/CVE-2018-10115.patch
Thanks, Sean. This was tracked in a previous bug that ended up being wrongly closed a while ago. I remember working on this a couple of years ago but ended up not going as far as landing anything. I'm marking this as a duplicate of the original bug to center the discussion in one place: can you take a look at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228239#c4 and the patch I posted to Debian? If I'm reading my own comments correctly, this should allow us to drop the patch for CVE-2018-5996 altogether, but I really don't remember much about this anymore.
*** This bug has been marked as a duplicate of bug 228239 ***