From afc14499a725d2d7d6f363d6859492dc74b3300b Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Mon, 11 Jul 2016 16:27:58 +0200 Subject: [PATCH] p7zip: add CVE-2016-2334 and CVE-2016-2335 patches Signed-off-by: Arne Fitzenreiter --- lfs/7zip | 6 ++++-- src/patches/p7zip/CVE-2016-2334.patch | 24 ++++++++++++++++++++++++ src/patches/p7zip/CVE-2016-2335.patch | 17 +++++++++++++++++ 3 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 src/patches/p7zip/CVE-2016-2334.patch create mode 100644 src/patches/p7zip/CVE-2016-2335.patch diff --git a/lfs/7zip b/lfs/7zip index e3ac3b35f1..847f89f860 100644 --- a/lfs/7zip +++ b/lfs/7zip @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2015 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2016 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = 7zip -PAK_VER = 5 +PAK_VER = 6 DEPS = "" @@ -77,6 +77,8 @@ dist: $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) patch -Np1 < $(DIR_SRC)/src/patches/p7zip/CVE-2016-2334.patch + cd $(DIR_APP) patch -Np1 < $(DIR_SRC)/src/patches/p7zip/CVE-2016-2335.patch cd $(DIR_APP) && make 7z $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) diff --git a/src/patches/p7zip/CVE-2016-2334.patch b/src/patches/p7zip/CVE-2016-2334.patch new file mode 100644 index 0000000000..1eb5163cb2 --- /dev/null +++ b/src/patches/p7zip/CVE-2016-2334.patch @@ -0,0 +1,24 @@ +Index: p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp +=================================================================== +--- p7zip_15.14.1.orig/CPP/7zip/Archive/HfsHandler.cpp ++++ p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFo + item.GroupID = Get32(r + 0x24); + item.AdminFlags = r[0x28]; + item.OwnerFlags = r[0x29]; ++ */ + item.FileMode = Get16(r + 0x2A); ++ /* + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount + item.FileType = Get32(r + 0x30); + item.FileCreator = Get32(r + 0x34); +@@ -1572,6 +1574,9 @@ HRESULT CHandler::ExtractZlibFile( + + UInt32 size = GetUi32(tableBuf + i * 8 + 4); + ++ if (size > buf.Size() || size > kCompressionBlockSize + 1) ++ return S_FALSE; ++ + RINOK(ReadStream_FALSE(inStream, buf, size)); + + if ((buf[0] & 0xF) == 0xF) diff --git a/src/patches/p7zip/CVE-2016-2335.patch b/src/patches/p7zip/CVE-2016-2335.patch new file mode 100644 index 0000000000..a00d6a3862 --- /dev/null +++ b/src/patches/p7zip/CVE-2016-2335.patch @@ -0,0 +1,17 @@ +Index: p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp +=================================================================== +--- p7zip_15.14.1.orig/CPP/7zip/Archive/Udf/UdfIn.cpp ++++ p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp +@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int vol + return S_FALSE; + CFile &file = Files.Back(); + const CLogVol &vol = LogVols[volIndex]; +- CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex]; ++ unsigned partitionRef = lad.Location.PartitionRef; ++ ++ if (partitionRef >= vol.PartitionMaps.Size()) ++ return S_FALSE; ++ CPartition &partition = Partitions[vol.PartitionMaps[partitionRef].PartitionIndex]; + + UInt32 key = lad.Location.Pos; + UInt32 value; -- 2.39.2