p7zip: add CVE-2016-2334 and CVE-2016-2335 patches

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diff --git a/lfs/7zip b/lfs/7zip
index e3ac3b35f1673e867bd9ccbf981086881eadc1cd..847f89f8607713c7559a8167bb711dbcc00c6d92 100644 (file)
--- a/lfs/7zip
+++ b/lfs/7zip
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2015  Michael Tremer & Christian Schmidt                      #
+# Copyright (C) 2007-2016  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = 7zip
-PAK_VER    = 5
+PAK_VER    = 6
 
 DEPS       = ""
 
@@ -77,6 +77,8 @@ dist:
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) patch -Np1 < $(DIR_SRC)/src/patches/p7zip/CVE-2016-2334.patch
+       cd $(DIR_APP) patch -Np1 < $(DIR_SRC)/src/patches/p7zip/CVE-2016-2335.patch
        cd $(DIR_APP) && make 7z $(MAKETUNING)
        cd $(DIR_APP) && make install
        @rm -rf $(DIR_APP)

diff --git a/src/patches/p7zip/CVE-2016-2334.patch b/src/patches/p7zip/CVE-2016-2334.patch
new file mode 100644 (file)
index 0000000..1eb5163
--- /dev/null
+++ b/src/patches/p7zip/CVE-2016-2334.patch
@@ -0,0 +1,24 @@
+Index: p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp
+===================================================================
+--- p7zip_15.14.1.orig/CPP/7zip/Archive/HfsHandler.cpp
++++ p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp
+@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFo
+       item.GroupID = Get32(r + 0x24);
+       item.AdminFlags = r[0x28];
+       item.OwnerFlags = r[0x29];
++      */
+       item.FileMode = Get16(r + 0x2A);
++      /*
+       item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
+       item.FileType = Get32(r + 0x30);
+       item.FileCreator = Get32(r + 0x34);
+@@ -1572,6 +1574,9 @@ HRESULT CHandler::ExtractZlibFile(
+ 
+     UInt32 size = GetUi32(tableBuf + i * 8 + 4);
+ 
++    if (size > buf.Size() || size > kCompressionBlockSize + 1)
++        return S_FALSE;
++
+     RINOK(ReadStream_FALSE(inStream, buf, size));
+ 
+     if ((buf[0] & 0xF) == 0xF)

diff --git a/src/patches/p7zip/CVE-2016-2335.patch b/src/patches/p7zip/CVE-2016-2335.patch
new file mode 100644 (file)
index 0000000..a00d6a3
--- /dev/null
+++ b/src/patches/p7zip/CVE-2016-2335.patch
@@ -0,0 +1,17 @@
+Index: p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp
+===================================================================
+--- p7zip_15.14.1.orig/CPP/7zip/Archive/Udf/UdfIn.cpp
++++ p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp
+@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int vol
+     return S_FALSE;
+   CFile &file = Files.Back();
+   const CLogVol &vol = LogVols[volIndex];
+-  CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
++  unsigned partitionRef = lad.Location.PartitionRef;
++
++  if (partitionRef >= vol.PartitionMaps.Size())
++      return S_FALSE;
++  CPartition &partition = Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
+ 
+   UInt32 key = lad.Location.Pos;
+   UInt32 value;