commit p7zip for openSUSE:Factory

h_root Thu, 19 May 2016 03:05:16 -0700

Hello community,

here is the log from the commit of package p7zip for openSUSE:Factory checked 
in at 2016-05-19 12:04:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/p7zip (Old)
 and      /work/SRC/openSUSE:Factory/.p7zip.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "p7zip"

Changes:
--------
--- /work/SRC/openSUSE:Factory/p7zip/p7zip.changes      2016-04-28 
16:51:19.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.p7zip.new/p7zip.changes 2016-05-19 
12:04:17.000000000 +0200
@@ -1,0 +2,21 @@
+Fri May 13 11:40:04 UTC 2016 - [email protected]
+
+- Temporarily disable gui building
+
+-------------------------------------------------------------------
+Fri May 13 08:51:00 UTC 2016 - [email protected]
+
+- Fix security issues:
+  - CVE-2016-2334: 7zip HFS+ NArchive::NHfs::CHandler::ExtractZlibFile
+                   Code Execution Vulnerability (boo#979822)
+  - CVE-2016-2335: 7zip UDF CInArchive::ReadFileItem Code Execution
+                   Vulnerability (boo#979823)
+  (CVE-2016-2334.patch, CVE-2016-2335.patch)
+
+-------------------------------------------------------------------
+Sat Apr 30 15:52:21 UTC 2016 - [email protected]
+
+- Build 7zG (gui for p7zip) and added subpackage p7zip-gui for
+  openSUSE >= 13.2 and Leap 42.1.
+
+-------------------------------------------------------------------

New:
----
  CVE-2016-2334.patch
  CVE-2016-2335.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ p7zip.spec ++++++
--- /var/tmp/diff_new_pack.YG8RaW/_old  2016-05-19 12:04:17.000000000 +0200
+++ /var/tmp/diff_new_pack.YG8RaW/_new  2016-05-19 12:04:17.000000000 +0200
@@ -16,6 +16,9 @@
 #
 
 
+%if 0%{?suse_version} >= 1320 || 0%{?is_opensuse}
+%bcond_with     buildgui
+%endif
 Name:           p7zip
 Version:        15.14.1
 Release:        0
@@ -24,11 +27,20 @@
 Group:          Productivity/Archiving/Compression
 Url:            http://p7zip.sourceforge.net/
 Source:         
http://downloads.sourceforge.net/project/p7zip/p7zip/15.14%20.1/p7zip_%{version}_src_all.tar.bz2
+Patch1:         CVE-2016-2334.patch
+Patch2:         CVE-2016-2335.patch
 BuildRequires:  gcc-c++
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+%if %{with buildgui}
+BuildRequires:  cmake
+BuildRequires:  hicolor-icon-theme
+BuildRequires:  kf5-filesystem
+BuildRequires:  ninja
+BuildRequires:  wxWidgets-devel < 3.0
+%endif
 %ifarch x86_64
 BuildRequires:  yasm
 %endif
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?suse_version} > 1100
 BuildRequires:  fdupes
 %endif
@@ -39,8 +51,28 @@
 highest compression ratio. Since 4.10, p7zip (like 7-zip) supports
 little-endian and big-endian machines.
 
+%if %{with buildgui}
+%package gui
+Summary:        GUI for 7-zip file compression program
+Group:          Productivity/Archiving/Compression
+Requires:       %{name} = %{version}
+Requires:       kf5-filesystem
+Requires(post): hicolor-icon-theme
+Requires(post): update-desktop-files
+Requires(postun): hicolor-icon-theme
+Requires(postun): update-desktop-files
+
+%description gui
+p7zip is a quick port of 7z.exe and 7za.exe (command line version of
+7zip, see www.7-zip.org) for Unix. 7-Zip is a file archiver with
+highest compression ratio. Since 4.10, p7zip (like 7-zip) supports
+little-endian and big-endian machines.
+%endif
+
 %prep
 %setup -q -n %{name}_%{version}
+%patch1 -p1
+%patch2 -p1
 
 %ifarch x86_64
 cp makefile.linux_amd64_asm makefile.machine
@@ -54,12 +86,23 @@
 
 sed -i s,444,644,g install.sh
 sed -i s,555,755,g install.sh
+%if %{with buildgui}
+chmod 755 CPP/7zip/CMAKE/generate.sh
+rm GUI/kde4/p7zip_compress2.desktop
+%endif
 
 perl -pi -e 's/ -s / /' makefile.machine
-perl -pi -e 's/(\$\(LOCAL_FLAGS\))/'"%{optflags}"' \\\n\t$1/' makefile.machine
+perl -pi -e 's/(\$\(LOCAL_FLAGS\))/'"%{optflags} -fno-strict-aliasing"' 
\\\n\t$1/' makefile.machine
 
 %build
-make %{?_smp_mflags} OPTFLAGS="%{optflags} -Wl,-z,now -fPIC -pie" all2
+%if %{with buildgui}
+pushd CPP/7zip/CMAKE/
+./generate.sh
+popd
+make %{?_smp_mflags} OPTFLAGS="%{optflags} -fno-strict-aliasing -Wl,-z,now 
-fPIC -pie" all2 7zG
+%else
+make %{?_smp_mflags} OPTFLAGS="%{optflags} -fno-strict-aliasing -Wl,-z,now 
-fPIC -pie" all2
+%endif
 
 %install
 mkdir -p %{buildroot}/%{_bindir}
@@ -70,6 +113,16 @@
     %{_mandir} \
     %{_defaultdocdir}/%{name} \
     %{buildroot}
+%if %{with buildgui}
+mkdir -p %{buildroot}%{_kf5_servicesdir}/ServiceMenus
+for i in 16x16 32x32; do
+  mkdir -p %{buildroot}%{_datadir}/icons/hicolor/$i/apps
+done
+install -m644 GUI/kde4/*.desktop %{buildroot}%{_kf5_servicesdir}/ServiceMenus
+install -m644 GUI/p7zip_16.png 
%{buildroot}%{_datadir}/icons/hicolor/16x16/apps/p7zip.png
+install -m644 GUI/p7zip_32.png 
%{buildroot}%{_datadir}/icons/hicolor/32x32/apps/p7zip.png
+chmod 755 %{buildroot}%{_bindir}/p7zipForFilemanager
+%endif
 %if 0%{?suse_version} > 1100
 %fdupes -s %{buildroot}
 %endif
@@ -80,6 +133,16 @@
 make %{?_smp_mflags} test_7z
 %endif
 
+%if %{with buildgui}
+%post gui
+%desktop_database_post
+%icon_theme_cache_post
+
+%postun gui
+%desktop_database_postun
+%icon_theme_cache_postun
+%endif
+
 %files
 %defattr(-,root,root)
 %dir %{_libdir}/%{name}
@@ -90,5 +153,22 @@
 %{_bindir}/7za
 %doc ChangeLog DOC/*.txt
 %{_mandir}/man1/*
+%if %{with buildgui}
+%exclude %{_libdir}/%{name}/7zG
+%endif
+
+%if %{with buildgui}
+%files gui
+%defattr(-,root,root)
+%{_bindir}/7zG
+%{_bindir}/p7zipForFilemanager
+%{_libdir}/%{name}/7zG
+%dir %{_libdir}/%{name}/Lang
+%{_libdir}/%{name}/Lang/*.txt
+%{_libdir}/%{name}/Lang/en.ttt
+%{_datadir}/icons/hicolor/*/apps/p7zip.png
+%dir %{_kf5_servicesdir}/ServiceMenus
+%{_kf5_servicesdir}/ServiceMenus/*.desktop
+%endif
 
 %changelog

++++++ CVE-2016-2334.patch ++++++
Index: p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp
===================================================================
--- p7zip_15.14.1.orig/CPP/7zip/Archive/HfsHandler.cpp
+++ p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp
@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFo
       item.GroupID = Get32(r + 0x24);
       item.AdminFlags = r[0x28];
       item.OwnerFlags = r[0x29];
+      */
       item.FileMode = Get16(r + 0x2A);
+      /*
       item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
       item.FileType = Get32(r + 0x30);
       item.FileCreator = Get32(r + 0x34);
@@ -1572,6 +1574,9 @@ HRESULT CHandler::ExtractZlibFile(
 
     UInt32 size = GetUi32(tableBuf + i * 8 + 4);
 
+    if (size > buf.Size() || size > kCompressionBlockSize + 1)
+        return S_FALSE;
+
     RINOK(ReadStream_FALSE(inStream, buf, size));
 
     if ((buf[0] & 0xF) == 0xF)
++++++ CVE-2016-2335.patch ++++++
Index: p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp
===================================================================
--- p7zip_15.14.1.orig/CPP/7zip/Archive/Udf/UdfIn.cpp
+++ p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp
@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int vol
     return S_FALSE;
   CFile &file = Files.Back();
   const CLogVol &vol = LogVols[volIndex];
-  CPartition &partition = 
Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
+  unsigned partitionRef = lad.Location.PartitionRef;
+
+  if (partitionRef >= vol.PartitionMaps.Size())
+       return S_FALSE;
+  CPartition &partition = 
Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
 
   UInt32 key = lad.Location.Pos;
   UInt32 value;

commit p7zip for openSUSE:Factory

Reply via email to