Update archivers/cabextract to 1.6. The significant change from 1.5 is that it fixes the extraction to absolute file names with invalid UTF-8 characters (CVE-2015-2060). This was already fixed in the port with patch-src_cabextract_c.
Also, the other security patch in the port, patch-mspack_qtmd_c (CVE-2014-9556), was already obsoleted by extended input validation in 1.5. OK? Index: Makefile =================================================================== RCS file: /cvs/ports/archivers/cabextract/Makefile,v retrieving revision 1.15 diff -u -p -r1.15 Makefile --- Makefile 18 Feb 2015 13:04:09 -0000 1.15 +++ Makefile 8 Jun 2015 20:04:47 -0000 @@ -2,8 +2,7 @@ COMMENT= extracts files from Microsoft CAB archives -DISTNAME= cabextract-1.5 -REVISION= 0 +DISTNAME= cabextract-1.6 CATEGORIES= archivers HOMEPAGE= http://www.cabextract.org.uk/ Index: distinfo =================================================================== RCS file: /cvs/ports/archivers/cabextract/distinfo,v retrieving revision 1.10 diff -u -p -r1.10 distinfo --- distinfo 4 Feb 2015 09:51:53 -0000 1.10 +++ distinfo 8 Jun 2015 20:04:47 -0000 @@ -1,2 +1,2 @@ -SHA256 (cabextract-1.5.tar.gz) = I9auP2XNkLA2lY+pX8TZmD+A/e1L2OKtJza6jECVJoo= -SIZE (cabextract-1.5.tar.gz) = 241010 +SHA256 (cabextract-1.6.tar.gz) = zuZhtWVVNQ0mlDxeEn/HXdKQt/dWidXrwfBJV8SvVfs= +SIZE (cabextract-1.6.tar.gz) = 241731 Index: patches/patch-mspack_qtmd_c =================================================================== RCS file: patches/patch-mspack_qtmd_c diff -N patches/patch-mspack_qtmd_c --- patches/patch-mspack_qtmd_c 30 Jan 2015 13:34:40 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,20 +0,0 @@ -$OpenBSD: patch-mspack_qtmd_c,v 1.1 2015/01/30 13:34:40 jasper Exp $ - -Security fix for CVE-2014-9556 -http://anonscm.debian.org/cgit/collab-maint/libmspack.git/tree/debian/patches/qtmd-fix-frame_end-overflow.patch - ---- mspack/qtmd.c.orig Fri Jan 30 15:18:30 2015 -+++ mspack/qtmd.c Fri Jan 30 15:19:11 2015 -@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t out - - /* decode more, up to the number of bytes needed, the frame boundary, - * or the window boundary, whichever comes first */ -- frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr)); -- if ((window_posn + frame_todo) < frame_end) { -+ if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) { - frame_end = window_posn + frame_todo; -+ } else { -+ frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr)); - } - if (frame_end > qtm->window_size) { - frame_end = qtm->window_size; Index: patches/patch-src_cabextract_c =================================================================== RCS file: patches/patch-src_cabextract_c diff -N patches/patch-src_cabextract_c --- patches/patch-src_cabextract_c 18 Feb 2015 13:04:09 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,81 +0,0 @@ -$OpenBSD: patch-src_cabextract_c,v 1.3 2015/02/18 13:04:09 sthen Exp $ - -Prevent leading slashes check being evaded with malformed UTF-8 -http://sourceforge.net/p/libmspack/code/217/ - ---- src/cabextract.c.orig Sat Jan 10 18:13:11 2015 -+++ src/cabextract.c Wed Feb 18 13:01:06 2015 -@@ -738,7 +738,7 @@ static int unix_path_seperators(struct mscabd_file *fi - static char *create_output_name(unsigned char *fname, unsigned char *dir, - int lower, int isunix, int utf8) - { -- unsigned char *p, *name, c, *fe, sep, slash; -+ unsigned char *p, *name, c, *o, *fe, sep, slash; - int x; - - sep = (isunix) ? '/' : '\\'; /* the path-seperator */ -@@ -750,7 +750,7 @@ static char *create_output_name(unsigned char *fname, - if (utf8) x *= 4; - /* length of output directory */ - if (dir) x += strlen((char *) dir); -- x += 2; -+ x += 3; - - if (!(name = malloc(x))) { - fprintf(stderr, "Can't allocate output filename (%u bytes)\n", x); -@@ -766,16 +766,14 @@ static char *create_output_name(unsigned char *fname, - strcat((char *) name, "/"); - } - -- /* remove leading slashes */ -- while (*fname == sep) fname++; -- - /* copy from fi->filename to new name, converting MS-DOS slashes to UNIX - * slashes as we go. Also lowercases characters if needed. - */ -- p = &name[strlen((char *)name)]; /* p = start of output filename */ -+ p = o = &name[strlen((char *)name)]; /* p = o = start of output filename */ - fe = &fname[strlen((char *)fname)]; /* fe = end of input filename */ - - if (utf8) { -+ int first = 1; - /* handle UTF-8 encoded filenames (see RFC 3629). This doesn't reject bad - * UTF-8 with overlong encodings, but does re-encode it as valid UTF-8. - */ -@@ -815,6 +813,10 @@ static char *create_output_name(unsigned char *fname, - x = 0xFFFD; /* invalid code point or cheeky null byte */ - } - -+ /* remove leading slashes */ -+ if (first && x == sep) continue; -+ first = 0; -+ - /* whatever is the path seperator -> '/' - * whatever is the other slash -> '\\' - * otherwise, if lower is set, the lowercase version */ -@@ -851,6 +853,7 @@ static char *create_output_name(unsigned char *fname, - } - else { - /* regular non-utf8 version */ -+ while (*fname == sep) fname++; - do { - c = *fname++; - if (c == sep) c = '/'; -@@ -861,11 +864,16 @@ static char *create_output_name(unsigned char *fname, - - /* search for "../" in cab filename part and change to "xx/". This - * prevents any unintended directory traversal. */ -- for (p = &name[dir ? strlen((char *) dir)+1 : 0]; *p; p++) { -+ for (p = o; *p; p++) { - if ((p[0] == '.') && (p[1] == '.') && (p[2] == '/')) { - p[0] = p[1] = 'x'; - p += 2; - } -+ } -+ -+ /* change filename composed entirely of leading slashes to "x" */ -+ if (strlen(o) == 0) { -+ strcat(o, "x"); - } - - return (char *) name; -- Christian "naddy" Weisgerber na...@mips.inka.de
