CVE-2016-2334 and CVE-2016-2335 affect 7zip. p7zip shares the
affected code, which is installed as /usr/local/lib/p7zip/7z.so.
Upstream has not yet applied these fixes to the code shared with
7zip.
Attached are -current, 5.9, and 5.8 patches.
Index: Makefile
===================================================================
RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
retrieving revision 1.34
diff -u -p -r1.34 Makefile
--- Makefile 12 Apr 2016 23:13:22 -0000 1.34
+++ Makefile 24 May 2016 00:31:06 -0000
@@ -7,7 +7,7 @@ V= 15.14.1
DISTNAME= p7zip_${V}_src_all
PKGNAME= p7zip-${V}
PKGNAME-main= p7zip-${V}
-REVISION-main= 0
+REVISION-main= 1
PKGNAME-rar= p7zip-rar-${V}
CATEGORIES= archivers
Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 00:38:41
-0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2016-2334
+
+--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
++++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
+@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
+ item.GroupID = Get32(r + 0x24);
+ item.AdminFlags = r[0x28];
+ item.OwnerFlags = r[0x29];
++ */
+ item.FileMode = Get16(r + 0x2A);
++ /*
+ item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
+ item.FileType = Get32(r + 0x30);
+ item.FileCreator = Get32(r + 0x34);
+@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
+ blockSize = (UInt32)rem;
+
+ UInt32 size = GetUi32(tableBuf + i * 8 + 4);
++
++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
++ return S_FALSE;
+
+ RINOK(ReadStream_FALSE(inStream, buf, size));
+
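Review bot: The patch header says only `CVE-2016-2334`, which does not explain why the first inner hunk re-enables `item.FileMode = Get16(r + 0x2A);` by closing and reopening the surrounding comment in `LoadCatalog`. The second inner hunk is the visible bounds check: `size` is read from `tableBuf` and is then the length passed to `ReadStream_FALSE(inStream, buf, size)`. A header line such as `Reject a block-table size larger than the read buffer before reading into buf; FileMode is re-enabled because <reason - to be filled in>` would record both. The 5.9 and 5.8 copies (ending at L132 and L209) carry the same hunk offsets and `.orig` timestamps although their Makefiles give `V= 15.09` and `V= 9.38.1`, so it is worth confirming each applies without offset or fuzz, since a shifted `*/` and `/*` pair would change which statements are live. Both functions continue outside the hunks shown.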
Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 00:38:25
-0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+CVE-2016-2335
+
+--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
++++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
+@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
+ return S_FALSE;
+ CFile &file = Files.Back();
+ const CLogVol &vol = LogVols[volIndex];
+- CPartition &partition =
Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
++ unsigned partitionRef = lad.Location.PartitionRef;
++
++ if (partitionRef >= vol.PartitionMaps.Size())
++ return S_FALSE;
++ CPartition &partition =
Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
+
+ UInt32 key = lad.Location.Pos;
+ UInt32 value;
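Review bot: The new guard bounds `partitionRef` against `vol.PartitionMaps.Size()`, but the value fetched next, `vol.PartitionMaps[partitionRef].PartitionIndex`, still indexes `Partitions` with no visible range check. If `PartitionIndex` is not already validated where the partition maps are loaded (outside this hunk), a second guard in `ReadFileItem` would close the same class of out-of-range access. Assuming `Partitions` exposes `Size()` like `PartitionMaps`, that guard could be `if (vol.PartitionMaps[partitionRef].PartitionIndex >= Partitions.Size()) return S_FALSE;`, with a negative check added if the field is signed. A one-line comment above the check noting that `lad.Location.PartitionRef` comes from the archive would also help. The same applies to the 5.9 and 5.8 copies ending at L161 and L238.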
Index: Makefile
===================================================================
RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
retrieving revision 1.31
diff -u -p -r1.31 Makefile
--- Makefile 4 Feb 2016 10:38:26 -0000 1.31
+++ Makefile 24 May 2016 00:46:00 -0000
@@ -6,7 +6,7 @@ COMMENT-main= file archiver with high co
COMMENT-rar= rar modules for p7zip
V= 15.09
-REVISION= 4
+REVISION= 5
DISTNAME= p7zip_${V}_src_all
PKGNAME= p7zip-${V}
PKGNAME-main= p7zip-${V}
Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 00:44:39
-0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2016-2334
+
+--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
++++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
+@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
+ item.GroupID = Get32(r + 0x24);
+ item.AdminFlags = r[0x28];
+ item.OwnerFlags = r[0x29];
++ */
+ item.FileMode = Get16(r + 0x2A);
++ /*
+ item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
+ item.FileType = Get32(r + 0x30);
+ item.FileCreator = Get32(r + 0x34);
+@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
+ blockSize = (UInt32)rem;
+
+ UInt32 size = GetUi32(tableBuf + i * 8 + 4);
++
++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
++ return S_FALSE;
+
+ RINOK(ReadStream_FALSE(inStream, buf, size));
+
Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 00:44:39
-0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+CVE-2016-2335
+
+--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
++++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
+@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
+ return S_FALSE;
+ CFile &file = Files.Back();
+ const CLogVol &vol = LogVols[volIndex];
+- CPartition &partition =
Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
++ unsigned partitionRef = lad.Location.PartitionRef;
++
++ if (partitionRef >= vol.PartitionMaps.Size())
++ return S_FALSE;
++ CPartition &partition =
Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
+
+ UInt32 key = lad.Location.Pos;
+ UInt32 value;
Index: Makefile
===================================================================
RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
retrieving revision 1.24
diff -u -p -r1.24 Makefile
--- Makefile 16 Mar 2015 17:20:40 -0000 1.24
+++ Makefile 24 May 2016 01:01:41 -0000
@@ -6,6 +6,7 @@ COMMENT-main= file archiver with high co
COMMENT-rar= rar modules for p7zip
V= 9.38.1
+REVISION= 0
DISTNAME= p7zip_${V}_src_all
PKGNAME= p7zip-${V}
PKGNAME-main= p7zip-${V}
Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 01:01:56
-0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+CVE-2016-2334
+
+--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
++++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
+@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
+ item.GroupID = Get32(r + 0x24);
+ item.AdminFlags = r[0x28];
+ item.OwnerFlags = r[0x29];
++ */
+ item.FileMode = Get16(r + 0x2A);
++ /*
+ item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
+ item.FileType = Get32(r + 0x30);
+ item.FileCreator = Get32(r + 0x34);
+@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
+ blockSize = (UInt32)rem;
+
+ UInt32 size = GetUi32(tableBuf + i * 8 + 4);
++
++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
++ return S_FALSE;
+
+ RINOK(ReadStream_FALSE(inStream, buf, size));
+
Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
===================================================================
RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 01:01:56
-0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+CVE-2016-2335
+
+--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
++++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
+@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
+ return S_FALSE;
+ CFile &file = Files.Back();
+ const CLogVol &vol = LogVols[volIndex];
+- CPartition &partition =
Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
++ unsigned partitionRef = lad.Location.PartitionRef;
++
++ if (partitionRef >= vol.PartitionMaps.Size())
++ return S_FALSE;
++ CPartition &partition =
Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
+
+ UInt32 key = lad.Location.Pos;
+ UInt32 value;