On 2016/05/23 22:03, Josh Grosse wrote:
> CVE-2016-2334 and CVE-2016-2335 affect 7zip, with code shared
> in p7zip that is installed in /usr/local/lib/p7zip/7z.so.
>
> Upstream has not yet applied these fixes to code shared with
> 7zip.
>
> Attached are -current, 5.9, and 5.8 patches.
I don't have time to handle committing this atm, could somebody take
care of it please? OK with me.
> Index: Makefile
> ===================================================================
> RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
> retrieving revision 1.34
> diff -u -p -r1.34 Makefile
> --- Makefile 12 Apr 2016 23:13:22 -0000 1.34
> +++ Makefile 24 May 2016 00:31:06 -0000
> @@ -7,7 +7,7 @@ V= 15.14.1
> DISTNAME= p7zip_${V}_src_all
> PKGNAME= p7zip-${V}
> PKGNAME-main= p7zip-${V}
> -REVISION-main= 0
> +REVISION-main= 1
> PKGNAME-rar= p7zip-rar-${V}
> CATEGORIES= archivers
>
> Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> ===================================================================
> RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 00:38:41
> -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +CVE-2016-2334
> +
> +--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
> ++++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
> +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
> + item.GroupID = Get32(r + 0x24);
> + item.AdminFlags = r[0x28];
> + item.OwnerFlags = r[0x29];
> ++ */
> + item.FileMode = Get16(r + 0x2A);
> ++ /*
> + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
> + item.FileType = Get32(r + 0x30);
> + item.FileCreator = Get32(r + 0x34);
> +@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
> + blockSize = (UInt32)rem;
> +
> + UInt32 size = GetUi32(tableBuf + i * 8 + 4);
> ++
> ++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
> ++ return S_FALSE;
> +
> + RINOK(ReadStream_FALSE(inStream, buf, size));
> +
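Review bot: The new guard in `ExtractZlibFile` rejects an oversized `size` but still accepts zero. The code after `ReadStream_FALSE` lies outside the hunk; if it inspects `buf[0]` or computes `size - 1` (not visible here), the guard should read `if (size == 0 || size > buf.Size() || size > kCompressionBlockSize + 1)`. `size` is taken directly from the archive's block table, so every later use has to be safe for any value the guard lets through. Separately, the first inner hunk re-enables `item.FileMode = Get16(r + 0x2A);` by closing and reopening the surrounding comment, but nothing in this patch reads `FileMode`; a line in the patch header saying why the CVE-2016-2334 fix needs that field would help whoever regenerates it. The same two inner hunks are repeated in the 5.9 and 5.8 patches further down.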
> Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> ===================================================================
> RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 00:38:25
> -0000
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +
> +CVE-2016-2335
> +
> +--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
> ++++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
> +@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
> + return S_FALSE;
> + CFile &file = Files.Back();
> + const CLogVol &vol = LogVols[volIndex];
> +- CPartition &partition =
> Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
> ++ unsigned partitionRef = lad.Location.PartitionRef;
> ++
> ++ if (partitionRef >= vol.PartitionMaps.Size())
> ++ return S_FALSE;
> ++ CPartition &partition =
> Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
> +
> + UInt32 key = lad.Location.Pos;
> + UInt32 value;
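Review bot: The added check bounds `partitionRef` against `vol.PartitionMaps.Size()`, but the `PartitionIndex` loaded from that map entry is then used to index `Partitions` with no bound visible in this hunk. If that index is not already validated where the partition maps are parsed (outside the hunk, so this is unconfirmed), compare `vol.PartitionMaps[partitionRef].PartitionIndex` with the size of `Partitions` and return `S_FALSE` before binding the reference. Note also that the long `Partitions[...]` lines are wrapped in this mail, so the inline text will not apply as is and the attachment should be used. Both points apply equally to the 5.9 and 5.8 copies of this patch below.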
> Index: Makefile
> ===================================================================
> RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
> retrieving revision 1.31
> diff -u -p -r1.31 Makefile
> --- Makefile 4 Feb 2016 10:38:26 -0000 1.31
> +++ Makefile 24 May 2016 00:46:00 -0000
> @@ -6,7 +6,7 @@ COMMENT-main= file archiver with high co
> COMMENT-rar= rar modules for p7zip
>
> V= 15.09
> -REVISION= 4
> +REVISION= 5
> DISTNAME= p7zip_${V}_src_all
> PKGNAME= p7zip-${V}
> PKGNAME-main= p7zip-${V}
> Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> ===================================================================
> RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 00:44:39
> -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +CVE-2016-2334
> +
> +--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
> ++++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
> +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
> + item.GroupID = Get32(r + 0x24);
> + item.AdminFlags = r[0x28];
> + item.OwnerFlags = r[0x29];
> ++ */
> + item.FileMode = Get16(r + 0x2A);
> ++ /*
> + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
> + item.FileType = Get32(r + 0x30);
> + item.FileCreator = Get32(r + 0x34);
> +@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
> + blockSize = (UInt32)rem;
> +
> + UInt32 size = GetUi32(tableBuf + i * 8 + 4);
> ++
> ++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
> ++ return S_FALSE;
> +
> + RINOK(ReadStream_FALSE(inStream, buf, size));
> +
> Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> ===================================================================
> RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 00:44:39
> -0000
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +
> +CVE-2016-2335
> +
> +--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
> ++++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
> +@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
> + return S_FALSE;
> + CFile &file = Files.Back();
> + const CLogVol &vol = LogVols[volIndex];
> +- CPartition &partition =
> Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
> ++ unsigned partitionRef = lad.Location.PartitionRef;
> ++
> ++ if (partitionRef >= vol.PartitionMaps.Size())
> ++ return S_FALSE;
> ++ CPartition &partition =
> Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
> +
> + UInt32 key = lad.Location.Pos;
> + UInt32 value;
> Index: Makefile
> ===================================================================
> RCS file: /systems/cvs/ports/archivers/p7zip/Makefile,v
> retrieving revision 1.24
> diff -u -p -r1.24 Makefile
> --- Makefile 16 Mar 2015 17:20:40 -0000 1.24
> +++ Makefile 24 May 2016 01:01:41 -0000
> @@ -6,6 +6,7 @@ COMMENT-main= file archiver with high co
> COMMENT-rar= rar modules for p7zip
>
> V= 9.38.1
> +REVISION= 0
> DISTNAME= p7zip_${V}_src_all
> PKGNAME= p7zip-${V}
> PKGNAME-main= p7zip-${V}
> Index: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> ===================================================================
> RCS file: patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> diff -N patches/patch-CPP_7zip_Archive_HfsHandler_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CPP_7zip_Archive_HfsHandler_cpp 24 May 2016 01:01:56
> -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +CVE-2016-2334
> +
> +--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
> ++++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
> +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
> + item.GroupID = Get32(r + 0x24);
> + item.AdminFlags = r[0x28];
> + item.OwnerFlags = r[0x29];
> ++ */
> + item.FileMode = Get16(r + 0x2A);
> ++ /*
> + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
> + item.FileType = Get32(r + 0x30);
> + item.FileCreator = Get32(r + 0x34);
> +@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
> + blockSize = (UInt32)rem;
> +
> + UInt32 size = GetUi32(tableBuf + i * 8 + 4);
> ++
> ++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
> ++ return S_FALSE;
> +
> + RINOK(ReadStream_FALSE(inStream, buf, size));
> +
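Review bot: This 5.8 patch targets p7zip 9.38.1, yet its inner headers carry the same `.orig` timestamp (Fri Jun 19 06:52:08 2015) and the same hunk offsets (987 and 1571) as the -current patch for 15.14.1, which suggests it was copied rather than regenerated against the older sources. Before committing, confirm that it applies to 9.38.1 without fuzz and that `kCompressionBlockSize` and `item.FileMode` exist in that version. The 5.9 patch for 15.09 and both `UdfIn.cpp` copies raise the same question. Running `make update-patches` in each branch would record the real offsets and timestamps.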
> Index: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> ===================================================================
> RCS file: patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> diff -N patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-CPP_7zip_Archive_Udf_UdfIn_cpp 24 May 2016 01:01:56
> -0000
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +
> +CVE-2016-2335
> +
> +--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
> ++++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
> +@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
> + return S_FALSE;
> + CFile &file = Files.Back();
> + const CLogVol &vol = LogVols[volIndex];
> +- CPartition &partition =
> Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
> ++ unsigned partitionRef = lad.Location.PartitionRef;
> ++
> ++ if (partitionRef >= vol.PartitionMaps.Size())
> ++ return S_FALSE;
> ++ CPartition &partition =
> Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
> +
> + UInt32 key = lad.Location.Pos;
> + UInt32 value;