On Tue, Jun 19, 2018 at 11:25:01AM +0100, Stuart Henderson wrote:
> On 2018/06/19 05:15, Josh Grosse wrote:
> > A patch for CVE-2018-10115 was posted May 8, no comments received.
> > 
> >    https://marc.info/?l=openbsd-ports&m=152581494615299&w=2
> > 
> > A patch for CVE-2017-17969 has been added to the attached diff.
> 
> It's a bit tricky to review the code changes directly, can you send some
> links/information for the CVE-2018-10115 ones like you have for the
> CVE-2017-17969 one so we at least have a better idea of provenance?

Sorry, Stuart, for missing that.  The patch was obtained here:
https://sourceforge.net/p/p7zip/discussion/383043/thread/5dd56271/

> Seems there is also CVE-2018-5996 which looks fairly nasty.

Yes.  Robert Luberda (Debian's robert@) had worked up a revision
which I found last night.  It was listed as a "hopeful" fix and
I would like to discuss with him before attempting to integrate it
with the 10115 patches, as there are conflicts.  FreeBSD has 
applied it, but they have not added 10115.

It is unfortunate that the p7zip project has apparently abandoned
interest in addressing any CVEs.  It leaves the various downstream
ports to haphazardly apply what they feel would be most helpful,
and there is no consistency in approach.  We could follow Red Hat's
lead and eliminate the -rar subpackage, and that would eliminate
needing to deal with either 5996 or 10115.
