From patchwork Mon Jul 19 19:21:12 2021
X-Patchwork-Submitter: André Zwing
X-Patchwork-Id: 1507216
From: André Zwing
To: buildroot@busybox.net
Date: Mon, 19 Jul 2021 21:21:12 +0200
Message-Id: <20210719192112.3905400-1-nerv@dawncrow.de>
Subject: [Buildroot] [PATCH] package/p7zip: bump to version v17.04

This new attempt to maintain p7zip is already picked up by Distributions. It fixes CVE-2016-9296, CVE-2017-17969, CVE-2018-5996 and CVE-2018-10115.

Note that the version is now prefixed with 'v'.

Signed-off-by: André Zwing
--- package/p7zip/0001-CVE-2016-9296.patch | 25 -- package/p7zip/0002-CVE-2017-17969.patch | 37 --- package/p7zip/0003-CVE-2018-5996.patch | 223 ------------------ .../p7zip/0004-Fix-build-with-gcc-10.patch | 32 --- package/p7zip/p7zip.hash | 7 +- package/p7zip/p7zip.mk | 12 +- 6 files changed, 4 insertions(+), 332 deletions(-) delete mode 100644 package/p7zip/0001-CVE-2016-9296.patch delete mode 100644 package/p7zip/0002-CVE-2017-17969.patch delete mode 100644 package/p7zip/0003-CVE-2018-5996.patch delete mode 100644 package/p7zip/0004-Fix-build-with-gcc-10.patch diff --git a/package/p7zip/0001-CVE-2016-9296.patch b/package/p7zip/0001-CVE-2016-9296.patch deleted file mode 100644 index 6e6fc9f58f..0000000000 --- a/package/p7zip/0001-CVE-2016-9296.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From: Robert Luberda -Date: Sat, 19 Nov 2016 08:48:08 +0100 -Subject: Fix nullptr dereference (CVE-2016-9296) - -Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ - -Signed-off-by: André Hentschel ---- - CPP/7zip/Archive/7z/7zIn.cpp | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/CPP/7zip/Archive/7z/7zIn.cpp b/CPP/7zip/Archive/7z/7zIn.cpp -index b0c6b98..7c6dde2 100644 ---- a/CPP/7zip/Archive/7z/7zIn.cpp -+++ b/CPP/7zip/Archive/7z/7zIn.cpp -@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams( - if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) - ThrowIncorrect(); - } -- HeadersSize += folders.PackPositions[folders.NumPackStreams]; -+ if (folders.PackPositions) -+ HeadersSize += folders.PackPositions[folders.NumPackStreams]; - return S_OK; - } - diff --git a/package/p7zip/0002-CVE-2017-17969.patch b/package/p7zip/0002-CVE-2017-17969.patch deleted file mode 100644 index 9198127cb9..0000000000 --- a/package/p7zip/0002-CVE-2017-17969.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From: =?utf-8?q?Antoine_Beaupr=C3=A9?= -Date: Fri, 2 Feb 2018 11:11:41 +0100 -Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp - -Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch -Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7 -Bug: https://sourceforge.net/p/p7zip/bugs/204/ -Bug-Debian: https://bugs.debian.org/888297 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969 -Reviewed-by: Salvatore Bonaccorso -Last-Update: 2018-02-01 -Applied-Upstream: 18.00-beta - -Signed-off-by: André Hentschel ---- - CPP/7zip/Compress/ShrinkDecoder.cpp | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp -index 80b7e67..ca37764 100644 ---- a/CPP/7zip/Compress/ShrinkDecoder.cpp -+++ b/CPP/7zip/Compress/ShrinkDecoder.cpp -@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * - { - _stack[i++] = _suffixes[cur]; - cur = _parents[cur]; -+ if (cur >= kNumItems || i >= kNumItems) -+ break; - } -- -+ -+ if (cur >= kNumItems || i >= kNumItems) -+ break; -+ - _stack[i++] = (Byte)cur; - lastChar2 = (Byte)cur; - diff --git a/package/p7zip/0003-CVE-2018-5996.patch b/package/p7zip/0003-CVE-2018-5996.patch deleted file mode 100644 index dc3e90ad3a..0000000000 --- a/package/p7zip/0003-CVE-2018-5996.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From: Robert Luberda -Date: Sun, 28 Jan 2018 23:47:40 +0100 -Subject: CVE-2018-5996 - -Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by -applying a few changes from 7Zip 18.00-beta. - -Bug-Debian: https://bugs.debian.org/#888314 - -Signed-off-by: André Hentschel ---- - CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- - CPP/7zip/Compress/Rar1Decoder.h | 1 + - CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- - CPP/7zip/Compress/Rar2Decoder.h | 1 + - CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- - CPP/7zip/Compress/Rar3Decoder.h | 2 ++ - 6 files changed, 42 insertions(+), 8 deletions(-) - -diff --git a/CPP/7zip/Compress/Rar1Decoder.cpp b/CPP/7zip/Compress/Rar1Decoder.cpp -index 1aaedcc..68030c7 100644 ---- a/CPP/7zip/Compress/Rar1Decoder.cpp -+++ b/CPP/7zip/Compress/Rar1Decoder.cpp -@@ -29,7 +29,7 @@ public: - }; - */ - --CDecoder::CDecoder(): m_IsSolid(false) { } -+CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } - - void CDecoder::InitStructures() - { -@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * - InitData(); - if (!m_IsSolid) - { -+ _errorMode = false; - InitStructures(); - InitHuff(); - } -+ -+ if (_errorMode) -+ return S_FALSE; -+ - if (m_UnpackSize > 0) - { - GetFlagsBuf(); -@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream - const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) - { - try { return CodeReal(inStream, outStream, inSize, outSize, progress); } -- catch(const CInBufferException &e) { return e.ErrorCode; } -- catch(const CLzOutWindowException &e) { return e.ErrorCode; } -- catch(...) { return S_FALSE; } -+ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } -+ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } -+ catch(...) 
{ _errorMode = true; return S_FALSE; } - } - - STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) -diff --git a/CPP/7zip/Compress/Rar1Decoder.h b/CPP/7zip/Compress/Rar1Decoder.h -index 630f089..01b606b 100644 ---- a/CPP/7zip/Compress/Rar1Decoder.h -+++ b/CPP/7zip/Compress/Rar1Decoder.h -@@ -39,6 +39,7 @@ public: - - Int64 m_UnpackSize; - bool m_IsSolid; -+ bool _errorMode; - - UInt32 ReadBits(int numBits); - HRESULT CopyBlock(UInt32 distance, UInt32 len); -diff --git a/CPP/7zip/Compress/Rar2Decoder.cpp b/CPP/7zip/Compress/Rar2Decoder.cpp -index b3f2b4b..0580c8d 100644 ---- a/CPP/7zip/Compress/Rar2Decoder.cpp -+++ b/CPP/7zip/Compress/Rar2Decoder.cpp -@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << 20; - static const UInt32 kWindowReservSize = (1 << 22) + 256; - - CDecoder::CDecoder(): -- m_IsSolid(false) -+ m_IsSolid(false), -+ m_TablesOK(false) - { - } - -@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBits) { return m_InBitStream.ReadBits(numB - - bool CDecoder::ReadTables(void) - { -+ m_TablesOK = false; -+ - Byte levelLevels[kLevelTableSize]; - Byte newLevels[kMaxTableSize]; - m_AudioMode = (ReadBits(1) == 1); -@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) - } - - memcpy(m_LastLevels, newLevels, kMaxTableSize); -+ m_TablesOK = true; -+ - return true; - } - -@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * - return S_FALSE; - } - -+ if (!m_TablesOK) -+ return S_FALSE; -+ - UInt64 startPos = m_OutWindowStream.GetProcessedSize(); - while (pos < unPackSize) - { -diff --git a/CPP/7zip/Compress/Rar2Decoder.h b/CPP/7zip/Compress/Rar2Decoder.h -index 3a0535c..0e9005f 100644 ---- a/CPP/7zip/Compress/Rar2Decoder.h -+++ b/CPP/7zip/Compress/Rar2Decoder.h -@@ -139,6 +139,7 @@ class CDecoder : - - UInt64 m_PackSize; - bool m_IsSolid; -+ bool m_TablesOK; - - void InitStructures(); - UInt32 ReadBits(unsigned numBits); -diff --git a/CPP/7zip/Compress/Rar3Decoder.cpp 
b/CPP/7zip/Compress/Rar3Decoder.cpp -index 3bf2513..6cb8a6a 100644 ---- a/CPP/7zip/Compress/Rar3Decoder.cpp -+++ b/CPP/7zip/Compress/Rar3Decoder.cpp -@@ -92,7 +92,8 @@ CDecoder::CDecoder(): - _writtenFileSize(0), - _vmData(0), - _vmCode(0), -- m_IsSolid(false) -+ m_IsSolid(false), -+ _errorMode(false) - { - Ppmd7_Construct(&_ppmd); - } -@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) - return InitPPM(); - } - -+ TablesRead = false; -+ TablesOK = false; -+ - _lzMode = true; - PrevAlignBits = 0; - PrevAlignCount = 0; -@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) - } - } - } -+ if (InputEofError()) -+ return S_FALSE; -+ - TablesRead = true; - - // original code has check here: -@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing) - RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); - - memcpy(m_LastLevels, newLevels, kTablesSizesSum); -+ -+ TablesOK = true; -+ - return S_OK; - } - -@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress) - PpmEscChar = 2; - PpmError = true; - InitFilters(); -+ _errorMode = false; - } -+ -+ if (_errorMode) -+ return S_FALSE; -+ - if (!m_IsSolid || !TablesRead) - { - bool keepDecompressing; -@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress) - bool keepDecompressing; - if (_lzMode) - { -+ if (!TablesOK) -+ return S_FALSE; - RINOK(DecodeLZ(keepDecompressing)) - } - else -@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream - _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; - return CodeReal(progress); - } -- catch(const CInBufferException &e) { return e.ErrorCode; } -- catch(...) { return S_FALSE; } -+ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } -+ catch(...) { _errorMode = true; return S_FALSE; } - // CNewException is possible here. 
But probably CNewException is caused - // by error in data stream. - } -diff --git a/CPP/7zip/Compress/Rar3Decoder.h b/CPP/7zip/Compress/Rar3Decoder.h -index c130cec..2f72d7d 100644 ---- a/CPP/7zip/Compress/Rar3Decoder.h -+++ b/CPP/7zip/Compress/Rar3Decoder.h -@@ -192,6 +192,7 @@ class CDecoder: - UInt32 _lastFilter; - - bool m_IsSolid; -+ bool _errorMode; - - bool _lzMode; - bool _unsupportedFilter; -@@ -200,6 +201,7 @@ class CDecoder: - UInt32 PrevAlignCount; - - bool TablesRead; -+ bool TablesOK; - - CPpmd7 _ppmd; - int PpmEscChar; diff --git a/package/p7zip/0004-Fix-build-with-gcc-10.patch b/package/p7zip/0004-Fix-build-with-gcc-10.patch deleted file mode 100644 index b01833db29..0000000000 --- a/package/p7zip/0004-Fix-build-with-gcc-10.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 78b760eae21d7b340c69e8abab8ca706e1e00adc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Stefan=20S=C3=B8rensen?= -Date: Mon, 4 May 2020 09:19:46 +0200 -Subject: [PATCH] Fix build with gcc 10. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add cast to code that mixes HRESULT (aka long) and DWORD (aka unsigned -int) which causes an narrowing error with gcc 10. - -Signed-off-by: Stefan Sørensen ---- - CPP/Windows/ErrorMsg.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/CPP/Windows/ErrorMsg.cpp b/CPP/Windows/ErrorMsg.cpp -index 99684ae..ab48352 100644 ---- a/CPP/Windows/ErrorMsg.cpp -+++ b/CPP/Windows/ErrorMsg.cpp -@@ -13,7 +13,7 @@ UString MyFormatMessage(DWORD errorCode) - const char * txt = 0; - AString msg; - -- switch(errorCode) { -+ switch((HRESULT)errorCode) { - case ERROR_NO_MORE_FILES : txt = "No more files"; break ; - case E_NOTIMPL : txt = "E_NOTIMPL"; break ; - case E_NOINTERFACE : txt = "E_NOINTERFACE"; break ; --- -2.26.2 - diff --git a/package/p7zip/p7zip.hash b/package/p7zip/p7zip.hash index a63a0b4a97..7b5e7f6ca8 100644 --- a/package/p7zip/p7zip.hash +++ b/package/p7zip/p7zip.hash 
@@ -1,6 +1,3 @@ -# From https://sourceforge.net/projects/p7zip/files/p7zip/16.02/ -md5 a0128d661cfe7cc8c121e73519c54fbf p7zip_16.02_src_all.tar.bz2 -sha1 e8819907132811aa1afe5ef296181d3a15cc8f22 p7zip_16.02_src_all.tar.bz2 -# Locally computed -sha256 5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f p7zip_16.02_src_all.tar.bz2 +# Locally calculated +sha256 ea029a2e21d2d6ad0a156f6679bd66836204aa78148a4c5e498fe682e77127ef p7zip-v17.04.tar.gz sha256 555806657dcf0f1e720b581c52643c195ec86ae3f00bd18cc66d2e0f88ffa210 DOC/License.txt diff --git a/package/p7zip/p7zip.mk b/package/p7zip/p7zip.mk index 43fbe775dc..f054fb5766 100644 --- a/package/p7zip/p7zip.mk +++ b/package/p7zip/p7zip.mk @@ -4,20 +4,12 @@ # ################################################################################ -P7ZIP_VERSION = 16.02 -P7ZIP_SOURCE = p7zip_$(P7ZIP_VERSION)_src_all.tar.bz2 -P7ZIP_SITE = http://downloads.sourceforge.net/project/p7zip/p7zip/$(P7ZIP_VERSION) +P7ZIP_VERSION = v17.04 +P7ZIP_SITE = $(call github,jinfeihan57,p7zip,$(P7ZIP_VERSION)) P7ZIP_LICENSE = LGPL-2.1+ with unRAR restriction P7ZIP_LICENSE_FILES = DOC/License.txt P7ZIP_CPE_ID_VENDOR = 7-zip -# 0001-CVE-2016-9296.patch -P7ZIP_IGNORE_CVES += CVE-2016-9296 -# 0002-CVE-2017-17969.patch -P7ZIP_IGNORE_CVES += CVE-2017-17969 -# 0003-CVE-2018-5996.patch -P7ZIP_IGNORE_CVES += CVE-2018-5996 - # p7zip buildsystem is a mess: it plays dirty tricks with CFLAGS and # CXXFLAGS, so we can't pass them. Instead, it accepts ALLFLAGS_C # and ALLFLAGS_CPP as variables to pass the CFLAGS and CXXFLAGS.
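
Review bot: In the package/p7zip/p7zip.mk hunk, `P7ZIP_VERSION = v17.04` carries the tag's 'v' prefix into everything derived from the version, including the CPE ID, because `P7ZIP_CPE_ID_VENDOR = 7-zip` is kept and no `P7ZIP_CPE_ID_VERSION` is set. Buildroot's CPE version defaults to the package version, so CVE matching would be done against "v17.04" in the same change that drops the three `P7ZIP_IGNORE_CVES` lines. Suggest keeping `P7ZIP_VERSION = 17.04` and passing `v$(P7ZIP_VERSION)` as the last argument of the `github` call (the tarball name in p7zip.hash would then become p7zip-17.04.tar.gz), or setting `P7ZIP_CPE_ID_VERSION` explicitly.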
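
Review bot: The deletion of package/p7zip/0004-Fix-build-with-gcc-10.patch is not accounted for in the commit message, which only explains why the three CVE patches can go. Please add a line stating that v17.04 already contains the `(HRESULT)errorCode` cast in CPP/Windows/ErrorMsg.cpp, or otherwise why the gcc 10 build fix is no longer needed.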
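
Review bot: In the package/p7zip/p7zip.hash hunk, the new sha256 for p7zip-v17.04.tar.gz is marked only as "Locally calculated" while the download moves from SourceForge to `$(call github,jinfeihan57,p7zip,...)`, and the commit message speaks of a "new attempt to maintain p7zip" without naming that repository. Naming the new upstream in the commit message would let a reader check where the tarball comes from. The DOC/License.txt hash stays as an unchanged context line, which asserts that the license file is byte-identical in v17.04; worth confirming before this is applied.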