From ae297d821b329e5b358e829690d7abf883b8227d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Wed, 6 Nov 2019 14:57:30 +0100
Subject: [PATCH] - rel 2; SECURITY fixes from FC
---
05-hardening-flags.patch | 33 +++++++++++++++++++++++++++++++++
14-Fix-g++-warning.patch | 24 ++++++++++++++++++++++++
CVE-2016-9296.patch | 12 ++++++++++++
CVE-2017-17969.patch | 26 ++++++++++++++++++++++++++
gcc10-conversion.patch | 26 ++++++++++++++++++++++++++
p7zip.spec | 13 ++++++++++++-
6 files changed, 133 insertions(+), 1 deletion(-)
create mode 100644 05-hardening-flags.patch
create mode 100644 14-Fix-g++-warning.patch
create mode 100644 CVE-2016-9296.patch
create mode 100644 CVE-2017-17969.patch
create mode 100644 gcc10-conversion.patch
diff --git a/05-hardening-flags.patch b/05-hardening-flags.patch
new file mode 100644
index 0000000..aa42431
--- /dev/null
+++ b/05-hardening-flags.patch
@@ -0,0 +1,33 @@
+From: Robert Luberda
+Date: Fri, 22 Jan 2016 00:53:09 +0100
+Subject: Hardening flags
+
+Add support for $(CPPFLAGS) and do not override $(CXXFLAGS)
+and $(CFLAGS)
+
+Bug-Debian: https://bugs.debian.org/#682167
+---
+ makefile.glb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/makefile.glb b/makefile.glb
+index fb001d5..e10ae03 100644
+--- a/makefile.glb
++++ b/makefile.glb
+@@ -1,14 +1,14 @@
+
+ RM=rm -f
+
+-CFLAGS=-c -I. \
++CFLAGS+=$(CPPFLAGS) -c -I. \
+ -I../../../../C \
+ -I../../../../CPP/myWindows \
+ -I../../../../CPP/include_windows \
+ -I../../../../CPP \
+ $(ALLFLAGS) $(ALLFLAGS_C)
+
+-CXXFLAGS=-c -I. \
++CXXFLAGS+=$(CPPFLAGS) -c -I. \
+ -I../../../../C \
+ -I../../../../CPP/myWindows \
+ -I../../../../CPP/include_windows \
diff --git a/14-Fix-g++-warning.patch b/14-Fix-g++-warning.patch
new file mode 100644
index 0000000..226e239
--- /dev/null
+++ b/14-Fix-g++-warning.patch
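Review bot: The `CFLAGS+=` and `CXXFLAGS+=` assignments in makefile.glb only take effect when those variables come from the environment or are unset; a value given on the make command line overrides makefile assignments, `+=` included, which would drop `-c` and the `-I` paths along with the hardening flags. The spec in this commit passes `CPPFLAGS`, `LDFLAGS` and `OPTFLAGS` on the command line and leaves `CFLAGS`/`CXXFLAGS` alone, so it is not affected. A comment above the first assignment would keep a later packager from passing them directly, for example `# set CFLAGS/CXXFLAGS in the environment, not on the make command line, or these += lines are ignored`. The CXXFLAGS assignment continues past the end of the hunk.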
@@ -0,0 +1,24 @@
+From: Robert Luberda
+Date: Sun, 28 Jan 2018 22:19:13 +0100
+Subject: Fix g++ warning
+
+Fix for "use of an operand of type 'bool' in 'operator++'
+is deprecated [-Wdeprecated]" warning taken from 7zip 18.00.beta
+package.
+---
+ CPP/7zip/Archive/Wim/WimHandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CPP/7zip/Archive/Wim/WimHandler.cpp b/CPP/7zip/Archive/Wim/WimHandler.cpp
+index 27d3298..4ff5cfe 100644
+--- a/CPP/7zip/Archive/Wim/WimHandler.cpp
++++ b/CPP/7zip/Archive/Wim/WimHandler.cpp
+@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchiveProperty(PROPID propID, PROPVARIANT *value)
+
+ AString res;
+
+- bool numMethods = 0;
++ unsigned numMethods = 0;
+ for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++)
+ {
+ if (methodMask & ((UInt32)1 << i))
diff --git a/CVE-2016-9296.patch b/CVE-2016-9296.patch
new file mode 100644
index 0000000..773f92a
--- /dev/null
+++ b/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig 2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp 2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
diff --git a/CVE-2017-17969.patch b/CVE-2017-17969.patch
new file mode 100644
index 0000000..ebc0ac9
--- /dev/null
+++ b/CVE-2017-17969.patch
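Review bot: Nothing in CVE-2016-9296.patch records why a null `folders.PackPositions` is acceptable in `ReadAndDecodePackedStreams`: the guarded branch just skips the `HeadersSize` update and the function still returns `S_OK`. A comment above the guard would state the intent, for example `// PackPositions may be null when no pack-stream table was read; never index it unchecked`. The guard tests only for null, so a non-null table is still assumed to hold at least `NumPackStreams + 1` entries, presumably guaranteed where it is allocated, outside the hunk. Unlike the other patches added in this commit, this file has no author, origin or description header, so its provenance rests on the commit subject alone.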
@@ -0,0 +1,26 @@
+From 79bca880ce7bcf07216c45f93afea545e0344418 Mon Sep 17 00:00:00 2001
+From: aone
+Date: Mon, 5 Feb 2018 13:01:09 +0100
+Subject: [PATCH] Security fix CVE-2017-17969
+
+---
+ CPP/7zip/Compress/ShrinkDecoder.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp
+index 80b7e67..5bb0559 100644
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,7 +121,12 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ {
+ _stack[i++] = _suffixes[cur];
+ cur = _parents[cur];
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+ }
++
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+
+ _stack[i++] = (Byte)cur;
+ lastChar2 = (Byte)cur;
diff --git a/gcc10-conversion.patch b/gcc10-conversion.patch
new file mode 100644
index 0000000..45f9f84
--- /dev/null
+++ b/gcc10-conversion.patch
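Review bot: Both added bounds checks in `CDecoder::CodeReal` leave via `break`, so an out-of-range `cur` or `i` ends decoding the same way an ordinary end of input presumably does. What follows the enclosing loop is outside the hunk; if it returns success, a corrupt Shrink stream would be reported as extracted cleanly. Returning an error at the second check, `return S_FALSE;` in place of `break;`, would make the corruption visible to the caller. The check inside the inner loop also runs only after `_suffixes[cur]` and `_parents[cur]` have been read once, so it relies on `cur` being below `kNumItems` on entry, which the lines above the hunk would have to guarantee.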
@@ -0,0 +1,26 @@
+diff -Nrup a/CPP/Windows/ErrorMsg.cpp b/CPP/Windows/ErrorMsg.cpp
+--- a/CPP/Windows/ErrorMsg.cpp 2015-01-18 11:20:28.000000000 -0700
++++ b/CPP/Windows/ErrorMsg.cpp 2019-09-24 13:01:18.887289152 -0600
+@@ -14,14 +14,14 @@ UString MyFormatMessage(DWORD errorCode)
+ AString msg;
+
+ switch(errorCode) {
+- case ERROR_NO_MORE_FILES : txt = "No more files"; break ;
+- case E_NOTIMPL : txt = "E_NOTIMPL"; break ;
+- case E_NOINTERFACE : txt = "E_NOINTERFACE"; break ;
+- case E_ABORT : txt = "E_ABORT"; break ;
+- case E_FAIL : txt = "E_FAIL"; break ;
+- case STG_E_INVALIDFUNCTION : txt = "STG_E_INVALIDFUNCTION"; break ;
+- case E_OUTOFMEMORY : txt = "E_OUTOFMEMORY"; break ;
+- case E_INVALIDARG : txt = "E_INVALIDARG"; break ;
++ case unsigned (ERROR_NO_MORE_FILES) : txt = "No more files"; break ;
++ case unsigned (E_NOTIMPL) : txt = "E_NOTIMPL"; break ;
++ case unsigned (E_NOINTERFACE) : txt = "E_NOINTERFACE"; break ;
++ case unsigned (E_ABORT) : txt = "E_ABORT"; break ;
++ case unsigned (E_FAIL) : txt = "E_FAIL"; break ;
++ case unsigned (STG_E_INVALIDFUNCTION) : txt = "STG_E_INVALIDFUNCTION"; break ;
++ case unsigned (E_OUTOFMEMORY) : txt = "E_OUTOFMEMORY"; break ;
++ case unsigned (E_INVALIDARG) : txt = "E_INVALIDARG"; break ;
+ case ERROR_DIRECTORY : txt = "Error Directory"; break ;
+ default:
+ txt = strerror(errorCode);
diff --git a/p7zip.spec b/p7zip.spec
index 35e92e2..30a881c 100644
--- a/p7zip.spec
+++ b/p7zip.spec
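Review bot: The new case labels in `MyFormatMessage` convert with the function-style `unsigned (…)`, although the `switch` operand is `DWORD errorCode`. Converting to the operand's own type, as in `case static_cast<DWORD>(E_NOTIMPL) : txt = "E_NOTIMPL"; break ;`, keeps labels and operand in step if `DWORD` is not plain `unsigned` on some target, and reads as a deliberate conversion. `case ERROR_DIRECTORY` is left uncast; that is presumably fine if the constant is already a non-negative value, but a one-line comment on why only the other labels need converting would save the next reader from checking. The function body continues outside the hunk.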
@@ -2,11 +2,16 @@ Summary: File archiver with highest compression ratio Summary(pl.UTF-8): Paker plików z najwyższym stopniem kompresji Name: p7zip Version: 16.02 -Release: 1 +Release: 2 License: LGPL v2.1+ Group: Applications/Archiving Source0: http://downloads.sourceforge.net/p7zip/%{name}_%{version}_src_all.tar.bz2 # Source0-md5: a0128d661cfe7cc8c121e73519c54fbf +Patch0: 05-hardening-flags.patch +Patch1: 14-Fix-g++-warning.patch +Patch2: CVE-2016-9296.patch +Patch3: CVE-2017-17969.patch +Patch4: gcc10-conversion.patch URL: http://p7zip.sourceforge.net/ BuildRequires: libstdc++-devel BuildRequires: sed >= 4.0 @@ -54,6 +59,11 @@ wersja obsługująca wtyczki. %prep %setup -q -n %{name}_%{version} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %{__sed} -i -e 's/ -s / /' makefile.machine @@ -64,6 +74,7 @@ find . -name '*.cpp' -exec %{__sed} -i -e 's@getenv("P7ZIP_HOME_DIR")@"%{_libdir %{__make} all2 \ CC="%{__cc} \$(ALLFLAGS)" \ CXX="%{__cxx} \$(ALLFLAGS)" \ + CPPFLAGS="%{rpmcppflags}" \ LDFLAGS="%{rpmldflags}" \ OPTFLAGS="%{rpmcxxflags}" -- 2.44.0