* [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296
@ 2020-04-11 13:36 André Hentschel
2020-04-11 13:36 ` [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969 André Hentschel
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: André Hentschel @ 2020-04-11 13:36 UTC (permalink / raw)
To: buildroot
Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
---
package/p7zip/0001-CVE-2016-9296.patch | 25 +++++++++++++++++++++++++
package/p7zip/p7zip.mk | 3 +++
2 files changed, 28 insertions(+)
create mode 100644 package/p7zip/0001-CVE-2016-9296.patch
diff --git a/package/p7zip/0001-CVE-2016-9296.patch b/package/p7zip/0001-CVE-2016-9296.patch
new file mode 100644
index 0000000000..6e6fc9f58f
--- /dev/null
+++ b/package/p7zip/0001-CVE-2016-9296.patch
@@ -0,0 +1,25 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sat, 19 Nov 2016 08:48:08 +0100
+Subject: Fix nullptr dereference (CVE-2016-9296)
+
+Patch taken from https://sourceforge.net/p/p7zip/bugs/185/
+
+Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
+---
+ CPP/7zip/Archive/7z/7zIn.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CPP/7zip/Archive/7z/7zIn.cpp b/CPP/7zip/Archive/7z/7zIn.cpp
+index b0c6b98..7c6dde2 100644
+--- a/CPP/7zip/Archive/7z/7zIn.cpp
++++ b/CPP/7zip/Archive/7z/7zIn.cpp
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams(
+ if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+ ThrowIncorrect();
+ }
+- HeadersSize += folders.PackPositions[folders.NumPackStreams];
++ if (folders.PackPositions)
++ HeadersSize += folders.PackPositions[folders.NumPackStreams];
+ return S_OK;
+ }
+
diff --git a/package/p7zip/p7zip.mk b/package/p7zip/p7zip.mk
index ff0dd01e02..66d3198c17 100644
--- a/package/p7zip/p7zip.mk
+++ b/package/p7zip/p7zip.mk
@@ -10,6 +10,9 @@ P7ZIP_SITE = http://downloads.sourceforge.net/project/p7zip/p7zip/$(P7ZIP_VERSIO
P7ZIP_LICENSE = LGPL-2.1+ with unRAR restriction
P7ZIP_LICENSE_FILES = DOC/License.txt
+# 0001-CVE-2016-9296.patch
+P7ZIP_IGNORE_CVES += CVE-2016-9296
+
# p7zip buildsystem is a mess: it plays dirty tricks with CFLAGS and
# CXXFLAGS, so we can't pass them. Instead, it accepts ALLFLAGS_C
# and ALLFLAGS_CPP as variables to pass the CFLAGS and CXXFLAGS.
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969
2020-04-11 13:36 [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 André Hentschel
@ 2020-04-11 13:36 ` André Hentschel
2020-04-29 21:50 ` Peter Korsgaard
2020-04-11 13:36 ` [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996 André Hentschel
` (2 subsequent siblings)
3 siblings, 1 reply; 7+ messages in thread
From: André Hentschel @ 2020-04-11 13:36 UTC (permalink / raw)
To: buildroot
Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
---
package/p7zip/0002-CVE-2017-17969.patch | 37 +++++++++++++++++++++++++
package/p7zip/p7zip.mk | 2 ++
2 files changed, 39 insertions(+)
create mode 100644 package/p7zip/0002-CVE-2017-17969.patch
diff --git a/package/p7zip/0002-CVE-2017-17969.patch b/package/p7zip/0002-CVE-2017-17969.patch
new file mode 100644
index 0000000000..9198127cb9
--- /dev/null
+++ b/package/p7zip/0002-CVE-2017-17969.patch
@@ -0,0 +1,37 @@
+From: =?utf-8?q?Antoine_Beaupr=C3=A9?= <anarcat@debian.org>
+Date: Fri, 2 Feb 2018 11:11:41 +0100
+Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
+
+Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch
+Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7
+Bug: https://sourceforge.net/p/p7zip/bugs/204/
+Bug-Debian: https://bugs.debian.org/888297
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2018-02-01
+Applied-Upstream: 18.00-beta
+
+Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
+---
+ CPP/7zip/Compress/ShrinkDecoder.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp
+index 80b7e67..ca37764 100644
+--- a/CPP/7zip/Compress/ShrinkDecoder.cpp
++++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
+@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ {
+ _stack[i++] = _suffixes[cur];
+ cur = _parents[cur];
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
+ }
+-
++
++ if (cur >= kNumItems || i >= kNumItems)
++ break;
++
+ _stack[i++] = (Byte)cur;
+ lastChar2 = (Byte)cur;
+
diff --git a/package/p7zip/p7zip.mk b/package/p7zip/p7zip.mk
index 66d3198c17..be95995bab 100644
--- a/package/p7zip/p7zip.mk
+++ b/package/p7zip/p7zip.mk
@@ -12,6 +12,8 @@ P7ZIP_LICENSE_FILES = DOC/License.txt
# 0001-CVE-2016-9296.patch
P7ZIP_IGNORE_CVES += CVE-2016-9296
+# 0002-CVE-2017-17969.patch
+P7ZIP_IGNORE_CVES += CVE-2017-17969
# p7zip buildsystem is a mess: it plays dirty tricks with CFLAGS and
# CXXFLAGS, so we can't pass them. Instead, it accepts ALLFLAGS_C
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996
2020-04-11 13:36 [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 André Hentschel
2020-04-11 13:36 ` [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969 André Hentschel
@ 2020-04-11 13:36 ` André Hentschel
2020-04-29 21:50 ` Peter Korsgaard
2020-04-12 11:49 ` [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 Thomas Petazzoni
2020-04-29 21:50 ` Peter Korsgaard
3 siblings, 1 reply; 7+ messages in thread
From: André Hentschel @ 2020-04-11 13:36 UTC (permalink / raw)
To: buildroot
Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
---
package/p7zip/0003-CVE-2018-5996.patch | 223 +++++++++++++++++++++++++
package/p7zip/p7zip.mk | 2 +
2 files changed, 225 insertions(+)
create mode 100644 package/p7zip/0003-CVE-2018-5996.patch
diff --git a/package/p7zip/0003-CVE-2018-5996.patch b/package/p7zip/0003-CVE-2018-5996.patch
new file mode 100644
index 0000000000..dc3e90ad3a
--- /dev/null
+++ b/package/p7zip/0003-CVE-2018-5996.patch
@@ -0,0 +1,223 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sun, 28 Jan 2018 23:47:40 +0100
+Subject: CVE-2018-5996
+
+Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by
+applying a few changes from 7Zip 18.00-beta.
+
+Bug-Debian: https://bugs.debian.org/#888314
+
+Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
+---
+ CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++----
+ CPP/7zip/Compress/Rar1Decoder.h | 1 +
+ CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++-
+ CPP/7zip/Compress/Rar2Decoder.h | 1 +
+ CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++---
+ CPP/7zip/Compress/Rar3Decoder.h | 2 ++
+ 6 files changed, 42 insertions(+), 8 deletions(-)
+
+diff --git a/CPP/7zip/Compress/Rar1Decoder.cpp b/CPP/7zip/Compress/Rar1Decoder.cpp
+index 1aaedcc..68030c7 100644
+--- a/CPP/7zip/Compress/Rar1Decoder.cpp
++++ b/CPP/7zip/Compress/Rar1Decoder.cpp
+@@ -29,7 +29,7 @@ public:
+ };
+ */
+
+-CDecoder::CDecoder(): m_IsSolid(false) { }
++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { }
+
+ void CDecoder::InitStructures()
+ {
+@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ InitData();
+ if (!m_IsSolid)
+ {
++ _errorMode = false;
+ InitStructures();
+ InitHuff();
+ }
++
++ if (_errorMode)
++ return S_FALSE;
++
+ if (m_UnpackSize > 0)
+ {
+ GetFlagsBuf();
+@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream
+ const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress)
+ {
+ try { return CodeReal(inStream, outStream, inSize, outSize, progress); }
+- catch(const CInBufferException &e) { return e.ErrorCode; }
+- catch(const CLzOutWindowException &e) { return e.ErrorCode; }
+- catch(...) { return S_FALSE; }
++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(...) { _errorMode = true; return S_FALSE; }
+ }
+
+ STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size)
+diff --git a/CPP/7zip/Compress/Rar1Decoder.h b/CPP/7zip/Compress/Rar1Decoder.h
+index 630f089..01b606b 100644
+--- a/CPP/7zip/Compress/Rar1Decoder.h
++++ b/CPP/7zip/Compress/Rar1Decoder.h
+@@ -39,6 +39,7 @@ public:
+
+ Int64 m_UnpackSize;
+ bool m_IsSolid;
++ bool _errorMode;
+
+ UInt32 ReadBits(int numBits);
+ HRESULT CopyBlock(UInt32 distance, UInt32 len);
+diff --git a/CPP/7zip/Compress/Rar2Decoder.cpp b/CPP/7zip/Compress/Rar2Decoder.cpp
+index b3f2b4b..0580c8d 100644
+--- a/CPP/7zip/Compress/Rar2Decoder.cpp
++++ b/CPP/7zip/Compress/Rar2Decoder.cpp
+@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << 20;
+ static const UInt32 kWindowReservSize = (1 << 22) + 256;
+
+ CDecoder::CDecoder():
+- m_IsSolid(false)
++ m_IsSolid(false),
++ m_TablesOK(false)
+ {
+ }
+
+@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBits) { return m_InBitStream.ReadBits(numB
+
+ bool CDecoder::ReadTables(void)
+ {
++ m_TablesOK = false;
++
+ Byte levelLevels[kLevelTableSize];
+ Byte newLevels[kMaxTableSize];
+ m_AudioMode = (ReadBits(1) == 1);
+@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void)
+ }
+
+ memcpy(m_LastLevels, newLevels, kMaxTableSize);
++ m_TablesOK = true;
++
+ return true;
+ }
+
+@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
+ return S_FALSE;
+ }
+
++ if (!m_TablesOK)
++ return S_FALSE;
++
+ UInt64 startPos = m_OutWindowStream.GetProcessedSize();
+ while (pos < unPackSize)
+ {
+diff --git a/CPP/7zip/Compress/Rar2Decoder.h b/CPP/7zip/Compress/Rar2Decoder.h
+index 3a0535c..0e9005f 100644
+--- a/CPP/7zip/Compress/Rar2Decoder.h
++++ b/CPP/7zip/Compress/Rar2Decoder.h
+@@ -139,6 +139,7 @@ class CDecoder :
+
+ UInt64 m_PackSize;
+ bool m_IsSolid;
++ bool m_TablesOK;
+
+ void InitStructures();
+ UInt32 ReadBits(unsigned numBits);
+diff --git a/CPP/7zip/Compress/Rar3Decoder.cpp b/CPP/7zip/Compress/Rar3Decoder.cpp
+index 3bf2513..6cb8a6a 100644
+--- a/CPP/7zip/Compress/Rar3Decoder.cpp
++++ b/CPP/7zip/Compress/Rar3Decoder.cpp
+@@ -92,7 +92,8 @@ CDecoder::CDecoder():
+ _writtenFileSize(0),
+ _vmData(0),
+ _vmCode(0),
+- m_IsSolid(false)
++ m_IsSolid(false),
++ _errorMode(false)
+ {
+ Ppmd7_Construct(&_ppmd);
+ }
+@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing)
+ return InitPPM();
+ }
+
++ TablesRead = false;
++ TablesOK = false;
++
+ _lzMode = true;
+ PrevAlignBits = 0;
+ PrevAlignCount = 0;
+@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing)
+ }
+ }
+ }
++ if (InputEofError())
++ return S_FALSE;
++
+ TablesRead = true;
+
+ // original code has check here:
+@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepDecompressing)
+ RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize]));
+
+ memcpy(m_LastLevels, newLevels, kTablesSizesSum);
++
++ TablesOK = true;
++
+ return S_OK;
+ }
+
+@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
+ PpmEscChar = 2;
+ PpmError = true;
+ InitFilters();
++ _errorMode = false;
+ }
++
++ if (_errorMode)
++ return S_FALSE;
++
+ if (!m_IsSolid || !TablesRead)
+ {
+ bool keepDecompressing;
+@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProgressInfo *progress)
+ bool keepDecompressing;
+ if (_lzMode)
+ {
++ if (!TablesOK)
++ return S_FALSE;
+ RINOK(DecodeLZ(keepDecompressing))
+ }
+ else
+@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialInStream *inStream, ISequentialOutStream
+ _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1;
+ return CodeReal(progress);
+ }
+- catch(const CInBufferException &e) { return e.ErrorCode; }
+- catch(...) { return S_FALSE; }
++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; }
++ catch(...) { _errorMode = true; return S_FALSE; }
+ // CNewException is possible here. But probably CNewException is caused
+ // by error in data stream.
+ }
+diff --git a/CPP/7zip/Compress/Rar3Decoder.h b/CPP/7zip/Compress/Rar3Decoder.h
+index c130cec..2f72d7d 100644
+--- a/CPP/7zip/Compress/Rar3Decoder.h
++++ b/CPP/7zip/Compress/Rar3Decoder.h
+@@ -192,6 +192,7 @@ class CDecoder:
+ UInt32 _lastFilter;
+
+ bool m_IsSolid;
++ bool _errorMode;
+
+ bool _lzMode;
+ bool _unsupportedFilter;
+@@ -200,6 +201,7 @@ class CDecoder:
+ UInt32 PrevAlignCount;
+
+ bool TablesRead;
++ bool TablesOK;
+
+ CPpmd7 _ppmd;
+ int PpmEscChar;
diff --git a/package/p7zip/p7zip.mk b/package/p7zip/p7zip.mk
index be95995bab..59cd9b7e95 100644
--- a/package/p7zip/p7zip.mk
+++ b/package/p7zip/p7zip.mk
@@ -14,6 +14,8 @@ P7ZIP_LICENSE_FILES = DOC/License.txt
P7ZIP_IGNORE_CVES += CVE-2016-9296
# 0002-CVE-2017-17969.patch
P7ZIP_IGNORE_CVES += CVE-2017-17969
+# 0003-CVE-2018-5996.patch
+P7ZIP_IGNORE_CVES += CVE-2018-5996
# p7zip buildsystem is a mess: it plays dirty tricks with CFLAGS and
# CXXFLAGS, so we can't pass them. Instead, it accepts ALLFLAGS_C
--
2.17.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296
2020-04-11 13:36 [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 André Hentschel
2020-04-11 13:36 ` [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969 André Hentschel
2020-04-11 13:36 ` [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996 André Hentschel
@ 2020-04-12 11:49 ` Thomas Petazzoni
2020-04-29 21:50 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2020-04-12 11:49 UTC (permalink / raw)
To: buildroot
On Sat, 11 Apr 2020 15:36:14 +0200
Andr? Hentschel <nerv@dawncrow.de> wrote:
> Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
> ---
> package/p7zip/0001-CVE-2016-9296.patch | 25 +++++++++++++++++++++++++
> package/p7zip/p7zip.mk | 3 +++
> 2 files changed, 28 insertions(+)
> create mode 100644 package/p7zip/0001-CVE-2016-9296.patch
Series applied. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296
2020-04-11 13:36 [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 André Hentschel
` (2 preceding siblings ...)
2020-04-12 11:49 ` [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 Thomas Petazzoni
@ 2020-04-29 21:50 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2020-04-29 21:50 UTC (permalink / raw)
To: buildroot
>>>>> "Andr?" == Andr? Hentschel <nerv@dawncrow.de> writes:
> Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969
2020-04-11 13:36 ` [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969 André Hentschel
@ 2020-04-29 21:50 ` Peter Korsgaard
0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2020-04-29 21:50 UTC (permalink / raw)
To: buildroot
>>>>> "Andr?" == Andr? Hentschel <nerv@dawncrow.de> writes:
> Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996
2020-04-11 13:36 ` [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996 André Hentschel
@ 2020-04-29 21:50 ` Peter Korsgaard
0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2020-04-29 21:50 UTC (permalink / raw)
To: buildroot
>>>>> "Andr?" == Andr? Hentschel <nerv@dawncrow.de> writes:
> Signed-off-by: Andr? Hentschel <nerv@dawncrow.de>
Committed to 2020.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-04-29 21:50 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-11 13:36 [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 André Hentschel
2020-04-11 13:36 ` [Buildroot] [PATCH 2/3] package/p7zip: fix CVE-2017-17969 André Hentschel
2020-04-29 21:50 ` Peter Korsgaard
2020-04-11 13:36 ` [Buildroot] [PATCH 3/3] package/p7zip: fix CVE-2018-5996 André Hentschel
2020-04-29 21:50 ` Peter Korsgaard
2020-04-12 11:49 ` [Buildroot] [PATCH 1/3] package/p7zip: fix CVE-2016-9296 Thomas Petazzoni
2020-04-29 21:50 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.