Revision: 149394 https://trac.macports.org/changeset/149394 Author: mps@macports.org Date: 2016-06-16 06:42:14 -0700 (Thu, 16 Jun 2016) Log Message: ----------- p7zip: patches for CVE-2016-2334 and CVE-2016-2335 Added Paths: ----------- trunk/dports/archivers/p7zip/files/ trunk/dports/archivers/p7zip/files/CVE-2016-2334.patch trunk/dports/archivers/p7zip/files/CVE-2016-2335.patch
Added: trunk/dports/archivers/p7zip/files/CVE-2016-2334.patch
===================================================================
--- trunk/dports/archivers/p7zip/files/CVE-2016-2334.patch (rev 0)
+++ trunk/dports/archivers/p7zip/files/CVE-2016-2334.patch 2016-06-16 13:42:14 UTC (rev 149394)
@@ -0,0 +1,38 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sun, 15 May 2016 11:15:02 +0200
+Subject: CVE-2016-2334
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Patch for the Heap buffer overflow in HFS handler vulnerability
+(CVE-2016-2334) as posted by İsmail Dönmez to
+https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/#1dba
+---
+ CPP/7zip/Archive/HfsHandler.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CPP/7zip/Archive/HfsHandler.cpp b/CPP/7zip/Archive/HfsHandler.cpp
+index 8459280..47b8303 100644
+--- CPP/7zip/Archive/HfsHandler.cpp
++++ CPP/7zip/Archive/HfsHandler.cpp
+@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, const CObjectVector<CIdExtents
+ item.GroupID = Get32(r + 0x24);
+ item.AdminFlags = r[0x28];
+ item.OwnerFlags = r[0x29];
++ */
+ item.FileMode = Get16(r + 0x2A);
++ /*
+ item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
+ item.FileType = Get32(r + 0x30);
+ item.FileCreator = Get32(r + 0x34);
+@@ -1572,6 +1574,9 @@ HRESULT CHandler::ExtractZlibFile(
+
+ UInt32 size = GetUi32(tableBuf + i * 8 + 4);
+
++ if (size > buf.Size() || size > kCompressionBlockSize + 1)
++ return S_FALSE;
++
+ RINOK(ReadStream_FALSE(inStream, buf, size));
+
+ if ((buf[0] & 0xF) == 0xF)
Added: trunk/dports/archivers/p7zip/files/CVE-2016-2335.patch
===================================================================
--- trunk/dports/archivers/p7zip/files/CVE-2016-2335.patch (rev 0)
+++ trunk/dports/archivers/p7zip/files/CVE-2016-2335.patch 2016-06-16 13:42:14 UTC (rev 149394)
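Review bot: In the ExtractZlibFile hunk of CVE-2016-2334.patch, a `size` of 0 still passes the added guard, and the next visible statement tests `buf[0]`, which would then not hold data read for this block (assuming ReadStream_FALSE reads nothing for a zero length). Rejecting that case in the same condition would close the gap: `if (size == 0 || size > buf.Size() || size > kCompressionBlockSize + 1)`. Separately, the LoadCatalog hunk re-enables `item.FileMode = Get16(r + 0x2A);` inside an otherwise commented-out block, which the patch description does not mention; a short comment such as `// FileMode is read by <consumer>; keep enabled` would help whoever rebases this patch later. Both functions start and end outside the hunks shown, so any validation done elsewhere in them is not visible here.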
@@ -0,0 +1,31 @@
+From: Robert Luberda <robert@debian.org>
+Date: Sun, 15 May 2016 11:15:06 +0200
+Subject: CVE-2016-2335
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Patch for the Out of bounds read in UDF handler vulnerability
+(CVE-2016-2335) as posted by İsmail Dönmez to
+https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/#1dba
+---
+ CPP/7zip/Archive/Udf/UdfIn.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/CPP/7zip/Archive/Udf/UdfIn.cpp b/CPP/7zip/Archive/Udf/UdfIn.cpp
+index a051a27..5f2acb0 100644
+--- CPP/7zip/Archive/Udf/UdfIn.cpp
++++ CPP/7zip/Archive/Udf/UdfIn.cpp
+@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsIndex, const CLongAllocDesc
+ return S_FALSE;
+ CFile &file = Files.Back();
+ const CLogVol &vol = LogVols[volIndex];
+- CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
++ unsigned partitionRef = lad.Location.PartitionRef;
++
++ if (partitionRef >= vol.PartitionMaps.Size())
++ return S_FALSE;
++ CPartition &partition = Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
+
+ UInt32 key = lad.Location.Pos;
+ UInt32 value;
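Review bot: `PartitionIndex` is still used to index `Partitions` with no bounds check visible in this hunk; the added guard in ReadFileItem covers only `partitionRef` against `vol.PartitionMaps.Size()`. If PartitionIndex is not already validated where the partition maps are parsed (not visible here), the same class of out-of-bounds read remains one level down, and a second guard before the reference is bound would cover it: `if (vol.PartitionMaps[partitionRef].PartitionIndex >= Partitions.Size()) return S_FALSE;`. The context line `LogVols[volIndex]` is indexed the same way and deserves the same confirmation from the caller side. ReadFileItem starts and ends outside the hunk.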