update to 15.14.1 (Fixes security vulnerabilities)

Description Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 15:09:46 UTC

Created attachment 172517 v15.14.1 patch

The patch is attached. Note that 15.14.1 also fixes CVE-2016-2334 and CVE-2016-2335, so it's also a security patch.

Comment 2 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-07-14 15:30:30 UTC

Thanks for bringing these CVEs up. Unfortunately, 15.14.1 does not fix them.

From 15.14.1's changelog:

Version 15.14.1

Indeed, diff -uprN p7zip_15.14 p7zip_15.14.1 shows that it's the only difference between the two releases.

p7zip 16.02 was released just a few hours ago and does contain the patches from https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/?limit=25#c6ae that several distros had adopted (Debian, OpenSUSE and Arch Linux at least).

The best course of action here is to:

Let me know if you'd like to take on the first item, otherwise I'll do it later today.

Comment 4 Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 15:42:22 UTC

The port with patch compiles fine.

Comment 5 commit-hook freebsd_committer freebsd_triage 2016-07-15 11:23:37 UTC

A commit references this bug:

Author: rakuco
Date: Fri Jul 15 11:23:23 UTC 2016
New revision: 418575
URL: https://svnweb.freebsd.org/changeset/ports/418575

Log: Document CVE-2016-2334 and CVE-2016-2335 in archivers/p7zip.

PR: 211114

Changes: head/security/vuxml/vuln.xml

Comment 6 commit-hook freebsd_committer freebsd_triage 2016-07-15 11:25:40 UTC

A commit references this bug:

Author: rakuco
Date: Fri Jul 15 11:25:07 UTC 2016
New revision: 418576
URL: https://svnweb.freebsd.org/changeset/ports/418576

Log: Add patches for CVE-2016-2334 and CVE-2016-2335.

While here, use PORTREVISION?= instead of PORTREVISION= to avoid needlessly bumping PORTREVISION in archivers/p7zip-codec-rar.

PR: 211114
Submitted by: Piotr Kubaj <pkubaj@anongoth.pl>
MFH: 2016Q3
Security: a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49
Security: d706a3a3-4a7c-11e6-97f7-5453ed2e2b49

Changes:
head/archivers/p7zip/Makefile
head/archivers/p7zip/files/patch-CPP_7zip_Archive_HfsHandler.cpp
head/archivers/p7zip/files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp

Comment 7 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-07-15 11:26:49 UTC

Committed, thank you very much for the patch.

Comment 8 commit-hook freebsd_committer freebsd_triage 2016-07-15 13:46:49 UTC

A commit references this bug:

Author: feld
Date: Fri Jul 15 13:45:51 UTC 2016
New revision: 418579
URL: https://svnweb.freebsd.org/changeset/ports/418579

Log: MFH: r418576

Add patches for CVE-2016-2334 and CVE-2016-2335.

While here, use PORTREVISION?= instead of PORTREVISION= to avoid needlessly bumping PORTREVISION in archivers/p7zip-codec-rar.

PR: 211114
Submitted by: Piotr Kubaj <pkubaj@anongoth.pl>
Security: a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49
Security: d706a3a3-4a7c-11e6-97f7-5453ed2e2b49

Approved by: ports-secteam (with hat)

Changes:
_U branches/2016Q3/
branches/2016Q3/archivers/p7zip/Makefile
branches/2016Q3/archivers/p7zip/files/patch-CPP_7zip_Archive_HfsHandler.cpp
branches/2016Q3/archivers/p7zip/files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp