From ${URL} :

It was reported [1] that p7zip suffers from a directory traversal flaw. This could allow for the overwriting of arbitrary files through uncompressing a crafted archive, with the privileges of the user running 7z. For example:

$ ln -s /tmp foo
$ 7z a test.7z foo
$ rm foo
$ mkdir foo
$ echo hello > foo/test
$ 7z a test.7z foo/test
$ rm -rf foo
$ 7z x test.7z

This will create 'foo' as a symlink to /tmp which will in turn contain the file 'test' with the privileges of the user unarchiving 'test.7z'.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774660

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
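The entry pattern in the report above (a symlink entry followed by an entry stored beneath the same name) can be checked for before anything is extracted. This is an added example, not the Debian or p7zip patch; the entry tuples, the function name and the /extract root are assumptions made for illustration, and the listing is constructed from the reproduction steps.

```python
import posixpath

# Constructed listing matching the reproduction steps above:
# (archive path, symlink target or None), in archive order.
POC_ENTRIES = [("foo", "/tmp"), ("foo/test", None)]

def find_symlink_traversal(entries, dest="/extract"):
    """Return (path, reason) for every entry that would write outside dest.

    dest is a hypothetical extraction root; nothing touches the filesystem.
    """
    dest = posixpath.normpath(dest)
    symlinks = set()   # normalized paths an earlier entry created as symlinks
    findings = []
    for path, target in entries:
        norm = posixpath.normpath(path)
        if posixpath.isabs(path) or norm == ".." or norm.startswith("../"):
            findings.append((path, "path escapes destination"))
            continue
        # Every proper parent of this entry: "a/b/c" -> "a", "a/b".
        parts = norm.split("/")
        parents = ["/".join(parts[:i]) for i in range(1, len(parts))]
        via = next((p for p in parents if p in symlinks), None)
        if via is not None:
            # Conservative: any write through an archive-created link is flagged.
            findings.append((path, f"written through symlink '{via}'"))
            continue
        if target is not None:
            symlinks.add(norm)
            # Resolve the link target relative to the link's own directory.
            resolved = posixpath.normpath(
                posixpath.join(dest, posixpath.dirname(norm), target))
            if resolved != dest and not resolved.startswith(dest + "/"):
                findings.append(
                    (path, f"symlink target '{target}' leaves destination"))
    return findings

if __name__ == "__main__":
    for path, reason in find_symlink_traversal(POC_ENTRIES):
        print(f"REFUSE {path}: {reason}")
```

The check is deliberately strict: a file stored under a symlink that stays inside the destination is also reported, because the link can be replaced between listing and extraction.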
CVE-2015-1038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1038): p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive.
I just had a look into the bump. * DOCS was moved to DOC * The three patches with 9.20.1- version are not needed anymore The only issue I don't know how to proceed concerns 9.04-makefile.patch. The source for the diff changed. RAR_OBJS is not defined anymore. If I remove any Rar*.o I come up with this patch: --- CPP/7zip/Bundles/Format7zFree/makefile.list 2015-03-29 15:32:08.556102622 +0200 +++ CPP/7zip/Bundles/Format7zFree/makefile.list.new 2015-03-29 15:31:57.774103350 +0200 @@ -828,7 +828,6 @@ NtfsHandler.o \ PeHandler.o \ PpmdHandler.o \ - RarHandler.o \ RpmHandler.o \ SplitHandler.o \ SquashfsHandler.o \ @@ -931,8 +930,6 @@ MyAesReg.o \ Pbkdf2HmacSha1.o \ RandGen.o \ - Rar20Crypto.o \ - RarAes.o \ Sha1.o \ Sha1Reg.o \ WzAes.o \ The ebuild diff: --- p7zip-9.20.1-r5.ebuild 2015-03-29 14:56:14.152248012 +0200 +++ p7zip-9.38.1.ebuild 2015-03-29 15:35:28.256089146 +0200 @@ -30,11 +30,6 @@ S=${WORKDIR}/${PN}_${PV} src_prepare() { - epatch \ - "${FILESDIR}"/${P}-execstack.patch \ - "${FILESDIR}"/${P}-QA.patch \ - "${FILESDIR}"/${P}-long_rar_pwd.patch - if ! use pch; then sed "s:PRE_COMPILED_HEADER=StdAfx.h.gch:PRE_COMPILED_HEADER=:g" -i makefile.* || die fi @@ -54,7 +49,7 @@ else sed -e '/Rar/d' -i makefile* || die rm -rf CPP/7zip/Compress/Rar || die - epatch "${FILESDIR}"/9.04-makefile.patch + epatch "${FILESDIR}"/${P}-makefile.patch fi sed -i \ @@ -153,7 +148,7 @@ dodoc ChangeLog README TODO if use doc; then - dodoc DOCS/*.txt - dohtml -r DOCS/MANUAL/* + dodoc DOC/*.txt + dohtml -r DOC/MANUAL/* fi } I took the testing -r5 as a base as it already supports multilib-build which just went stable. (not the ebuild but multilib...)
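Review bot: in the makefile.list patch, all three removed lines (RarHandler.o, Rar20Crypto.o, RarAes.o) match the pattern the ebuild's else branch already deletes with `sed -e '/Rar/d' -i makefile* || die`, so a version-specific ${P}-makefile.patch may not be needed at all. Adding CPP/7zip/Bundles/Format7zFree/makefile.list to that sed call would cover it, provided no other line in that file matches /Rar/ and has to stay. If the patch is kept, regenerate it so both file headers name the same path; as posted, the `+++` side points at makefile.list.new, which does not exist in the tree.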
*** Bug 545202 has been marked as a duplicate of this bug. ***
+*p7zip-9.20.1-r5 (16 Jun 2015) + + 16 Jun 2015; Justin Lecher <jlec@gentoo.org> + +files/p7zip-9.20.1-CVE-2015-1038.patch, +p7zip-9.20.1-r5.ebuild: + Import debian patch for CVE-2015-1038, bug #536012; latest version is still + vulnerable + @security, stable is fixed going to be fixed. Still waiting for the patch against latest ~arch version.
@arches, please stable p7zip-9.20.1-r5
amd64 stable
x86 stable
sparc stable
Stable for HPPA.
Stable for PPC64.
alpha stable
+*p7zip-9.38.1-r2 (22 Jun 2015) + + 22 Jun 2015; Justin Lecher <jlec@gentoo.org> + +files/p7zip-9.38.1-CVE-2015-1038.patch, +p7zip-9.38.1-r2.ebuild, + -p7zip-9.38.1-r1.ebuild: + Fix CVE-2015-1038 in latest version, bug #536012 + latest ~arch is now fixed as well. Only remaining stabilizations pending.
ppc stable
I'm using gentoo-prefix on osx 10.10, with use flag "+pch +rar", the patch p7zip-9.38.1-CVE-2015-1038.patch for 9.38.1-r2 causes a build failure:
---------------------------------------------
In file included from ../../../../CPP/7zip/UI/Common/Extract.cpp:9:
../../../../CPP/7zip/UI/Common/../../../Windows/FileDir.h:89:3: error: unknown type name 'ino_t'
ino_t _ino;
^
---------------------------------------------
I fixed it by adding the following line to the patch.
+#include <sys/stat.h>
like this:
---------------------------------------------
--- a/CPP/Windows/FileDir.h +++ b/CPP/Windows/FileDir.h @@ -4,6 +4,8 @@ #define __WINDOWS_FILE_DIR_H #include "../Common/MyString.h" +#include "../Common/MyVector.h" +#include <sys/stat.h> #include "FileIO.h"
---------------------------------------------
It's not that proper, but works for me, just so you know
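Review bot: for the `ino_t _ino;` member the compiler rejects at FileDir.h:89, POSIX specifies <sys/types.h> as the header that declares ino_t, so that is the narrower include if the header needs only the type and not struct stat. Whichever header is used, placing the system include ahead of the project includes ("../Common/MyString.h") rather than after "../Common/MyVector.h" keeps FileDir.h from depending on include order, and the fix belongs in p7zip-9.38.1-CVE-2015-1038.patch itself because the build currently works only where another header happens to pull the type in first.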
(In reply to Craxy Z from comment #14)
> I'm using gentoo-prefix on osx 10.10, with use flag "+pch +rar",
> the patch p7zip-9.38.1-CVE-2015-1038.patch for 9.38.1-r2 causes a build
> failure:
>
> ---------------------------------------------
> In file included from ../../../../CPP/7zip/UI/Common/Extract.cpp:9:
> ../../../../CPP/7zip/UI/Common/../../../Windows/FileDir.h:89:3: error:
> unknown type name 'ino_t'
> ino_t _ino;
> ^
> ---------------------------------------------
>
> I fixed it by adding the following line to the patch.
>
> +#include <sys/stat.h>
>
> like this:
> ---------------------------------------------
> --- a/CPP/Windows/FileDir.h > > +++ b/CPP/Windows/FileDir.h > > @@ -4,6 +4,8 @@ > > #define __WINDOWS_FILE_DIR_H > > > > #include "../Common/MyString.h" > > +#include "../Common/MyVector.h" > > +#include <sys/stat.h> > > > > #include "FileIO.h"
> ---------------------------------------------
>
> It's not that proper, but works for me, just so you know

Please file an additional bug for this. The prefix team needs to take care of it.
ia64 stable Cleanup, please! GLSA vote: no.
+ 30 Jul 2015; Justin Lecher <jlec@gentoo.org> -p7zip-9.20.1-r4.ebuild: + Drop vulnerable version, bug #536012 + cleaned.
Vote: NO.