From 69627985551482e085150d040ba6f64dea96f383 Mon Sep 17 00:00:00 2001
From: Sebastien BALLET <slacker6896@gmail.com>
Date: Wed, 1 Jun 2016 07:41:44 +0700
Subject: system/p7zip: Add security patches.

CVE-2015-1038
CVE-2016-2335.

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
---
 system/p7zip/p7zip.SlackBuild | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

(limited to 'system/p7zip/p7zip.SlackBuild')

diff --git a/system/p7zip/p7zip.SlackBuild b/system/p7zip/p7zip.SlackBuild
index d2753aa927..e9eb5b372c 100644
--- a/system/p7zip/p7zip.SlackBuild
+++ b/system/p7zip/p7zip.SlackBuild
@@ -23,8 +23,8 @@
 # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 PRGNAM=p7zip
-VERSION=9.20.1
-BUILD=${BUILD:-1}
+VERSION=${VERSION:-9.20.1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 
 if [ -z "$ARCH" ]; then
@@ -70,7 +70,22 @@ find -L . \
  \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
   -o -perm 511 \) -exec chmod 755 {} \; -o \
  \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
- -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+  -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+# patch to fix security issues :
+#
+#  CVE-2015-1038:
+#   p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive.
+#   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1038
+#   https://sourceforge.net/p/p7zip/bugs/147/#2f9c
+#
+#  CVE-2016-2335:
+#    7zip UDF CInArchive::ReadFileItem Code Execution Vulnerability
+#    http://www.talosintel.com/reports/TALOS-2016-0094/
+#    https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/#1dba
+#
+patch -Np1 < $CWD/CVE-2015-1038.patch
+patch -Np1 < $CWD/CVE-2016-2335.patch
 
 make all3 \
   OPTFLAGS="$SLKCFLAGS" \
-- 
cgit v1.2.3-80-g2a13