From 955701709f8fff53fb0e9b09926b82f91b2f53c8 Mon Sep 17 00:00:00 2001 From: Bart Brouns Date: Thu, 11 Jun 2020 14:29:15 +0200 Subject: [PATCH] p7zip: switch to maintained fork This the fork that true-upstream seems to prefer, see: https://www.7-zip.org/links.html --- .../archivers/p7zip/12-CVE-2016-9296.patch | 23 --------- .../archivers/p7zip/13-CVE-2017-17969.patch | 35 -------------- pkgs/tools/archivers/p7zip/default.nix | 47 +++++++------------ 3 files changed, 16 insertions(+), 89 deletions(-) delete mode 100644 pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch delete mode 100644 pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch diff --git a/pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch b/pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch deleted file mode 100644 index 42245c92c0aa..000000000000 --- a/pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: Robert Luberda -Date: Sat, 19 Nov 2016 08:48:08 +0100 -Subject: Fix nullptr dereference (CVE-2016-9296) - -Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ ---- - CPP/7zip/Archive/7z/7zIn.cpp | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/CPP/7zip/Archive/7z/7zIn.cpp b/CPP/7zip/Archive/7z/7zIn.cpp -index b0c6b98..7c6dde2 100644 ---- a/CPP/7zip/Archive/7z/7zIn.cpp -+++ b/CPP/7zip/Archive/7z/7zIn.cpp -@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams( - if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) - ThrowIncorrect(); - } -- HeadersSize += folders.PackPositions[folders.NumPackStreams]; -+ if (folders.PackPositions) -+ HeadersSize += folders.PackPositions[folders.NumPackStreams]; - return S_OK; - } - diff --git a/pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch b/pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch deleted file mode 100644 index a9787c4a9088..000000000000 --- a/pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: =?utf-8?q?Antoine_Beaupr=C3=A9?= -Date: Fri, 2 Feb 2018 11:11:41 +0100 -Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp - -Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch -Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7 -Bug: https://sourceforge.net/p/p7zip/bugs/204/ -Bug-Debian: https://bugs.debian.org/888297 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969 -Reviewed-by: Salvatore Bonaccorso -Last-Update: 2018-02-01 -Applied-Upstream: 18.00-beta ---- - CPP/7zip/Compress/ShrinkDecoder.cpp | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp -index 80b7e67..ca37764 100644 ---- a/CPP/7zip/Compress/ShrinkDecoder.cpp -+++ b/CPP/7zip/Compress/ShrinkDecoder.cpp -@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * - { - _stack[i++] = _suffixes[cur]; - cur = _parents[cur]; -+ if (cur >= kNumItems || i >= kNumItems) -+ break; - } -- -+ -+ if (cur >= kNumItems || i >= kNumItems) -+ break; -+ - _stack[i++] = (Byte)cur; - lastChar2 = (Byte)cur; - diff --git a/pkgs/tools/archivers/p7zip/default.nix b/pkgs/tools/archivers/p7zip/default.nix index d6ad699eaa8d..773d37f0b758 100644 --- a/pkgs/tools/archivers/p7zip/default.nix +++ b/pkgs/tools/archivers/p7zip/default.nix @@ -1,28 +1,17 @@ -{ stdenv, fetchurl, fetchpatch, lib, enableUnfree ? false }: +{ stdenv, fetchFromGitHub, lib, enableUnfree ? false }: stdenv.mkDerivation rec { pname = "p7zip"; - version = "16.02"; + version = "17.01"; - src = fetchurl { - url = "mirror://sourceforge/p7zip/p7zip_${version}_src_all.tar.bz2"; - sha256 = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f"; - }; - patches = [ - ./12-CVE-2016-9296.patch - ./13-CVE-2017-17969.patch - (fetchpatch { - name = "3-CVE-2018-5996.patch"; - url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch"; - sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp"; - }) - (fetchpatch { - name = "4-CVE-2018-10115.patch"; - url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch"; - sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6"; - }) - ]; + src = fetchFromGitHub { + owner = "szcnick"; + repo = pname; + rev = "v${version}"; + sha256 = "0gczdmypwbfnxzb11rjrrndjkkb3jzxfby2cchn5j8ysny13mfps"; + } + ; # Default makefile is full of impurities on Darwin. The patch doesn't hurt Linux so I'm leaving it unconditional postPatch = '' @@ -39,14 +28,15 @@ stdenv.mkDerivation rec { # (see DOC/License.txt, https://fedoraproject.org/wiki/Licensing:Unrar) rm -r CPP/7zip/Compress/Rar* find . -name makefile'*' -exec sed -i '/Rar/d' {} + + chmod +x install.sh ''; preConfigure = '' makeFlagsArray=(DEST_HOME=$out) - buildFlags=all3 - '' + stdenv.lib.optionalString stdenv.isDarwin '' - cp makefile.macosx_llvm_64bits makefile.machine - ''; + buildFlags=all3 + '' + stdenv.lib.optionalString stdenv.isDarwin '' + cp makefile.macosx_llvm_64bits makefile.machine +''; enableParallelBuilding = true; @@ -55,15 +45,10 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.cc.isClang "-Wno-error=c++11-narrowing"; meta = { - homepage = "http://p7zip.sourceforge.net/"; - description = "A port of the 7-zip archiver"; + homepage = "https://github.com/szcnick/p7zip"; + description = "A new p7zip fork with additional codecs and improvements (forked from https://sourceforge.net/projects/p7zip/)"; platforms = stdenv.lib.platforms.unix; maintainers = [ stdenv.lib.maintainers.raskin ]; - knownVulnerabilities = [ - # p7zip is abandoned, according to this thread on its forums: - # https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/#1817 - "p7zip is abandoned and may not receive important security fixes" - ]; # RAR code is under non-free UnRAR license, but we remove it license = if enableUnfree then lib.licenses.unfree else lib.licenses.lgpl2Plus; };