Fix CVE-2015-1038, bump PKGREVISION

3 files changed, 281 insertions, 2 deletions

diff --git a/archivers/p7zip/Makefile b/archivers/p7zip/Makefile
index 076b1ee8e73..d3821d2e212 100644
--- a/archivers/p7zip/Makefile
+++ b/archivers/p7zip/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.59 2015/12/29 19:39:21 adam Exp $
+# $NetBSD: Makefile,v 1.60 2016/02/14 08:39:47 ryoon Exp $
 
 DISTNAME=	p7zip_15.09_src_all
 PKGNAME=	p7zip-15.09
+PKGREVISION=	1
 CATEGORIES=	archivers
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=p7zip/}
 EXTRACT_SUFX=	.tar.bz2
diff --git a/archivers/p7zip/distinfo b/archivers/p7zip/distinfo
index f0ac9c5d1b2..2b7ad5ebbbd 100644
--- a/archivers/p7zip/distinfo
+++ b/archivers/p7zip/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.45 2015/12/29 19:39:21 adam Exp $
+$NetBSD: distinfo,v 1.46 2016/02/14 08:39:47 ryoon Exp $
 
 SHA1 (p7zip_15.09_src_all.tar.bz2) = d5d21ac15e7c197f8af0366694ab9a301cfce972
 RMD160 (p7zip_15.09_src_all.tar.bz2) = f9ca03529644f43893f1f1b7ef6d864549e53022
 SHA512 (p7zip_15.09_src_all.tar.bz2) = 4f020b13632ef7a85aa8a98586b59bef2dde3c1cbebdbd17e01f1d09b2e13a56ecfe82546d7efc677c45df67456a71cfdb67826b53ebea4c0fb4878f20c2f6dd
 Size (p7zip_15.09_src_all.tar.bz2) = 4048481 bytes
 SHA1 (patch-CPP_Windows_DLL.cpp) = 12fb3f3cf4d32b8848f741dde6bcb0e56a9c6745
+SHA1 (patch-CVE-2015-1038) = 461acb6f72cb98fe5f8b240c5d6ed4310404263c
 SHA1 (patch-aa) = 9c103fa831cc6ff099e3a604c763ff416f1b48ec
 SHA1 (patch-ab) = c680fb037b9ef5e19e4c8dc71dd710598277a61b
 SHA1 (patch-ac) = a7afeded4aeb5ef230d006d1556ee601a6190063
diff --git a/archivers/p7zip/patches/patch-CVE-2015-1038 b/archivers/p7zip/patches/patch-CVE-2015-1038
new file mode 100644
index 00000000000..ef76893b0bc
--- /dev/null
+++ b/archivers/p7zip/patches/patch-CVE-2015-1038
@@ -0,0 +1,277 @@
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+* A patch for CVE-2015-1038
+  http://pkgs.fedoraproject.org/cgit/rpms/p7zip.git/plain/p7zip-15.09-CVE-2015-1038.patch
+
+--- CPP/7zip/UI/Agent/Agent.cpp.orig	2015-09-17 19:02:35.000000000 +0000
++++ CPP/7zip/UI/Agent/Agent.cpp
+@@ -1515,7 +1515,7 @@ STDMETHODIMP CAgentFolder::Extract(const
+   HRESULT result = _agentSpec->GetArchive()->Extract(&realIndices.Front(),
+       realIndices.Size(), testMode, extractCallback);
+   if (result == S_OK)
+-    result = extractCallbackSpec->SetDirsTimes();
++    result = extractCallbackSpec->SetFinalAttribs();
+   return result;
+   COM_TRY_END
+ }
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+--- CPP/7zip/UI/Client7z/Client7z.cpp.orig	2015-10-17 14:52:30.000000000 +0000
++++ CPP/7zip/UI/Client7z/Client7z.cpp
+@@ -230,8 +230,11 @@ private:
+   COutFileStream *_outFileStreamSpec;
+   CMyComPtr<ISequentialOutStream> _outFileStream;
+ 
++  CObjectVector<NWindows::NFile::NDir::CDelayedSymLink> _delayedSymLinks;
++
+ public:
+   void Init(IInArchive *archiveHandler, const FString &directoryPath);
++  HRESULT SetFinalAttribs();
+ 
+   UInt64 NumErrors;
+   bool PasswordIsDefined;
+@@ -449,11 +452,23 @@ STDMETHODIMP CArchiveExtractCallback::Se
+   }
+   _outFileStream.Release();
+   if (_extractMode && _processedFileInfo.AttribDefined)
+-    SetFileAttrib(_diskFilePath, _processedFileInfo.Attrib);
++    SetFileAttrib(_diskFilePath, _processedFileInfo.Attrib, &_delayedSymLinks);
+   PrintNewLine();
+   return S_OK;
+ }
+ 
++HRESULT CArchiveExtractCallback::SetFinalAttribs()
++{
++  HRESULT result = S_OK;
++
++  for (int i = 0; i != _delayedSymLinks.Size(); ++i)
++    if (!_delayedSymLinks[i].Create())
++      result = E_FAIL;
++
++  _delayedSymLinks.Clear();
++
++  return result;
++}
+ 
+ STDMETHODIMP CArchiveExtractCallback::CryptoGetTextPassword(BSTR *password)
+ {
+@@ -914,6 +929,8 @@ int MY_CDECL main(int numArgs, const cha
+       // extractCallbackSpec->PasswordIsDefined = true;
+       // extractCallbackSpec->Password = L"1";
+       HRESULT result = archive->Extract(NULL, (UInt32)(Int32)(-1), false, extractCallback);
++      if (result == S_OK)
++	result = extractCallbackSpec->SetFinalAttribs();
+       if (result != S_OK)
+       {
+         PrintError("Extract Error");
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+--- CPP/7zip/UI/Common/ArchiveExtractCallback.cpp.orig	2015-10-03 08:49:15.000000000 +0000
++++ CPP/7zip/UI/Common/ArchiveExtractCallback.cpp
+@@ -1502,7 +1502,7 @@ STDMETHODIMP CArchiveExtractCallback::Se
+     NumFiles++;
+ 
+   if (!_stdOutMode && _extractMode && _fi.AttribDefined)
+-    SetFileAttrib(_diskFilePath, _fi.Attrib);
++    SetFileAttrib(_diskFilePath, _fi.Attrib, &_delayedSymLinks);
+   
+   RINOK(_extractCallback2->SetOperationResult(opRes, BoolToInt(_encrypted)));
+   
+@@ -1584,8 +1584,9 @@ static unsigned GetNumSlashes(const FCha
+   }
+ }
+ 
+-HRESULT CArchiveExtractCallback::SetDirsTimes()
++HRESULT CArchiveExtractCallback::SetFinalAttribs()
+ {
++  HRESULT result = S_OK;
+   CRecordVector<CExtrRefSortPair> pairs;
+   pairs.ClearAndSetSize(_extractedFolderPaths.Size());
+   unsigned i;
+@@ -1622,5 +1623,12 @@ HRESULT CArchiveExtractCallback::SetDirs
+       (WriteATime && ATimeDefined) ? &ATime : NULL,
+       (WriteMTime && MTimeDefined) ? &MTime : (_arc->MTimeDefined ? &_arc->MTime : NULL));
+   }
+-  return S_OK;
++
++  for (int i = 0; i != _delayedSymLinks.Size(); ++i)
++    if (!_delayedSymLinks[i].Create())
++      result = E_FAIL;
++
++  _delayedSymLinks.Clear();
++
++  return result;
+ }
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+--- CPP/7zip/UI/Common/ArchiveExtractCallback.h.orig	2015-10-03 10:29:09.000000000 +0000
++++ CPP/7zip/UI/Common/ArchiveExtractCallback.h
+@@ -6,6 +6,8 @@
+ #include "../../../Common/MyCom.h"
+ #include "../../../Common/Wildcard.h"
+ 
++#include "../../../Windows/FileDir.h"
++
+ #include "../../IPassword.h"
+ 
+ #include "../../Common/FileStreams.h"
+@@ -237,6 +239,8 @@ class CArchiveExtractCallback:
+   bool _saclEnabled;
+   #endif
+ 
++  CObjectVector<NWindows::NFile::NDir::CDelayedSymLink> _delayedSymLinks;
++
+   void CreateComplexDirectory(const UStringVector &dirPathParts, FString &fullPath);
+   HRESULT GetTime(int index, PROPID propID, FILETIME &filetime, bool &filetimeIsDefined);
+   HRESULT GetUnpackSize();
+@@ -330,7 +334,7 @@ public:
+   }
+   #endif
+ 
+-  HRESULT SetDirsTimes();
++  HRESULT SetFinalAttribs();
+ };
+ 
+ bool CensorNode_CheckPath(const NWildcard::CCensorNode &node, const CReadArcItem &item);
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+--- CPP/7zip/UI/Common/Extract.cpp.orig	2015-09-07 19:47:32.000000000 +0000
++++ CPP/7zip/UI/Common/Extract.cpp
+@@ -207,7 +207,7 @@ static HRESULT DecompressArchive(
+   else
+     result = archive->Extract(&realIndices.Front(), realIndices.Size(), testMode, ecs);
+   if (result == S_OK && !options.StdInMode)
+-    result = ecs->SetDirsTimes();
++    result = ecs->SetFinalAttribs();
+   return callback->ExtractResult(result);
+ }
+ 
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+--- CPP/Windows/FileDir.cpp.orig	2015-10-10 12:37:41.000000000 +0000
++++ CPP/Windows/FileDir.cpp
+@@ -347,7 +347,8 @@ static int convert_to_symlink(const char
+   return -1;
+ }
+ 
+-bool SetFileAttrib(CFSTR fileName, DWORD fileAttributes)
++bool SetFileAttrib(CFSTR fileName, DWORD fileAttributes,
++		   CObjectVector<CDelayedSymLink> *delayedSymLinks)
+ {
+   if (!fileName) {
+     SetLastError(ERROR_PATH_NOT_FOUND);
+@@ -379,7 +380,9 @@ bool SetFileAttrib(CFSTR fileName, DWORD
+      stat_info.st_mode = fileAttributes >> 16;
+ #ifdef ENV_HAVE_LSTAT
+      if (S_ISLNK(stat_info.st_mode)) {
+-        if ( convert_to_symlink(name) != 0) {
++        if (delayedSymLinks)
++          delayedSymLinks->Add(CDelayedSymLink(name));
++        else if ( convert_to_symlink(name) != 0) {
+           TRACEN((printf("SetFileAttrib(%s,%d) : false-3\n",(const char *)name,fileAttributes)))
+           return false;
+         }
+@@ -814,6 +817,43 @@ bool CTempDir::Remove()
+   return !_mustBeDeleted;
+ }
+ 
++#ifdef ENV_UNIX
++
++CDelayedSymLink::CDelayedSymLink(const char * source)
++  : _source(source)
++{
++  struct stat st;
++
++  if (lstat(_source, &st) == 0) {
++    _dev = st.st_dev;
++    _ino = st.st_ino;
++  } else {
++    _dev = 0;
++  }
++}
++
++bool CDelayedSymLink::Create()
++{
++  struct stat st;
++
++  if (_dev == 0) {
++    errno = EPERM;
++    return false;
++  }
++  if (lstat(_source, &st) != 0)
++    return false;
++  if (_dev != st.st_dev || _ino != st.st_ino) {
++    // Placeholder file has been overwritten or moved by another
++    // symbolic link creation
++    errno = EPERM;
++    return false;
++  }
++
++  return convert_to_symlink(_source) == 0;
++}
++
++#endif // ENV_UNIX
++
+ }}}
+ 
+ #ifndef _SFX
+$NetBSD: patch-CVE-2015-1038,v 1.1 2016/02/14 08:39:47 ryoon Exp $
+
+--- CPP/Windows/FileDir.h.orig	2015-06-19 10:52:06.000000000 +0000
++++ CPP/Windows/FileDir.h
+@@ -4,6 +4,7 @@
+ #define __WINDOWS_FILE_DIR_H
+ 
+ #include "../Common/MyString.h"
++#include "../Common/MyVector.h"
+ 
+ #include "FileIO.h"
+ 
+@@ -11,11 +12,14 @@ namespace NWindows {
+ namespace NFile {
+ namespace NDir {
+ 
++class CDelayedSymLink;
++
+ bool GetWindowsDir(FString &path);
+ bool GetSystemDir(FString &path);
+ 
+ bool SetDirTime(CFSTR path, const FILETIME *cTime, const FILETIME *aTime, const FILETIME *mTime);
+-bool SetFileAttrib(CFSTR path, DWORD attrib);
++bool SetFileAttrib(CFSTR path, DWORD attrib,
++		   CObjectVector<CDelayedSymLink> *delayedSymLinks = 0);
+ bool MyMoveFile(CFSTR existFileName, CFSTR newFileName);
+ 
+ #ifndef UNDER_CE
+@@ -76,6 +80,31 @@ public:
+   bool Remove();
+ };
+ 
++// Symbolic links must be created last so that they can't be used to
++// create or overwrite files above the extraction directory.
++class CDelayedSymLink
++{
++#ifdef ENV_UNIX
++  // Where the symlink should be created.  The target is specified in
++  // the placeholder file.
++  AString _source;
++
++  // Device and inode of the placeholder file.  Before creating the
++  // symlink, we must check that these haven't been changed by creation
++  // of another symlink.
++  dev_t _dev;
++  ino_t _ino;
++
++public:
++  explicit CDelayedSymLink(const char * source);
++  bool Create();
++#else // !ENV_UNIX
++public:
++  CDelayedSymLink(const char * source) {}
++  bool Create() { return true; }
++#endif // ENV_UNIX
++};
++
+ #if !defined(UNDER_CE)
+ class CCurrentDirRestorer
+ {