Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 17 Aug 2017 14:20:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 221589] archivers/arj: fix build on armv6, fix multiple vulnerabilities and other improvements
Message-ID:  <bug-221589-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D221589

            Bug ID: 221589
           Summary: archivers/arj: fix build on armv6, fix multiple
                    vulnerabilities and other improvements
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: garga@FreeBSD.org
          Reporter: mikael.urankar@gmail.com
          Assignee: garga@FreeBSD.org
             Flags: maintainer-feedback?(garga@FreeBSD.org)

Created attachment 185526
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D185526&action=
=3Dedit
patch

Hi,

Most of the patches come from the debian repo [1]

 * Fix buffer overflow from size under user control.
   This is causing free() on an invalid pointer.
   Fixes: CVE-2015-2782
 * Fix absolute path directory traversal.
   Fixes: CVE-2015-0557
 * Fix symlink directory traversal.
   Fixes: CVE-2015-0556
 * fix build on armv6 and probably mips.
 * fix parallel build.
 * stability fixes.


The following patches from [1] were merged:
 - 001_arches_align.patch (needed for armv6, I get a sigbus without it)
 - 003_64_bit_clean.patch
 - 004_parallel_build.patch (slightly modified to fix the parallel build on
qemu/armv6)
 - out-of-bounds-read.patch
 - security-afl.patch
 - security-traversal-dir.patch
 - security-traversal-symlink.patch
 - security_format.patch

I don't think these patches are of any interest to us (and are not merged i=
n my
patch):
 - 005_use_system_strnlen.patch
 - doc_refer_robert_k_jung.patch
 - gnu_build_fix.patch
 - gnu_build_flags.patch
 - gnu_build_strip.patch
 - hurd_no_fcntl_getlk.patch


These patches are probably interesting, I can merge them if you want:
 - self_integrity_64bit.patch
 - 006_use_safe_strcpy.patch

poudriere ok on 10.3 i386, 10.3 amd64, 11.1 i386, 11.1 amd64 and 12-current
armv6
(I can provide build logs if needed)

[1] https://git.hadrons.org/cgit/debian/pkgs/arj.git/tree/debian/patches

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-221589-13>