[Bug 221589] archivers/arj: fix build on armv6, fix multiple vulnerabilities and other improvements

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Aug 17 14:20:28 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221589

            Bug ID: 221589
           Summary: archivers/arj: fix build on armv6, fix multiple
                    vulnerabilities and other improvements
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: garga at FreeBSD.org
          Reporter: mikael.urankar at gmail.com
             Flags: maintainer-feedback?(garga at FreeBSD.org)

Created attachment 185526
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=185526&action=edit
patch

Hi,

Most of the patches come from the Debian repo [1].

 * Fix buffer overflow from size under user control.
   This is causing free() on an invalid pointer.
   Fixes: CVE-2015-2782
 * Fix absolute path directory traversal.
   Fixes: CVE-2015-0557
 * Fix symlink directory traversal.
   Fixes: CVE-2015-0556
 * Fix build on armv6 and probably mips.
 * Fix parallel build.
 * Stability fixes.


The following patches from [1] were merged:
 - 001_arches_align.patch (needed for armv6, I get a SIGBUS without it)
 - 003_64_bit_clean.patch
 - 004_parallel_build.patch (slightly modified to fix the parallel build on qemu/armv6)
 - out-of-bounds-read.patch
 - security-afl.patch
 - security-traversal-dir.patch
 - security-traversal-symlink.patch
 - security_format.patch

I don't think these patches are of any interest to us (and are not merged in my patch):
 - 005_use_system_strnlen.patch
 - doc_refer_robert_k_jung.patch
 - gnu_build_fix.patch
 - gnu_build_flags.patch
 - gnu_build_strip.patch
 - hurd_no_fcntl_getlk.patch


These patches are probably interesting; I can merge them if you want:
 - self_integrity_64bit.patch
 - 006_use_safe_strcpy.patch

poudriere OK on 10.3 i386, 10.3 amd64, 11.1 i386, 11.1 amd64 and 12-current armv6
(I can provide build logs if needed).

[1] https://git.hadrons.org/cgit/debian/pkgs/arj.git/tree/debian/patches

-- 
You are receiving this mail because:
You are the assignee for the bug.

