# HG changeset patch # User Lukas Rovensky # Date 1469644348 25200 # Node ID ea93ede4968ec4480f9056363f98919419a1427e # Parent 0901797054b45223f42601e5d5167608006aafd7 23313908 problem in UTILITY/P7ZIP 23313942 problem in UTILITY/P7ZIP 22288416 p7zip 15.14.1 19581879 p7zip 64-bit and ASLR diff -r 0901797054b4 -r ea93ede4968e components/p7zip/Makefile --- a/components/p7zip/Makefile Wed Sep 07 00:15:35 2016 -0700 +++ b/components/p7zip/Makefile Wed Jul 27 11:32:28 2016 -0700 @@ -20,24 +20,29 @@ # # -# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. # +# When building with Studio, p7zip has many warnings about extra semicolons, +# and at least one hard error due to an extra semicolon. It also suffers from +# the pragma pack push/pop problem (15358176). +COMPILER= gcc + include ../../make-rules/shared-macros.mk PATH=$(SPRO_VROOT)/bin:/usr/bin:/usr/gnu/bin COMPONENT_NAME= p7zip -COMPONENT_VERSION= 9.20.1 +COMPONENT_VERSION= 15.14.1 COMPONENT_PROJECT_URL= http://p7zip.sourceforge.net/ COMPONENT_SRC= $(COMPONENT_NAME)_$(COMPONENT_VERSION) COMPONENT_ARCHIVE= $(COMPONENT_SRC)_src_all.tar.bz2 COMPONENT_ARCHIVE_HASH= \ - sha256:49557e7ffca08100f9fc687f4dfc5aea703ca207640c76d9dee7b66f03cb4782 + sha256:699db4da3621904113e040703220abb1148dfef477b55305e2f14a4f1f8f25d4 COMPONENT_ARCHIVE_URL= http://downloads.sourceforge.net/project/p7zip/p7zip/$(COMPONENT_VERSION)/$(COMPONENT_ARCHIVE) COMPONENT_BUGDB= utility/p7zip -TPNO= 20368 +TPNO= 27905 include $(WS_MAKE_RULES)/prep.mk include $(WS_MAKE_RULES)/justmake.mk 
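Review bot: In components/p7zip/Makefile, the bump of `COMPONENT_VERSION` to 15.14.1 goes together with the deletion of patches/CVE-2015-1038.patch later in this changeset, yet nothing in the Makefile or the description records that the 15.14.1 source already contains the delayed-symlink fix. The deleted patch's header only says the fix was expected "at some point after 9.38.1", so the removal is probably correct, but that is inferred rather than stated. I would confirm it against the new source and leave a trace next to the version line, for example `# CVE-2015-1038 (symlink handling during extraction) is fixed upstream in this release; local patch dropped.` A regression check for the behaviour described in the deleted patch header would stop a later rebase from reintroducing the problem unnoticed.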
@@ -47,35 +52,41 @@ COMPONENT_BUILD_TARGETS = all3 COMPONENT_INSTALL_ARGS += DEST_HOME=/usr DEST_DIR=$(PROTO_DIR) -$(SOURCE_DIR)/DOCS/copying.txt $(SOURCE_DIR)/DOCS/unRarLicense.txt: prep +# -Bdirect breaks x86 binaries - exceptions are not caught +LD_B_DIRECT= -$(BUILD_DIR)/%: $(SOURCE_DIR)/DOCS/% +$(SOURCE_DIR)/DOC/copying.txt $(SOURCE_DIR)/DOC/unRarLicense.txt: prep + +$(BUILD_DIR)/%: $(SOURCE_DIR)/DOC/% $(CP) $< $@ -$(BUILD_DIR)/copying.txt: $(SOURCE_DIR)/DOCS/copying.txt - $(CP) $(SOURCE_DIR)/DOCS/copying.txt $@ +$(BUILD_DIR)/copying.txt: $(SOURCE_DIR)/DOC/copying.txt + $(CP) $(SOURCE_DIR)/DOC/copying.txt $@ + +ASLR_MODE = $(ASLR_ENABLE) # common targets -build: $(BUILD_32) +build: $(BUILD_64) EXTRATARGETS = \ $(BUILD_DIR)/copying.txt $(BUILD_DIR)/unRarLicense.txt -install: build $(INSTALL_32) $(EXTRATARGETS) +install: build $(INSTALL_64) $(EXTRATARGETS) # When p7zip's install target is run, it creates all its directories mode 555, # so they're impossible to remove without adding the write bit first. COMPONENT_POST_INSTALL_ACTION += $(CHMOD) -R u+w $(PROTO_DIR) # build does this always -test: $(BUILD_32) - cd $(BUILD_DIR_32) && $(MAKE) -e test P7ZIP_HOME_DIR=$(BUILD_DIR_32)/bin - cd $(BUILD_DIR_32) && $(MAKE) -e test_7z P7ZIP_HOME_DIR=$(BUILD_DIR_32)/bin - cd $(BUILD_DIR_32) && $(MAKE) -e test_7zr P7ZIP_HOME_DIR=$(BUILD_DIR_32)/bin +test: $(BUILD_64) + cd $(BUILD_DIR_64) && $(MAKE) -e test P7ZIP_HOME_DIR=$(BUILD_DIR_64)/bin + cd $(BUILD_DIR_64) && $(MAKE) -e test_7z P7ZIP_HOME_DIR=$(BUILD_DIR_64)/bin + cd $(BUILD_DIR_64) && $(MAKE) -e test_7zr P7ZIP_HOME_DIR=$(BUILD_DIR_64)/bin REQUIRED_PACKAGES += shell/ksh93 REQUIRED_PACKAGES += system/library -REQUIRED_PACKAGES += system/library/c++-runtime +REQUIRED_PACKAGES += system/library/gcc/gcc-c++-runtime +REQUIRED_PACKAGES += system/library/gcc/gcc-c-runtime REQUIRED_PACKAGES += system/library/math diff -r 0901797054b4 -r ea93ede4968e components/p7zip/makefile.solaris 
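Review bot: In the second Makefile hunk, `LD_B_DIRECT=` is cleared for every architecture, while the comment above it names only x86 as the platform where -Bdirect stops exceptions from being caught. If SPARC binaries are unaffected, this drops direct binding there without a stated reason. If both platforms are meant to be treated alike, the comment should say so and cite the bug id, e.g. `# -Bdirect breaks x86 binaries (exceptions are not caught); disabled on SPARC as well to keep both builds identical.` The new `ASLR_MODE = $(ASLR_ENABLE)` line would also benefit from a one-line comment tying it to 19581879 from the description.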
--- a/components/p7zip/makefile.solaris Wed Sep 07 00:15:35 2016 -0700 +++ b/components/p7zip/makefile.solaris Wed Jul 27 11:32:28 2016 -0700 @@ -20,30 +20,25 @@ # # -# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. # -OPTFLAGS=-O +OPTFLAGS=-O -s LFS_CFLAGS = $(shell getconf LFS_CFLAGS) -ALLFLAGS=${OPTFLAGS} -s -mt \ +ALLFLAGS=${OPTFLAGS} -m64 \ -DHAVE_LONG_LONG \ $(LFS_CFLAGS) \ -DENV_UNIX \ -DNDEBUG -D_REENTRANT \ + -D_7ZIP_LARGE_PAGES \ $(LOCAL_FLAGS) -CXX=CC $(ALLFLAGS) -CC=cc $(ALLFLAGS) -CC_SHARED=-KPIC -LINK_SHARED=-KPIC -G -LDFLAGS = -norunpath - -LOCAL_LIBS=-lpthread -LOCAL_LIBS_DLL=$(LOCAL_LIBS) - -../../../../bin/Codecs/Rar29.so ../../../../bin/7z.so : LOCAL_LIBS += -lCrun +CXX=g++ +CC=gcc +CC_SHARED=-fPIC +LINK_SHARED=-fPIC -shared OBJ_CRC32=$(OBJ_CRC32_C) diff -r 0901797054b4 -r ea93ede4968e components/p7zip/p7zip.p5m --- a/components/p7zip/p7zip.p5m Wed Sep 07 00:15:35 2016 -0700 +++ b/components/p7zip/p7zip.p5m Wed Jul 27 11:32:28 2016 -0700 @@ -19,7 +19,7 @@ # # -# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved. # default mangler.man.stability uncommitted> 
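Review bot: In components/p7zip/makefile.solaris, `CXX=g++` and `CC=gcc` no longer carry `$(ALLFLAGS)`, so `-m64` and `-D_REENTRANT` now reach the compile and link commands only if the upstream makefile that includes this file adds `$(ALLFLAGS)` to both, which the hunk does not show. A link step that misses `-m64` would fail or produce objects of the wrong class, so this is worth confirming in the 15.14.1 makefiles. The hunk also removes `LOCAL_LIBS`, `LOCAL_LIBS_DLL` and `LDFLAGS` and adds `-D_7ZIP_LARGE_PAGES`, none of which is explained. A short comment above `ALLFLAGS` saying which upstream variables consume it and why large pages are enabled would make the next version bump safer.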
@@ -40,66 +40,95 @@ file usr/lib/p7zip/7za path=usr/bin/7za file usr/lib/p7zip/7zr path=usr/bin/7zr file contrib/gzip-like_CLI_wrapper_for_7z/p7zip path=usr/bin/p7zip -dir path=usr/lib/7z -file usr/lib/p7zip/7z.so path=usr/lib/7z/7z.so -dir path=usr/lib/7z/Codecs -file usr/lib/p7zip/Codecs/Rar29.so path=usr/lib/7z/Codecs/Rar29.so -dir path=usr/share/doc/p7zip +# Prevent "64-bit binary in 32-bit path" errors, which don't apply here. +file usr/lib/p7zip/7z.so path=usr/lib/7z/7z.so \ + pkg.linted.userland.action001.2=true +file usr/lib/p7zip/Codecs/Rar.so path=usr/lib/7z/Codecs/Rar.so \ + pkg.linted.userland.action001.2=true file path=usr/share/doc/p7zip/ChangeLog -dir path=usr/share/doc/p7zip/DOCS -file path=usr/share/doc/p7zip/DOCS/7zC.txt -file path=usr/share/doc/p7zip/DOCS/7zFormat.txt -file path=usr/share/doc/p7zip/DOCS/License.txt -dir path=usr/share/doc/p7zip/DOCS/MANUAL -dir path=usr/share/doc/p7zip/DOCS/MANUAL/commands -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/add.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/bench.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/delete.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/extract.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/extract_full.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/index.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/list.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/style.css -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/test.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/commands/update.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/exit_codes.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/index.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/style.css -dir path=usr/share/doc/p7zip/DOCS/MANUAL/switches -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/ar_exclude.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/ar_include.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/ar_no.htm -file 
path=usr/share/doc/p7zip/DOCS/MANUAL/switches/charset.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/exclude.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/include.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/index.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/large_pages.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/list_tech.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/method.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/output_dir.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/overwrite.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/password.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/recurse.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/sfx.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/ssc.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/stdin.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/stdout.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/stop_switch.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/style.css -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/type.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/update.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/volume.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/working_dir.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/switches/yes.htm -file path=usr/share/doc/p7zip/DOCS/MANUAL/syntax.htm -file path=usr/share/doc/p7zip/DOCS/Methods.txt -file path=usr/share/doc/p7zip/DOCS/copying.txt -file path=usr/share/doc/p7zip/DOCS/history.txt -file path=usr/share/doc/p7zip/DOCS/lzma.txt -file path=usr/share/doc/p7zip/DOCS/readme.txt -file path=usr/share/doc/p7zip/DOCS/unRarLicense.txt +file path=usr/share/doc/p7zip/DOC/7zC.txt +file path=usr/share/doc/p7zip/DOC/7zFormat.txt +file path=usr/share/doc/p7zip/DOC/License.txt +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/add.htm +file 
path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/bench.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/delete.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/extract.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/extract_full.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/hash.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/index.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/list.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/rename.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/style.css +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/test.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/commands/update.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/exit_codes.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/index.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/style.css +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/ar_exclude.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/ar_include.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/ar_no.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/bb.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/bs.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/charset.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/email.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/exclude.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/include.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/index.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/large_pages.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/list_tech.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/method.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/output_dir.htm +file 
path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/overwrite.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/password.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/recurse.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/sa.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/scc.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/scrc.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/sdel.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/sfx.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/shared.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/sni.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/sns.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/spf.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/ssc.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/stdin.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/stdout.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/stl.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/stop_switch.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/stx.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/style.css +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/type.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/update.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/volume.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/working_dir.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/switches/yes.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/cmdline/syntax.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/about.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/benchmark.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/index.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/menu.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/options.htm +file 
path=usr/share/doc/p7zip/DOC/MANUAL/fm/plugins/7-zip/add.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/plugins/7-zip/extract.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/plugins/7-zip/index.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/plugins/7-zip/style.css +file path=usr/share/doc/p7zip/DOC/MANUAL/fm/style.css +file path=usr/share/doc/p7zip/DOC/MANUAL/general/7z.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/general/faq.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/general/formats.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/general/index.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/general/performance.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/general/style.css +file path=usr/share/doc/p7zip/DOC/MANUAL/general/thanks.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/start.htm +file path=usr/share/doc/p7zip/DOC/MANUAL/style.css +file path=usr/share/doc/p7zip/DOC/Methods.txt +file path=usr/share/doc/p7zip/DOC/copying.txt +file path=usr/share/doc/p7zip/DOC/lzma.txt +file path=usr/share/doc/p7zip/DOC/readme.txt +file path=usr/share/doc/p7zip/DOC/src-history.txt +file path=usr/share/doc/p7zip/DOC/unRarLicense.txt file path=usr/share/doc/p7zip/README -dir path=usr/share/man/man1 file usr/man/man1/7z.1 path=usr/share/man/man1/7z.1 \ mangler.man.stability=Committed file usr/man/man1/7za.1 path=usr/share/man/man1/7za.1 diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/CVE-2015-1038.patch --- a/components/p7zip/patches/CVE-2015-1038.patch Wed Sep 07 00:15:35 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
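Review bot: In components/p7zip/p7zip.p5m, the two `pkg.linted.userland.action001.2=true` tags silence the "64-bit binary in 32-bit path" check for 7z.so and Codecs/Rar.so, but the comment says only that the errors "don't apply here" without giving the reason. A lint suppression on a loadable object should say what makes it safe, so that a later reviewer can tell whether it still holds. Presumably the objects are opened only by the 64-bit 7z binary from this fixed directory and never looked up by 32-bit consumers; if that is confirmed, the comment could read `# 7z.so and its codecs are loaded only by the 64-bit 7z from usr/lib/7z, so the 32-bit path check does not apply.`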
@@ -1,326 +0,0 @@ -This patch fixes CVE-2015-1038, filed upstream as - - http://sourceforge.net/p/p7zip/bugs/147/ - -The patch contents come from - - http://sourceforge.net/p/p7zip/bugs/_discuss/thread/17901103/2f9c/attachment/CVE-2015-1038.patch - -This will presumably be fixed upstream at some point after 9.38.1. - -====================================================================== - -Author: Ben Hutchings -Date: Tue, 19 May 2015 02:38:40 +0100 -Description: Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038) -Bug-Debian: https://bugs.debian.org/774660 - -Alexander Cherepanov discovered that 7zip is susceptible to a -directory traversal vulnerability. While extracting an archive, it -will extract symlinks and then follow them if they are referenced in -further entries. This can be exploited by a rogue archive to write -files outside the current directory. - -We have to create placeholder files (which we already do) and delay -creating symlinks until the end of extraction. - -Due to the possibility of anti-items (deletions) in the archive, it is -possible for placeholders to be deleted and replaced before we create -the symlinks. It's not clear that this can be used for mischief, but -GNU tar guards against similar problems by checking that the placeholder -still exists and is the same inode. XXX It also checks 'birth time' but -this isn't portable. We can probably get away with comparing ctime -since we don't support hard links. 
- ---- a/CPP/7zip/UI/Agent/Agent.cpp -+++ b/CPP/7zip/UI/Agent/Agent.cpp -@@ -424,6 +424,8 @@ STDMETHODIMP CAgentFolder::Extract(const - CMyComPtr extractCallback = extractCallbackSpec; - UStringVector pathParts; - CProxyFolder *currentProxyFolder = _proxyFolderItem; -+ HRESULT res; -+ - while (currentProxyFolder->Parent) - { - pathParts.Insert(0, currentProxyFolder->Name); -@@ -445,8 +447,11 @@ STDMETHODIMP CAgentFolder::Extract(const - (UInt64)(Int64)-1); - CUIntVector realIndices; - GetRealIndices(indices, numItems, realIndices); -- return _agentSpec->GetArchive()->Extract(&realIndices.Front(), -+ res = _agentSpec->GetArchive()->Extract(&realIndices.Front(), - realIndices.Size(), testMode, extractCallback); -+ if (res == S_OK && !extractCallbackSpec->CreateSymLinks()) -+ res = E_FAIL; -+ return res; - COM_TRY_END - } - ---- a/CPP/7zip/UI/Agent/ArchiveFolder.cpp -+++ b/CPP/7zip/UI/Agent/ArchiveFolder.cpp -@@ -20,6 +20,8 @@ STDMETHODIMP CAgentFolder::CopyTo(const - CMyComPtr extractCallback = extractCallbackSpec; - UStringVector pathParts; - CProxyFolder *currentProxyFolder = _proxyFolderItem; -+ HRESULT res; -+ - while (currentProxyFolder->Parent) - { - pathParts.Insert(0, currentProxyFolder->Name); -@@ -46,8 +48,11 @@ STDMETHODIMP CAgentFolder::CopyTo(const - (UInt64)(Int64)-1); - CUIntVector realIndices; - GetRealIndices(indices, numItems, realIndices); -- return _agentSpec->GetArchive()->Extract(&realIndices.Front(), -+ res = _agentSpec->GetArchive()->Extract(&realIndices.Front(), - realIndices.Size(), BoolToInt(false), extractCallback); -+ if (res == S_OK && !extractCallbackSpec->CreateSymLinks()) -+ res = E_FAIL; -+ return res; - COM_TRY_END - } - ---- a/CPP/7zip/UI/Client7z/Client7z.cpp -+++ b/CPP/7zip/UI/Client7z/Client7z.cpp -@@ -197,8 +197,11 @@ private: - COutFileStream *_outFileStreamSpec; - CMyComPtr _outFileStream; - -+ CObjectVector _delayedSymLinks; -+ - public: - void Init(IInArchive *archiveHandler, const UString &directoryPath); -+ bool 
CreateSymLinks(); - - UInt64 NumErrors; - bool PasswordIsDefined; -@@ -392,11 +395,22 @@ STDMETHODIMP CArchiveExtractCallback::Se - } - _outFileStream.Release(); - if (_extractMode && _processedFileInfo.AttribDefined) -- NFile::NDirectory::MySetFileAttributes(_diskFilePath, _processedFileInfo.Attrib); -+ NFile::NDirectory::MySetFileAttributes(_diskFilePath, _processedFileInfo.Attrib, &_delayedSymLinks); - PrintNewLine(); - return S_OK; - } - -+bool CArchiveExtractCallback::CreateSymLinks() -+{ -+ bool success = true; -+ -+ for (int i = 0; i != _delayedSymLinks.Size(); ++i) -+ success &= _delayedSymLinks[i].Create(); -+ -+ _delayedSymLinks.Clear(); -+ -+ return success; -+} - - STDMETHODIMP CArchiveExtractCallback::CryptoGetTextPassword(BSTR *password) - { ---- a/CPP/7zip/UI/Common/ArchiveExtractCallback.cpp -+++ b/CPP/7zip/UI/Common/ArchiveExtractCallback.cpp -@@ -453,12 +453,24 @@ STDMETHODIMP CArchiveExtractCallback::Se - NumFiles++; - - if (_extractMode && _fi.AttribDefined) -- NFile::NDirectory::MySetFileAttributes(_diskFilePath, _fi.Attrib); -+ NFile::NDirectory::MySetFileAttributes(_diskFilePath, _fi.Attrib, &_delayedSymLinks); - RINOK(_extractCallback2->SetOperationResult(operationResult, _encrypted)); - return S_OK; - COM_TRY_END - } - -+bool CArchiveExtractCallback::CreateSymLinks() -+{ -+ bool success = true; -+ -+ for (int i = 0; i != _delayedSymLinks.Size(); ++i) -+ success &= _delayedSymLinks[i].Create(); -+ -+ _delayedSymLinks.Clear(); -+ -+ return success; -+} -+ - /* - STDMETHODIMP CArchiveExtractCallback::GetInStream( - const wchar_t *name, ISequentialInStream **inStream) ---- a/CPP/7zip/UI/Common/ArchiveExtractCallback.h -+++ b/CPP/7zip/UI/Common/ArchiveExtractCallback.h -@@ -6,6 +6,8 @@ - #include "Common/MyCom.h" - #include "Common/Wildcard.h" - -+#include "Windows/FileDir.h" -+ - #include "../../IPassword.h" - - #include "../../Common/FileStreams.h" -@@ -83,6 +85,8 @@ class CArchiveExtractCallback: - UInt64 _packTotal; - UInt64 _unpTotal; - -+ 
CObjectVector _delayedSymLinks; -+ - void CreateComplexDirectory(const UStringVector &dirPathParts, UString &fullPath); - HRESULT GetTime(int index, PROPID propID, FILETIME &filetime, bool &filetimeIsDefined); - HRESULT GetUnpackSize(); -@@ -138,6 +142,7 @@ public: - const UStringVector &removePathParts, - UInt64 packSize); - -+ bool CreateSymLinks(); - }; - - #endif ---- a/CPP/7zip/UI/Common/Extract.cpp -+++ b/CPP/7zip/UI/Common/Extract.cpp -@@ -96,6 +96,9 @@ static HRESULT DecompressArchive( - else - result = archive->Extract(&realIndices.Front(), realIndices.Size(), testMode, extractCallbackSpec); - -+ if (result == S_OK && !extractCallbackSpec->CreateSymLinks()) -+ result = E_FAIL; -+ - return callback->ExtractResult(result); - } - ---- a/CPP/Windows/FileDir.cpp -+++ b/CPP/Windows/FileDir.cpp -@@ -453,9 +453,10 @@ bool SetDirTime(LPCWSTR fileName, const - } - - #ifndef _UNICODE --bool MySetFileAttributes(LPCWSTR fileName, DWORD fileAttributes) -+bool MySetFileAttributes(LPCWSTR fileName, DWORD fileAttributes, -+ CObjectVector *delayedSymLinks) - { -- return MySetFileAttributes(UnicodeStringToMultiByte(fileName, CP_ACP), fileAttributes); -+ return MySetFileAttributes(UnicodeStringToMultiByte(fileName, CP_ACP), fileAttributes, delayedSymLinks); - } - - bool MyRemoveDirectory(LPCWSTR pathName) -@@ -488,7 +489,8 @@ static int convert_to_symlink(const char - return -1; - } - --bool MySetFileAttributes(LPCTSTR fileName, DWORD fileAttributes) -+bool MySetFileAttributes(LPCTSTR fileName, DWORD fileAttributes, -+ CObjectVector *delayedSymLinks) - { - if (!fileName) { - SetLastError(ERROR_PATH_NOT_FOUND); -@@ -520,7 +522,9 @@ bool MySetFileAttributes(LPCTSTR fileNam - stat_info.st_mode = fileAttributes >> 16; - #ifdef ENV_HAVE_LSTAT - if (S_ISLNK(stat_info.st_mode)) { -- if ( convert_to_symlink(name) != 0) { -+ if (delayedSymLinks) -+ delayedSymLinks->Add(CDelayedSymLink(name)); -+ else if ( convert_to_symlink(name) != 0) { - TRACEN((printf("MySetFileAttributes(%s,%d) : 
false-3\n",name,fileAttributes))) - return false; - } -@@ -924,4 +928,41 @@ bool CTempDirectory::Create(LPCTSTR pref - } - - -+#ifdef ENV_UNIX -+ -+CDelayedSymLink::CDelayedSymLink(LPCSTR source) -+ : _source(source) -+{ -+ struct stat st; -+ -+ if (lstat(_source, &st) == 0) { -+ _dev = st.st_dev; -+ _ino = st.st_ino; -+ } else { -+ _dev = 0; -+ } -+} -+ -+bool CDelayedSymLink::Create() -+{ -+ struct stat st; -+ -+ if (_dev == 0) { -+ errno = EPERM; -+ return false; -+ } -+ if (lstat(_source, &st) != 0) -+ return false; -+ if (_dev != st.st_dev || _ino != st.st_ino) { -+ // Placeholder file has been overwritten or moved by another -+ // symbolic link creation -+ errno = EPERM; -+ return false; -+ } -+ -+ return convert_to_symlink(_source) == 0; -+} -+ -+#endif // ENV_UNIX -+ - }}} ---- a/CPP/Windows/FileDir.h -+++ b/CPP/Windows/FileDir.h -@@ -4,6 +4,7 @@ - #define __WINDOWS_FILEDIR_H - - #include "../Common/MyString.h" -+#include "../Common/MyVector.h" - #include "Defs.h" - - /* GetFullPathName for 7zAES.cpp */ -@@ -13,11 +14,15 @@ namespace NWindows { - namespace NFile { - namespace NDirectory { - -+class CDelayedSymLink; -+ - bool SetDirTime(LPCWSTR fileName, const FILETIME *creationTime, const FILETIME *lastAccessTime, const FILETIME *lastWriteTime); - --bool MySetFileAttributes(LPCTSTR fileName, DWORD fileAttributes); -+bool MySetFileAttributes(LPCTSTR fileName, DWORD fileAttributes, -+ CObjectVector *delayedSymLinks = 0); - #ifndef _UNICODE --bool MySetFileAttributes(LPCWSTR fileName, DWORD fileAttributes); -+bool MySetFileAttributes(LPCWSTR fileName, DWORD fileAttributes, -+ CObjectVector *delayedSymLinks = 0); - #endif - - bool MyMoveFile(LPCTSTR existFileName, LPCTSTR newFileName); -@@ -80,6 +85,31 @@ public: - bool Remove(); - }; - -+// Symbolic links must be created last so that they can't be used to -+// create or overwrite files above the extraction directory. -+class CDelayedSymLink -+{ -+#ifdef ENV_UNIX -+ // Where the symlink should be created. 
The target is specified in -+ // the placeholder file. -+ AString _source; -+ -+ // Device and inode of the placeholder file. Before creating the -+ // symlink, we must check that these haven't been changed by creation -+ // of another symlink. -+ dev_t _dev; -+ ino_t _ino; -+ -+public: -+ explicit CDelayedSymLink(LPCSTR source); -+ bool Create(); -+#else // !ENV_UNIX -+public: -+ CDelayedSymLink(LPCSTR source) {} -+ bool Create() { return true; } -+#endif // ENV_UNIX -+}; -+ - #ifdef _UNICODE - typedef CTempFile CTempFileW; - #endif diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/CVE-2016-2334.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/p7zip/patches/CVE-2016-2334.patch Wed Jul 27 11:32:28 2016 -0700 @@ -0,0 +1,30 @@ +This patch was pulled from the p7zip forums at: + +https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/1dba/attachment/CVE-2016-2334.patch + +This should be part of p7zip 16, once it ships. + +Index: p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp +=================================================================== +--- p7zip_15.14.1.orig/CPP/7zip/Archive/HfsHandler.cpp ++++ p7zip_15.14.1/CPP/7zip/Archive/HfsHandler.cpp +@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFo + item.GroupID = Get32(r + 0x24); + item.AdminFlags = r[0x28]; + item.OwnerFlags = r[0x29]; ++ */ + item.FileMode = Get16(r + 0x2A); ++ /* + item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount + item.FileType = Get32(r + 0x30); + item.FileCreator = Get32(r + 0x34); +@@ -1572,6 +1574,9 @@ HRESULT CHandler::ExtractZlibFile( + + UInt32 size = GetUi32(tableBuf + i * 8 + 4); + ++ if (size > buf.Size() || size > kCompressionBlockSize + 1) ++ return S_FALSE; ++ + RINOK(ReadStream_FALSE(inStream, buf, size)); + + if ((buf[0] & 0xF) == 0xF) diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/CVE-2016-2335.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
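Review bot: The header of patches/CVE-2016-2334.patch gives only a forum attachment URL and does not explain its first embedded hunk, which moves the comment delimiters in CDatabase::LoadCatalog so that `item.FileMode = Get16(r + 0x2A);` is compiled again. Only the second hunk, the `size > buf.Size() || size > kCompressionBlockSize + 1` check in CHandler::ExtractZlibFile, is recognisably the bounds fix, so a reader cannot tell why FileMode must be parsed for this CVE. I would add a sentence per hunk to the patch header and record a checksum or upstream revision for the attachment, since a forum URL is not a stable reference. The same provenance remark applies to patches/CVE-2016-2335.patch. Both embedded hunks sit inside functions whose bodies extend beyond the lines shown.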
+++ b/components/p7zip/patches/CVE-2016-2335.patch Wed Jul 27 11:32:28 2016 -0700
@@ -0,0 +1,23 @@
+This patch was pulled from the p7zip forums at:
+
+https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/1dba/attachment/CVE-2016-2335.patch
+
+This should be part of p7zip 16, once it ships.
+
+Index: p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp
+===================================================================
+--- p7zip_15.14.1.orig/CPP/7zip/Archive/Udf/UdfIn.cpp
++++ p7zip_15.14.1/CPP/7zip/Archive/Udf/UdfIn.cpp
+@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int vol
+ return S_FALSE;
+ CFile &file = Files.Back();
+ const CLogVol &vol = LogVols[volIndex];
+- CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
++ unsigned partitionRef = lad.Location.PartitionRef;
++
++ if (partitionRef >= vol.PartitionMaps.Size())
++ return S_FALSE;
++ CPartition &partition = Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
+
+ UInt32 key = lad.Location.Pos;
+ UInt32 value;
diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/compile.patch
--- a/components/p7zip/patches/compile.patch Wed Sep 07 00:15:35 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-The "const" changes the function signature, preventing 7z.so from loading
-because of a missing symbol.
-
---- p7zip_9.20.1/CPP/7zip/Archive/Wim/WimIn.cpp.orig Mon Jul 18 14:37:02 2011
-+++ p7zip_9.20.1/CPP/7zip/Archive/Wim/WimIn.cpp Mon Jul 18 14:37:20 2011
-@@ -278,7 +278,7 @@
-
- static const wchar_t *kLongPath = L"[LongPath]";
-
--UString CDatabase::GetItemPath(const int index1) const
-+UString CDatabase::GetItemPath(int index1) const
- {
- int size = 0;
- int index = index1;
diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/getpassphrase.patch
--- a/components/p7zip/patches/getpassphrase.patch Wed Sep 07 00:15:35 2016 -0700
+++ b/components/p7zip/patches/getpassphrase.patch Wed Jul 27 11:32:28 2016 -0700
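Review bot: In patches/CVE-2016-2335.patch, the added guard in CInArchive::ReadFileItem checks `partitionRef` against `vol.PartitionMaps.Size()`, but the value that then indexes `Partitions`, namely `vol.PartitionMaps[partitionRef].PartitionIndex`, is not range-checked in this hunk. If `PartitionIndex` is not already validated where the partition maps are built, which is not visible here, an out-of-range access remains one level further in. Assuming `Partitions` offers the same `Size()` accessor, a second guard such as `if (vol.PartitionMaps[partitionRef].PartitionIndex >= Partitions.Size()) return S_FALSE;` before the reference is taken would close it. Otherwise the patch header should state where that index is validated. ReadFileItem begins and ends outside the embedded hunk.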
@@ -1,17 +1,17 @@ ---- p7zip_9.20.1/CPP/7zip/UI/Console/UserInputUtils.cpp.orig 2012-02-15 10:43:48.907800737 -0800 -+++ p7zip_9.20.1/CPP/7zip/UI/Console/UserInputUtils.cpp 2012-02-15 10:44:21.754378258 -0800 -@@ -78,12 +78,12 @@ +--- p7zip_15.14.1/CPP/7zip/UI/Console/UserInputUtils.cpp Fri Jun 19 09:25:18 2015 ++++ p7zip_15.14.1/CPP/7zip/UI/Console/UserInputUtils.cpp Tue Apr 19 13:43:59 2016 +@@ -89,12 +89,12 @@ + outStream->Flush(); + } #ifdef ENV_HAVE_GETPASS - (*outStream) << "\nEnter password (will not be echoed) :"; - outStream->Flush(); - AString oemPassword = getpass(""); + AString oemPassword = getpassphrase(""); - if (verify) + if ( (verify) && (outStream) ) { (*outStream) << "Verify password (will not be echoed) :"; - outStream->Flush(); + outStream->Flush(); - AString oemPassword2 = getpass(""); + AString oemPassword2 = getpassphrase(""); if (oemPassword != oemPassword2) throw "password verification failed"; } - #else + return MultiByteToUnicodeString(oemPassword, CP_OEMCP); diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/pragmapack.patch --- a/components/p7zip/patches/pragmapack.patch Wed Sep 07 00:15:35 2016 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,24 +0,0 @@ -The Studio compilers don't have support for a stack of structure packing, -but we don't need full stack support here; just the original switch and -back again. - ---- p7zip_9.20.1/C/Ppmd.h.orig Sat Jan 22 11:32:30 2011 -+++ p7zip_9.20.1/C/Ppmd.h Mon Jul 18 11:38:47 2011 -@@ -29,7 +29,7 @@ - #define PPMD_N4 ((128 + 3 - 1 * PPMD_N1 - 2 * PPMD_N2 - 3 * PPMD_N3) / 4) - #define PPMD_NUM_INDEXES (PPMD_N1 + PPMD_N2 + PPMD_N3 + PPMD_N4) - --#pragma pack(push,1) -+#pragma pack(1) - - /* SEE-contexts for PPM-contexts with masked symbols */ - typedef struct -@@ -50,7 +50,7 @@ - UInt16 SuccessorHigh; - } CPpmd_State; - --#pragma pack(pop) -+#pragma pack() - - typedef - #ifdef PPMD_32BIT diff -r 0901797054b4 -r ea93ede4968e components/p7zip/patches/sparc-64bit.patch 
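Review bot: In patches/getpassphrase.patch, both `getpassphrase("")` results are assigned straight to an `AString` with no null check, although the function can return a null pointer on failure, just as the `getpass` it replaces can. Whether `AString` tolerates a null `const char *` is not visible in the hunk, so I would hold the result in a `const char *` first and throw before constructing the string when it is null. The patch also has no header, unlike the other patches in this changeset. A line stating why `getpassphrase` is preferred on Solaris would help; as I understand it, `getpass` truncates input to a few characters there, and that should be confirmed against the man page. The enclosing function starts and ends outside the embedded hunk.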
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/p7zip/patches/sparc-64bit.patch Wed Jul 27 11:32:28 2016 -0700
@@ -0,0 +1,18 @@
+SPARC should be recognized as a 64-bit CPU. Nothing seems to break with or
+without this patch, but a few dictionary sizes are bigger with it, and the
+banner changes to indicate the 64-bitness.
+
+This is suitable for passing upstream.
+
+--- p7zip_15.14.1/C/CpuArch.h 2016-02-16 22:27:16.000000000 -0800
++++ p7zip_15.14.1/C/CpuArch.h 2016-04-22 17:34:27.655604054 -0700
+@@ -27,7 +27,8 @@
+ #if defined(MY_CPU_AMD64) \
+ || defined(_M_IA64) \
+ || defined(__AARCH64EL__) \
+- || defined(__AARCH64EB__)
++ || defined(__AARCH64EB__) \
++ || defined(__sparcv9)
+ #define MY_CPU_64BIT
+ #endif
+