Fix CVE-2017-17969:

https://sourceforge.net/p/p7zip/bugs/204/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969

Patch copied from Debian.

Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch
Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7
Bug: https://sourceforge.net/p/p7zip/bugs/204/
Bug-Debian: https://bugs.debian.org/888297
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969
Author: Antoine Beaupré
Reviewed-by: Salvatore Bonaccorso
Last-Update: 2018-02-01
Applied-Upstream: 18.00-beta

--- a/CPP/7zip/Compress/ShrinkDecoder.cpp +++ b/CPP/7zip/Compress/ShrinkDecoder.cpp @@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialIn { _stack[i++] = _suffixes[cur]; cur = _parents[cur]; + if (cur >= kNumItems || i >= kNumItems) + break; } - + + if (cur >= kNumItems || i >= kNumItems) + break; + _stack[i++] = (Byte)cur; lastChar2 = (Byte)cur;
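Review bot: the second added `break`, placed after the closing brace of the inner loop, leaves the enclosing construct without setting any error status in the visible lines, so a corrupt Shrink stream that trips the bound may end decoding as though it had finished normally. Since `CodeReal` returns an `HRESULT`, consider returning a failure code such as `S_FALSE` at that point, or confirm that the code after the enclosing loop reports the truncation. The new test also runs only after `_stack[i++] = _suffixes[cur]` and `cur = _parents[cur]` have executed, so the first pass through the loop body still indexes `_suffixes` and `_parents` with an unchecked `cur`; it is worth confirming that `cur` is validated before the loop is entered or moving the test to the top of the body. The same condition is written twice; folding it into the loop condition would leave a single check to maintain. The `-`/`+` pair on the blank line is a whitespace-only change and can be dropped from the patch.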
Age: 2023-09-28
Author: Mark H Weaver
Commit message:

gnu: icecat: Update to 115.3.0-guix0-preview1 [security fixes].

Includes fixes for CVE-2023-5168, CVE-2023-5169, CVE-2023-5171, CVE-2023-5174, and CVE-2023-5176.

* gnu/packages/gnuzilla.scm (icu4c-73-promise): New variable.
(all-mozilla-locales, %icecat-base-version, %icecat-build-id): Update.
(icecat-source): Update gnuzilla commit, base version, and hashes.
(icecat-minimal)[inputs]: Use icu4c-73-promise. Remove nss.
[native-inputs]: Use rust-cbindgen-0.24, llvm-15, clang-15, and node-lts.
[arguments]<configure-flags>: Comment out "--with-system-nss".
[description]: "IceCat 102" --> "IceCat 115".
(%icecat-locales): Update.
(all-mozilla-102-locales, %icecat-102-base-version)
(%icecat-102-version, icecat-102-source): New variables bound to the old values, for use by icedove.
(icedove-source): Use 'icecat-102-source'.
(make-l10n-package)[arguments]<phases>: Simplify reference to '#$locales, and thereby eliminate the unnecessary dependence on %icedove-locales by icecat-l10n, and similarly on %icecat-locales by icedove-l10n.
[native-inputs]: Use node-lts.
* gnu/packages/patches/icecat-makeicecat.patch: Adapt to new upstream.
* gnu/packages/patches/icecat-102-makeicecat.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.