Fri Mar 27 16:49:55 2015 UTC ()

SECURITY: Update cabextract to 1.6.

It fixes CVE-2015-2060, a directory traversal vulnerability.
A CAB file with overlong UTF-8 encodings for "/" can get its files extracted to
an absolute path instead of the current directory. [Debian bug #778753]
Under Cygwin, a CAB file using both "/" and "\" can evade checks for absolute
files and "../" directory traversals and can get its files extracted to any
path.


(bsiegert)

diff -r1.26 -r1.27 pkgsrc/archivers/cabextract/Makefile
diff -r1.14 -r1.15 pkgsrc/archivers/cabextract/distinfo
diff -r1.2 -r0 pkgsrc/archivers/cabextract/patches/patch-mspack_system.h

--- pkgsrc/archivers/cabextract/Makefile 2015/01/29 13:28:28 1.26
+++ pkgsrc/archivers/cabextract/Makefile 2015/03/27 16:49:55 1.27

 @@ -1,15 +1,15 @@
-# $NetBSD: Makefile,v 1.26 2015/01/29 13:28:28 wiz Exp $
+# $NetBSD: Makefile,v 1.27 2015/03/27 16:49:55 bsiegert Exp $
-DISTNAME=	cabextract-1.5
+DISTNAME=	cabextract-1.6
 CATEGORIES=	archivers
 MASTER_SITES=	http://www.cabextract.org.uk/
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.cabextract.org.uk/
 COMMENT=	Microsoft cabinet (.CAB) file extractor
 LICENSE=	gnu-gpl-v3
 USE_TOOLS+=		gmake
 GNU_CONFIGURE=		yes
 .include "../../mk/bsd.pkg.mk"

--- pkgsrc/archivers/cabextract/distinfo 2015/01/29 13:28:28 1.14
+++ pkgsrc/archivers/cabextract/distinfo 2015/03/27 16:49:55 1.15

 @@ -1,6 +1,5 @@
-$NetBSD: distinfo,v 1.14 2015/01/29 13:28:28 wiz Exp $
+$NetBSD: distinfo,v 1.15 2015/03/27 16:49:55 bsiegert Exp $
-SHA1 (cabextract-1.5.tar.gz) = 7ddb31072590a807bef09234f46f940e1ba51067
+SHA1 (cabextract-1.6.tar.gz) = 64f6d5056d3e417a943648c23cb22218b7079ced
-RMD160 (cabextract-1.5.tar.gz) = a1f673aee26b13911eba14fca3b892f8f9cad501
+RMD160 (cabextract-1.6.tar.gz) = 6b693c30aa4d6821b5e83b63a8dc9d58968268b7
-Size (cabextract-1.5.tar.gz) = 241010 bytes
+Size (cabextract-1.6.tar.gz) = 241731 bytes
 SHA1 (patch-mspack_system.h) = e997f6ea664e8fbf7b03ff9fb10fb8adc06d8779