SECURITY: Update cabextract to 1.6. It fixes CVE-2015-2060, a directory traversal vulnerability. A CAB file with overlong UTF-8 encodings for "/" can get its files extracted to an absolute path instead of the current directory. [Debian bug #778753] Under Cygwin, a CAB file using both "/" and "\" can evade checks for absolute files and "../" directory traversals and can get its files extracted to any path.

diff -r1.26 -r1.27 pkgsrc/archivers/cabextract/Makefile
(bsiegert)
@@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
1 | # $NetBSD: Makefile,v 1.26 2015/01/29 13:28:28 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.27 2015/03/27 16:49:55 bsiegert Exp $ | |
2 | 2 | |||
3 | DISTNAME= cabextract-1.5 | 3 | DISTNAME= cabextract-1.6 | |
4 | CATEGORIES= archivers | 4 | CATEGORIES= archivers | |
5 | MASTER_SITES= http://www.cabextract.org.uk/ | 5 | MASTER_SITES= http://www.cabextract.org.uk/ | |
6 | 6 | |||
7 | MAINTAINER= pkgsrc-users@NetBSD.org | 7 | MAINTAINER= pkgsrc-users@NetBSD.org | |
8 | HOMEPAGE= http://www.cabextract.org.uk/ | 8 | HOMEPAGE= http://www.cabextract.org.uk/ | |
9 | COMMENT= Microsoft cabinet (.CAB) file extractor | 9 | COMMENT= Microsoft cabinet (.CAB) file extractor | |
10 | LICENSE= gnu-gpl-v3 | 10 | LICENSE= gnu-gpl-v3 | |
11 | 11 | |||
12 | USE_TOOLS+= gmake | 12 | USE_TOOLS+= gmake | |
13 | GNU_CONFIGURE= yes | 13 | GNU_CONFIGURE= yes | |
14 | 14 | |||
15 | .include "../../mk/bsd.pkg.mk" | 15 | .include "../../mk/bsd.pkg.mk" |
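Review bot: MASTER_SITES and HOMEPAGE (lines 5 and 8, unchanged here) still point at plain http://www.cabextract.org.uk/, so the 1.6 distfile for this security update is fetched without transport integrity and the distinfo checksums are the only thing tying the download to the reviewed tarball. If upstream serves the same paths over HTTPS, consider switching both variables in this bump. The DISTNAME change itself looks correct for 1.5 to 1.6.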
@@ -1,6 +1,5 @@ | @@ -1,6 +1,5 @@ | |||
1 | $NetBSD: distinfo,v 1.14 2015/01/29 13:28:28 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.15 2015/03/27 16:49:55 bsiegert Exp $ | |
2 | 2 | |||
3 | SHA1 (cabextract-1.5.tar.gz) = 7ddb31072590a807bef09234f46f940e1ba51067 | 3 | SHA1 (cabextract-1.6.tar.gz) = 64f6d5056d3e417a943648c23cb22218b7079ced | |
4 | RMD160 (cabextract-1.5.tar.gz) = a1f673aee26b13911eba14fca3b892f8f9cad501 | 4 | RMD160 (cabextract-1.6.tar.gz) = 6b693c30aa4d6821b5e83b63a8dc9d58968268b7 | |
5 | Size (cabextract-1.5.tar.gz) = 241010 bytes | 5 | Size (cabextract-1.6.tar.gz) = 241731 bytes | |
6 | SHA1 (patch-mspack_system.h) = e997f6ea664e8fbf7b03ff9fb10fb8adc06d8779 |
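Review bot: Line 6 of the old distinfo, the SHA1 entry for patch-mspack_system.h, is removed with no replacement, but the commit message only describes the upstream update and says nothing about dropping a local patch. Please confirm that the change carried by patch-mspack_system.h is included in cabextract 1.6 (or is no longer needed), that the file under patches/ is removed in the same commit, and mention the removal in the log so the patch's history stays traceable. The new tarball entries are SHA1 and RMD160 only; it is worth checking the 1.6 tarball against an upstream-published checksum or signature, if one exists, before trusting these values.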