- Fix buffer overflow (CVE-2015-2782)

- Fix absolute path directory traversal (CVE-2015-0557)
- Fix symlink directory traversal (CVE-2015-0556)
- Fix build on armv6
- Fix parallel build
- Make build reproducible

PR:	221589
Submitted by:	mikael.urankar@gmail.com
Obtained from:	debian patchset 16
Approved by:	garga (maintainer)

7 files changed, 37 insertions, 222 deletions

diff --git a/archivers/arj/Makefile b/archivers/arj/Makefile
index 0a7d21634fdb..571bfee72814 100644
--- a/archivers/arj/Makefile
+++ b/archivers/arj/Makefile
@@ -3,9 +3,12 @@
 
 PORTNAME=	arj
 PORTVERSION=	3.10.22
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	archivers
-MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}/2.78_3.10%20build%2022
+MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}/2.78_3.10%20build%2022:source \
+		DEBIAN_POOL:patch
+DISTFILES=	${PORTNAME}-${PORTVERSION}.tar.gz:source \
+		${PORTNAME}_${PORTVERSION}-16.debian.tar.xz:patch
 
 MAINTAINER=	garga@FreeBSD.org
 COMMENT=	Open source implementation of the ARJ archiver
@@ -14,6 +17,17 @@ LICENSE=	GPLv2
 
 PORTSCOUT=	skipv:3.10g
 
+EXTRA_PATCHES=	${WRKDIR}/debian/patches/*.patch
+IGNORE_PATCHES=	002_no_remove_static_const.patch  \
+		doc_refer_robert_k_jung.patch \
+		gnu_build_cross.patch \
+		gnu_build_fix.patch \
+		gnu_build_flags.patch \
+		gnu_build_pie.patch \
+		gnu_build_strip.patch \
+		hurd_no_fcntl_getlk.patch
+PATCH_STRIP=	-p1
+
 USES=		alias gmake
 USE_AUTOTOOLS=	autoconf
 CONFIGURE_WRKSRC=	${WRKSRC}/gnu
@@ -21,7 +35,6 @@ MAKEFILE=	GNUmakefile
 MAKE_ARGS=	LOCALE="${LANGUAGE}"
 ALL_TARGET=	prepare all
 STRIP=		# empty
-MAKE_JOBS_UNSAFE=	yes
 
 CFLAGS+=	-fPIC
 LANGUAGE?=	en
@@ -30,6 +43,9 @@ PORTDOCS=	*
 
 OPTIONS_DEFINE=	DOCS
 
+pre-patch:
+	@${RM} ${IGNORE_PATCHES:S,^,${WRKDIR}/debian/patches/,}
+
 post-patch:
 	@${REINPLACE_CMD} -e 's!/etc!${LOCALBASE}/etc!' \
 		 ${WRKSRC}/arj.c ${WRKSRC}/file_reg.c ${WRKSRC}/rearj.c
diff --git a/archivers/arj/distinfo b/archivers/arj/distinfo
index f3de09baa6a2..f0a5384650db 100644
--- a/archivers/arj/distinfo
+++ b/archivers/arj/distinfo
@@ -1,2 +1,5 @@
+TIMESTAMP = 1508345026
 SHA256 (arj-3.10.22.tar.gz) = 589e4c9bccc8669e7b6d8d6fcd64e01f6a2c21fe10aad56a83304ecc3b96a7db
 SIZE (arj-3.10.22.tar.gz) = 431467
+SHA256 (arj_3.10.22-16.debian.tar.xz) = 2d9cc5aeb2ac44d000d2e3399846f1c3ce468e17e3af4bfb505b9a6eaf88a502
+SIZE (arj_3.10.22-16.debian.tar.xz) = 19452
diff --git a/archivers/arj/files/patch-arj__arcv.c b/archivers/arj/files/patch-arj__arcv.c
deleted file mode 100644
index 2bfbab86c1e0..000000000000
--- a/archivers/arj/files/patch-arj__arcv.c
+++ /dev/null
@@ -1,60 +0,0 @@
---- arj_arcv.c.orig	2005-06-21 19:53:12 UTC
-+++ arj_arcv.c
-@@ -59,27 +59,27 @@ static char idxid_fault[]="?";
- #define setup_hput(ptr) (tmp_hptr=(ptr))
- 
- #define hget_byte() (*(tmp_hptr++)&0xFF)
--#define hput_byte(c) (*(tmp_hptr++)=(char) (c))
-+#define hput_byte(c) (*(tmp_hptr++)=(uint8_t) (c))
- 
- /* Reads two bytes from the header, incrementing the pointer */
- 
--static unsigned int hget_word()
-+static uint16_t hget_word()
- {
-- unsigned int result;
-+ uint16_t result;
- 
-  result=mget_word(tmp_hptr);
-- tmp_hptr+=sizeof(short);
-+ tmp_hptr+=sizeof(uint16_t);
-  return result;
- }
- 
- /* Reads four bytes from the header, incrementing the pointer */
- 
--static unsigned long hget_longword()
-+static uint32_t hget_longword()
- {
-- unsigned long result;
-+ uint32_t result;
- 
-  result=mget_dword(tmp_hptr);
-- tmp_hptr+=sizeof(unsigned long);
-+ tmp_hptr+=sizeof(uint32_t);
-  return result;
- }
- 
-@@ -87,18 +87,18 @@ static unsigned long hget_longword()
- 
- /* Writes two bytes to the header, incrementing the pointer */
- 
--static void hput_word(unsigned int w)
-+static void hput_word(uint16_t w)
- {
-  mput_word(w,tmp_hptr); 
-- tmp_hptr+=sizeof(unsigned short);
-+ tmp_hptr+=sizeof(uint16_t);
- }
- 
- /* Writes four bytes to the header, incrementing the pointer */
- 
--static void hput_longword(unsigned long l)
-+static void hput_longword(uint32_t l)
- {
-  mput_dword(l,tmp_hptr);
-- tmp_hptr+=sizeof(unsigned long);
-+ tmp_hptr+=sizeof(uint32_t);
- }
- 
- /* Calculates and stores the basic header size */
diff --git a/archivers/arj/files/patch-arj__proc.c b/archivers/arj/files/patch-arj__proc.c
deleted file mode 100644
index b6b733254d00..000000000000
--- a/archivers/arj/files/patch-arj__proc.c
+++ /dev/null
@@ -1,80 +0,0 @@
---- arj_proc.c.orig	2005-06-21 19:53:12 UTC
-+++ arj_proc.c
-@@ -585,7 +585,7 @@ int search_for_extension(char *name, cha
- /* Returns the exact amount of data that could be safely written to the
-    destination volume */
- 
--unsigned long get_volfree(unsigned int increment)
-+unsigned long get_volfree(unsigned long increment)
- {
-  unsigned long pvol;
-  unsigned int arjsec_overhead;
-@@ -605,7 +605,7 @@ unsigned long get_volfree(unsigned int i
-  remain=volume_limit-ftell(aostream)-pvol-(long)arjsec_overhead-
-         (long)out_bytes-(long)cpos-(long)ext_voldata-
-         MULTIVOLUME_RESERVE-t_volume_offset;
-- return((unsigned long)min(remain, (unsigned long)increment));
-+ return((unsigned long)min(remain, increment));
- }
- 
- /* Performs various checks when multivolume data is packed to predict an
-@@ -2466,14 +2466,14 @@ static int get_str_from_jq()
-     *tsptr='\0';
-   endptr=tsptr;
-   tsptr=sptr;
--  while((unsigned int)tsptr<(unsigned int)endptr&&patterns<SEARCH_STR_MAX)
-+  while((intptr_t)tsptr<(intptr_t)endptr&&patterns<SEARCH_STR_MAX)
-   {
-    while(*tsptr=='\0')
-     tsptr++;
--   if((unsigned int)tsptr<(unsigned int)endptr)
-+   if((intptr_t)tsptr<(intptr_t)endptr)
-    {
-     search_str[patterns++]=tsptr;
--    while(*tsptr!='\0'&&(unsigned int)tsptr<(unsigned int)endptr)
-+    while(*tsptr!='\0'&&(intptr_t)tsptr<(intptr_t)endptr)
-      tsptr++;
-    }
-   }
-@@ -2901,9 +2901,9 @@ char *ltrim(char *str)
- #if defined(WORDS_BIGENDIAN)&&!defined(ARJDISP)&&!defined(REGISTER)
- /* Model-independent routine to get 2 bytes from far RAM */
- 
--unsigned int mget_word(char FAR *p)
-+uint16_t mget_word(char FAR *p)
- {
-- unsigned int b0, b1;
-+ uint16_t b0, b1;
- 
-  b0=mget_byte(p);
-  b1=mget_byte(p+1);
-@@ -2912,9 +2912,9 @@ unsigned int mget_word(char FAR *p)
- 
- /* Model-independent routine to get 4 bytes from far RAM */
- 
--unsigned long mget_dword(char FAR *p)
-+uint32_t mget_dword(char FAR *p)
- {
-- unsigned long w0, w1;
-+ uint32_t w0, w1;
- 
-  w0=mget_word(p);
-  w1=mget_word(p+2);
-@@ -2923,7 +2923,7 @@ unsigned long mget_dword(char FAR *p)
- 
- /* Model-independent routine to store 2 bytes in far RAM */
- 
--void mput_word(unsigned int w, char FAR *p)
-+void mput_word(uint16_t w, char FAR *p)
- {
-  mput_byte(w&0xFF, p);
-  mput_byte(w>>8  , p+1);
-@@ -2931,7 +2931,7 @@ void mput_word(unsigned int w, char FAR 
- 
- /* Model-independent routine to store 4 bytes in far RAM */
- 
--void mput_dword(unsigned long d, char FAR *p)
-+void mput_dword(uint32_t d, char FAR *p)
- {
-  mput_word(d&0xFFFF, p);
-  mput_word(d>>16   , p+2);
diff --git a/archivers/arj/files/patch-arj__proc.h b/archivers/arj/files/patch-arj__proc.h
deleted file mode 100644
index 11dda85fa14d..000000000000
--- a/archivers/arj/files/patch-arj__proc.h
+++ /dev/null
@@ -1,50 +0,0 @@
---- arj_proc.h.orig	2004-01-25 10:39:30 UTC
-+++ arj_proc.h
-@@ -8,15 +8,17 @@
- #ifndef ARJ_PROC_INCLUDED
- #define ARJ_PROC_INCLUDED
- 
-+#include <stdint.h>
-+
- /* Helper macros */
- 
--#define mget_byte(p) (*(unsigned char FAR *)(p)&0xFF)
--#define mput_byte(c, p) *(unsigned char FAR *)(p)=(unsigned char)(c)
-+#define mget_byte(p) (*(uint8_t FAR *)(p)&0xFF)
-+#define mput_byte(c, p) *(uint8_t FAR *)(p)=(uint8_t)(c)
- #ifndef WORDS_BIGENDIAN
--#define mget_word(p) (*(unsigned short *)(p)&0xFFFF)
--#define mput_word(w,p) (*(unsigned short *)(p)=(unsigned short)(w))
--#define mget_dword(p) (*(unsigned long *)(p))
--#define mput_dword(w,p) (*(unsigned long *)(p)=(unsigned long)(w))
-+#define mget_word(p) (*(uint16_t *)(p)&0xFFFF)
-+#define mput_word(w,p) (*(uint16_t *)(p)=(uint16_t)(w))
-+#define mget_dword(p) (*(uint32_t *)(p))
-+#define mput_dword(w,p) (*(uint32_t *)(p)=(uint32_t)(w))
- #endif
- 
- /* Prototypes */
-@@ -31,7 +33,7 @@ void copy_bytes(unsigned long nbytes);
- int translate_path(char *name);
- void restart_proc(char *dest);
- int search_for_extension(char *name, char *ext_list);
--unsigned long get_volfree(unsigned int increment);
-+unsigned long get_volfree(unsigned long increment);
- unsigned int check_multivolume(unsigned int increment);
- void store();
- void hollow_encode();
-@@ -61,10 +63,10 @@ void unpack_mem(struct mempack *mempack)
- void strip_lf(char *str);
- char *ltrim(char *str);
- #ifdef WORDS_BIGENDIAN
--unsigned int mget_word(char FAR *p);
--unsigned long mget_dword(char FAR *p);
--void mput_word(unsigned int w, char FAR *p);
--void mput_dword(unsigned long d, char FAR *p);
-+uint16_t mget_word(char FAR *p);
-+uint32_t mget_dword(char FAR *p);
-+void mput_word(uint16_t w, char FAR *p);
-+void mput_dword(uint32_t d, char FAR *p);
- #endif
- 
- #endif
diff --git a/archivers/arj/files/patch-arjtypes.c b/archivers/arj/files/patch-arjtypes.c
new file mode 100644
index 000000000000..c0aad52e404b
--- /dev/null
+++ b/archivers/arj/files/patch-arjtypes.c
@@ -0,0 +1,15 @@
+--- arjtypes.c	2005-06-23 UTC
++++ arjtypes.c
+@@ -138,8 +138,11 @@ static int isleapyear(int year)
+ static unsigned long ts_unix2dos(const long ts)
+ {
+  struct tm *stm;
++ time_t _ts;
+ 
+- stm=arj_localtime((time_t*)&ts);
++ _ts = ts;
++
++ stm=arj_localtime(&_ts);
+  return(get_tstamp(stm->tm_year+1900, stm->tm_mon+1, stm->tm_mday,
+         stm->tm_hour, stm->tm_min, stm->tm_sec));
+ }
diff --git a/archivers/arj/files/patch-fardata.c b/archivers/arj/files/patch-fardata.c
deleted file mode 100644
index 1ce033fd6123..000000000000
--- a/archivers/arj/files/patch-fardata.c
+++ /dev/null
@@ -1,29 +0,0 @@
---- fardata.c.orig	2004-04-17 11:39:42 UTC
-+++ fardata.c
-@@ -190,7 +190,7 @@ int msg_sprintf(char *str, FMSG *fmt, ..
- 
- /* Length-limited strlen() */
- 
--static int strnlen(const char FAR *s, int count)
-+static int _strnlen(const char FAR *s, int count)
- {
-  const char FAR *sc;
- 
-@@ -569,7 +569,7 @@ int vcprintf(int ccode, FMSG *fmt, va_li
-     if(!s)
-      s="(null)";
- #endif
--    len=strnlen(s, precision);
-+    len=_strnlen(s, precision);
-     if(!(flags&LEFT))
-     {
-      while(len<field_width--)
-@@ -655,7 +655,7 @@ int vcprintf(int ccode, FMSG *fmt, va_li
-     num=va_arg(args, unsigned long);
-    else if(qualifier=='h')
-    {
--#ifdef __linux__
-+#if defined(__linux__) || defined(__FreeBSD__)
-     if (flags&SIGN)
-      num=va_arg(args, int);             /* num=va_arg(args, short);      */
-     else