3 files changed, 16 insertions, 89 deletions

diff --git a/nixpkgs/pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch b/nixpkgs/pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch
deleted file mode 100644
index 42245c92c0aa..000000000000
--- a/nixpkgs/pkgs/tools/archivers/p7zip/12-CVE-2016-9296.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Robert Luberda <robert@debian.org>
-Date: Sat, 19 Nov 2016 08:48:08 +0100
-Subject: Fix nullptr dereference (CVE-2016-9296)
-
-Patch taken from https://sourceforge.net/p/p7zip/bugs/185/
----
- CPP/7zip/Archive/7z/7zIn.cpp | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/CPP/7zip/Archive/7z/7zIn.cpp b/CPP/7zip/Archive/7z/7zIn.cpp
-index b0c6b98..7c6dde2 100644
---- a/CPP/7zip/Archive/7z/7zIn.cpp
-+++ b/CPP/7zip/Archive/7z/7zIn.cpp
-@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedStreams(
-       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
-         ThrowIncorrect();
-   }
--  HeadersSize += folders.PackPositions[folders.NumPackStreams];
-+  if (folders.PackPositions)
-+      HeadersSize += folders.PackPositions[folders.NumPackStreams];
-   return S_OK;
- }
- 
diff --git a/nixpkgs/pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch b/nixpkgs/pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch
deleted file mode 100644
index a9787c4a9088..000000000000
--- a/nixpkgs/pkgs/tools/archivers/p7zip/13-CVE-2017-17969.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: =?utf-8?q?Antoine_Beaupr=C3=A9?= <anarcat@debian.org>
-Date: Fri, 2 Feb 2018 11:11:41 +0100
-Subject: Heap-based buffer overflow in 7zip/Compress/ShrinkDecoder.cpp
-
-Origin: vendor, https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/27d7/attachment/CVE-2017-17969.patch
-Forwarded: https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/#27d7
-Bug: https://sourceforge.net/p/p7zip/bugs/204/
-Bug-Debian: https://bugs.debian.org/888297
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17969
-Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
-Last-Update: 2018-02-01
-Applied-Upstream: 18.00-beta
----
- CPP/7zip/Compress/ShrinkDecoder.cpp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/CPP/7zip/Compress/ShrinkDecoder.cpp b/CPP/7zip/Compress/ShrinkDecoder.cpp
-index 80b7e67..ca37764 100644
---- a/CPP/7zip/Compress/ShrinkDecoder.cpp
-+++ b/CPP/7zip/Compress/ShrinkDecoder.cpp
-@@ -121,8 +121,13 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream *
-     {
-       _stack[i++] = _suffixes[cur];
-       cur = _parents[cur];
-+      if (cur >= kNumItems || i >= kNumItems)
-+        break;
-     }
--    
-+
-+    if (cur >= kNumItems || i >= kNumItems)
-+      break;
-+
-     _stack[i++] = (Byte)cur;
-     lastChar2 = (Byte)cur;
- 
diff --git a/nixpkgs/pkgs/tools/archivers/p7zip/default.nix b/nixpkgs/pkgs/tools/archivers/p7zip/default.nix
index d6ad699eaa8d..773d37f0b758 100644
--- a/nixpkgs/pkgs/tools/archivers/p7zip/default.nix
+++ b/nixpkgs/pkgs/tools/archivers/p7zip/default.nix
@@ -1,28 +1,17 @@
-{ stdenv, fetchurl, fetchpatch, lib, enableUnfree ? false }:
+{ stdenv, fetchFromGitHub, lib, enableUnfree ? false }:
 
 stdenv.mkDerivation rec {
   pname = "p7zip";
-  version = "16.02";
+  version = "17.01";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/p7zip/p7zip_${version}_src_all.tar.bz2";
-    sha256 = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f";
-  };
 
-  patches = [
-    ./12-CVE-2016-9296.patch
-    ./13-CVE-2017-17969.patch
-    (fetchpatch {
-      name = "3-CVE-2018-5996.patch";
-      url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/3-CVE-2018-5996.patch";
-      sha256 = "1zivvkazmza0653i498ccp3zbpbpc7dvxl3zxwllbx41b6n589yp";
-    })
-    (fetchpatch {
-      name = "4-CVE-2018-10115.patch";
-      url = "https://raw.githubusercontent.com/termux/termux-packages/master/packages/p7zip/4-CVE-2018-10115.patch";
-      sha256 = "1cr7q8gnrk9yp6dcvxaqi1yhdbgp964nkv65ls41mw1kdfm44zn6";
-    })
-  ];
+  src = fetchFromGitHub {
+    owner  = "szcnick";
+    repo   = pname;
+    rev    = "v${version}";
+    sha256 = "0gczdmypwbfnxzb11rjrrndjkkb3jzxfby2cchn5j8ysny13mfps";
+  }
+  ;
 
   # Default makefile is full of impurities on Darwin. The patch doesn't hurt Linux so I'm leaving it unconditional
   postPatch = ''
@@ -39,14 +28,15 @@ stdenv.mkDerivation rec {
     # (see DOC/License.txt, https://fedoraproject.org/wiki/Licensing:Unrar)
     rm -r CPP/7zip/Compress/Rar*
     find . -name makefile'*' -exec sed -i '/Rar/d' {} +
+    chmod +x install.sh
   '';
 
   preConfigure = ''
     makeFlagsArray=(DEST_HOME=$out)
-    buildFlags=all3
-  '' + stdenv.lib.optionalString stdenv.isDarwin ''
-    cp makefile.macosx_llvm_64bits makefile.machine
-  '';
+      buildFlags=all3
+        '' + stdenv.lib.optionalString stdenv.isDarwin ''
+        cp makefile.macosx_llvm_64bits makefile.machine
+'';
 
   enableParallelBuilding = true;
 
@@ -55,15 +45,10 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.cc.isClang "-Wno-error=c++11-narrowing";
 
   meta = {
-    homepage = "http://p7zip.sourceforge.net/";
-    description = "A port of the 7-zip archiver";
+    homepage = "https://github.com/szcnick/p7zip";
+    description = "A new p7zip fork with additional codecs and improvements (forked from https://sourceforge.net/projects/p7zip/)";
     platforms = stdenv.lib.platforms.unix;
     maintainers = [ stdenv.lib.maintainers.raskin ];
-    knownVulnerabilities = [
-      # p7zip is abandoned, according to this thread on its forums:
-      # https://sourceforge.net/p/p7zip/discussion/383043/thread/fa143cf2/#1817
-      "p7zip is abandoned and may not receive important security fixes"
-    ];
     # RAR code is under non-free UnRAR license, but we remove it
     license = if enableUnfree then lib.licenses.unfree else lib.licenses.lgpl2Plus;
   };