Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK)) by mollari.NetBSD.org (Postfix) with ESMTPS id E94537A269 for ; Mon, 6 Feb 2017 09:10:47 +0000 (UTC) Received: by mail.netbsd.org (Postfix, from userid 605) id 94111855C7; Mon, 6 Feb 2017 09:10:47 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id 25791855AA for ; Mon, 6 Feb 2017 09:10:47 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id 1ww-u4RvWCoR for ; Mon, 6 Feb 2017 09:10:46 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.netbsd.org [199.233.217.197]) by mail.netbsd.org (Postfix) with ESMTP id 7EAE9855A1 for ; Mon, 6 Feb 2017 09:10:46 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 75877FBE4; Mon, 6 Feb 2017 09:10:46 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1486372246287040" MIME-Version: 1.0 Date: Mon, 6 Feb 2017 09:10:46 +0000 From: "Benny Siegert" Subject: CVS commit: [pkgsrc-2016Q4] pkgsrc/archivers/unzip To: pkgsrc-changes@NetBSD.org Reply-To: bsiegert@netbsd.org X-Mailer: log_accum Message-Id: <20170206091046.75877FBE4@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk This is a multi-part message in MIME format. --_----------=_1486372246287040 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: bsiegert Date: Mon Feb 6 09:10:46 UTC 2017 Modified Files: pkgsrc/archivers/unzip [pkgsrc-2016Q4]: Makefile distinfo pkgsrc/archivers/unzip/patches [pkgsrc-2016Q4]: patch-list.c Added Files: pkgsrc/archivers/unzip/patches [pkgsrc-2016Q4]: patch-zipinfo.c Log Message: Pullup ticket #5207 - requested by wiz archivers/unzip: security fix Revisions pulled up: - archivers/unzip/Makefile 1.95 - archivers/unzip/distinfo 1.30 - archivers/unzip/patches/patch-list.c 1.2 - archivers/unzip/patches/patch-zipinfo.c 1.1 --- Module Name: pkgsrc Committed By: wiz Date: Sat Feb 4 23:25:59 UTC 2017 Modified Files: pkgsrc/archivers/unzip: Makefile distinfo pkgsrc/archivers/unzip/patches: patch-list.c Added Files: pkgsrc/archivers/unzip/patches: patch-zipinfo.c Log Message: Add patches for CVE-2014-9913 and CVE-2016-9844. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.94.4.1 pkgsrc/archivers/unzip/Makefile cvs rdiff -u -r1.29 -r1.29.10.1 pkgsrc/archivers/unzip/distinfo cvs rdiff -u -r1.1 -r1.1.16.1 pkgsrc/archivers/unzip/patches/patch-list.c cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/archivers/unzip/patches/patch-zipinfo.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1486372246287040 Content-Disposition: inline Content-Length: 5037 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/archivers/unzip/Makefile diff -u pkgsrc/archivers/unzip/Makefile:1.94 pkgsrc/archivers/unzip/Makefile:1.94.4.1 --- pkgsrc/archivers/unzip/Makefile:1.94 Tue Sep 13 14:49:16 2016 +++ pkgsrc/archivers/unzip/Makefile Mon Feb 6 09:10:46 2017 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.94 2016/09/13 14:49:16 jperkin Exp $ +# $NetBSD: Makefile,v 1.94.4.1 2017/02/06 09:10:46 bsiegert Exp $ DISTNAME= unzip60 PKGNAME= unzip-6.0 -PKGREVISION= 7 +PKGREVISION= 8 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ EXTRACT_SUFX= .tgz Index: pkgsrc/archivers/unzip/distinfo diff -u pkgsrc/archivers/unzip/distinfo:1.29 pkgsrc/archivers/unzip/distinfo:1.29.10.1 --- pkgsrc/archivers/unzip/distinfo:1.29 Wed Nov 11 12:47:26 2015 +++ pkgsrc/archivers/unzip/distinfo Mon Feb 6 09:10:46 2017 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.29 2015/11/11 12:47:26 wiz Exp $ +$NetBSD: distinfo,v 1.29.10.1 2017/02/06 09:10:46 bsiegert Exp $ SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba @@ -9,6 +9,7 @@ SHA1 (patch-ac) = 27b91401d4d5ecc3842c91 SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4 SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 -SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635 +SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613 +SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31 Index: pkgsrc/archivers/unzip/patches/patch-list.c diff -u pkgsrc/archivers/unzip/patches/patch-list.c:1.1 pkgsrc/archivers/unzip/patches/patch-list.c:1.1.16.1 --- pkgsrc/archivers/unzip/patches/patch-list.c:1.1 Tue Jan 6 14:12:45 2015 +++ pkgsrc/archivers/unzip/patches/patch-list.c Mon Feb 6 09:10:46 2017 @@ -1,8 +1,15 @@ -$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $ +$NetBSD: patch-list.c,v 1.1.16.1 2017/02/06 09:10:46 bsiegert Exp $ +chunk 1: Big-hammer fix for http://seclists.org/oss-sec/2014/q4/497 +chunk 2: +CVE-2014-9913 fix from +https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt +via +http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529 + --- list.c.orig 2009-02-08 17:11:34.000000000 +0000 +++ list.c @@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type @@ -14,3 +21,19 @@ http://seclists.org/oss-sec/2014/q4/497 static ZCONST char dtype[]="NXFS"; /* see zi_short() */ static ZCONST char Far method[NUM_METHODS+1][8] = {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4", +@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type + G.crec.compression_method == ENHDEFLATED) { + methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; + } else if (methnum >= NUM_METHODS) { +- sprintf(&methbuf[4], "%03u", G.crec.compression_method); ++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844. ++ * Use the old decimal format only for values which fit. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); ++ } + } + + #if 0 /* GRR/Euro: add this? */ Added files: Index: pkgsrc/archivers/unzip/patches/patch-zipinfo.c diff -u /dev/null pkgsrc/archivers/unzip/patches/patch-zipinfo.c:1.1.2.2 --- /dev/null Mon Feb 6 09:10:46 2017 +++ pkgsrc/archivers/unzip/patches/patch-zipinfo.c Mon Feb 6 09:10:46 2017 @@ -0,0 +1,27 @@ +$NetBSD: patch-zipinfo.c,v 1.1.2.2 2017/02/06 09:10:46 bsiegert Exp $ + +Fix crash in zipinfo, CVE-2016-9844. +http://www.openwall.com/lists/oss-security/2016/12/05/19 + +--- zipinfo.c.orig 2009-02-08 17:04:30.000000000 +0000 ++++ zipinfo.c +@@ -1921,7 +1921,18 @@ static int zi_short(__G) /* return PK- + ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); + methbuf[3] = dtype[dnum]; + } else if (methnum >= NUM_METHODS) { /* unknown */ +- sprintf(&methbuf[1], "%03u", G.crec.compression_method); ++ /* 2016-12-05 SMS. ++ * https://launchpad.net/bugs/1643750 ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the "u", ++ * and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); ++ } + } + + for (k = 0; k < 15; ++k) --_----------=_1486372246287040--