Received: by mail.netbsd.org (Postfix, from userid 605) id 74EDA84DAD; Mon, 15 Jul 2019 14:08:04 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id F11DF84D44 for ; Mon, 15 Jul 2019 14:08:03 +0000 (UTC) X-Virus-Scanned: amavisd-new at netbsd.org Received: from mail.netbsd.org ([IPv6:::1]) by localhost (mail.netbsd.org [IPv6:::1]) (amavisd-new, port 10025) with ESMTP id HN9Nv__MEDZr for ; Mon, 15 Jul 2019 14:08:03 +0000 (UTC) Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984]) by mail.netbsd.org (Postfix) with ESMTP id 67FE584D3B for ; Mon, 15 Jul 2019 14:08:03 +0000 (UTC) Received: by cvs.NetBSD.org (Postfix, from userid 500) id 61D84FBF4; Mon, 15 Jul 2019 14:08:03 +0000 (UTC) Content-Transfer-Encoding: 7bit Content-Type: multipart/mixed; boundary="_----------=_1563199683127890" MIME-Version: 1.0 Date: Mon, 15 Jul 2019 14:08:03 +0000 From: "Nia Alarie" Subject: CVS commit: pkgsrc/archivers/unzip To: pkgsrc-changes@NetBSD.org Reply-To: nia@netbsd.org X-Mailer: log_accum Message-Id: <20190715140803.61D84FBF4@cvs.NetBSD.org> Sender: pkgsrc-changes-owner@NetBSD.org List-Id: pkgsrc-changes.NetBSD.org Precedence: bulk List-Unsubscribe: This is a multi-part message in MIME format. --_----------=_1563199683127890 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Module Name: pkgsrc Committed By: nia Date: Mon Jul 15 14:08:03 UTC 2019 Modified Files: pkgsrc/archivers/unzip: Makefile distinfo pkgsrc/archivers/unzip/patches: patch-list.c Log Message: unzip: Apply a patch from CVE-2018-18384 from infozip's sourceforge / debian. To generate a diff of this commit: cvs rdiff -u -r1.95 -r1.96 pkgsrc/archivers/unzip/Makefile cvs rdiff -u -r1.30 -r1.31 pkgsrc/archivers/unzip/distinfo cvs rdiff -u -r1.2 -r1.3 pkgsrc/archivers/unzip/patches/patch-list.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. --_----------=_1563199683127890 Content-Disposition: inline Content-Length: 3031 Content-Transfer-Encoding: binary Content-Type: text/x-diff; charset=us-ascii Modified files: Index: pkgsrc/archivers/unzip/Makefile diff -u pkgsrc/archivers/unzip/Makefile:1.95 pkgsrc/archivers/unzip/Makefile:1.96 --- pkgsrc/archivers/unzip/Makefile:1.95 Sat Feb 4 23:25:59 2017 +++ pkgsrc/archivers/unzip/Makefile Mon Jul 15 14:08:03 2019 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.95 2017/02/04 23:25:59 wiz Exp $ +# $NetBSD: Makefile,v 1.96 2019/07/15 14:08:03 nia Exp $ DISTNAME= unzip60 PKGNAME= unzip-6.0 -PKGREVISION= 8 +PKGREVISION= 9 CATEGORIES= archivers MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ EXTRACT_SUFX= .tgz Index: pkgsrc/archivers/unzip/distinfo diff -u pkgsrc/archivers/unzip/distinfo:1.30 pkgsrc/archivers/unzip/distinfo:1.31 --- pkgsrc/archivers/unzip/distinfo:1.30 Sat Feb 4 23:25:59 2017 +++ pkgsrc/archivers/unzip/distinfo Mon Jul 15 14:08:03 2019 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.30 2017/02/04 23:25:59 wiz Exp $ +$NetBSD: distinfo,v 1.31 2019/07/15 14:08:03 nia Exp $ SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba @@ -9,7 +9,7 @@ SHA1 (patch-ac) = 27b91401d4d5ecc3842c91 SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4 SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 -SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961 +SHA1 (patch-list.c) = 29e6dc3f5d40bb087a8bff58f75eb02568f3ad87 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613 SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31 Index: pkgsrc/archivers/unzip/patches/patch-list.c diff -u pkgsrc/archivers/unzip/patches/patch-list.c:1.2 pkgsrc/archivers/unzip/patches/patch-list.c:1.3 --- pkgsrc/archivers/unzip/patches/patch-list.c:1.2 Sat Feb 4 23:25:59 2017 +++ pkgsrc/archivers/unzip/patches/patch-list.c Mon Jul 15 14:08:03 2019 @@ -1,10 +1,16 @@ -$NetBSD: patch-list.c,v 1.2 2017/02/04 23:25:59 wiz Exp $ +$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $ chunk 1: +CVE-2018-18384 fix from +https://sourceforge.net/p/infozip/bugs/53/ +and +https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/ + +chunk 2: Big-hammer fix for http://seclists.org/oss-sec/2014/q4/497 -chunk 2: +chunk 3: CVE-2014-9913 fix from https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt via @@ -12,6 +18,15 @@ http://www.info-zip.org/phpBB3/viewtopic --- list.c.orig 2009-02-08 17:11:34.000000000 +0000 +++ list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[10]; ++ char sgn, cfactorstr[12]; + int longhdr=(uO.vflag>1); + #endif + int date_format; @@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L; #endif --_----------=_1563199683127890--