Mon Jul 15 14:08:03 2019 UTC ()

unzip: Apply a patch from CVE-2018-18384

from infozip's sourceforge / debian.


(nia)

diff -r1.95 -r1.96 pkgsrc/archivers/unzip/Makefile
diff -r1.30 -r1.31 pkgsrc/archivers/unzip/distinfo
diff -r1.2 -r1.3 pkgsrc/archivers/unzip/patches/patch-list.c

--- pkgsrc/archivers/unzip/Makefile 2017/02/04 23:25:59 1.95
+++ pkgsrc/archivers/unzip/Makefile 2019/07/15 14:08:03 1.96

 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.95 2017/02/04 23:25:59 wiz Exp $
+# $NetBSD: Makefile,v 1.96 2019/07/15 14:08:03 nia Exp $
 DISTNAME=	unzip60
 PKGNAME=	unzip-6.0
-PKGREVISION=	8
+PKGREVISION=	9
 CATEGORIES=	archivers
 MASTER_SITES=	ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=	.tgz
 MAINTAINER=	wiz@NetBSD.org
 HOMEPAGE=	http://www.info-zip.org/UnZip.html
 COMMENT=	List, test and extract compressed files in a ZIP archive
 LICENSE=	info-zip
 REPLACE_SH=	unix/zipgrep
 USE_TOOLS+=	gmake

--- pkgsrc/archivers/unzip/distinfo 2017/02/04 23:25:59 1.30
+++ pkgsrc/archivers/unzip/distinfo 2019/07/15 14:08:03 1.31

 @@ -1,15 +1,15 @@
-$NetBSD: distinfo,v 1.30 2017/02/04 23:25:59 wiz Exp $
+$NetBSD: distinfo,v 1.31 2019/07/15 14:08:03 nia Exp $
 SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
 SHA512 (unzip60.tgz) = 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d
 Size (unzip60.tgz) = 1376845 bytes
 SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69
 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154
 SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
 SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
-SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961
+SHA1 (patch-list.c) = 29e6dc3f5d40bb087a8bff58f75eb02568f3ad87
 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613
 SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31

--- pkgsrc/archivers/unzip/patches/patch-list.c 2017/02/04 23:25:59 1.2
+++ pkgsrc/archivers/unzip/patches/patch-list.c 2019/07/15 14:08:03 1.3

 @@ -1,27 +1,42 @@
-$NetBSD: patch-list.c,v 1.2 2017/02/04 23:25:59 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
 chunk 1:
 CVE-2018-18384 fix from
 https://sourceforge.net/p/infozip/bugs/53/
 and
 https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
 chunk 2:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
-chunk 2:
+chunk 3:
 CVE-2014-9913 fix from
 https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
 via
 http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
 --- list.c.orig	2009-02-08 17:11:34.000000000 +0000
 +++ list.c
@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
      int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
  #ifndef WINDLL
 -    char sgn, cfactorstr[10];
 +    char sgn, cfactorstr[12];
      int longhdr=(uO.vflag>1);
  #endif
      int date_format;
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
      ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
  #endif
      min_info info;
 -    char methbuf[8];
 +    char methbuf[80];
      static ZCONST char dtype[]="NXFS";  /* see zi_short() */
      static ZCONST char Far method[NUM_METHODS+1][8] =
          {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
 @@ -339,7 +339,14 @@ int list_files(__G)    /* return PK-type
                  G.crec.compression_method == ENHDEFLATED) {
                  methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
              } else if (methnum >= NUM_METHODS) {