unzip: Apply a patch for CVE-2018-18384 from infozip's sourceforge / debian.
diff -r1.95 -r1.96 pkgsrc/archivers/unzip/Makefile
(nia)
@@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.95 2017/02/04 23:25:59 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.96 2019/07/15 14:08:03 nia Exp $ | |
2 | 2 | |||
3 | DISTNAME= unzip60 | 3 | DISTNAME= unzip60 | |
4 | PKGNAME= unzip-6.0 | 4 | PKGNAME= unzip-6.0 | |
5 | PKGREVISION= 8 | 5 | PKGREVISION= 9 | |
6 | CATEGORIES= archivers | 6 | CATEGORIES= archivers | |
7 | MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ | 7 | MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ | |
8 | EXTRACT_SUFX= .tgz | 8 | EXTRACT_SUFX= .tgz | |
9 | 9 | |||
10 | MAINTAINER= wiz@NetBSD.org | 10 | MAINTAINER= wiz@NetBSD.org | |
11 | HOMEPAGE= http://www.info-zip.org/UnZip.html | 11 | HOMEPAGE= http://www.info-zip.org/UnZip.html | |
12 | COMMENT= List, test and extract compressed files in a ZIP archive | 12 | COMMENT= List, test and extract compressed files in a ZIP archive | |
13 | LICENSE= info-zip | 13 | LICENSE= info-zip | |
14 | 14 | |||
15 | REPLACE_SH= unix/zipgrep | 15 | REPLACE_SH= unix/zipgrep | |
16 | 16 | |||
17 | USE_TOOLS+= gmake | 17 | USE_TOOLS+= gmake | |
18 | 18 |
@@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
1 | $NetBSD: distinfo,v 1.30 2017/02/04 23:25:59 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.31 2019/07/15 14:08:03 nia Exp $ | |
2 | 2 | |||
3 | SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 | 3 | SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22 | |
4 | RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba | 4 | RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba | |
5 | SHA512 (unzip60.tgz) = 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d | 5 | SHA512 (unzip60.tgz) = 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d | |
6 | Size (unzip60.tgz) = 1376845 bytes | 6 | Size (unzip60.tgz) = 1376845 bytes | |
7 | SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69 | 7 | SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69 | |
8 | SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154 | 8 | SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154 | |
9 | SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4 | 9 | SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4 | |
10 | SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732 | 10 | SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732 | |
11 | SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 | 11 | SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534 | |
12 | SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961 | 12 | SHA1 (patch-list.c) = 29e6dc3f5d40bb087a8bff58f75eb02568f3ad87 | |
13 | SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 | 13 | SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812 | |
14 | SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613 | 14 | SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613 | |
15 | SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31 | 15 | SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31 |
@@ -1,27 +1,42 @@ | @@ -1,27 +1,42 @@ | |||
1 | $NetBSD: patch-list.c,v 1.2 2017/02/04 23:25:59 wiz Exp $ | 1 | $NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $ | |
2 | 2 | |||
3 | chunk 1: | 3 | chunk 1: | |
4 | CVE-2018-18384 fix from | |||
5 | https://sourceforge.net/p/infozip/bugs/53/ | |||
6 | and | |||
7 | https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/ | |||
8 | ||||
9 | chunk 2: | |||
4 | Big-hammer fix for | 10 | Big-hammer fix for | |
5 | http://seclists.org/oss-sec/2014/q4/497 | 11 | http://seclists.org/oss-sec/2014/q4/497 | |
6 | 12 | |||
7 | chunk 2: | 13 | chunk 3: | |
8 | CVE-2014-9913 fix from | 14 | CVE-2014-9913 fix from | |
9 | https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt | 15 | https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt | |
10 | via | 16 | via | |
11 | http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529 | 17 | http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529 | |
12 | 18 | |||
13 | --- list.c.orig 2009-02-08 17:11:34.000000000 +0000 | 19 | --- list.c.orig 2009-02-08 17:11:34.000000000 +0000 | |
14 | +++ list.c | 20 | +++ list.c | |
21 | @@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type | |||
22 | { | |||
23 | int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; | |||
24 | #ifndef WINDLL | |||
25 | - char sgn, cfactorstr[10]; | |||
26 | + char sgn, cfactorstr[12]; | |||
27 | int longhdr=(uO.vflag>1); | |||
28 | #endif | |||
29 | int date_format; | |||
15 | @@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type | 30 | @@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type | |
16 | ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L; | 31 | ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L; | |
17 | #endif | 32 | #endif | |
18 | min_info info; | 33 | min_info info; | |
19 | - char methbuf[8]; | 34 | - char methbuf[8]; | |
20 | + char methbuf[80]; | 35 | + char methbuf[80]; | |
21 | static ZCONST char dtype[]="NXFS"; /* see zi_short() */ | 36 | static ZCONST char dtype[]="NXFS"; /* see zi_short() */ | |
22 | static ZCONST char Far method[NUM_METHODS+1][8] = | 37 | static ZCONST char Far method[NUM_METHODS+1][8] = | |
23 | {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4", | 38 | {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4", | |
24 | @@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type | 39 | @@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type | |
25 | G.crec.compression_method == ENHDEFLATED) { | 40 | G.crec.compression_method == ENHDEFLATED) { | |
26 | methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; | 41 | methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; | |
27 | } else if (methnum >= NUM_METHODS) { | 42 | } else if (methnum >= NUM_METHODS) { |
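Review bot: The new chunk 1 (patch lines 21-29) addresses CVE-2018-18384 only by widening `cfactorstr` from 10 to 12 bytes, and nothing at the declaration records why 12 is sufficient. The code that formats into `cfactorstr` is outside the hunk, so it cannot be confirmed from here that the write is bounded; if it is an unbounded `sprintf`-style call, the fix still depends on an unstated assumption about the largest value `cfactor` can take. I would add a comment at the declaration, for example `/* must hold the longest formatted compression factor plus NUL; see CVE-2018-18384 */`, and consider a follow-up chunk that bounds the write at the call site with `sizeof(cfactorstr)`, as the existing "big-hammer" `methbuf[80]` chunk has the same reliance on size alone. The body of `list_files` starts and ends outside the visible lines.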