From 6fe212475c537f06e48949824b5dc44b63f47872 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Wed, 7 Jun 2023 10:40:28 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 unzip revision 40ed47221ed2fba016482a67ccc49e15 --- .gitattributes | 23 + CVE-2014-9913.patch | 24 + CVE-2015-7696.patch | 35 ++ CVE-2015-7697.patch | 41 ++ CVE-2016-9844.patch | 24 + CVE-2018-1000035.patch | 39 ++ CVE-2022-0529.patch | 37 ++ CVE-2022-0530.patch | 28 ++ Fix-CVE-2014-8139-unzip.patch | 78 ++++ Fix-CVE-2014-8140-and-CVE-2014-8141.patch | 181 ++++++++ Fix-CVE-2014-9636-unzip-buffer-overflow.patch | 41 ++ _multibuild | 3 + pre_checkin.sh | 10 + unzip-5.52-filename_too_long.patch | 31 ++ unzip-5.52-use_librcc.patch | 176 ++++++++ unzip-dont_call_isprint.patch | 15 + unzip-initialize-the-symlink-flag.patch | 20 + unzip-iso8859_2.patch | 181 ++++++++ unzip-no-build-date.patch | 98 +++++ unzip-no_file_name_translation.patch | 97 +++++ unzip-open_missing_mode.patch | 77 ++++ unzip-optflags.patch | 22 + unzip-rcc.changes | 411 ++++++++++++++++++ unzip-rcc.spec | 188 ++++++++ unzip.changes | 411 ++++++++++++++++++ unzip.dif | 24 + unzip.spec | 188 ++++++++ unzip60-cfactorstr_overflow.patch | 35 ++ unzip60-total_disks_zero.patch | 24 + unzip60.tar.gz | 3 + 30 files changed, 2565 insertions(+) create mode 100644 .gitattributes create mode 100644 CVE-2014-9913.patch create mode 100644 CVE-2015-7696.patch create mode 100644 CVE-2015-7697.patch create mode 100644 CVE-2016-9844.patch create mode 100644 CVE-2018-1000035.patch create mode 100644 CVE-2022-0529.patch create mode 100644 CVE-2022-0530.patch create mode 100644 Fix-CVE-2014-8139-unzip.patch create mode 100644 Fix-CVE-2014-8140-and-CVE-2014-8141.patch create mode 100644 Fix-CVE-2014-9636-unzip-buffer-overflow.patch create mode 100644 _multibuild create mode 100644 pre_checkin.sh create mode 100644 unzip-5.52-filename_too_long.patch create mode 100644 unzip-5.52-use_librcc.patch create mode 100644 unzip-dont_call_isprint.patch create mode 100644 unzip-initialize-the-symlink-flag.patch create mode 100644 unzip-iso8859_2.patch create mode 100644 unzip-no-build-date.patch create mode 100644 unzip-no_file_name_translation.patch create mode 100644 unzip-open_missing_mode.patch create mode 100644 unzip-optflags.patch create mode 100644 unzip-rcc.changes create mode 100644 unzip-rcc.spec create mode 100644 unzip.changes create mode 100644 unzip.dif create mode 100644 unzip.spec create mode 100644 unzip60-cfactorstr_overflow.patch create mode 100644 unzip60-total_disks_zero.patch create mode 100644 unzip60.tar.gz diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/CVE-2014-9913.patch b/CVE-2014-9913.patch new file mode 100644 index 0000000..eca36d0 --- /dev/null +++ b/CVE-2014-9913.patch @@ -0,0 +1,24 @@ +Index: unzip60/list.c +=================================================================== +--- unzip60.orig/list.c ++++ unzip60/list.c +@@ -339,7 +339,18 @@ int list_files(__G) /* return PK-type + G.crec.compression_method == ENHDEFLATED) { + methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; + } else if (methnum >= NUM_METHODS) { +- sprintf(&methbuf[4], "%03u", G.crec.compression_method); ++ /* 2013-02-26 SMS. ++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913. ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the ++ * colon, and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); ++ } + } + + #if 0 /* GRR/Euro: add this? */ diff --git a/CVE-2015-7696.patch b/CVE-2015-7696.patch new file mode 100644 index 0000000..0cc9567 --- /dev/null +++ b/CVE-2015-7696.patch @@ -0,0 +1,35 @@ +From: Petr Stodulka +Date: Mon, 14 Sep 2015 18:23:17 +0200 +Subject: Upstream fix for heap overflow +Bug-Debian: https://bugs.debian.org/802162 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 +Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002 +Forwarded: yes + +--- + crypt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +Index: unzip60/crypt.c +=================================================================== +--- unzip60.orig/crypt.c ++++ unzip60/crypt.c +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } diff --git a/CVE-2015-7697.patch b/CVE-2015-7697.patch new file mode 100644 index 0000000..36fea42 --- /dev/null +++ b/CVE-2015-7697.patch @@ -0,0 +1,41 @@ +From: Kamil Dudka +Date: Mon, 14 Sep 2015 18:24:56 +0200 +Subject: fix infinite loop when extracting empty bzip2 data +Bug-Debian: https://bugs.debian.org/802160 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 +Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339 + +--- + extract.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: unzip60/extract.c +=================================================================== +--- unzip60.orig/extract.c ++++ unzip60/extract.c +@@ -2721,6 +2721,12 @@ __GDEF + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; +Index: unzip60/zipinfo.c +=================================================================== +--- unzip60.orig/zipinfo.c ++++ unzip60/zipinfo.c +@@ -1888,7 +1888,7 @@ static int zi_short(__G) /* return PK- + int k, error, error_in_archive=PK_COOL; + unsigned hostnum, hostver, methid, methnum, xattr; + char *p, workspace[12], attribs[16]; +- char methbuf[5]; ++ char methbuf[1+5+1]; /* large enough to hold 1 character + an unsigned short + NUL */ + static ZCONST char dtype[5]="NXFS"; /* normal, maximum, fast, superfast */ + static ZCONST char Far os[NUM_HOSTS+1][4] = { + "fat", "ami", "vms", "unx", "cms", "atr", "hpf", "mac", "zzz", diff --git a/CVE-2016-9844.patch b/CVE-2016-9844.patch new file mode 100644 index 0000000..d19c298 --- /dev/null +++ b/CVE-2016-9844.patch @@ -0,0 +1,24 @@ +Index: unzip60/zipinfo.c +=================================================================== +--- unzip60.orig/zipinfo.c ++++ unzip60/zipinfo.c +@@ -1927,7 +1927,18 @@ static int zi_short(__G) /* return PK- + ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); + methbuf[3] = dtype[dnum]; + } else if (methnum >= NUM_METHODS) { /* unknown */ +- sprintf(&methbuf[1], "%03u", G.crec.compression_method); ++ /* 2016-12-05 SMS. ++ * https://launchpad.net/bugs/1643750 CVE-2016-9844. ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the "u", ++ * and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); ++ } + } + + for (k = 0; k < 15; ++k) diff --git a/CVE-2018-1000035.patch b/CVE-2018-1000035.patch new file mode 100644 index 0000000..0a5d026 --- /dev/null +++ b/CVE-2018-1000035.patch @@ -0,0 +1,39 @@ +From: +Date: Thu Feb 8 15:10:03 CET 2018 +Upstream: merged +References: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548 + +Index: fileio.c +=================================================================== +--- fileio.c.orig ++++ fileio.c +@@ -1613,7 +1613,11 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, + int r = IZ_PW_ENTERED; + char *m; + char *prompt; +- ++ char *zfnf; ++ char *efnf; ++ size_t zfnfl; ++ int isOverflow; ++ + #ifndef REENTRANT + /* tell picky compilers to shut up about "unused variable" warnings */ + pG = pG; +@@ -1621,7 +1625,15 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, + + if (*rcnt == 0) { /* First call for current entry */ + *rcnt = 2; +- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) { ++ zfnf = FnFilter1(zfn); ++ efnf = FnFilter2(efn); ++ zfnfl = strlen(zfnf); ++ isOverflow = TRUE; ++ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf)) ++ { ++ isOverflow = FALSE; ++ } ++ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) { + sprintf(prompt, LoadFarString(PasswPrompt), + FnFilter1(zfn), FnFilter2(efn)); + m = prompt; diff --git a/CVE-2022-0529.patch b/CVE-2022-0529.patch new file mode 100644 index 0000000..063310f --- /dev/null +++ b/CVE-2022-0529.patch @@ -0,0 +1,37 @@ +From: Enrico Zini +Subject: Fix wide string conversion +Bug-Debian: https://bugs.debian.org/1010355 +X-Debian-version: 6.0-27 + +--- a/process.c ++++ b/process.c +@@ -2507,13 +2507,15 @@ + char buf[9]; + char *buffer = NULL; + char *local_string = NULL; ++ size_t buffer_size; + + for (wsize = 0; wide_string[wsize]; wsize++) ; + + if (max_bytes < MAX_ESCAPE_BYTES) + max_bytes = MAX_ESCAPE_BYTES; + +- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) { ++ buffer_size = wsize * max_bytes + 1; ++ if ((buffer = (char *)malloc(buffer_size)) == NULL) { + return NULL; + } + +@@ -2552,7 +2554,11 @@ + /* no MB for this wide */ + /* use escape for wide character */ + char *escape_string = wide_to_escape_string(wide_string[i]); +- strcat(buffer, escape_string); ++ size_t buffer_len = strlen(buffer); ++ size_t escape_string_len = strlen(escape_string); ++ if (buffer_len + escape_string_len + 1 > buffer_size) ++ escape_string_len = buffer_size - buffer_len - 1; ++ strncat(buffer, escape_string, escape_string_len); + free(escape_string); + } + } diff --git a/CVE-2022-0530.patch b/CVE-2022-0530.patch new file mode 100644 index 0000000..cb134bb --- /dev/null +++ b/CVE-2022-0530.patch @@ -0,0 +1,28 @@ +From: Enrico Zini +Subject: Fix null pointer dereference on invalid UTF-8 input +Bug-Debian: https://bugs.debian.org/1010355 +X-Debian-version: 6.0-27 + +--- a/fileio.c ++++ b/fileio.c +@@ -2361,6 +2361,9 @@ + /* convert UTF-8 to local character set */ + fn = utf8_to_local_string(G.unipath_filename, + G.unicode_escape_all); ++ if (fn == NULL) ++ return PK_ERR; ++ + /* make sure filename is short enough */ + if (strlen(fn) >= FILNAMSIZ) { + fn[FILNAMSIZ - 1] = '\0'; +--- a/process.c ++++ b/process.c +@@ -2611,6 +2611,8 @@ + int escape_all; + { + zwchar *wide = utf8_to_wide_string(utf8_string); ++ if (wide == NULL) ++ return NULL; + char *loc = wide_to_local_string(wide, escape_all); + free(wide); + return loc; diff --git a/Fix-CVE-2014-8139-unzip.patch b/Fix-CVE-2014-8139-unzip.patch new file mode 100644 index 0000000..37d8393 --- /dev/null +++ b/Fix-CVE-2014-8139-unzip.patch @@ -0,0 +1,78 @@ +diff --git a/extract.c b/extract.c +index 9ef80b3..c741b5f 100644 +--- a/extract.c ++++ b/extract.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] = + #ifndef SFX + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ ++ EF block length (%u bytes) invalid (< %d)\n"; + static ZCONST char Far InvalidComprDataEAs[] = + " invalid compressed data for EAs\n"; + # if (defined(WIN32) && defined(NTSD_EAS)) +@@ -2020,7 +2022,8 @@ static int TestExtraField(__G__ ef, ef_len) + ebID = makeword(ef); + ebLen = (unsigned)makeword(ef+EB_LEN); + +- if (ebLen > (ef_len - EB_HEADSIZE)) { ++ if (ebLen > (ef_len - EB_HEADSIZE)) ++ { + /* Discovered some extra field inconsistency! */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", +@@ -2155,11 +2158,29 @@ static int TestExtraField(__G__ ef, ef_len) + } + break; + case EF_PKVMS: +- if (makelong(ef+EB_HEADSIZE) != +- crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), +- (extent)(ebLen-4))) +- Info(slide, 1, ((char *)slide, +- LoadFarString(BadCRC_EAs))); ++ /* 2015-01-30 SMS. Added sufficient-bytes test/message ++ * here. (Removed defective ebLen test above.) ++ * ++ * If sufficient bytes (EB_PKVMS_MINLEN) are available, ++ * then compare the stored CRC value with the calculated ++ * CRC for the remainder of the data (and complain about ++ * a mismatch). ++ */ ++ if (ebLen < EB_PKVMS_MINLEN) ++ { ++ /* Insufficient bytes available. */ ++ Info( slide, 1, ++ ((char *)slide, LoadFarString( TooSmallEBlength), ++ ebLen, EB_PKVMS_MINLEN)); ++ } ++ else if (makelong(ef+ EB_HEADSIZE) != ++ crc32(CRCVAL_INITIAL, ++ (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN), ++ (extent)(ebLen- EB_PKVMS_MINLEN))) ++ { ++ Info(slide, 1, ((char *)slide, ++ LoadFarString(BadCRC_EAs))); ++ } + break; + case EF_PKW32: + case EF_PKUNIX: +diff --git a/unzpriv.h b/unzpriv.h +index 005cee0..5c83a6e 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -1806,6 +1806,8 @@ + #define EB_NTSD_VERSION 4 /* offset of NTSD version byte */ + #define EB_NTSD_MAX_VER (0) /* maximum version # we know how to handle */ + ++#define EB_PKVMS_MINLEN 4 /* minimum data length of PKVMS extra block */ ++ + #define EB_ASI_CRC32 0 /* offset of ASI Unix field's crc32 checksum */ + #define EB_ASI_MODE 4 /* offset of ASI Unix permission mode field */ + diff --git a/Fix-CVE-2014-8140-and-CVE-2014-8141.patch b/Fix-CVE-2014-8140-and-CVE-2014-8141.patch new file mode 100644 index 0000000..c3392de --- /dev/null +++ b/Fix-CVE-2014-8140-and-CVE-2014-8141.patch @@ -0,0 +1,181 @@ +From 3e74a01aec1ab48c3848ac50fc2f8ed8b177b400 Mon Sep 17 00:00:00 2001 +From: Thorsten Behrens +Date: Sat, 20 Dec 2014 01:56:42 +0100 +Subject: [PATCH] Fix CVE-2014-8140 and CVE-2014-8141 + +CVE-2014-8140 unzip: write error (*_8349_*) shows a problem in +extract.c:test_compr_eb() + +CVE-2014-8141 unzip: read errors (*_6430_*, *_3422_*) show problems in +process.c:getZip64Data() +--- + extract.c | 13 +++++++++--- + fileio.c | 9 ++++++++- + process.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++---------------- + 3 files changed, 69 insertions(+), 21 deletions(-) + +diff --git a/extract.c b/extract.c +index 78f637e..5d27e4b 100644 +--- a/extract.c ++++ b/extract.c +@@ -2234,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ + ++ /* Return no/bad-data error status if any problem is found: ++ * 1. eb_size is too small to hold the uncompressed size ++ * (eb_ucsize). (Else extract eb_ucsize.) ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. ++ * 3. eb_ucsize is positive, but eb_size is too small to hold ++ * the compressed data header. ++ */ + if ((eb_size < (EB_UCSIZE_P + 4)) || +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && +- eb_size <= (compr_offset + EB_CMPRHEADLEN))) +- return IZ_EF_TRUNC; /* no compressed data! */ ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) ++ return IZ_EF_TRUNC; /* no/bad compressed data! */ + + if ( + #ifdef INT_16BIT +diff --git a/fileio.c b/fileio.c +index a381855..de93728 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -181,6 +181,8 @@ static ZCONST char Far FilenameTooLongTrunc[] = + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; ++static ZCONST char Far ExtraFieldCorrupt[] = ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; + + #ifdef WINDLL + static ZCONST char Far DiskFullQuery[] = +@@ -2326,7 +2328,12 @@ int do_string(__G__ length, option) /* return PK-type error code */ + if (readbuf(__G__ (char *)G.extra_field, length) == 0) + return PK_EOF; + /* Looks like here is where extra fields are read */ +- getZip64Data(__G__ G.extra_field, length); ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) ++ { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); ++ error = PK_WARN; ++ } + #ifdef UNICODE_SUPPORT + G.unipath_filename = NULL; + if (G.UzO.U_flag < 2) { +diff --git a/process.c b/process.c +index f1b7602..828c8aa 100644 +--- a/process.c ++++ b/process.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -1901,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len) + and a 4-byte version of disk start number. + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. ++ ++ 2014-12-05 SMS. ++ Added checks to ensure that enough data are available before calling ++ makeint64() or makelong(). Replaced various sizeof() values with ++ simple ("4" or "8") constants. (The Zip64 structures do not depend ++ on our variable sizes.) Error handling is crude, but we should now ++ stay within the buffer. + ---------------------------------------------------------------------------*/ + ++#define Z64FLGS 0xffff ++#define Z64FLGL 0xffffffff ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + + Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", + ef_len)); + +- while (ef_len >= EB_HEADSIZE) { ++ while (ef_len >= EB_HEADSIZE) ++ { + eb_id = makeword(EB_ID + ef_buf); + eb_len = makeword(EB_LEN + ef_buf); + +- if (eb_len > (ef_len - EB_HEADSIZE)) { +- /* discovered some extra field inconsistency! */ ++ if (eb_len > (ef_len - EB_HEADSIZE)) ++ { ++ /* Extra block length exceeds remaining extra field length. */ + Trace((stderr, + "getZip64Data: block length %u > rest ef_size %u\n", eb_len, + ef_len - EB_HEADSIZE)); + break; + } +- if (eb_id == EF_PKSZ64) { +- ++ if (eb_id == EF_PKSZ64) ++ { + int offset = EB_HEADSIZE; + +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.ucsize); ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.csize); ++ ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.relative_offset_local_header == 0xffffffff){ ++ ++ if (G.crec.relative_offset_local_header == Z64FLGL) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.relative_offset_local_header); ++ offset += 8; + } +- if (G.crec.disk_number_start == 0xffff){ ++ ++ if (G.crec.disk_number_start == Z64FLGS) ++ { ++ if (offset+ 4 > ef_len) ++ return PK_ERR; ++ + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); +- offset += sizeof(G.crec.disk_number_start); ++ offset += 4; + } ++#if 0 ++ break; /* Expect only one EF_PKSZ64 block. */ ++#endif /* 0 */ + } + +- /* Skip this extra field block */ ++ /* Skip this extra field block. */ + ef_buf += (eb_len + EB_HEADSIZE); + ef_len -= (eb_len + EB_HEADSIZE); + } +-- +1.8.4.5 + diff --git a/Fix-CVE-2014-9636-unzip-buffer-overflow.patch b/Fix-CVE-2014-9636-unzip-buffer-overflow.patch new file mode 100644 index 0000000..ba9473e --- /dev/null +++ b/Fix-CVE-2014-9636-unzip-buffer-overflow.patch @@ -0,0 +1,41 @@ +From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 +From: mancha +Date: Wed, 11 Feb 2015 +Subject: Info-ZIP UnZip buffer overflow + +By carefully crafting a corrupt ZIP archive with "extra fields" that +purport to have compressed blocks larger than the corresponding +uncompressed blocks in STORED no-compression mode, an attacker can +trigger a heap overflow that can result in application crash or +possibly have other unspecified impact. + +This patch ensures that when extra fields use STORED mode, the +"compressed" and uncompressed block sizes match. + +--- + extract.c | 7 +++++++ + 1 file changed, 7 insertions(+) +--- unzip60/extract.c ++++ unzip60/extract.c +@@ -2230,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2246,6 +2247,13 @@ static int test_compr_eb(__G__ eb, eb_si + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) + return IZ_EF_TRUNC; /* no/bad compressed data! */ + ++ method = makeword(eb + (EB_HEADSIZE + compr_offset)); ++ if ((method == STORED) && ++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)) ++ return PK_ERR; /* compressed & uncompressed ++ * should match in STORED ++ * method */ ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..0a16603 --- /dev/null +++ b/_multibuild @@ -0,0 +1,3 @@ + + unzip-rcc + \ No newline at end of file diff --git a/pre_checkin.sh b/pre_checkin.sh new file mode 100644 index 0000000..f393581 --- /dev/null +++ b/pre_checkin.sh @@ -0,0 +1,10 @@ +#! /bin/sh + +cp unzip.spec unzip-rcc.spec +cp unzip.changes unzip-rcc.changes + +sed -i -e 's,Name: .*,Name: unzip-rcc,' unzip-rcc.spec +sed -i -e 's,%bcond_with rcc,%bcond_without rcc,' unzip-rcc.spec + +osc service localrun format_spec_file + diff --git a/unzip-5.52-filename_too_long.patch b/unzip-5.52-filename_too_long.patch new file mode 100644 index 0000000..eddde60 --- /dev/null +++ b/unzip-5.52-filename_too_long.patch @@ -0,0 +1,31 @@ +Index: process.c +=================================================================== +--- process.c.orig 2009-03-06 02:25:10.000000000 +0100 ++++ process.c 2010-05-21 13:17:28.292590863 +0200 +@@ -203,6 +203,8 @@ static ZCONST char Far Cent64EndSigSearc + #endif + static ZCONST char Far ZipfileCommTrunc1[] = + "\ncaution: zipfile comment truncated\n"; ++static ZCONST char Far FileNameTooLong[] = ++ "%s: error: %s (truncated): %s\n"; + #ifndef NO_ZIPINFO + static ZCONST char Far NoZipfileComment[] = + "There is no zipfile comment.\n"; +@@ -390,6 +392,17 @@ int process_zipfiles(__G) /* return P + + lastzipfn = G.zipfn; + ++ if (strlen(G.wildzipfn) > strlen(G.zipfn)) ++ { ++ Info(slide, 1, ((char *)slide, ++ LoadFarString(FileNameTooLong), ++ uO.zipinfo_mode? LoadFarStringSmall(Zipnfo) : LoadFarStringSmall(Unzip), ++ G.zipfn, strerror(ENAMETOOLONG))); ++ ++ free_G_buffers(__G); ++ return PK_NOZIP; ++ } ++ + /* print a blank line between the output of different zipfiles */ + if (!uO.qflag && error != PK_NOZIP && error != IZ_DIR + #ifdef TIMESTAMP diff --git a/unzip-5.52-use_librcc.patch b/unzip-5.52-use_librcc.patch new file mode 100644 index 0000000..e7b99df --- /dev/null +++ b/unzip-5.52-use_librcc.patch @@ -0,0 +1,176 @@ +Author: Suren A. Chilingaryan +Description: Provides header file + +Index: dsrecode.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ dsrecode.c 2010-05-21 14:25:19.192590879 +0200 +@@ -0,0 +1,137 @@ ++#include ++ ++static rcc_class_default_charset default_oem[] = ++{ ++ { "ru", "IBM866" }, ++ { NULL, NULL } ++}; ++ ++static rcc_class_default_charset default_iso[] = ++{ ++ { "ru", "CP1251" }, ++ { NULL, NULL } ++}; ++ ++#define OEM_CLASS 0 ++#define ISO_CLASS 1 ++#define OUT_CLASS 2 ++static rcc_class classes[] = ++{ ++ { "oem", RCC_CLASS_STANDARD, NULL, default_oem, "OEM_INTERN", 0 }, ++ { "iso", RCC_CLASS_STANDARD, NULL, default_iso, "ISO_INTERN", 0 }, ++ { "out", RCC_CLASS_STANDARD, "LC_CTYPE", NULL, "Output", 0 }, ++ { NULL } ++}; ++ ++int initialized = 0; ++ ++#ifdef RCC_LAZY ++#include ++# define RCC_LIBRARY "librcc.so.0" ++int (*rccInit2)(void); ++int (*rccFree2)(void); ++int (*rccInitDefaultContext2)(const char *locale_variable, ++ unsigned int max_languages, ++ unsigned int max_classes, ++ rcc_class_ptr defclasses, ++ rcc_init_flags flags); ++int (*rccInitDb42)(rcc_context ctx, const char *name, rcc_db4_flags flags); ++char* (*rccSizedRecode2)(rcc_context ctx, rcc_class_id from, rcc_class_id to, ++ const char *buf, size_t len, size_t *rlen); ++int (*rccLoad2)(rcc_context ctx, const char *name); ++ ++ ++static char *rccRecode2(rcc_context ctx, rcc_class_id from, ++ rcc_class_id to, const char *buf) ++{ ++ return rccSizedRecode2(ctx, from, to, buf, 0, NULL); ++} ++ ++void *rcc_handle; ++#else /* RCC_LAZY */ ++#define rccInit2 rccInit ++#define rccFree2 rccFree ++#define rccInitDefaultContext2 rccInitDefaultContext ++#define rccInitDb42 rccInitDb4 ++#define rccRecode2 rccRecode ++#define rccLoad2 rccLoad ++#endif /* RCC_LAZY */ ++ ++static void rccUnzipFree(void) ++{ ++ if (initialized > 0) { ++ rccFree2(); ++#ifdef RCC_LAZY ++ dlclose(rcc_handle); ++#endif /* RCC_LAZY */ ++ initialized = 0; ++ } ++} ++ ++ ++static int rccUnzipInit(void) ++{ ++ if (initialized) return 0; ++ ++#ifdef RCC_LAZY ++ rcc_handle = dlopen(RCC_LIBRARY, RTLD_NOW); ++ if (!rcc_handle) { ++ initialized = -1; ++ return 1; ++ } ++ ++ rccInit2 = dlsym(rcc_handle, "rccInit"); ++ rccFree2 = dlsym(rcc_handle, "rccFree"); ++ rccInitDefaultContext2 = dlsym(rcc_handle, "rccInitDefaultContext"); ++ rccInitDb42 = dlsym(rcc_handle, "rccInitDb4"); ++ rccSizedRecode2 = dlsym(rcc_handle, "rccSizedRecode"); ++ rccLoad2 = dlsym(rcc_handle, "rccLoad"); ++ ++ if ((!rccInit2) || (!rccFree2) || (!rccInitDefaultContext2) || ++ (!rccInitDb42) || (!rccSizedRecode2) || (!rccLoad2)) { ++ dlclose(rcc_handle); ++ initialized = -1; ++ return 1; ++ } ++#endif /* RCC_LAZY */ ++ ++ rccInit2(); ++ rccInitDefaultContext2(NULL, 0, 0, classes, 0); ++ rccLoad2(NULL, "zip"); ++ rccInitDb42(NULL, NULL, 0); ++ atexit(rccUnzipFree); ++ initialized = 1; ++ return 0; ++} ++ ++ ++ ++void _DS_OEM_INTERN(char *string) ++{ ++ char *str; ++ rccUnzipInit(); ++ ++ if (initialized>0) { ++ str = rccRecode2(NULL, OEM_CLASS, OUT_CLASS, string); ++ ++ if (str) { ++ strncpy(string,str,FILNAMSIZ); ++ free(str); ++ } ++ } ++} ++ ++void _DS_ISO_INTERN(char *string) ++{ ++ char *str; ++ rccUnzipInit(); ++ ++ if (initialized>0) { ++ str = rccRecode2(NULL, ISO_CLASS, OUT_CLASS, string); ++ ++ if (str) { ++ strncpy(string,str,FILNAMSIZ); ++ free(str); ++ } ++ } ++} +Index: fileio.c +=================================================================== +--- fileio.c.orig 2010-05-21 14:25:19.172590765 +0200 ++++ fileio.c 2010-05-21 14:25:19.192590879 +0200 +@@ -82,7 +82,7 @@ + # endif + #endif + #include "ebcdic.h" /* definition/initialization of ebcdic[] */ +- ++#include "dsrecode.c" + + /* + Note: Under Windows, the maximum size of the buffer that can be used +Index: unzpriv.h +=================================================================== +--- unzpriv.h.orig 2010-05-21 14:24:55.632590821 +0200 ++++ unzpriv.h 2010-05-21 14:25:19.220590722 +0200 +@@ -3025,10 +3025,11 @@ char *GetLoadPath OF((__GPRO)); + !(((islochdr) || (isuxatt)) && \ + ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \ + (hostnum) == FS_HPFS_ || \ ++ (hostnum) == UNIX_ || \ + ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \ +- _OEM_INTERN((string)); \ ++ _DS_OEM_INTERN((string)); \ + } else { \ +- _ISO_INTERN((string)); \ ++ _DS_ISO_INTERN((string)); \ + }} + #endif + diff --git a/unzip-dont_call_isprint.patch b/unzip-dont_call_isprint.patch new file mode 100644 index 0000000..f76ba7d --- /dev/null +++ b/unzip-dont_call_isprint.patch @@ -0,0 +1,15 @@ +Author: Suren A. Chilingaryan + +Index: extract.c +=================================================================== +--- extract.c.orig 2009-03-14 04:32:52.000000000 +0300 ++++ extract.c 2010-07-07 17:29:52.000000000 +0400 +@@ -2596,7 +2596,7 @@ char *fnfilter(raw, space, size) /* co + */ + # define UZ_FNFILTER_REPLACECHAR '?' + # endif +- if (!isprint(*r)) { ++ if (*r < 32) { //(!isprint(*r)) { + if (*r < 32) { + /* ASCII control codes are escaped as "^{letter}". */ + if (se != NULL && (s > (space + (size-4)))) { diff --git a/unzip-initialize-the-symlink-flag.patch b/unzip-initialize-the-symlink-flag.patch new file mode 100644 index 0000000..11fa0d9 --- /dev/null +++ b/unzip-initialize-the-symlink-flag.patch @@ -0,0 +1,20 @@ +From: Andreas Schwab +Subject: Initialize the symlink flag +Bug-Debian: https://bugs.debian.org/717029 +X-Debian-version: 6.0-10 + +--- a/process.c ++++ b/process.c +@@ -1758,6 +1758,12 @@ + = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11); + #endif + ++#ifdef SYMLINKS ++ /* Initialize the symlink flag, may be set by the platform-specific ++ mapattr function. */ ++ G.pInfo->symlink = 0; ++#endif ++ + return PK_COOL; + + } /* end function process_cdir_file_hdr() */ diff --git a/unzip-iso8859_2.patch b/unzip-iso8859_2.patch new file mode 100644 index 0000000..d2a6ad6 --- /dev/null +++ b/unzip-iso8859_2.patch @@ -0,0 +1,181 @@ +Index: ebcdic.h +=================================================================== +--- ebcdic.h.orig 2008-03-21 13:04:22.000000000 +0100 ++++ ebcdic.h 2010-05-21 14:07:51.000091055 +0200 +@@ -254,6 +254,25 @@ ZCONST uch Far iso2oem_850[] = { + 0xD0, 0xA4, 0x95, 0xA2, 0x93, 0xE4, 0x94, 0xF6, /* F0 - F7 */ + 0x9B, 0x97, 0xA3, 0x96, 0x81, 0xEC, 0xE7, 0x98 /* F8 - FF */ + }; ++ ++ZCONST uch Far iso2oem_2[] = { ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, ++ 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D, 0x8E, 0x8F, ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, ++ 0x98, 0x99, 0x9A, 0x9B, 0x9C, 0x9D, 0x9E, 0x9F, ++ 0x20, 0xA4, 0xF4, 0x9D, 0xCF, 0x95, 0x97, 0xF5, ++ 0xF9, 0xE6, 0xB8, 0x9B, 0x8D, 0x2D, 0xA6, 0xBD, ++ 0x20, 0xA5, 0xF2, 0x88, 0xEF, 0x96, 0x98, 0xF3, ++ 0xF7, 0xE7, 0xAD, 0x9C, 0xAB, 0xF1, 0xA7, 0xBE, ++ 0xE8, 0xB5, 0xB6, 0xC6, 0x8E, 0x91, 0x8F, 0x80, ++ 0xAC, 0x90, 0xA8, 0xD3, 0xB7, 0xD6, 0xD7, 0xD2, ++ 0xD1, 0xE3, 0xD5, 0xE0, 0xE2, 0x8A, 0x99, 0x9E, ++ 0xFC, 0xDE, 0xE9, 0xEB, 0x9A, 0xED, 0xDD, 0xE1, ++ 0xEA, 0xA0, 0x83, 0xC7, 0x84, 0x92, 0x86, 0x87, ++ 0x9F, 0x82, 0xA9, 0x89, 0xD8, 0xA1, 0x8C, 0xD4, ++ 0xD0, 0xE4, 0xE5, 0xA2, 0x93, 0x8B, 0x94, 0xF6, ++ 0xFD, 0x85, 0xA3, 0xFB, 0x81, 0xEC, 0xEE, 0xFA ++}; + #endif /* IZ_ISO2OEM_ARRAY */ + + #ifdef IZ_OEM2ISO_ARRAY +@@ -275,6 +294,25 @@ ZCONST uch Far oem2iso_850[] = { + 0xAD, 0xB1, 0x3D, 0xBE, 0xB6, 0xA7, 0xF7, 0xB8, /* F0 - F7 */ + 0xB0, 0xA8, 0xB7, 0xB9, 0xB3, 0xB2, 0xA6, 0xA0 /* F8 - FF */ + }; ++ ++ZCONST uch Far oem2iso_2[] = { ++ 0xC7, 0xFC, 0xE9, 0xE2, 0xE4, 0xF9, 0xE6, 0xE7, ++ 0xB3, 0xEB, 0xD5, 0xF5, 0xEE, 0xAC, 0xC4, 0xC6, ++ 0xC9, 0xC5, 0xE5, 0xF4, 0xF6, 0xA5, 0xB5, 0xA6, ++ 0xB6, 0xD6, 0xDC, 0xAB, 0xBB, 0xA3, 0xD7, 0xE8, ++ 0xE1, 0xED, 0xF3, 0xFA, 0xA1, 0xB1, 0xAE, 0xBE, ++ 0xCA, 0xEA, 0xAA, 0xBC, 0xC8, 0xBA, 0x3C, 0x3E, ++ 0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xC1, 0xC2, 0xCC, ++ 0xAA, 0xB9, 0xBA, 0xBB, 0xBC, 0xAF, 0xBF, 0xBF, ++ 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC3, 0xE3, ++ 0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xA4, ++ 0xF0, 0xD0, 0xCF, 0xCB, 0xEF, 0xD2, 0xCD, 0xCE, ++ 0xEC, 0xD9, 0xDA, 0xDB, 0xDC, 0xDE, 0xD9, 0xDF, ++ 0xD3, 0xDF, 0xD4, 0xD1, 0xF1, 0xF2, 0xA9, 0xB9, ++ 0xC0, 0xDA, 0xE0, 0xDB, 0xFD, 0xDD, 0xFE, 0xB4, ++ 0xF0, 0xBD, 0xB2, 0xB7, 0xA2, 0xA7, 0xF7, 0xB8, ++ 0xF8, 0xA8, 0xFF, 0xFB, 0xD8, 0xF8, 0xFE, 0xFF ++}; + #endif /* IZ_OEM2ISO_ARRAY */ + + /* The following pointers to the OEM<-->ISO translation tables are used +Index: man/unzip.1 +=================================================================== +--- man/unzip.1.orig 2009-04-20 02:33:10.000000000 +0200 ++++ man/unzip.1 2010-05-21 14:23:25.824590928 +0200 +@@ -25,7 +25,7 @@ + unzip \- list, test and extract compressed files in a ZIP archive + .PD + .SH SYNOPSIS +-\fBunzip\fP [\fB\-Z\fP] [\fB\-cflptTuvz\fP[\fBabjnoqsCDKLMUVWX$/:^\fP]] ++\fBunzip\fP [\fB\-Z\fP] [\fB\-cflptTuvz\fP[\fBabjnoqsCDKLMOUVWX$/:^\fP]] + \fIfile\fP[\fI.zip\fP] [\fIfile(s)\fP\ .\|.\|.] + [\fB\-x\fP\ \fIxfile(s)\fP\ .\|.\|.] [\fB\-d\fP\ \fIexdir\fP] + .PD +@@ -386,6 +386,9 @@ of \fIzip\fP(1L), which stores filenotes + overwrite existing files without prompting. This is a dangerous option, so + use it with care. (It is often used with \fB\-f\fP, however, and is the only + way to overwrite directory EAs under OS/2.) ++.TP ++.B \-O +++file names will be converted to ISO8859-2 instead of to ISO8859-1 + .IP \fB\-P\fP\ \fIpassword\fP + use \fIpassword\fP to decrypt encrypted zipfile entries (if any). \fBTHIS IS + INSECURE!\fP Many multi-user operating systems provide ways for any user to +Index: unzip.c +=================================================================== +--- unzip.c.orig 2009-04-16 20:26:52.000000000 +0200 ++++ unzip.c 2010-05-21 14:23:25.824590928 +0200 +@@ -1592,6 +1592,12 @@ int uz_opts(__G__ pargc, pargv) + } else + ++uO.overwrite_all; + break; ++ case ('O'): /* spaces in filenames: allow by default */ ++ if (negative) ++ uO.iso8859_2 = FALSE, negative = 0; ++ else ++ uO.iso8859_2 = TRUE; ++ break; + case ('p'): /* pipes: extract to stdout, no messages */ + if (negative) { + uO.cflag = FALSE; +Index: unzip.h +=================================================================== +--- unzip.h.orig 2009-02-15 19:12:54.000000000 +0100 ++++ unzip.h 2010-05-21 14:23:25.824590928 +0200 +@@ -502,6 +502,7 @@ typedef struct _UzpOpts { + int K_flag; /* -K: keep setuid/setgid/tacky permissions */ + #endif + int lflag; /* -12slmv: listing format (zipinfo) */ ++ int iso8859_2; /* -O: ISO8859-2 is used instead ISO8859-1 */ + int L_flag; /* -L: convert filenames from some OSes to lowercase */ + int overwrite_none; /* -n: never overwrite files (no prompting) */ + #ifdef AMIGA +Index: unzpriv.h +=================================================================== +--- unzpriv.h.orig 2009-04-20 01:59:26.000000000 +0200 ++++ unzpriv.h 2010-05-21 14:24:02.641090783 +0200 +@@ -2899,8 +2899,15 @@ char *GetLoadPath OF((__GPRO)); + # define IZ_ISO2OEM_ARRAY + # endif + # define _ISO_INTERN(str1) if (iso2oem) {register uch *p;\ +- for (p=(uch *)(str1); *p; p++)\ +- *p = native((*p & 0x80) ? iso2oem[*p & 0x7f] : *p);} ++ if (uO.iso8859_2 == FALSE) { \ ++ for (p=(uch *)(str1); *p; p++) \ ++ *p = native((*p & 0x80) ? iso2oem[*p & 0x7f] : *p); \ ++ } \ ++ else { \ ++ for (p=(uch *)(str1); *p; p++) \ ++ *p = native((*p & 0x80) ? iso2oem_2[*p & 0x7f] : *p); \ ++ }; \ ++ } + # else + # define _ISO_INTERN(str1) A_TO_N(str1) + # endif +@@ -2914,8 +2921,15 @@ char *GetLoadPath OF((__GPRO)); + # define IZ_OEM2ISO_ARRAY + # endif + # define _OEM_INTERN(str1) if (oem2iso) {register uch *p;\ +- for (p=(uch *)(str1); *p; p++)\ +- *p = native((*p & 0x80) ? oem2iso[*p & 0x7f] : *p);} ++ if (uO.iso8859_2 == FALSE) { \ ++ for (p=(uch *)(str1); *p; p++) \ ++ *p = native((*p & 0x80) ? oem2iso[*p & 0x7f] : *p); \ ++ } \ ++ else { \ ++ for (p=(uch *)(str1); *p; p++) \ ++ *p = native((*p & 0x80) ? oem2iso_2[*p & 0x7f] : *p); \ ++ } \ ++ } + # endif + #endif + +@@ -2942,6 +2956,7 @@ char *GetLoadPath OF((__GPRO)); + /* know: "ASCII" is "OEM" */ + # define ASCII2ISO(c) \ + ((((c) & 0x80) && oem2iso) ? oem2iso[(c) & 0x7f] : (c)) ++ (( ((c) & 0x80) ? ((uO.iso8859_2 == FALSE) ? (oem2iso ? oem2iso[(c) & 0x7f] : (c)) : oem2iso_2[(c) & 0x7f]) : (c)) + # if (defined(NEED_STR2ISO) && !defined(CRYP_USES_OEM2ISO)) + # define CRYP_USES_OEM2ISO + # endif +@@ -2957,8 +2972,9 @@ char *GetLoadPath OF((__GPRO)); + # define ASCII2OEM(c) (c) + # else + /* assume: "ASCII" is "ISO-ANSI" */ +-# define ASCII2OEM(c) \ +- ((((c) & 0x80) && iso2oem) ? iso2oem[(c) & 0x7f] : (c)) ++# define ASCII2OEM(c) (((c) & 0x80) ? \ ++ ((uO.iso8859_2 == FALSE) ? (iso2oem ? iso2oem[(c) & 0x7f] : (c)) : iso2oem_2[(c) & 0x7f]) : \ ++ (c)) + # if (defined(NEED_STR2OEM) && !defined(CRYP_USES_ISO2OEM)) + # define CRYP_USES_ISO2OEM + # endif +@@ -3029,10 +3045,12 @@ char *GetLoadPath OF((__GPRO)); + #endif + #ifdef IZ_ISO2OEM_ARRAY + extern ZCONST uch Far *iso2oem; ++ extern ZCONST uch Far iso2oem_2[]; + extern ZCONST uch Far iso2oem_850[]; + #endif + #ifdef IZ_OEM2ISO_ARRAY + extern ZCONST uch Far *oem2iso; ++ extern ZCONST uch Far oem2iso_2[]; + extern ZCONST uch Far oem2iso_850[]; + #endif + diff --git a/unzip-no-build-date.patch b/unzip-no-build-date.patch new file mode 100644 index 0000000..e9cf141 --- /dev/null +++ b/unzip-no-build-date.patch @@ -0,0 +1,98 @@ +Index: cmsmvs/vmmvs.c +=================================================================== +--- cmsmvs/vmmvs.c.orig ++++ cmsmvs/vmmvs.c +@@ -664,14 +664,6 @@ void version(__G) + + /* Add compile environment */ + platform, +- +- /* Add timestamp */ +-#ifdef __DATE__ +- " on " __DATE__ +-#ifdef __TIME__ +- " at " __TIME__ +-#endif +-#endif + ".\n", "", + liblvlmsg + ); +Index: macos/source/sxunzip.c +=================================================================== +--- macos/source/sxunzip.c.orig ++++ macos/source/sxunzip.c +@@ -123,7 +123,7 @@ static char UnZipVersionLocal[50]; + + memset(UnZipVersionLocal,0,sizeof(UnZipVersionLocal)); + +-sprintf(UnZipVersionLocal, "[%s %s]", __DATE__, __TIME__); ++sprintf(UnZipVersionLocal, "[Unknown]"); + + return UnZipVersionLocal; + } +Index: macos/source/macos.c +=================================================================== +--- macos/source/macos.c.orig ++++ macos/source/macos.c +@@ -937,14 +937,11 @@ void version(__G) + ZCONST char Far CompiledWith[] = + "Compiled with %s%s for %s%s%s%s.\n\n"; */ + +-char DateTime[50]; +- + #ifdef __MWERKS__ + char CompVer[10]; + sprintf(CompVer, "%x", __MWERKS__); + #endif + +- sprintf(DateTime,"%s %s",__DATE__, __TIME__); + + sprintf((char *)slide, LoadFarString(CompiledWith), + +@@ -960,13 +957,7 @@ sprintf(CompVer, "%x", __MWERKS__); + #else + " PowerPC Processor", + #endif +- +-#ifdef __DATE__ +- +- "\n compile time: ", DateTime, "" +-#else + "", "", "" +-#endif + ); + + (*G.message)((zvoid *)&G, slide, (ulg)strlen((char *)slide), 0); +Index: amiga/amiga.c +=================================================================== +--- amiga/amiga.c.orig ++++ amiga/amiga.c +@@ -1002,12 +1002,7 @@ void version(__G) + sprintf(buf2,"unknown version"); + # endif + #endif +- +-#ifdef __DATE__ +- sprintf(buf4," on %s",__DATE__); +-#else + strcpy(buf4," unknown date"); +-#endif + + /****** + #ifdef __TIME__ +Index: unix/unix.c +=================================================================== +--- unix/unix.c.orig ++++ unix/unix.c +@@ -1705,11 +1705,7 @@ void version(__G) + #endif /* Sun */ + #endif /* SGI */ + +-#ifdef __DATE__ +- " on ", __DATE__ +-#else + "", "" +-#endif + ); + + (*G.message)((zvoid *)&G, slide, (ulg)strlen((char *)slide), 0); diff --git a/unzip-no_file_name_translation.patch b/unzip-no_file_name_translation.patch new file mode 100644 index 0000000..88b5ca7 --- /dev/null +++ b/unzip-no_file_name_translation.patch @@ -0,0 +1,97 @@ +Index: man/zipinfo.1 +=================================================================== +--- man/zipinfo.1.orig 2010-05-21 14:23:25.824590928 +0200 ++++ man/zipinfo.1 2010-05-21 14:24:41.631590822 +0200 +@@ -114,7 +114,10 @@ useful in cases where the stored filenam + .TP + .B \-s + list zipfile info in short Unix ``\fCls \-l\fR'' format. This is the default +-behavior; see below. ++behavior; see \fB\-m option below. ++.TP ++.B \-S ++suppress the conversion of file name encodings. + .TP + .B \-m + list zipfile info in medium Unix ``\fCls \-l\fR'' format. Identical to the +Index: man/unzip.1 +=================================================================== +--- man/unzip.1.orig 2010-05-21 14:23:25.824590928 +0200 ++++ man/unzip.1 2010-05-21 14:24:41.635590912 +0200 +@@ -25,7 +25,7 @@ + unzip \- list, test and extract compressed files in a ZIP archive + .PD + .SH SYNOPSIS +-\fBunzip\fP [\fB\-Z\fP] [\fB\-cflptTuvz\fP[\fBabjnoqsCDKLMOUVWX$/:^\fP]] ++\fBunzip\fP [\fB\-Z\fP] [\fB\-cflptTuvz\fP[\fBabjnoqsCDKLMOSUVWX$/:^\fP]] + \fIfile\fP[\fI.zip\fP] [\fIfile(s)\fP\ .\|.\|.] + [\fB\-x\fP\ \fIxfile(s)\fP\ .\|.\|.] [\fB\-d\fP\ \fIexdir\fP] + .PD +Index: unzpriv.h +=================================================================== +--- unzpriv.h.orig 2010-05-21 14:24:02.641090783 +0200 ++++ unzpriv.h 2010-05-21 14:24:55.632590821 +0200 +@@ -3020,6 +3020,7 @@ char *GetLoadPath OF((__GPRO)); + */ + #ifndef Ext_ASCII_TO_Native + # define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \ ++ if (uO.no_conv_enc == FALSE) { \ + if (((hostnum) == FS_FAT_ && \ + !(((islochdr) || (isuxatt)) && \ + ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \ +@@ -3028,7 +3029,7 @@ char *GetLoadPath OF((__GPRO)); + _OEM_INTERN((string)); \ + } else { \ + _ISO_INTERN((string)); \ +- } ++ }} + #endif + + +Index: zipinfo.c +=================================================================== +--- zipinfo.c.orig 2010-05-21 14:23:25.824590928 +0200 ++++ zipinfo.c 2010-05-21 14:24:41.695590831 +0200 +@@ -527,6 +527,12 @@ int zi_opts(__G__ pargc, pargv) + else + uO.lflag = 3; + break; ++ case 'S': /* suppress encoding conversion */ ++ if (negative) ++ uO.no_conv_enc = FALSE, negative = 0; ++ else ++ uO.no_conv_enc = TRUE; ++ break; + case 't': /* totals line */ + if (negative) + tflag_2v = tflag_slm = FALSE, negative = 0; +Index: unzip.c +=================================================================== +--- unzip.c.orig 2010-05-21 14:23:25.824590928 +0200 ++++ unzip.c 2010-05-21 14:24:41.727590745 +0200 +@@ -1689,6 +1689,13 @@ int uz_opts(__G__ pargc, pargv) + else + uO.S_flag = TRUE; + break; ++#else ++ case ('S'): /* suppress file name encoding conversions */ ++ if (negative) ++ uO.no_conv_enc = FALSE, negative = 0; ++ else ++ uO.no_conv_enc = TRUE; ++ break; + #endif /* VMS */ + case ('t'): + if (negative) +Index: unzip.h +=================================================================== +--- unzip.h.orig 2010-05-21 14:23:25.824590928 +0200 ++++ unzip.h 2010-05-21 14:24:41.731591035 +0200 +@@ -518,6 +518,7 @@ typedef struct _UzpOpts { + #if (defined(MSDOS) || defined(FLEXOS) || defined(OS2) || defined(WIN32)) + int sflag; /* -s: convert spaces in filenames to underscores */ + #endif ++ int no_conv_enc; /* -S: suppress encoding conversion */ + #if (defined(NLM)) + int sflag; /* -s: convert spaces in filenames to underscores */ + #endif diff --git a/unzip-open_missing_mode.patch b/unzip-open_missing_mode.patch new file mode 100644 index 0000000..d34a138 --- /dev/null +++ b/unzip-open_missing_mode.patch @@ -0,0 +1,77 @@ +Index: fileio.c +=================================================================== +--- fileio.c.orig 2009-04-20 02:03:44.000000000 +0200 ++++ fileio.c 2010-06-25 18:32:49.960030697 +0200 +@@ -71,6 +71,11 @@ + #include "crc32.h" + #include "crypt.h" + #include "ttyio.h" ++#include ++#include ++#include ++ ++ + + /* setup of codepage conversion for decryption passwords */ + #if CRYPT +@@ -270,6 +275,7 @@ int open_input_file(__G) /* return 1 + int open_outfile(__G) /* return 1 if fail */ + __GDEF + { ++ int fd; + #ifdef DLL + if (G.redirect_data) + return (redirect_outfile(__G) == FALSE); +@@ -448,23 +454,48 @@ int open_outfile(__G) /* retur + return 1; /* with "./" fix in checkdir(), should never reach here */ + } + #endif /* NOVELL_BUG_FAILSAFE */ +- Trace((stderr, "open_outfile: doing fopen(%s) for writing\n", +- FnFilter1(G.filename))); + { + #if defined(ATH_BE_UNX) || defined(AOS_VS) || defined(QDOS) || defined(TANDEM) + mode_t umask_sav = umask(0077); + #endif ++ ++#if defined(SYMLINKS) || defined(QLZIP) ++ fd = open(G.filename, O_RDWR | O_LARGEFILE | O_CREAT, ++ /* 0644 in portable POSIX notation: */ ++ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); ++#else ++ fd = open(G.filename, O_WRONLY | O_LARGEFILE | O_CREAT, ++ /* 0644 in portable POSIX notation: */ ++ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); ++#endif ++ Trace((stderr, "open_outfile: open(%s, O_WRONLY | O_LARGEFILE | O_CREAT) returned %d\n", ++ FnFilter1(G.filename), fd)); ++ ++ if (fd < 0) { ++ Info(slide, 0x401, ((char *)slide, LoadFarString(CannotCreateFile), ++ FnFilter1(G.filename), strerror(errno))); ++ return 1; ++ } + #if defined(SYMLINKS) || defined(QLZIP) + /* These features require the ability to re-read extracted data from + the output files. Output files are created with Read&Write access. + */ +- G.outfile = zfopen(G.filename, FOPWR); ++ ++ G.outfile = zfdopen(fd, FOPWR); ++ ++ Trace((stderr, "open_outfile: doing fdopen(%s, FOPWR) returned %p\n", ++ G.outfile)); + #else +- G.outfile = zfopen(G.filename, FOPW); ++ G.outfile = zfdopen(fd, FOPW); ++ ++ Trace((stderr, "open_outfile: doing fdopen(%s, FOPW) returned %p\n", ++ G.outfile)); + #endif + #if defined(ATH_BE_UNX) || defined(AOS_VS) || defined(QDOS) || defined(TANDEM) + umask(umask_sav); + #endif ++ if (G.outfile == NULL && fd != 0) ++ unlink(G.filename); + } + if (G.outfile == (FILE *)NULL) { + Info(slide, 0x401, ((char *)slide, LoadFarString(CannotCreateFile), diff --git a/unzip-optflags.patch b/unzip-optflags.patch new file mode 100644 index 0000000..975174b --- /dev/null +++ b/unzip-optflags.patch @@ -0,0 +1,22 @@ +Index: unix/Makefile +=================================================================== +--- unix/Makefile.orig 2010-05-21 13:11:26.128591070 +0200 ++++ unix/Makefile 2010-05-21 13:14:45.429090869 +0200 +@@ -809,7 +809,7 @@ isi: unix_make + linux: unix_make + @echo 'NOTE: use linux_noasm target for non-Intel Linux compiles.' + $(MAKE) unzips CC=gcc LD=gcc AS=gcc\ +- CFLAGS="-O3 -Wall -DASM_CRC"\ ++ CFLAGS="$(RPM_OPT_FLAGS) -DASM_CRC"\ + AF="-Di386 $(AF)" CRCA_O=crc_gcc$O + # GRR: this echo is pointless; if user gets this far, no difference to install + # @echo 'Be sure to use the install_asm target rather than the install target' +@@ -819,7 +819,7 @@ linux_asm: linux + # Linux (Posix, approximately SysV): virtually any version since before 0.96, + # for any platform. Change "-O" to "-O3" or whatever, as desired... + linux_noasm: unix_make +- $(MAKE) unzips CC=gcc LD=gcc CFLAGS="-O -Wall" ++ $(MAKE) unzips CC=gcc LD=gcc CF="$(RPM_OPT_FLAGS)" + + # Linux with lcc compiler: __inline__ (stat.h) not recognized, and must edit + # /usr/include/gnu/types.h to get rid of "long long" if __LCC__ defined. -O3 diff --git a/unzip-rcc.changes b/unzip-rcc.changes new file mode 100644 index 0000000..46a246f --- /dev/null +++ b/unzip-rcc.changes @@ -0,0 +1,411 @@ +------------------------------------------------------------------- +Mon Sep 26 09:17:32 UTC 2022 - Danilo Spinella + +- Build unzip-rcc using multibuild and update unzip-rcc.spec file + +------------------------------------------------------------------- +Wed Sep 21 09:27:59 UTC 2022 - Danilo Spinella + +- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string + to a local string (CVE-2022-0530, bsc#1196177) + * CVE-2022-0530.patch +- Fix CVE-2022-0529, Heap out-of-bound writes and reads during + conversion of wide string to local string (CVE-2022-0529, bsc#1196180) + * CVE-2022-0529.patch + +------------------------------------------------------------------- +Thu Sep 9 11:30:06 UTC 2021 - John Paul Adrian Glaubitz + +- Add patch to fix issue with some files being incorrectly + detected as symlinks (boo#1190273) + + unzip-initialize-the-symlink-flag.patch + +------------------------------------------------------------------- +Fri May 22 09:27:01 UTC 2020 - Yunhe Guo + +- Change unzip-doc to noarch + +------------------------------------------------------------------- +Thu Oct 11 14:49:01 UTC 2018 - kstreitova@suse.com + +- Add unzip60-cfactorstr_overflow.patch to fix buffer overflow in + list.c [bsc#1110194] [CVE-2018-18384] + +------------------------------------------------------------------- +Wed Jun 27 11:39:10 UTC 2018 - kstreitova@suse.com + +- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is + unable to process Windows zip64 archives because Windows + archivers set total_disks field to 0 but per standard, valid + values are 1 and higher [bnc#910683] +- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap + overflow for STORED field data [bnc#914442] [CVE-2014-9636] + +------------------------------------------------------------------- +Wed May 16 19:44:45 UTC 2018 - antoine.belvire@opensuse.org + +- Fix "remove failed: No such file or directory" warnings upon + package removal: + * Call 'update-alternative --remove' in %postun, not in %preun. + +------------------------------------------------------------------- +Thu Feb 8 14:11:25 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-1000035.patch: Fix a heap-based buffer overflow in + password protected ZIP archives (CVE-2018-1000035 bsc#1080074) + +------------------------------------------------------------------- +Thu Jul 6 13:25:44 UTC 2017 - nico.kruber@gmail.com + +- Updated Fix-CVE-2014-8139-unzip.patch: the original patch was + causing errors testing valid jar files: + $ unzip -t foo.jar + Archive: foo.jar + testing: META-INF/ bad extra-field entry: + EF block length (0 bytes) invalid (< 4) + testing: META-INF/MANIFEST.MF OK + testing: foo OK + (see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139 + where the updated patch was taken from) + +------------------------------------------------------------------- +Wed Feb 15 08:31:05 UTC 2017 - josef.moellers@suse.com + +- Fixed two potential buffer overflows. + The patches were extracted from + http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and + http://antinode.info/ftp/info-zip/unzip60/list.c + (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913, + CVE-2016-9844.patch, CVE-2014-9913.patch) + +------------------------------------------------------------------- +Wed Oct 12 07:23:03 UTC 2016 - josef.moellers@suse.com + +- When decrypting an encrypted file, + quit early if compressed size < HEAD_LEN. + When extracting avoid an infinite loop + if a file never finishes unzipping. + (bsc#950110, bsc#950111, CVE-2015-7696, CVE-2015-7697, + CVE-2015-7696.patch, CVE-2015-7697.patch) + +------------------------------------------------------------------- +Thu Jun 16 14:58:41 UTC 2016 - tchvatal@suse.com + +- Require properly the update-alternatives to not throw out errors + when installing in OBS chroot + +------------------------------------------------------------------- +Mon Jan 26 13:25:54 UTC 2015 - tbehrens@suse.com + +- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in + the CRC32 verification (fixes bnc#909214) +- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error + (*_8349_*) shows a problem in extract.c:test_compr_eb(), and: + read errors (*_6430_*, *_3422_*) show problems in + process.c:getZip64Data() (fixes bnc#909214) + +------------------------------------------------------------------- +Sun Dec 21 13:43:32 UTC 2014 - meissner@suse.com + +- build with PIE + +------------------------------------------------------------------- +Fri Aug 2 18:29:07 UTC 2013 - coolo@suse.com + +- fix defaultattr for old distros + +------------------------------------------------------------------- +Fri Aug 2 13:55:08 UTC 2013 - coolo@suse.com + +- split the rcc dependency into a spec file of it's own, we don't + need that complexity during build causing cycles like this: + unzip -> librcc -> libproxy -> libXau -> xorg-x11-proto-devel -> docbook-xsl-stylesheets + +------------------------------------------------------------------- +Fri Apr 5 10:07:44 UTC 2013 - idonmez@suse.com + +- Cleanup spec file +- Add Source URL, see https://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Fri Aug 5 13:57:24 CEST 2011 - pth@suse.de + +- Don't call isprint (bnc#620483). + +------------------------------------------------------------------- +Mon May 23 14:21:44 UTC 2011 - lnussel@suse.de + +- remove use of __DATE__ from correct file + +------------------------------------------------------------------- +Sat May 07 23:16:45 UTC 2011 - idoenmez@novell.com + +- Sync our compile time flags with Debian except Acorn stuff, this enables + UTF-8, saves an unrelated warning about lchmod being not implemented. +- Enable make check + +------------------------------------------------------------------- +Fri Jan 28 13:50:13 UTC 2011 - lnussel@suse.de + +- use dlopen for librcc0. A direct requires causes lots of other + packages to get installed such as aspell which bloats a minimal + install. + +------------------------------------------------------------------- +Mon Aug 30 19:44:17 UTC 2010 - cristian.rodriguez@opensuse.org + +- Do not include build host specific info like build dates In + binaries. + +------------------------------------------------------------------- +Fri Jun 25 18:21:34 CEST 2010 - pth@suse.de + +- Doing open(O_WRONLY) and then fdopen("w+") will now fail with + "Invalid Argument" whereas former glibcs would succeed. So now + do open(O_RDWR). +- Print error message when open(2) fails. +- Add debugging traces in open_outfile. + +------------------------------------------------------------------- +Fri May 21 16:39:24 CEST 2010 - pth@suse.de + +- Update to 6.0: + * Support PKWARE ZIP64 extensions, allowing Zip archives and Zip archive + entries larger than 4 GiBytes and more than 65536 entries within a + single Zip archive. This support is currently only available for Unix, + OpenVMS and Win32/Win64. + * Support for bzip2 compression method. + * Support for UTF-8 encoded entry names, both through PKWARE's "General + Purpose Flags Bit 11" indicator and Info-ZIP's new "up" unicode path + extra field. (Currently, on Windows the UTF-8 handling is limited to + the character subset contained in the configured non-unicode "system + code page".) + * Fixed "Time of Creation/Time of Use" vulnerability when setting + attributes of extracted files, for Unix and Unix-like ports. + * Fixed memory leak when processing invalid deflated data. + * Fixed long-standing bug in unshrink (partial_clear), added boundary + checks against invalid compressed data. + * On Unix, keep inherited SGID attribute bit for extracted directories + unless restoration of owner/group id or SUID/SGID/Tacky attributes was + requested. + * On Unix, allow extracted filenames to contain embedded control + characters when explicitly requested by specifying the new command line + option "-^". + * On Unix, support restoration of symbolic link attributes. + * On Unix, support restoration of 32-bit UID/GID data using the new "ux" + IZUNIX3 extra field introduced with Zip 3.0. + * Support symbolic links zipped up on VMS. + * New -D option to suppress restoration of timestamps for extracted + directory entries (on those ports that support setting of directory + timestamps). By specifying "-DD", this new option also allows to + suppress timestamp restoration for ALL extracted files on all UnZip + ports which support restoration of timestamps. On VMS, the default + behaviour is now to skip restoration of directory timestamps; here, + "--D" restores ALL timestamps, "-D" restores none. + * On OS/2, Win32, and Unix, the (previously optional) feature UNIXBACKUP + to allow saving backup copies of overwritten files on extraction is now + enabled by default. + +------------------------------------------------------------------- +Mon May 10 16:39:20 UTC 2010 - pth@suse.de + +- Use librcc to convert russian/slavic file names (bnc#540598). + +------------------------------------------------------------------- +Sun Dec 6 17:51:30 CET 2009 - jengelh@.medozas.de + +- enable parallel building + +------------------------------------------------------------------- +Tue Dec 9 15:53:53 CET 2008 - schwab@suse.de + +- Fix last change. + +------------------------------------------------------------------- +Mon Sep 15 12:32:57 CEST 2008 - ro@suse.de + +- use hardlink instead of softlink + +------------------------------------------------------------------- +Mon Feb 4 13:29:27 CET 2008 - pth@suse.de + +- Add patch to fix erroneous freeing of buffers (bnc#358425) + +------------------------------------------------------------------- +Fri Dec 7 12:52:06 CET 2007 - pth@suse.de + +- Pass file mode when calling open with O_CREAT. + +------------------------------------------------------------------- +Mon Dec 3 13:24:27 CET 2007 - pth@suse.de + +- Add patch to extend the maximum file/archive size to 2^32-8193 + (4294959103) bytes. +- Add patch to fix CVE-2005-2475 (bnc#274156) + +------------------------------------------------------------------- +Thu Jun 21 17:34:10 CEST 2007 - adrian@suse.de + +- fix changelog entry order + +------------------------------------------------------------------- +Thu May 3 15:25:39 CEST 2007 - pth@suse.de + +- Add patch from Takashi Iwai that adds a new option (-S) to + unzip and infozip that disables file name translation (bnc#267901). +- Recompress tarball with bzip2 + +------------------------------------------------------------------- +Fri Jan 27 02:30:41 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Thu Jan 26 15:28:44 CET 2006 - pth@suse.de + +- Reject file names that are too long (bnc#140304) +- Use stack protector. + +------------------------------------------------------------------- +Fri Jan 20 17:41:23 CET 2006 - schwab@suse.de + +- Don't strip binaries. + +------------------------------------------------------------------- +Thu Dec 15 11:31:51 CET 2005 - pth@suse.de + +- Compile with (limited) large file support. This will support + single files exceeding 2 GB as long as the archive stays below + that theshold. + +------------------------------------------------------------------- +Mon Jun 13 22:46:31 CEST 2005 - rommel@suse.de + +- update to version 5.52 (bnc#67279) + +------------------------------------------------------------------- +Sat Aug 7 15:03:23 CEST 2004 - rommel@suse.de + +- update to version 5.51 + (fixes old security bugs, adds PKWARE's compression code Deflate64) + +------------------------------------------------------------------- +Wed May 19 18:36:21 CEST 2004 - ro@suse.de + +- added -fno-strict-aliasing +- really use RPM_OPT_FLAGS + +------------------------------------------------------------------- +Sun Jan 11 13:00:23 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Tue Sep 23 16:53:44 CEST 2003 - rommel@suse.de + +- replaced fix for ../ exploit with a fix both for + the ../ exploit and '/' exploit (Bugzilla #29311) + +------------------------------------------------------------------- +Thu Jul 3 12:57:38 CEST 2003 - rommel@suse.de + +- added fix for ../ exploit (Bugzilla #27667) + +------------------------------------------------------------------- +Fri Jan 17 14:42:19 CET 2003 - rommel@suse.de + +- fixed Summary: to be more verbose about what this package does + +------------------------------------------------------------------- +Wed Sep 18 00:57:21 CEST 2002 - ro@suse.de + +- removed bogus self-provides + +------------------------------------------------------------------- +Fri Jul 5 11:09:32 CEST 2002 - kukuk@suse.de + +- Use %ix86 macro + +------------------------------------------------------------------- +Mon Mar 11 2002 - rommel@suse.de + +- Update to 5.50 +- took over parts of pmladek's patch (see below) + +------------------------------------------------------------------- +Thu Jan 24 13:43:46 CET 2002 - grimmer@suse.de + +- added unzip-5.42-iso8859_2.patch to fix coding conversion + between Microsoft and Linux file names + (originally from http://www.axis.cz/linux/zip_unzip.php3, + enhanced to support both ISO8859-1 and ISO8859-2 by Petr Mladek + ) + +------------------------------------------------------------------- +Mon Apr 9 13:42:07 CEST 2001 - grimmer@suse.de + +- Update to 5.42 +- file list fixes (new license file, documentation renames) + +------------------------------------------------------------------- +Wed Dec 13 17:49:59 CET 2000 - grimmer@suse.de + +- Update to 5.41 (now includes decryption support) +- now Provides and Obsoletes crunzip +- bzipped sources +- use BuildRoot + +------------------------------------------------------------------- +Tue Feb 29 18:33:38 CET 2000 - schwab@suse.de + +- Add support for ia64. +- /usr/man -> /usr/share/man + +------------------------------------------------------------------- +Wed Dec 22 16:19:18 MET 1999 - grimmer@suse.de + +- Added "Conflicts: crzip" to spec file +- cleaned up Provides: tag + +------------------------------------------------------------------- +Fri Dec 17 16:40:10 MET 1999 - grimmer@suse.de + +- Spec file cleanups + +------------------------------------------------------------------- +Sat Nov 27 15:03:07 MET 1999 - kukuk@suse.de + +- Use linux_noasm Makefile target on SPARC + +------------------------------------------------------------------- +Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de + +- ran old prepare_spec on spec file to switch to new prepare_spec. + +------------------------------------------------------------------- +Wed Sep 8 16:34:57 CEST 1999 - uli@suse.de + +- uses target linux_noasm for PPC + +------------------------------------------------------------------- +Wed Feb 24 09:42:16 MET 1999 - grimmer@suse.de + +- new version (5.40) +- specfile modifications +- added french description + +------------------------------------------------------------------- +Mon Jan 11 14:29:14 MET 1999 - ro@suse.de + +- use target linux_noasm for alpha + +------------------------------------------------------------------- +Fri Jan 23 15:03:52 MET 1998 - rj@suse.de + +- version 5.32 +------------------------------------------------------------------- +Thu Feb 6 11:56:09 CET 1997 - rj@suse.de + +- version 5.12 +- new test/changes/plist files + diff --git a/unzip-rcc.spec b/unzip-rcc.spec new file mode 100644 index 0000000..4c41d18 --- /dev/null +++ b/unzip-rcc.spec @@ -0,0 +1,188 @@ +# +# spec file for package unzip-rcc +# +# Copyright (c) 2022 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define _name unzip +%define fileversion 60 +%bcond_without rcc +%if %{with rcc} +%define update_weight 20 +%define _suffix rcc +BuildRequires: librcc-devel +Suggests: librcc0 +Provides: %{_name} = %{version} +%else +%define update_weight 10 +%define _suffix plain +%endif +# NOTE: unzip.spec is the major file, if you want to update unzip-rcc.spec +# call pre_checkin.sh after editing unzip.spec +Name: unzip-rcc +Version: 6.00 +Release: 0 +Summary: A program to unpack compressed files +License: BSD-3-Clause +Group: Productivity/Archiving/Compression +URL: http://www.info-zip.org/ +Source: http://sourceforge.net/projects/infozip/files/UnZip%%206.x%%20%%28latest%%29/UnZip%%206.0/%{_name}%{fileversion}.tar.gz +Source1: pre_checkin.sh +Patch0: unzip.dif +Patch1: unzip-iso8859_2.patch +Patch3: unzip-optflags.patch +Patch4: unzip-5.52-filename_too_long.patch +Patch5: unzip-no_file_name_translation.patch +Patch8: unzip-open_missing_mode.patch +Patch10: unzip-5.52-use_librcc.patch +Patch11: unzip-no-build-date.patch +Patch12: unzip-dont_call_isprint.patch +Patch13: Fix-CVE-2014-8139-unzip.patch +# http://pkgs.fedoraproject.org/cgit/rpms/unzip.git/plain/unzip-6.0-cve-2014-8139.patch +Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch +Patch15: CVE-2015-7696.patch +Patch16: CVE-2015-7697.patch +Patch17: CVE-2016-9844.patch +Patch18: CVE-2014-9913.patch +Patch19: CVE-2018-1000035.patch +Patch20: Fix-CVE-2014-9636-unzip-buffer-overflow.patch +Patch21: unzip60-total_disks_zero.patch +Patch22: unzip60-cfactorstr_overflow.patch +Patch23: unzip-initialize-the-symlink-flag.patch +# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0530 bsc#1196177 +Patch24: CVE-2022-0530.patch +# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0529 bsc#1196180 +Patch25: CVE-2022-0529.patch +Requires(post): update-alternatives +Requires(postun):update-alternatives +Recommends: %{_name}-doc +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +UnZip is an extraction utility for archives compressed in .zip format +(known as "zip files"). Although highly compatible both with PKWARE's +PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip +program, our primary objectives have been portability and non-MS-DOS +functionality. This version can also extract encrypted archives. + +%package doc +Summary: Documentation files for unzip +Group: Productivity/Archiving/Compression +BuildArch: noarch + +%description doc +UnZip is an extraction utility for archives compressed in .zip format +(known as "zip files"). Although highly compatible both with PKWARE's +PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip +program, our primary objectives have been portability and non-MS-DOS +functionality. This version can also extract encrypted archives. + +%prep +%setup -q -n %{_name}%{fileversion} +%patch0 +%patch1 +%patch3 +%patch4 +%patch5 +%patch8 +%if %{with rcc} +%patch10 +%endif +%patch11 +%patch12 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p0 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 + +%build +export RPM_OPT_FLAGS="%{optflags} \ +-D_GNU_SOURCE -DRCC_LAZY -DWILD_STOP_AT_DIR \ +-DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT \ +-DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD \ +-DDATE_FORMAT=DF_YMD -I. -fstack-protector -fno-strict-aliasing -fPIE" + +make %{?_smp_mflags} -f unix/Makefile LF2="-ldl -pie" linux_noasm + +%check +make %{?_smp_mflags} -f unix/Makefile check + +%install +mkdir -p %{buildroot}%{_sysconfdir}/alternatives +mkdir -p %{buildroot}{%{_bindir},%{_mandir}/man1} +for i in unzip funzip unzipsfx; do + install $i "%{buildroot}%{_bindir}/$i-"%{_suffix} +done +ln -s unzip %{buildroot}%{_bindir}/zipinfo +install unix/zipgrep "%{buildroot}%{_bindir}/zipgrep-"%{_suffix} +for i in unzip funzip unzipsfx zipgrep; do + touch %{buildroot}%{_sysconfdir}/alternatives/$i + ln -s %{_sysconfdir}/alternatives/$i %{buildroot}%{_bindir}/$i +done + +# do not have the docu in both packages +%if %{without rcc} + for i in man/*.1; do + install -m 644 $i %{buildroot}%{_mandir}/man1/ + done +%endif + +%post +for bin in unzip funzip unzipsfx zipgrep; do + %{_sbindir}/update-alternatives --install %{_bindir}/$bin $bin "%{_bindir}/$bin-"%{_suffix} %{update_weight} +done + +%postun +if [ "$1" = 0 ] ; then + for bin in unzip funzip unzipsfx zipgrep; do + %{_sbindir}/update-alternatives --remove $bin "%{_bindir}/$bin"-%{_suffix} + done +fi + +%files +%defattr(-,root,root) +%ghost %{_sysconfdir}/alternatives/unzip +%{_bindir}/unzip +%{_bindir}/unzip-%{_suffix} +%ghost %{_sysconfdir}/alternatives/funzip +%{_bindir}/funzip +%{_bindir}/funzip-%{_suffix} +%ghost %{_sysconfdir}/alternatives/unzipsfx +%{_bindir}/unzipsfx +%{_bindir}/unzipsfx-%{_suffix} +%{_bindir}/zipinfo +%ghost %{_sysconfdir}/alternatives/zipgrep +%{_bindir}/zipgrep +%{_bindir}/zipgrep-%{_suffix} + +%if %{without rcc} +%files doc +%defattr(-,root,root) +%{_mandir}/man1/* +%doc BUGS Contents History.* LICENSE README ToDo WHERE +%doc *.txt proginfo + +%endif + +%changelog diff --git a/unzip.changes b/unzip.changes new file mode 100644 index 0000000..46a246f --- /dev/null +++ b/unzip.changes @@ -0,0 +1,411 @@ +------------------------------------------------------------------- +Mon Sep 26 09:17:32 UTC 2022 - Danilo Spinella + +- Build unzip-rcc using multibuild and update unzip-rcc.spec file + +------------------------------------------------------------------- +Wed Sep 21 09:27:59 UTC 2022 - Danilo Spinella + +- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string + to a local string (CVE-2022-0530, bsc#1196177) + * CVE-2022-0530.patch +- Fix CVE-2022-0529, Heap out-of-bound writes and reads during + conversion of wide string to local string (CVE-2022-0529, bsc#1196180) + * CVE-2022-0529.patch + +------------------------------------------------------------------- +Thu Sep 9 11:30:06 UTC 2021 - John Paul Adrian Glaubitz + +- Add patch to fix issue with some files being incorrectly + detected as symlinks (boo#1190273) + + unzip-initialize-the-symlink-flag.patch + +------------------------------------------------------------------- +Fri May 22 09:27:01 UTC 2020 - Yunhe Guo + +- Change unzip-doc to noarch + +------------------------------------------------------------------- +Thu Oct 11 14:49:01 UTC 2018 - kstreitova@suse.com + +- Add unzip60-cfactorstr_overflow.patch to fix buffer overflow in + list.c [bsc#1110194] [CVE-2018-18384] + +------------------------------------------------------------------- +Wed Jun 27 11:39:10 UTC 2018 - kstreitova@suse.com + +- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is + unable to process Windows zip64 archives because Windows + archivers set total_disks field to 0 but per standard, valid + values are 1 and higher [bnc#910683] +- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap + overflow for STORED field data [bnc#914442] [CVE-2014-9636] + +------------------------------------------------------------------- +Wed May 16 19:44:45 UTC 2018 - antoine.belvire@opensuse.org + +- Fix "remove failed: No such file or directory" warnings upon + package removal: + * Call 'update-alternative --remove' in %postun, not in %preun. + +------------------------------------------------------------------- +Thu Feb 8 14:11:25 UTC 2018 - kbabioch@suse.com + +- Add CVE-2018-1000035.patch: Fix a heap-based buffer overflow in + password protected ZIP archives (CVE-2018-1000035 bsc#1080074) + +------------------------------------------------------------------- +Thu Jul 6 13:25:44 UTC 2017 - nico.kruber@gmail.com + +- Updated Fix-CVE-2014-8139-unzip.patch: the original patch was + causing errors testing valid jar files: + $ unzip -t foo.jar + Archive: foo.jar + testing: META-INF/ bad extra-field entry: + EF block length (0 bytes) invalid (< 4) + testing: META-INF/MANIFEST.MF OK + testing: foo OK + (see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139 + where the updated patch was taken from) + +------------------------------------------------------------------- +Wed Feb 15 08:31:05 UTC 2017 - josef.moellers@suse.com + +- Fixed two potential buffer overflows. + The patches were extracted from + http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and + http://antinode.info/ftp/info-zip/unzip60/list.c + (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913, + CVE-2016-9844.patch, CVE-2014-9913.patch) + +------------------------------------------------------------------- +Wed Oct 12 07:23:03 UTC 2016 - josef.moellers@suse.com + +- When decrypting an encrypted file, + quit early if compressed size < HEAD_LEN. + When extracting avoid an infinite loop + if a file never finishes unzipping. + (bsc#950110, bsc#950111, CVE-2015-7696, CVE-2015-7697, + CVE-2015-7696.patch, CVE-2015-7697.patch) + +------------------------------------------------------------------- +Thu Jun 16 14:58:41 UTC 2016 - tchvatal@suse.com + +- Require properly the update-alternatives to not throw out errors + when installing in OBS chroot + +------------------------------------------------------------------- +Mon Jan 26 13:25:54 UTC 2015 - tbehrens@suse.com + +- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in + the CRC32 verification (fixes bnc#909214) +- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error + (*_8349_*) shows a problem in extract.c:test_compr_eb(), and: + read errors (*_6430_*, *_3422_*) show problems in + process.c:getZip64Data() (fixes bnc#909214) + +------------------------------------------------------------------- +Sun Dec 21 13:43:32 UTC 2014 - meissner@suse.com + +- build with PIE + +------------------------------------------------------------------- +Fri Aug 2 18:29:07 UTC 2013 - coolo@suse.com + +- fix defaultattr for old distros + +------------------------------------------------------------------- +Fri Aug 2 13:55:08 UTC 2013 - coolo@suse.com + +- split the rcc dependency into a spec file of it's own, we don't + need that complexity during build causing cycles like this: + unzip -> librcc -> libproxy -> libXau -> xorg-x11-proto-devel -> docbook-xsl-stylesheets + +------------------------------------------------------------------- +Fri Apr 5 10:07:44 UTC 2013 - idonmez@suse.com + +- Cleanup spec file +- Add Source URL, see https://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Fri Aug 5 13:57:24 CEST 2011 - pth@suse.de + +- Don't call isprint (bnc#620483). + +------------------------------------------------------------------- +Mon May 23 14:21:44 UTC 2011 - lnussel@suse.de + +- remove use of __DATE__ from correct file + +------------------------------------------------------------------- +Sat May 07 23:16:45 UTC 2011 - idoenmez@novell.com + +- Sync our compile time flags with Debian except Acorn stuff, this enables + UTF-8, saves an unrelated warning about lchmod being not implemented. +- Enable make check + +------------------------------------------------------------------- +Fri Jan 28 13:50:13 UTC 2011 - lnussel@suse.de + +- use dlopen for librcc0. A direct requires causes lots of other + packages to get installed such as aspell which bloats a minimal + install. + +------------------------------------------------------------------- +Mon Aug 30 19:44:17 UTC 2010 - cristian.rodriguez@opensuse.org + +- Do not include build host specific info like build dates In + binaries. + +------------------------------------------------------------------- +Fri Jun 25 18:21:34 CEST 2010 - pth@suse.de + +- Doing open(O_WRONLY) and then fdopen("w+") will now fail with + "Invalid Argument" whereas former glibcs would succeed. So now + do open(O_RDWR). +- Print error message when open(2) fails. +- Add debugging traces in open_outfile. + +------------------------------------------------------------------- +Fri May 21 16:39:24 CEST 2010 - pth@suse.de + +- Update to 6.0: + * Support PKWARE ZIP64 extensions, allowing Zip archives and Zip archive + entries larger than 4 GiBytes and more than 65536 entries within a + single Zip archive. This support is currently only available for Unix, + OpenVMS and Win32/Win64. + * Support for bzip2 compression method. + * Support for UTF-8 encoded entry names, both through PKWARE's "General + Purpose Flags Bit 11" indicator and Info-ZIP's new "up" unicode path + extra field. (Currently, on Windows the UTF-8 handling is limited to + the character subset contained in the configured non-unicode "system + code page".) + * Fixed "Time of Creation/Time of Use" vulnerability when setting + attributes of extracted files, for Unix and Unix-like ports. + * Fixed memory leak when processing invalid deflated data. + * Fixed long-standing bug in unshrink (partial_clear), added boundary + checks against invalid compressed data. + * On Unix, keep inherited SGID attribute bit for extracted directories + unless restoration of owner/group id or SUID/SGID/Tacky attributes was + requested. + * On Unix, allow extracted filenames to contain embedded control + characters when explicitly requested by specifying the new command line + option "-^". + * On Unix, support restoration of symbolic link attributes. + * On Unix, support restoration of 32-bit UID/GID data using the new "ux" + IZUNIX3 extra field introduced with Zip 3.0. + * Support symbolic links zipped up on VMS. + * New -D option to suppress restoration of timestamps for extracted + directory entries (on those ports that support setting of directory + timestamps). By specifying "-DD", this new option also allows to + suppress timestamp restoration for ALL extracted files on all UnZip + ports which support restoration of timestamps. On VMS, the default + behaviour is now to skip restoration of directory timestamps; here, + "--D" restores ALL timestamps, "-D" restores none. + * On OS/2, Win32, and Unix, the (previously optional) feature UNIXBACKUP + to allow saving backup copies of overwritten files on extraction is now + enabled by default. + +------------------------------------------------------------------- +Mon May 10 16:39:20 UTC 2010 - pth@suse.de + +- Use librcc to convert russian/slavic file names (bnc#540598). + +------------------------------------------------------------------- +Sun Dec 6 17:51:30 CET 2009 - jengelh@.medozas.de + +- enable parallel building + +------------------------------------------------------------------- +Tue Dec 9 15:53:53 CET 2008 - schwab@suse.de + +- Fix last change. + +------------------------------------------------------------------- +Mon Sep 15 12:32:57 CEST 2008 - ro@suse.de + +- use hardlink instead of softlink + +------------------------------------------------------------------- +Mon Feb 4 13:29:27 CET 2008 - pth@suse.de + +- Add patch to fix erroneous freeing of buffers (bnc#358425) + +------------------------------------------------------------------- +Fri Dec 7 12:52:06 CET 2007 - pth@suse.de + +- Pass file mode when calling open with O_CREAT. + +------------------------------------------------------------------- +Mon Dec 3 13:24:27 CET 2007 - pth@suse.de + +- Add patch to extend the maximum file/archive size to 2^32-8193 + (4294959103) bytes. +- Add patch to fix CVE-2005-2475 (bnc#274156) + +------------------------------------------------------------------- +Thu Jun 21 17:34:10 CEST 2007 - adrian@suse.de + +- fix changelog entry order + +------------------------------------------------------------------- +Thu May 3 15:25:39 CEST 2007 - pth@suse.de + +- Add patch from Takashi Iwai that adds a new option (-S) to + unzip and infozip that disables file name translation (bnc#267901). +- Recompress tarball with bzip2 + +------------------------------------------------------------------- +Fri Jan 27 02:30:41 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Thu Jan 26 15:28:44 CET 2006 - pth@suse.de + +- Reject file names that are too long (bnc#140304) +- Use stack protector. + +------------------------------------------------------------------- +Fri Jan 20 17:41:23 CET 2006 - schwab@suse.de + +- Don't strip binaries. + +------------------------------------------------------------------- +Thu Dec 15 11:31:51 CET 2005 - pth@suse.de + +- Compile with (limited) large file support. This will support + single files exceeding 2 GB as long as the archive stays below + that theshold. + +------------------------------------------------------------------- +Mon Jun 13 22:46:31 CEST 2005 - rommel@suse.de + +- update to version 5.52 (bnc#67279) + +------------------------------------------------------------------- +Sat Aug 7 15:03:23 CEST 2004 - rommel@suse.de + +- update to version 5.51 + (fixes old security bugs, adds PKWARE's compression code Deflate64) + +------------------------------------------------------------------- +Wed May 19 18:36:21 CEST 2004 - ro@suse.de + +- added -fno-strict-aliasing +- really use RPM_OPT_FLAGS + +------------------------------------------------------------------- +Sun Jan 11 13:00:23 CET 2004 - adrian@suse.de + +- build as user + +------------------------------------------------------------------- +Tue Sep 23 16:53:44 CEST 2003 - rommel@suse.de + +- replaced fix for ../ exploit with a fix both for + the ../ exploit and '/' exploit (Bugzilla #29311) + +------------------------------------------------------------------- +Thu Jul 3 12:57:38 CEST 2003 - rommel@suse.de + +- added fix for ../ exploit (Bugzilla #27667) + +------------------------------------------------------------------- +Fri Jan 17 14:42:19 CET 2003 - rommel@suse.de + +- fixed Summary: to be more verbose about what this package does + +------------------------------------------------------------------- +Wed Sep 18 00:57:21 CEST 2002 - ro@suse.de + +- removed bogus self-provides + +------------------------------------------------------------------- +Fri Jul 5 11:09:32 CEST 2002 - kukuk@suse.de + +- Use %ix86 macro + +------------------------------------------------------------------- +Mon Mar 11 2002 - rommel@suse.de + +- Update to 5.50 +- took over parts of pmladek's patch (see below) + +------------------------------------------------------------------- +Thu Jan 24 13:43:46 CET 2002 - grimmer@suse.de + +- added unzip-5.42-iso8859_2.patch to fix coding conversion + between Microsoft and Linux file names + (originally from http://www.axis.cz/linux/zip_unzip.php3, + enhanced to support both ISO8859-1 and ISO8859-2 by Petr Mladek + ) + +------------------------------------------------------------------- +Mon Apr 9 13:42:07 CEST 2001 - grimmer@suse.de + +- Update to 5.42 +- file list fixes (new license file, documentation renames) + +------------------------------------------------------------------- +Wed Dec 13 17:49:59 CET 2000 - grimmer@suse.de + +- Update to 5.41 (now includes decryption support) +- now Provides and Obsoletes crunzip +- bzipped sources +- use BuildRoot + +------------------------------------------------------------------- +Tue Feb 29 18:33:38 CET 2000 - schwab@suse.de + +- Add support for ia64. +- /usr/man -> /usr/share/man + +------------------------------------------------------------------- +Wed Dec 22 16:19:18 MET 1999 - grimmer@suse.de + +- Added "Conflicts: crzip" to spec file +- cleaned up Provides: tag + +------------------------------------------------------------------- +Fri Dec 17 16:40:10 MET 1999 - grimmer@suse.de + +- Spec file cleanups + +------------------------------------------------------------------- +Sat Nov 27 15:03:07 MET 1999 - kukuk@suse.de + +- Use linux_noasm Makefile target on SPARC + +------------------------------------------------------------------- +Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de + +- ran old prepare_spec on spec file to switch to new prepare_spec. + +------------------------------------------------------------------- +Wed Sep 8 16:34:57 CEST 1999 - uli@suse.de + +- uses target linux_noasm for PPC + +------------------------------------------------------------------- +Wed Feb 24 09:42:16 MET 1999 - grimmer@suse.de + +- new version (5.40) +- specfile modifications +- added french description + +------------------------------------------------------------------- +Mon Jan 11 14:29:14 MET 1999 - ro@suse.de + +- use target linux_noasm for alpha + +------------------------------------------------------------------- +Fri Jan 23 15:03:52 MET 1998 - rj@suse.de + +- version 5.32 +------------------------------------------------------------------- +Thu Feb 6 11:56:09 CET 1997 - rj@suse.de + +- version 5.12 +- new test/changes/plist files + diff --git a/unzip.dif b/unzip.dif new file mode 100644 index 0000000..1595626 --- /dev/null +++ b/unzip.dif @@ -0,0 +1,24 @@ +Index: unix/Makefile +=================================================================== +--- unix/Makefile.orig 2009-01-18 23:41:18.000000000 +0100 ++++ unix/Makefile 2010-05-21 14:06:56.192590841 +0200 +@@ -64,8 +64,8 @@ FL2 = $(LF2) + + # general-purpose stuff + #CP = cp +-CP = ln +-LN = ln ++CP = cp ++LN = ln -s + RM = rm -f + CHMOD = chmod + BINPERMS = 755 +@@ -121,7 +121,7 @@ INSTALL_PROGRAM = $(INSTALL) + INSTALL_D = mkdir -p + # on some systems, manext=l and MANDIR=/usr/man/man$(manext) may be appropriate + manext = 1 +-prefix = /usr/local ++prefix = /usr + BINDIR = $(prefix)/bin# where to install executables + MANDIR = $(prefix)/man/man$(manext)# where to install man pages + INSTALLEDBIN = $(BINDIR)/funzip$E $(BINDIR)/unzip$E $(BINDIR)/unzipsfx$E \ diff --git a/unzip.spec b/unzip.spec new file mode 100644 index 0000000..3f0a62a --- /dev/null +++ b/unzip.spec @@ -0,0 +1,188 @@ +# +# spec file for package unzip +# +# Copyright (c) 2022 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define _name unzip +%define fileversion 60 +%bcond_with rcc +%if %{with rcc} +%define update_weight 20 +%define _suffix rcc +BuildRequires: librcc-devel +Suggests: librcc0 +Provides: %{_name} = %{version} +%else +%define update_weight 10 +%define _suffix plain +%endif +# NOTE: unzip.spec is the major file, if you want to update unzip-rcc.spec +# call pre_checkin.sh after editing unzip.spec +Name: unzip +Version: 6.00 +Release: 0 +Summary: A program to unpack compressed files +License: BSD-3-Clause +Group: Productivity/Archiving/Compression +URL: http://www.info-zip.org/ +Source: http://sourceforge.net/projects/infozip/files/UnZip%%206.x%%20%%28latest%%29/UnZip%%206.0/%{_name}%{fileversion}.tar.gz +Source1: pre_checkin.sh +Patch0: unzip.dif +Patch1: unzip-iso8859_2.patch +Patch3: unzip-optflags.patch +Patch4: unzip-5.52-filename_too_long.patch +Patch5: unzip-no_file_name_translation.patch +Patch8: unzip-open_missing_mode.patch +Patch10: unzip-5.52-use_librcc.patch +Patch11: unzip-no-build-date.patch +Patch12: unzip-dont_call_isprint.patch +Patch13: Fix-CVE-2014-8139-unzip.patch +# http://pkgs.fedoraproject.org/cgit/rpms/unzip.git/plain/unzip-6.0-cve-2014-8139.patch +Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch +Patch15: CVE-2015-7696.patch +Patch16: CVE-2015-7697.patch +Patch17: CVE-2016-9844.patch +Patch18: CVE-2014-9913.patch +Patch19: CVE-2018-1000035.patch +Patch20: Fix-CVE-2014-9636-unzip-buffer-overflow.patch +Patch21: unzip60-total_disks_zero.patch +Patch22: unzip60-cfactorstr_overflow.patch +Patch23: unzip-initialize-the-symlink-flag.patch +# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0530 bsc#1196177 +Patch24: CVE-2022-0530.patch +# PATCH-FIX-UPSTREAM danilo.spinella@suse.com CVE-2022-0529 bsc#1196180 +Patch25: CVE-2022-0529.patch +Requires(post): update-alternatives +Requires(postun):update-alternatives +Recommends: %{_name}-doc +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +UnZip is an extraction utility for archives compressed in .zip format +(known as "zip files"). Although highly compatible both with PKWARE's +PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip +program, our primary objectives have been portability and non-MS-DOS +functionality. This version can also extract encrypted archives. + +%package doc +Summary: Documentation files for unzip +Group: Productivity/Archiving/Compression +BuildArch: noarch + +%description doc +UnZip is an extraction utility for archives compressed in .zip format +(known as "zip files"). Although highly compatible both with PKWARE's +PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip +program, our primary objectives have been portability and non-MS-DOS +functionality. This version can also extract encrypted archives. + +%prep +%setup -q -n %{_name}%{fileversion} +%patch0 +%patch1 +%patch3 +%patch4 +%patch5 +%patch8 +%if %{with rcc} +%patch10 +%endif +%patch11 +%patch12 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p0 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 + +%build +export RPM_OPT_FLAGS="%{optflags} \ +-D_GNU_SOURCE -DRCC_LAZY -DWILD_STOP_AT_DIR \ +-DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT \ +-DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD \ +-DDATE_FORMAT=DF_YMD -I. -fstack-protector -fno-strict-aliasing -fPIE" + +make %{?_smp_mflags} -f unix/Makefile LF2="-ldl -pie" linux_noasm + +%check +make %{?_smp_mflags} -f unix/Makefile check + +%install +mkdir -p %{buildroot}%{_sysconfdir}/alternatives +mkdir -p %{buildroot}{%{_bindir},%{_mandir}/man1} +for i in unzip funzip unzipsfx; do + install $i "%{buildroot}%{_bindir}/$i-"%{_suffix} +done +ln -s unzip %{buildroot}%{_bindir}/zipinfo +install unix/zipgrep "%{buildroot}%{_bindir}/zipgrep-"%{_suffix} +for i in unzip funzip unzipsfx zipgrep; do + touch %{buildroot}%{_sysconfdir}/alternatives/$i + ln -s %{_sysconfdir}/alternatives/$i %{buildroot}%{_bindir}/$i +done + +# do not have the docu in both packages +%if %{without rcc} + for i in man/*.1; do + install -m 644 $i %{buildroot}%{_mandir}/man1/ + done +%endif + +%post +for bin in unzip funzip unzipsfx zipgrep; do + %{_sbindir}/update-alternatives --install %{_bindir}/$bin $bin "%{_bindir}/$bin-"%{_suffix} %{update_weight} +done + +%postun +if [ "$1" = 0 ] ; then + for bin in unzip funzip unzipsfx zipgrep; do + %{_sbindir}/update-alternatives --remove $bin "%{_bindir}/$bin"-%{_suffix} + done +fi + +%files +%defattr(-,root,root) +%ghost %{_sysconfdir}/alternatives/unzip +%{_bindir}/unzip +%{_bindir}/unzip-%{_suffix} +%ghost %{_sysconfdir}/alternatives/funzip +%{_bindir}/funzip +%{_bindir}/funzip-%{_suffix} +%ghost %{_sysconfdir}/alternatives/unzipsfx +%{_bindir}/unzipsfx +%{_bindir}/unzipsfx-%{_suffix} +%{_bindir}/zipinfo +%ghost %{_sysconfdir}/alternatives/zipgrep +%{_bindir}/zipgrep +%{_bindir}/zipgrep-%{_suffix} + +%if %{without rcc} +%files doc +%defattr(-,root,root) +%{_mandir}/man1/* +%doc BUGS Contents History.* LICENSE README ToDo WHERE +%doc *.txt proginfo + +%endif + +%changelog diff --git a/unzip60-cfactorstr_overflow.patch b/unzip60-cfactorstr_overflow.patch new file mode 100644 index 0000000..e9320e1 --- /dev/null +++ b/unzip60-cfactorstr_overflow.patch @@ -0,0 +1,35 @@ +--- unzip60/list.c ++++ unzip60/list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[10]; ++ char sgn, cfactorstr[1+10+1+1]; /* %NUL */ + int longhdr=(uO.vflag>1); + #endif + int date_format; +@@ -389,9 +389,9 @@ int list_files(__G) /* return PK-type + } + #else /* !WINDLL */ + if (cfactor == 100) +- sprintf(cfactorstr, LoadFarString(CompFactor100)); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100)); + else +- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor); + if (longhdr) + Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats), + FmZofft(G.crec.ucsize, "8", "u"), methbuf, +@@ -471,9 +471,9 @@ int list_files(__G) /* return PK-type + + #else /* !WINDLL */ + if (cfactor == 100) +- sprintf(cfactorstr, LoadFarString(CompFactor100)); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100)); + else +- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor); + if (longhdr) { + Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer), + FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"), diff --git a/unzip60-total_disks_zero.patch b/unzip60-total_disks_zero.patch new file mode 100644 index 0000000..c33c1af --- /dev/null +++ b/unzip60-total_disks_zero.patch @@ -0,0 +1,24 @@ +Index: unzip60/process.c +=================================================================== +--- unzip60.orig/process.c ++++ unzip60/process.c +@@ -1286,7 +1286,8 @@ static int find_ecrec64(__G__ searchlen) + G.ecrec.number_this_disk, ecloc64_total_disks); fflush(stdout); + #endif + if ((G.ecrec.number_this_disk != 0xFFFF) && +- (G.ecrec.number_this_disk != ecloc64_total_disks - 1)) { ++ (G.ecrec.number_this_disk != ecloc64_total_disks - 1) && ++ (ecloc64_total_disks != 0)) { + /* Note: For some unknown reason, the developers at PKWARE decided to + store the "zip64 total disks" value as a counter starting from 1, + whereas all other "split/span volume" related fields use 0-based +@@ -1296,6 +1297,9 @@ static int find_ecrec64(__G__ searchlen) + When this is not the case, the found ecrec64 locator cannot be valid. + -> This is not a Zip64 archive. + */ ++ /* There are archive creators that put 0 in total disks when it should ++ be 1. We should handle this. This is done by the added check above. ++ */ + Trace((stderr, + "\ninvalid ECLOC64, differing disk# (ECR %u, ECL64 %lu)\n", + G.ecrec.number_this_disk, ecloc64_total_disks - 1)); diff --git a/unzip60.tar.gz b/unzip60.tar.gz new file mode 100644 index 0000000..737b957 --- /dev/null +++ b/unzip60.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 +size 1376845