From 3a6d849f8193c697661d87d9c9911f8275ba1886f83ba1a6cb61fe1956254c8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?=
Date: Wed, 15 Feb 2017 08:59:36 +0000
Subject: [PATCH] Accepting request 457352 from home:jmoellers:branches:Archiving
OBS-URL: https://build.opensuse.org/request/show/457352
OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=39
---
 CVE-2014-9913.patch | 24 ++++++++++++++++++++++++
 CVE-2015-7697.patch | 13 +++++++++++++
 CVE-2016-9844.patch | 24 ++++++++++++++++++++++++
 unzip-rcc.changes | 12 +++++++++++-
 unzip-rcc.spec | 6 +++++-
 unzip.changes | 10 ++++++++++
 unzip.spec | 6 +++++-
 7 files changed, 92 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2014-9913.patch
 create mode 100644 CVE-2016-9844.patch
diff --git a/CVE-2014-9913.patch b/CVE-2014-9913.patch
new file mode 100644
index 0000000..07a4ebb
--- /dev/null
+++ b/CVE-2014-9913.patch
@@ -0,0 +1,24 @@
+Index: unzip60/list.c
+===================================================================
+--- unzip60.orig/list.c
++++ unzip60/list.c
+@@ -339,7 +339,18 @@ int list_files(__G) /* return PK-type
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* 2013-02-26 SMS.
++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the
++ * colon, and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
diff --git a/CVE-2015-7697.patch b/CVE-2015-7697.patch
index 91eba93..fb751e8 100644
--- a/CVE-2015-7697.patch
+++ b/CVE-2015-7697.patch
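Review bot: The hex fallback `sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);` is still an unbounded write, because `%04X` only sets a minimum width: it stays at four digits plus NUL only while the value is at most 0xFFFF, and neither the type of `compression_method` nor the size of `methbuf` in list.c is visible in this hunk. I would make the bound explicit with `sprintf(&methbuf[3], "%04X", (unsigned)(G.crec.compression_method & 0xFFFF));`, which also hands `%X` the unsigned int it expects. The same applies to the `&methbuf[ 0]` write in the zi_short hunk of CVE-2016-9844.patch. The body of list_files starts and ends outside the hunk.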
@@ -26,3 +26,16 @@ Index: unzip60/extract.c
 #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
 if (G.redirect_slide)
 wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+Index: unzip60/zipinfo.c
+===================================================================
+--- unzip60.orig/zipinfo.c
++++ unzip60/zipinfo.c
+@@ -1888,7 +1888,7 @@ static int zi_short(__G) /* return PK-
+ int k, error, error_in_archive=PK_COOL;
+ unsigned hostnum, hostver, methid, methnum, xattr;
+ char *p, workspace[12], attribs[16];
+- char methbuf[5];
++ char methbuf[1+5+1]; /* large enough to hold 1 character + an unsigned short + NUL */
+ static ZCONST char dtype[5]="NXFS"; /* normal, maximum, fast, superfast */
+ static ZCONST char Far os[NUM_HOSTS+1][4] = {
+ "fat", "ami", "vms", "unx", "cms", "atr", "hpf", "mac", "zzz",
diff --git a/CVE-2016-9844.patch b/CVE-2016-9844.patch
new file mode 100644
index 0000000..d180282
--- /dev/null
+++ b/CVE-2016-9844.patch
@@ -0,0 +1,24 @@
+Index: unzip60/zipinfo.c
+===================================================================
+--- unzip60.orig/zipinfo.c
++++ unzip60/zipinfo.c
+@@ -1927,7 +1927,18 @@ static int zi_short(__G) /* return PK-
+ ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+ methbuf[3] = dtype[dnum];
+ } else if (methnum >= NUM_METHODS) { /* unknown */
+- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++ /* 2016-12-05 SMS.
++ * https://launchpad.net/bugs/1643750 CVE-2016-9844.
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the "u",
++ * and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++ }
+ }
+
+ for (k = 0; k < 15; ++k)
diff --git a/unzip-rcc.changes b/unzip-rcc.changes
index 4e5df31..bf3e7a9 100644
--- a/unzip-rcc.changes
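Review bot: The `methbuf` enlargement in zi_short is filed under CVE-2015-7697.patch, although it concerns the same buffer that the new CVE-2016-9844.patch guards, and the changelog entries in this commit name only CVE-2016-9844.patch and CVE-2014-9913. Either move the zipinfo.c hunk into CVE-2016-9844.patch or record the modified file in both .changes entries, so that each CVE stays traceable to one patch. The size `1+5+1` presumably relies on an unsigned short printing in at most five decimal digits; the comment could state that, e.g. `/* 1 prefix char + up to 5 decimal digits of a 16-bit value + NUL */`. zi_short's body continues outside the hunk.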
+++ b/unzip-rcc.changes
@@ -1,5 +1,15 @@
 -------------------------------------------------------------------
-Wed Oct 12 07:24:12 UTC 2016 - josef.moellers@suse.com
+Wed Feb 15 08:31:05 UTC 2017 - josef.moellers@suse.com
+
+- Fixed two potential buffer overflows.
+ The patches were extracted from
+ http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and
+ http://antinode.info/ftp/info-zip/unzip60/list.c
+ (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913,
+ CVE-2016-9844.patch, CVE-2014-9913)
+
+-------------------------------------------------------------------
+Wed Oct 12 07:23:03 UTC 2016 - josef.moellers@suse.com
 - When decrypting an encrypted file, quit early if compressed size < HEAD_LEN.
diff --git a/unzip-rcc.spec b/unzip-rcc.spec
index 7afd381..0d9fa17 100644
--- a/unzip-rcc.spec
+++ b/unzip-rcc.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip-rcc
 #
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -53,6 +53,8 @@ Patch13: Fix-CVE-2014-8139-unzip.patch
 Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 Patch15: CVE-2015-7696.patch
 Patch16: CVE-2015-7697.patch
+Patch17: CVE-2016-9844.patch
+Patch18: CVE-2014-9913.patch
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Recommends: %{_name}-doc
@@ -93,6 +95,8 @@ functionality. This version can also extract encrypted archives.
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %build
 export RPM_OPT_FLAGS="%{optflags} \
diff --git a/unzip.changes b/unzip.changes
index 6a2ba1d..bf3e7a9 100644
--- a/unzip.changes
+++ b/unzip.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Feb 15 08:31:05 UTC 2017 - josef.moellers@suse.com
+
+- Fixed two potential buffer overflows.
+ The patches were extracted from
+ http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and
+ http://antinode.info/ftp/info-zip/unzip60/list.c
+ (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913,
+ CVE-2016-9844.patch, CVE-2014-9913)
+
 -------------------------------------------------------------------
 Wed Oct 12 07:23:03 UTC 2016 - josef.moellers@suse.com
diff --git a/unzip.spec b/unzip.spec
index a599059..e3e442f 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unzip
 #
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -53,6 +53,8 @@ Patch13: Fix-CVE-2014-8139-unzip.patch
 Patch14: Fix-CVE-2014-8140-and-CVE-2014-8141.patch
 Patch15: CVE-2015-7696.patch
 Patch16: CVE-2015-7697.patch
+Patch17: CVE-2016-9844.patch
+Patch18: CVE-2014-9913.patch
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
 Recommends: %{_name}-doc
@@ -93,6 +95,8 @@ functionality. This version can also extract encrypted archives.
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %build
 export RPM_OPT_FLAGS="%{optflags} \