* [PR PATCH] unzip: fix CVE-2018-18384.
From: voidlinux-github @ 2019-12-26 13:57 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 352 bytes --]
There is a new pull request by travankor against master on the void-packages repository
https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796
unzip: fix CVE-2018-18384.
Add bsdunzip as an alternative to unzip.
A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 6499 bytes --]
From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH 1/3] unzip: fix CVE-2018-18384.
---
srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
srcpkgs/unzip/patches/patch-list.c.diff | 40 ++++++++++++++++++++++-
2 files changed, 39 insertions(+), 29 deletions(-)
delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch
diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
- G.crec.compression_method == ENHDEFLATED) {
- methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
- } else if (methnum >= NUM_METHODS) {
-- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+ /* 2013-02-26 SMS.
-+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
-+ * Unexpectedly large compression methods overflow
-+ * &methbuf[]. Use the old, three-digit decimal format
-+ * for values which fit. Otherwise, sacrifice the
-+ * colon, and use four-digit hexadecimal.
-+ */
-+ if (G.crec.compression_method <= 999) {
-+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+ } else {
-+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+ }
- }
-
- #if 0 /* GRR/Euro: add this? */
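Review bot: Deleting this file drops the only place where the Bug, Bug-Debian and Bug-Ubuntu links and the original author line for the CVE-2014-9913 fix were recorded. If the fix now lives in patch-list.c.diff, carry those references over into its header so the provenance of the methbuf change stays traceable from the package tree.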
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
Big-hammer fix for
http://seclists.org/oss-sec/2014/q4/497
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
--- list.c.orig 2009-02-08 17:11:34.000000000 +0000
+++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[10];
++ char sgn, cfactorstr[12];
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
@@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type
ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
#endif
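Review bot: The CVE-2018-18384 change from cfactorstr[10] to cfactorstr[12] only enlarges the buffer, and nothing in this hunk shows the write into it being bounded. Add a short comment giving the worst-case formatted length that justifies 12, or bound the write with snprintf and sizeof(cfactorstr) so a later format change cannot reintroduce the overflow.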
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
static ZCONST char dtype[]="NXFS"; /* see zi_short() */
static ZCONST char Far method[NUM_METHODS+1][8] =
{"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++ * Use the old decimal format only for values which fit.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
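Review bot: The else branch writes "%04X" at &methbuf[ 3] instead of &methbuf[ 4], but the new comment no longer says why; the deleted CVE-2014-9913.patch explained that the colon is sacrificed to make room for four hexadecimal digits. Restore that sentence, and give a reference for CVE-2016-9844, since the header only cites sources for CVE-2014-9913. Both calls are still unbounded sprintf, so the fix relies on compression_method never formatting wider than four hex digits; snprintf with the remaining size of methbuf would make that explicit.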
From 3c0303927f117423e2bf005f2a4ea8e1c0dcc2dd Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:52:53 -0700
Subject: [PATCH 2/3] unzip: add unzip as an unzip alternative.
---
srcpkgs/unzip/template | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/srcpkgs/unzip/template b/srcpkgs/unzip/template
index ec726ea239b..5338161e44b 100644
--- a/srcpkgs/unzip/template
+++ b/srcpkgs/unzip/template
@@ -1,7 +1,7 @@
# Template file for 'unzip'
pkgname=unzip
version=6.0
-revision=12
+revision=13
wrksrc=unzip60
makedepends="bzip2-devel"
short_desc="List, test and extract compressed files in a ZIP archive"
@@ -11,6 +11,10 @@ homepage="http://infozip.sf.net/"
distfiles="${SOURCEFORGE_SITE}/infozip/${pkgname}60.tar.gz"
checksum=036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37
+alternatives="
+ unzip:unzip:/usr/bin/unzip
+ unzip:unzip.1:/usr/share/man/man1/unzip.1"
+
do_build() {
CFLAGS+=" -D_FILE_OFFSET_BITS=64 -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT \
-DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE \
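Review bot: In the alternatives block the link name unzip and the target /usr/bin/unzip are the same path, and likewise unzip.1 and /usr/share/man/man1/unzip.1, so the alternative would point at the file the package already installs under that name. The bsdunzip hunk targets /usr/bin/bsdunzip; this template would need its binary and man page installed under a distinct name for the group to work. The subject line, "add unzip as an unzip alternative", has the same circularity.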
From a0d560b08c05d65de82e5d424261032d4c8ac96f Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:53:24 -0700
Subject: [PATCH 3/3] bsdunzip: add bsdunzip as an unzip alternative.
---
srcpkgs/bsdunzip/template | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/srcpkgs/bsdunzip/template b/srcpkgs/bsdunzip/template
index dd02386b3e0..f851ea1fdf2 100644
--- a/srcpkgs/bsdunzip/template
+++ b/srcpkgs/bsdunzip/template
@@ -1,7 +1,7 @@
# Template file for 'bsdunzip'
pkgname=bsdunzip
version=20160115
-revision=1
+revision=2
build_style=gnu-makefile
makedepends="libarchive-devel"
short_desc="Libarchive(3)-utilizing unzip implementation from FreeBSD"
@@ -11,6 +11,10 @@ homepage="https://github.com/somasis/bsdunzip"
distfiles="https://github.com/somasis/bsdunzip/archive/${version}.tar.gz"
checksum=06c52c77fa518732665aa2daa73f364cd2470a5d47a83c9c79f86f207cf3ecc1
+alternatives="
+ unzip:unzip:/usr/bin/bsdunzip
+ unzip:unzip.1:/usr/share/man/man1/bsdunzip.1"
+
post_install() {
vlicense LICENSE
}
* Re: [PR PATCH] [Updated] unzip: fix CVE-2018-18384.
From: voidlinux-github @ 2019-12-26 14:13 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 357 bytes --]
There is an updated pull request by travankor against master on the void-packages repository
https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796
unzip: fix CVE-2018-18384.
Add bsdunzip as an alternative to unzip.
A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 4324 bytes --]
From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH] unzip: fix CVE-2018-18384.
---
srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
srcpkgs/unzip/patches/patch-list.c.diff | 40 ++++++++++++++++++++++-
2 files changed, 39 insertions(+), 29 deletions(-)
delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch
diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
- G.crec.compression_method == ENHDEFLATED) {
- methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
- } else if (methnum >= NUM_METHODS) {
-- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+ /* 2013-02-26 SMS.
-+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
-+ * Unexpectedly large compression methods overflow
-+ * &methbuf[]. Use the old, three-digit decimal format
-+ * for values which fit. Otherwise, sacrifice the
-+ * colon, and use four-digit hexadecimal.
-+ */
-+ if (G.crec.compression_method <= 999) {
-+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+ } else {
-+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+ }
- }
-
- #if 0 /* GRR/Euro: add this? */
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
Big-hammer fix for
http://seclists.org/oss-sec/2014/q4/497
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
--- list.c.orig 2009-02-08 17:11:34.000000000 +0000
+++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[10];
++ char sgn, cfactorstr[12];
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
@@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type
ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
#endif
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
static ZCONST char dtype[]="NXFS"; /* see zi_short() */
static ZCONST char Far method[NUM_METHODS+1][8] =
{"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++ * Use the old decimal format only for values which fit.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
* Re: [PR PATCH] [Updated] unzip: fix CVE-2018-18384.
From: voidlinux-github @ 2019-12-26 14:13 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 357 bytes --]
There is an updated pull request by travankor against master on the void-packages repository
https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796
unzip: fix CVE-2018-18384.
Add bsdunzip as an alternative to unzip.
A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 4745 bytes --]
From 9c1845be93d752c463d7561434a358c19fa272c7 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH] unzip: fix CVE-2018-18384.
---
srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
srcpkgs/unzip/patches/patch-list.c.diff | 40 ++++++++++++++++++++++-
srcpkgs/unzip/template | 2 +-
3 files changed, 40 insertions(+), 30 deletions(-)
delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch
diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
- G.crec.compression_method == ENHDEFLATED) {
- methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
- } else if (methnum >= NUM_METHODS) {
-- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+ /* 2013-02-26 SMS.
-+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
-+ * Unexpectedly large compression methods overflow
-+ * &methbuf[]. Use the old, three-digit decimal format
-+ * for values which fit. Otherwise, sacrifice the
-+ * colon, and use four-digit hexadecimal.
-+ */
-+ if (G.crec.compression_method <= 999) {
-+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+ } else {
-+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+ }
- }
-
- #if 0 /* GRR/Euro: add this? */
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
Big-hammer fix for
http://seclists.org/oss-sec/2014/q4/497
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
--- list.c.orig 2009-02-08 17:11:34.000000000 +0000
+++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[10];
++ char sgn, cfactorstr[12];
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
@@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type
ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
#endif
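Review bot: In the new header, chunk 2 is described only as "Big-hammer fix for" plus an oss-sec link, while chunks 1 and 3 name the CVE they fix, and there is no blank line between the chunk 2 link and "chunk 3:". Name the issue chunk 2 addresses and add the separator so the three descriptions read consistently.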
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
static ZCONST char dtype[]="NXFS"; /* see zi_short() */
static ZCONST char Far method[NUM_METHODS+1][8] =
{"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++ * Use the old decimal format only for values which fit.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
diff --git a/srcpkgs/unzip/template b/srcpkgs/unzip/template
index ec726ea239b..c01fca22768 100644
--- a/srcpkgs/unzip/template
+++ b/srcpkgs/unzip/template
@@ -1,7 +1,7 @@
# Template file for 'unzip'
pkgname=unzip
version=6.0
-revision=12
+revision=13
wrksrc=unzip60
makedepends="bzip2-devel"
short_desc="List, test and extract compressed files in a ZIP archive"
* Re: [PR PATCH] [Merged]: unzip: fix CVE-2018-18384.
From: voidlinux-github @ 2019-12-26 21:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 160 bytes --]
There's a merged pull request on the void-packages repository
unzip: fix CVE-2018-18384.
https://github.com/void-linux/void-packages/pull/17796
Description: