Github messages for voidlinux
 help / color / mirror / Atom feed
* [PR PATCH] unzip: fix CVE-2018-18384.
@ 2019-12-26 13:57 voidlinux-github
  2019-12-26 14:13 ` [PR PATCH] [Updated] " voidlinux-github
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: voidlinux-github @ 2019-12-26 13:57 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 352 bytes --]

There is a new pull request by travankor against master on the void-packages repository

https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796

unzip: fix CVE-2018-18384.
Add bsdunzip as a alternative to unzip.

A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 6499 bytes --]

From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH 1/3] unzip: fix CVE-2018-18384.

---
 srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
 srcpkgs/unzip/patches/patch-list.c.diff   | 40 ++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 29 deletions(-)
 delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch

diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
-                 G.crec.compression_method == ENHDEFLATED) {
-                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
-             } else if (methnum >= NUM_METHODS) {
--                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+                /* 2013-02-26 SMS.
-+                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
-+                 * Unexpectedly large compression methods overflow
-+                 * &methbuf[].  Use the old, three-digit decimal format
-+                 * for values which fit.  Otherwise, sacrifice the
-+                 * colon, and use four-digit hexadecimal.
-+                 */
-+                if (G.crec.compression_method <= 999) {
-+                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+                } else {
-+                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+                }
-             }
- 
- #if 0       /* GRR/Euro:  add this? */
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
 
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
 
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
 --- list.c.orig	2009-02-08 17:11:34.000000000 +0000
 +++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[12];
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
      ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
  #endif
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
      static ZCONST char dtype[]="NXFS";  /* see zi_short() */
      static ZCONST char Far method[NUM_METHODS+1][8] =
          {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G)    /* return PK-type
+                 G.crec.compression_method == ENHDEFLATED) {
+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+             } else if (methnum >= NUM_METHODS) {
+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++                /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++                 * Use the old decimal format only for values which fit.
++                 */
++                if (G.crec.compression_method <= 999) {
++                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++                } else {
++                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++                }
+             }
+ 
+ #if 0       /* GRR/Euro:  add this? */

From 3c0303927f117423e2bf005f2a4ea8e1c0dcc2dd Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:52:53 -0700
Subject: [PATCH 2/3] unzip: add unzip as an unzip alternative.

---
 srcpkgs/unzip/template | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/unzip/template b/srcpkgs/unzip/template
index ec726ea239b..5338161e44b 100644
--- a/srcpkgs/unzip/template
+++ b/srcpkgs/unzip/template
@@ -1,7 +1,7 @@
 # Template file for 'unzip'
 pkgname=unzip
 version=6.0
-revision=12
+revision=13
 wrksrc=unzip60
 makedepends="bzip2-devel"
 short_desc="List, test and extract compressed files in a ZIP archive"
@@ -11,6 +11,10 @@ homepage="http://infozip.sf.net/"
 distfiles="${SOURCEFORGE_SITE}/infozip/${pkgname}60.tar.gz"
 checksum=036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37
 
+alternatives="
+ unzip:unzip:/usr/bin/unzip
+ unzip:unzip.1:/usr/share/man/man1/unzip.1"
+
 do_build() {
 	CFLAGS+=" -D_FILE_OFFSET_BITS=64 -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT \
 		-DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE \

From a0d560b08c05d65de82e5d424261032d4c8ac96f Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:53:24 -0700
Subject: [PATCH 3/3] bsdunzip: add bsdunzip as an unzip alternative.

---
 srcpkgs/bsdunzip/template | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/bsdunzip/template b/srcpkgs/bsdunzip/template
index dd02386b3e0..f851ea1fdf2 100644
--- a/srcpkgs/bsdunzip/template
+++ b/srcpkgs/bsdunzip/template
@@ -1,7 +1,7 @@
 # Template file for 'bsdunzip'
 pkgname=bsdunzip
 version=20160115
-revision=1
+revision=2
 build_style=gnu-makefile
 makedepends="libarchive-devel"
 short_desc="Libarchive(3)-utilizing unzip implementation from FreeBSD"
@@ -11,6 +11,10 @@ homepage="https://github.com/somasis/bsdunzip"
 distfiles="https://github.com/somasis/bsdunzip/archive/${version}.tar.gz"
 checksum=06c52c77fa518732665aa2daa73f364cd2470a5d47a83c9c79f86f207cf3ecc1
 
+alternatives="
+ unzip:unzip:/usr/bin/bsdunzip
+ unzip:unzip.1:/usr/share/man/man1/bsdunzip.1"
+
 post_install() {
 	vlicense LICENSE
 }

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PR PATCH] [Updated] unzip: fix CVE-2018-18384.
  2019-12-26 13:57 [PR PATCH] unzip: fix CVE-2018-18384 voidlinux-github
@ 2019-12-26 14:13 ` voidlinux-github
  2019-12-26 14:13 ` voidlinux-github
  2019-12-26 21:07 ` [PR PATCH] [Merged]: " voidlinux-github
  2 siblings, 0 replies; 4+ messages in thread
From: voidlinux-github @ 2019-12-26 14:13 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 357 bytes --]

There is an updated pull request by travankor against master on the void-packages repository

https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796

unzip: fix CVE-2018-18384.
Add bsdunzip as a alternative to unzip.

A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 4324 bytes --]

From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH] unzip: fix CVE-2018-18384.

---
 srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
 srcpkgs/unzip/patches/patch-list.c.diff   | 40 ++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 29 deletions(-)
 delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch

diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
-                 G.crec.compression_method == ENHDEFLATED) {
-                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
-             } else if (methnum >= NUM_METHODS) {
--                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+                /* 2013-02-26 SMS.
-+                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
-+                 * Unexpectedly large compression methods overflow
-+                 * &methbuf[].  Use the old, three-digit decimal format
-+                 * for values which fit.  Otherwise, sacrifice the
-+                 * colon, and use four-digit hexadecimal.
-+                 */
-+                if (G.crec.compression_method <= 999) {
-+                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+                } else {
-+                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+                }
-             }
- 
- #if 0       /* GRR/Euro:  add this? */
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
 
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
 
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
 --- list.c.orig	2009-02-08 17:11:34.000000000 +0000
 +++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[12];
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
      ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
  #endif
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
      static ZCONST char dtype[]="NXFS";  /* see zi_short() */
      static ZCONST char Far method[NUM_METHODS+1][8] =
          {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G)    /* return PK-type
+                 G.crec.compression_method == ENHDEFLATED) {
+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+             } else if (methnum >= NUM_METHODS) {
+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++                /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++                 * Use the old decimal format only for values which fit.
++                 */
++                if (G.crec.compression_method <= 999) {
++                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++                } else {
++                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++                }
+             }
+ 
+ #if 0       /* GRR/Euro:  add this? */

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PR PATCH] [Updated] unzip: fix CVE-2018-18384.
  2019-12-26 13:57 [PR PATCH] unzip: fix CVE-2018-18384 voidlinux-github
  2019-12-26 14:13 ` [PR PATCH] [Updated] " voidlinux-github
@ 2019-12-26 14:13 ` voidlinux-github
  2019-12-26 21:07 ` [PR PATCH] [Merged]: " voidlinux-github
  2 siblings, 0 replies; 4+ messages in thread
From: voidlinux-github @ 2019-12-26 14:13 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 357 bytes --]

There is an updated pull request by travankor against master on the void-packages repository

https://github.com/travankor/void-packages unzip
https://github.com/void-linux/void-packages/pull/17796

unzip: fix CVE-2018-18384.
Add bsdunzip as a alternative to unzip.

A patch file from https://github.com/void-linux/void-packages/pull/17796.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-unzip-17796.patch --]
[-- Type: text/x-diff, Size: 4745 bytes --]

From 9c1845be93d752c463d7561434a358c19fa272c7 Mon Sep 17 00:00:00 2001
From: travankor <travankor@tuta.io>
Date: Thu, 26 Dec 2019 06:50:22 -0700
Subject: [PATCH] unzip: fix CVE-2018-18384.

---
 srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ----------------
 srcpkgs/unzip/patches/patch-list.c.diff   | 40 ++++++++++++++++++++++-
 srcpkgs/unzip/template                    |  2 +-
 3 files changed, 40 insertions(+), 30 deletions(-)
 delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch

diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch
deleted file mode 100644
index 0124b0d62fc..00000000000
--- a/srcpkgs/unzip/patches/CVE-2014-9913.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: "Steven M. Schweda" <sms@antinode.info>
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-
---- list.c
-+++ list.c
-@@ -339,7 +339,18 @@
-                 G.crec.compression_method == ENHDEFLATED) {
-                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
-             } else if (methnum >= NUM_METHODS) {
--                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+                /* 2013-02-26 SMS.
-+                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
-+                 * Unexpectedly large compression methods overflow
-+                 * &methbuf[].  Use the old, three-digit decimal format
-+                 * for values which fit.  Otherwise, sacrifice the
-+                 * colon, and use four-digit hexadecimal.
-+                 */
-+                if (G.crec.compression_method <= 999) {
-+                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+                } else {
-+                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+                }
-             }
- 
- #if 0       /* GRR/Euro:  add this? */
diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff
index 43396fe0684..e0961ec9f13 100644
--- a/srcpkgs/unzip/patches/patch-list.c.diff
+++ b/srcpkgs/unzip/patches/patch-list.c.diff
@@ -1,10 +1,32 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
 
+chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
 
+chunk 3:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
 --- list.c.orig	2009-02-08 17:11:34.000000000 +0000
 +++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[12];
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
      ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
  #endif
@@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497
      static ZCONST char dtype[]="NXFS";  /* see zi_short() */
      static ZCONST char Far method[NUM_METHODS+1][8] =
          {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G)    /* return PK-type
+                 G.crec.compression_method == ENHDEFLATED) {
+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+             } else if (methnum >= NUM_METHODS) {
+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++                /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++                 * Use the old decimal format only for values which fit.
++                 */
++                if (G.crec.compression_method <= 999) {
++                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++                } else {
++                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++                }
+             }
+ 
+ #if 0       /* GRR/Euro:  add this? */
diff --git a/srcpkgs/unzip/template b/srcpkgs/unzip/template
index ec726ea239b..c01fca22768 100644
--- a/srcpkgs/unzip/template
+++ b/srcpkgs/unzip/template
@@ -1,7 +1,7 @@
 # Template file for 'unzip'
 pkgname=unzip
 version=6.0
-revision=12
+revision=13
 wrksrc=unzip60
 makedepends="bzip2-devel"
 short_desc="List, test and extract compressed files in a ZIP archive"

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PR PATCH] [Merged]: unzip: fix CVE-2018-18384.
  2019-12-26 13:57 [PR PATCH] unzip: fix CVE-2018-18384 voidlinux-github
  2019-12-26 14:13 ` [PR PATCH] [Updated] " voidlinux-github
  2019-12-26 14:13 ` voidlinux-github
@ 2019-12-26 21:07 ` voidlinux-github
  2 siblings, 0 replies; 4+ messages in thread
From: voidlinux-github @ 2019-12-26 21:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

There's a merged pull request on the void-packages repository

unzip: fix CVE-2018-18384.
https://github.com/void-linux/void-packages/pull/17796

Description:


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-12-26 21:07 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-26 13:57 [PR PATCH] unzip: fix CVE-2018-18384 voidlinux-github
2019-12-26 14:13 ` [PR PATCH] [Updated] " voidlinux-github
2019-12-26 14:13 ` voidlinux-github
2019-12-26 21:07 ` [PR PATCH] [Merged]: " voidlinux-github

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).