From d97b263a8bbad92ac3750a75fc6ad9a2aa16ae08 Mon Sep 17 00:00:00 2001 From: travankor Date: Thu, 26 Dec 2019 06:50:22 -0700 Subject: [PATCH 1/3] unzip: fix CVE-2018-18384. --- srcpkgs/unzip/patches/CVE-2014-9913.patch | 28 ---------------- srcpkgs/unzip/patches/patch-list.c.diff | 40 ++++++++++++++++++++++- 2 files changed, 39 insertions(+), 29 deletions(-) delete mode 100644 srcpkgs/unzip/patches/CVE-2014-9913.patch diff --git a/srcpkgs/unzip/patches/CVE-2014-9913.patch b/srcpkgs/unzip/patches/CVE-2014-9913.patch deleted file mode 100644 index 0124b0d62fc..00000000000 --- a/srcpkgs/unzip/patches/CVE-2014-9913.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: "Steven M. Schweda" -Subject: Fix CVE-2014-9913, buffer overflow in unzip -Bug: https://sourceforge.net/p/infozip/bugs/27/ -Bug-Debian: https://bugs.debian.org/847485 -Bug-Ubuntu: https://launchpad.net/bugs/387350 - ---- list.c -+++ list.c -@@ -339,7 +339,18 @@ - G.crec.compression_method == ENHDEFLATED) { - methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; - } else if (methnum >= NUM_METHODS) { -- sprintf(&methbuf[4], "%03u", G.crec.compression_method); -+ /* 2013-02-26 SMS. -+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913. -+ * Unexpectedly large compression methods overflow -+ * &methbuf[]. Use the old, three-digit decimal format -+ * for values which fit. Otherwise, sacrifice the -+ * colon, and use four-digit hexadecimal. -+ */ -+ if (G.crec.compression_method <= 999) { -+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); -+ } else { -+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); -+ } - } - - #if 0 /* GRR/Euro: add this? */ diff --git a/srcpkgs/unzip/patches/patch-list.c.diff b/srcpkgs/unzip/patches/patch-list.c.diff index 43396fe0684..e0961ec9f13 100644 --- a/srcpkgs/unzip/patches/patch-list.c.diff +++ b/srcpkgs/unzip/patches/patch-list.c.diff @@ -1,10 +1,32 @@ -$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $ +$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $ +chunk 1: +CVE-2018-18384 fix from +https://sourceforge.net/p/infozip/bugs/53/ +and +https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/ + +chunk 2: Big-hammer fix for http://seclists.org/oss-sec/2014/q4/497 +chunk 3: +CVE-2014-9913 fix from +https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt +via +http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529 + --- list.c.orig 2009-02-08 17:11:34.000000000 +0000 +++ list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[10]; ++ char sgn, cfactorstr[12]; + int longhdr=(uO.vflag>1); + #endif + int date_format; @@ -116,7 +116,7 @@ int list_files(__G) /* return PK-type ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L; #endif @@ -14,3 +36,19 @@ http://seclists.org/oss-sec/2014/q4/497 static ZCONST char dtype[]="NXFS"; /* see zi_short() */ static ZCONST char Far method[NUM_METHODS+1][8] = {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4", +@@ -339,7 +339,14 @@ int list_files(__G) /* return PK-type + G.crec.compression_method == ENHDEFLATED) { + methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; + } else if (methnum >= NUM_METHODS) { +- sprintf(&methbuf[4], "%03u", G.crec.compression_method); ++ /* Fix for CVE-2014-9913, similar to CVE-2016-9844. ++ * Use the old decimal format only for values which fit. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); ++ } + } + + #if 0 /* GRR/Euro: add this? */ From 3c0303927f117423e2bf005f2a4ea8e1c0dcc2dd Mon Sep 17 00:00:00 2001 From: travankor Date: Thu, 26 Dec 2019 06:52:53 -0700 Subject: [PATCH 2/3] unzip: add unzip as an unzip alternative. --- srcpkgs/unzip/template | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/srcpkgs/unzip/template b/srcpkgs/unzip/template index ec726ea239b..5338161e44b 100644 --- a/srcpkgs/unzip/template +++ b/srcpkgs/unzip/template @@ -1,7 +1,7 @@ # Template file for 'unzip' pkgname=unzip version=6.0 -revision=12 +revision=13 wrksrc=unzip60 makedepends="bzip2-devel" short_desc="List, test and extract compressed files in a ZIP archive" @@ -11,6 +11,10 @@ homepage="http://infozip.sf.net/" distfiles="${SOURCEFORGE_SITE}/infozip/${pkgname}60.tar.gz" checksum=036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 +alternatives=" + unzip:unzip:/usr/bin/unzip + unzip:unzip.1:/usr/share/man/man1/unzip.1" + do_build() { CFLAGS+=" -D_FILE_OFFSET_BITS=64 -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT \ -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE \ From a0d560b08c05d65de82e5d424261032d4c8ac96f Mon Sep 17 00:00:00 2001 From: travankor Date: Thu, 26 Dec 2019 06:53:24 -0700 Subject: [PATCH 3/3] bsdunzip: add bsdunzip as an unzip alternative. --- srcpkgs/bsdunzip/template | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/srcpkgs/bsdunzip/template b/srcpkgs/bsdunzip/template index dd02386b3e0..f851ea1fdf2 100644 --- a/srcpkgs/bsdunzip/template +++ b/srcpkgs/bsdunzip/template @@ -1,7 +1,7 @@ # Template file for 'bsdunzip' pkgname=bsdunzip version=20160115 -revision=1 +revision=2 build_style=gnu-makefile makedepends="libarchive-devel" short_desc="Libarchive(3)-utilizing unzip implementation from FreeBSD" @@ -11,6 +11,10 @@ homepage="https://github.com/somasis/bsdunzip" distfiles="https://github.com/somasis/bsdunzip/archive/${version}.tar.gz" checksum=06c52c77fa518732665aa2daa73f364cd2470a5d47a83c9c79f86f207cf3ecc1 +alternatives=" + unzip:unzip:/usr/bin/bsdunzip + unzip:unzip.1:/usr/share/man/man1/bsdunzip.1" + post_install() { vlicense LICENSE }