diff options
Diffstat (limited to 'system/unzip')
-rw-r--r-- | system/unzip/10-unzip-handle-pkware-verify.patch | 21 | ||||
-rw-r--r-- | system/unzip/20-unzip-uidgid-fix.patch | 29 | ||||
-rw-r--r-- | system/unzip/APKBUILD | 45 | ||||
-rw-r--r-- | system/unzip/cflags.patch | 20 | ||||
-rw-r--r-- | system/unzip/format-secure.patch | 93 | ||||
-rw-r--r-- | system/unzip/unzip-6.0-heap-overflow-infloop.patch | 104 | ||||
-rw-r--r-- | system/unzip/unzipsfx-bomb-32bit.patch | 14 |
7 files changed, 160 insertions, 166 deletions
diff --git a/system/unzip/10-unzip-handle-pkware-verify.patch b/system/unzip/10-unzip-handle-pkware-verify.patch deleted file mode 100644 index b373ce07d..000000000 --- a/system/unzip/10-unzip-handle-pkware-verify.patch +++ /dev/null @@ -1,21 +0,0 @@ -From: Steven Schweda -Subject: Handle the PKWare verification bit of internal attributes -Bug-Debian: http://bugs.debian.org/630078 -X-Debian-version: 6.0-5 - ---- a/process.c -+++ b/process.c -@@ -1729,6 +1729,13 @@ - else if (uO.L_flag > 1) /* let -LL force lower case for all names */ - G.pInfo->lcflag = 1; - -+ /* Handle the PKWare verification bit, bit 2 (0x0004) of internal -+ attributes. If this is set, then a verification checksum is in the -+ first 3 bytes of the external attributes. In this case all we can use -+ for setting file attributes is the last external attributes byte. */ -+ if (G.crec.internal_file_attributes & 0x0004) -+ G.crec.external_file_attributes &= (ulg)0xff; -+ - /* do Amigas (AMIGA_) also have volume labels? */ - if (IS_VOLID(G.crec.external_file_attributes) && - (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ || diff --git a/system/unzip/20-unzip-uidgid-fix.patch b/system/unzip/20-unzip-uidgid-fix.patch deleted file mode 100644 index 3a308990e..000000000 --- a/system/unzip/20-unzip-uidgid-fix.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: sms -Subject: Restore uid and gid information when requested -Bug-Debian: http://bugs.debian.org/689212 -X-Debian-version: 6.0-8 - ---- a/process.c -+++ b/process.c -@@ -2904,7 +2904,7 @@ - #ifdef IZ_HAVE_UXUIDGID - if (eb_len >= EB_UX3_MINLEN - && z_uidgid != NULL -- && (*((EB_HEADSIZE + 0) + ef_buf) == 1) -+ && (*((EB_HEADSIZE + 0) + ef_buf) == 1)) - /* only know about version 1 */ - { - uch uid_size; -@@ -2916,10 +2916,10 @@ - flags &= ~0x0ff; /* ignore any previous UNIX field */ - - if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, -- uid_size, z_uidgid[0]) -+ uid_size, &z_uidgid[0]) - && - read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf, -- gid_size, z_uidgid[1]) ) -+ gid_size, &z_uidgid[1]) ) - { - flags |= EB_UX2_VALID; /* signal success */ - } diff --git a/system/unzip/APKBUILD b/system/unzip/APKBUILD index aad54fa2d..88c0b76b3 100644 --- a/system/unzip/APKBUILD +++ b/system/unzip/APKBUILD @@ -4,37 +4,57 @@ pkgname=unzip pkgver=6.0 _pkgver=$(printf '%s' "$pkgver" | tr -d .) -pkgrel=3 +_debver=26 +pkgrel=6 pkgdesc="Extract PKZIP-compatible .zip files" url="http://www.info-zip.org/UnZip.html" arch="all" license="Info-ZIP" subpackages="$pkgname-doc" # normally ftp://ftp.info-zip.org/pub/infozip/src/$pkgname$_pkgver.zip +# find timestamp here: https://snapshot.debian.org/package/unzip/ source="$pkgname-$pkgver.tgz::https://distfiles.adelielinux.org/source/$pkgname$_pkgver.tgz - 10-unzip-handle-pkware-verify.patch - 20-unzip-uidgid-fix.patch - unzip-6.0-heap-overflow-infloop.patch + https://snapshot.debian.org/archive/debian-debug/20210110T204103Z/pool/main/u/${pkgname}/${pkgname}_${pkgver}-${_debver}.debian.tar.xz + cflags.patch + format-secure.patch + unzipsfx-bomb-32bit.patch " builddir="$srcdir/$pkgname$_pkgver" -build() { +# secfixes: +# 6.0-r4: +# - CVE-2014-8139 +# - CVE-2014-8140 +# - CVE-2014-8141 +# - CVE-2014-9636 +# - CVE-2014-9913 +# - CVE-2016-9844 +# - CVE-2018-18384 +# - CVE-2018-1000035 +# - CVE-2019-13232 + +prepare() { cd "$builddir" + while read -r i; do + msg "$i" + patch -p1 -i "../debian/patches/$i" + done < ../debian/patches/series + default_prepare +} +build() { make -f unix/Makefile \ CC="${CHOST}-gcc" \ - LOCAL_ZIP="${CFLAGS} ${CPPFLAGS}" \ + LOCAL_UNZIP="${CFLAGS} ${CPPFLAGS}" \ + STRIP=: \ prefix=/usr generic } check() { - cd "$builddir" make -f unix/Makefile check } package() { - cd "$builddir" - make -f unix/Makefile \ MANDIR=${pkgdir}/usr/share/man/man1/ \ prefix=${pkgdir}/usr install @@ -43,6 +63,7 @@ package() { } sha512sums="0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d unzip-6.0.tgz -9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch -57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch -b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301 unzip-6.0-heap-overflow-infloop.patch" +9a56e400ad0984f87c7ee0548429349be549e35a3cae4c9acb88a8fb97a1d1fbd116cfa3292622ad8b2c67ffe79ae268861ddec1269993ba98f1a6a411b7611f unzip_6.0-26.debian.tar.xz +029447a48972234e60c6b45c58b01dbe411594b1ffe0db00d028810b0bcfa7244dcc89f765e1ee6e8805ba2d2db9bc1d05a1e30ef0d9dd08d33ff6f04af811ab cflags.patch +4bdf55937a181d496261a8f426a97d63844ba96f23beea7906c5e4f7064f55c188ee5ec3ae2d6f2011b5f26b6ac0941dcffb83c06370ed9648b2262917cde64d format-secure.patch +81777dfa1ad707046b238fa9205f8be0f48363f0f23bc0d2d83b67b143ceeba6818cc11058355195a03432cdd6ed4f392202ff3029e14d4b1435c9e2cb5ca6bf unzipsfx-bomb-32bit.patch" diff --git a/system/unzip/cflags.patch b/system/unzip/cflags.patch new file mode 100644 index 000000000..f85192155 --- /dev/null +++ b/system/unzip/cflags.patch @@ -0,0 +1,20 @@ +--- unzip60/unix/configure 2009-04-16 14:25:12.000000000 -0500 ++++ unzip60/unix/configure 2020-06-13 22:59:57.259771113 -0500 +@@ -17,7 +17,7 @@ CFLAGSR=${CFLAGS} + IZ_BZIP2=${3} + CFLAGS="${CFLAGS} -I. -DUNIX" + LFLAGS1="" +-LFLAGS2="-s" ++LFLAGS2="" + LN="ln -s" + + CFLAGS_OPT='' +@@ -130,6 +130,8 @@ _EOF_ + fi + fi + ++CFLAGS_OPT="" ++ + # optimization flags + if test -n "${CFLAGS_OPT}"; then + CFLAGSR="${CFLAGSR} ${CFLAGS_OPT}" diff --git a/system/unzip/format-secure.patch b/system/unzip/format-secure.patch new file mode 100644 index 000000000..5b766f31d --- /dev/null +++ b/system/unzip/format-secure.patch @@ -0,0 +1,93 @@ +Cherry picked from Fedora +https://src.fedoraproject.org/rpms/unzip/blob/874f1688f1662bb3baf76021969277cafeea6ea8/f/unzip-6.0-format-secure.patch + +diff --git a/extract.c b/extract.c +index eeb2f57..a0a4929 100644 +--- a/extract.c ++++ b/extract.c +@@ -472,8 +472,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + */ + Info(slide, 0x401, ((char *)slide, + LoadFarString(CentSigMsg), j + blknum*DIR_BLKSIZ + 1)); +- Info(slide, 0x401, ((char *)slide, +- LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; + } + reached_end = TRUE; /* ...so no more left to do */ +@@ -752,8 +752,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + + #ifndef SFX + if (no_endsig_found) { /* just to make sure */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); +- Info(slide, 0x401, ((char *)slide, LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(ReportMsg))); + if (!error_in_archive) /* don't overwrite stronger error */ + error_in_archive = PK_WARN; + } +diff --git a/list.c b/list.c +index 15e0011..f7359c3 100644 +--- a/list.c ++++ b/list.c +@@ -181,7 +181,7 @@ int list_files(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -507,7 +507,8 @@ int list_files(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + +@@ -591,7 +592,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -674,7 +675,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + ---------------------------------------------------------------------------*/ + + if (memcmp(G.sig, end_central_sig, 4)) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; + } + if (*nmember == 0L && error_in_archive <= PK_WARN) +diff --git a/zipinfo.c b/zipinfo.c +index 6e22cc8..ac5c61b 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -771,7 +771,7 @@ int zipinfo(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; /* sig not found */ + break; + } +@@ -960,7 +960,8 @@ int zipinfo(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + diff --git a/system/unzip/unzip-6.0-heap-overflow-infloop.patch b/system/unzip/unzip-6.0-heap-overflow-infloop.patch deleted file mode 100644 index 160c512f9..000000000 --- a/system/unzip/unzip-6.0-heap-overflow-infloop.patch +++ /dev/null @@ -1,104 +0,0 @@ -From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001 -From: Petr Stodulka <pstodulk@redhat.com> -Date: Mon, 14 Sep 2015 18:23:17 +0200 -Subject: [PATCH 1/3] upstream fix for heap overflow - -https://bugzilla.redhat.com/attachment.cgi?id=1073002 ---- - crypt.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/crypt.c b/crypt.c -index 784e411..a8975f2 100644 ---- a/crypt.c -+++ b/crypt.c -@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) - GLOBAL(pInfo->encrypted) = FALSE; - defer_leftover_input(__G); - for (n = 0; n < RAND_HEAD_LEN; n++) { -- b = NEXTBYTE; -+ /* 2012-11-23 SMS. (OUSPG report.) -+ * Quit early if compressed size < HEAD_LEN. The resulting -+ * error message ("unable to get password") could be improved, -+ * but it's better than trying to read nonexistent data, and -+ * then continuing with a negative G.csize. (See -+ * fileio.c:readbyte()). -+ */ -+ if ((b = NEXTBYTE) == (ush)EOF) -+ { -+ return PK_ERR; -+ } - h[n] = (uch)b; - Trace((stdout, " (%02x)", h[n])); - } --- -2.4.6 - - -From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Mon, 14 Sep 2015 18:24:56 +0200 -Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data - -Bug: https://sourceforge.net/p/infozip/patches/23/ ---- - extract.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/extract.c b/extract.c -index 7134bfe..29db027 100644 ---- a/extract.c -+++ b/extract.c -@@ -2733,6 +2733,12 @@ __GDEF - int repeated_buf_err; - bz_stream bstrm; - -+ if (G.incnt <= 0 && G.csize <= 0L) { -+ /* avoid an infinite loop */ -+ Trace((stderr, "UZbunzip2() got empty input\n")); -+ return 2; -+ } -+ - #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) - if (G.redirect_slide) - wsize = G.redirect_size, redirSlide = G.redirect_buffer; --- -2.4.6 - - -From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Tue, 22 Sep 2015 18:52:23 +0200 -Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input - -Suggested-by: Stefan Cornelius ---- - extract.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/extract.c b/extract.c -index 29db027..b9ae667 100644 ---- a/extract.c -+++ b/extract.c -@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, - if (G.lrec.compression_method == STORED) { - zusz_t csiz_decrypted = G.lrec.csize; - -- if (G.pInfo->encrypted) -+ if (G.pInfo->encrypted) { -+ if (csiz_decrypted <= 12) { -+ /* handle the error now to prevent unsigned overflow */ -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarStringSmall(ErrUnzipNoFile), -+ LoadFarString(InvalidComprData), -+ LoadFarStringSmall2(Inflate))); -+ return PK_ERR; -+ } - csiz_decrypted -= 12; -+ } - if (G.lrec.ucsize != csiz_decrypted) { - Info(slide, 0x401, ((char *)slide, - LoadFarStringSmall2(WrnStorUCSizCSizDiff), --- -2.5.2 - diff --git a/system/unzip/unzipsfx-bomb-32bit.patch b/system/unzip/unzipsfx-bomb-32bit.patch new file mode 100644 index 000000000..f834a919b --- /dev/null +++ b/system/unzip/unzipsfx-bomb-32bit.patch @@ -0,0 +1,14 @@ +Explicitly cast literal 0 to the expected bound_t type because K&R C is +awful. + +--- unzip60/extract.c 2020-06-13 22:51:33.799778287 -0500 ++++ unzip60/extract.c 2020-06-14 00:00:50.669719055 -0500 +@@ -520,7 +520,7 @@ int extract_or_test_files(__G) /* ret + return PK_MEM; + } + if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ cover_add((cover_t *)G.cover, (bound_t)0, G.extra_bytes) != 0) || + (G.ecrec.have_ecr64 && + cover_add((cover_t *)G.cover, G.ecrec.ec64_start, + G.ecrec.ec64_end) != 0) || |