From cc8b68b5a796ff131289930ead8f4b0d0812b348 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Sun, 14 Jun 2020 00:52:37 -0500 Subject: system/unzip: miscellaneous fixes * Make sure CFLAGS are respected by setting LOCAL_UNZIP instead of LOCAL_ZIP and unsetting CFLAGS_OPT in the configure script. * Don't strip too early by setting STRIP to a no-op and unsetting LFLAGS2 in the configure script. * Cherry-pick a patch from Fedora to fix format warnings. * Fix unzipsfx test on 32-bit arches by casting a literal argument to the correct type. --- system/unzip/APKBUILD | 16 ++++-- system/unzip/cflags.patch | 20 ++++++++ system/unzip/format-secure.patch | 93 ++++++++++++++++++++++++++++++++++ system/unzip/unzipsfx-bomb-32bit.patch | 14 +++++ 4 files changed, 139 insertions(+), 4 deletions(-) create mode 100644 system/unzip/cflags.patch create mode 100644 system/unzip/format-secure.patch create mode 100644 system/unzip/unzipsfx-bomb-32bit.patch (limited to 'system/unzip') diff --git a/system/unzip/APKBUILD b/system/unzip/APKBUILD index ea8f7e6fa..9b3f696f3 100644 --- a/system/unzip/APKBUILD +++ b/system/unzip/APKBUILD @@ -5,7 +5,7 @@ pkgname=unzip pkgver=6.0 _pkgver=$(printf '%s' "$pkgver" | tr -d .) _debver=25 -pkgrel=4 +pkgrel=5 pkgdesc="Extract PKZIP-compatible .zip files" url="http://www.info-zip.org/UnZip.html" arch="all" @@ -14,6 +14,9 @@ subpackages="$pkgname-doc" # normally ftp://ftp.info-zip.org/pub/infozip/src/$pkgname$_pkgver.zip source="$pkgname-$pkgver.tgz::https://distfiles.adelielinux.org/source/$pkgname$_pkgver.tgz http://deb.debian.org/debian/pool/main/u/unzip/unzip_$pkgver-$_debver.debian.tar.xz + cflags.patch + format-secure.patch + unzipsfx-bomb-32bit.patch " builddir="$srcdir/$pkgname$_pkgver" 
@@ -30,17 +33,19 @@ builddir="$srcdir/$pkgname$_pkgver" # - CVE-2019-13232 prepare() { - default_prepare + cd "$builddir" while read -r i; do msg "$i" patch -p1 -i "../debian/patches/$i" done < ../debian/patches/series + default_prepare } build() { make -f unix/Makefile \ CC="${CHOST}-gcc" \ - LOCAL_ZIP="${CFLAGS} ${CPPFLAGS}" \ + LOCAL_UNZIP="${CFLAGS} ${CPPFLAGS}" \ + STRIP=: \ prefix=/usr generic } @@ -57,4 +62,7 @@ package() { } sha512sums="0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d unzip-6.0.tgz -13c16db420fa4a34be3090a9acdd79b01320da40ac5aa89a9dfca03e64b914b28eb72aff3882d02a8197457bcb8eeb9473c998cf6920e511883c9289a949fb21 unzip_6.0-25.debian.tar.xz" +13c16db420fa4a34be3090a9acdd79b01320da40ac5aa89a9dfca03e64b914b28eb72aff3882d02a8197457bcb8eeb9473c998cf6920e511883c9289a949fb21 unzip_6.0-25.debian.tar.xz +029447a48972234e60c6b45c58b01dbe411594b1ffe0db00d028810b0bcfa7244dcc89f765e1ee6e8805ba2d2db9bc1d05a1e30ef0d9dd08d33ff6f04af811ab cflags.patch +4bdf55937a181d496261a8f426a97d63844ba96f23beea7906c5e4f7064f55c188ee5ec3ae2d6f2011b5f26b6ac0941dcffb83c06370ed9648b2262917cde64d format-secure.patch +81777dfa1ad707046b238fa9205f8be0f48363f0f23bc0d2d83b67b143ceeba6818cc11058355195a03432cdd6ed4f392202ff3029e14d4b1435c9e2cb5ca6bf unzipsfx-bomb-32bit.patch" diff --git a/system/unzip/cflags.patch b/system/unzip/cflags.patch new file mode 100644 index 000000000..f85192155 --- /dev/null +++ b/system/unzip/cflags.patch @@ -0,0 +1,20 @@ +--- unzip60/unix/configure 2009-04-16 14:25:12.000000000 -0500 ++++ unzip60/unix/configure 2020-06-13 22:59:57.259771113 -0500 +@@ -17,7 +17,7 @@ CFLAGSR=${CFLAGS} + IZ_BZIP2=${3} + CFLAGS="${CFLAGS} -I. -DUNIX" + LFLAGS1="" +-LFLAGS2="-s" ++LFLAGS2="" + LN="ln -s" + + CFLAGS_OPT='' +@@ -130,6 +130,8 @@ _EOF_ + fi + fi + ++CFLAGS_OPT="" ++ + # optimization flags + if test -n "${CFLAGS_OPT}"; then + CFLAGSR="${CFLAGSR} ${CFLAGS_OPT}" 
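Review bot: Moving `default_prepare` below the Debian series loop in prepare() is load-bearing but nothing in the APKBUILD says so. unzipsfx-bomb-32bit.patch edits a `cover_add` call that presumably exists only after the Debian patches are applied (the comment just above lists CVE-2019-13232), so moving `default_prepare` back to the top would make the local patches fail to apply. I would add a comment above it such as `# local patches sit on top of the Debian series, so default_prepare must run last`. Likewise `STRIP=:` in build() deserves `# no-op: do not let the Makefile strip; leave that to abuild`, so the reason for disabling the strip step is recorded next to it.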
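Review bot: cflags.patch is the only one of the three new patches without a description header, and its second hunk is not self-explanatory. The unconditional `CFLAGS_OPT=""` sits directly before `if test -n "${CFLAGS_OPT}"`, so the configure script's own optimization-flag selection becomes dead code. A short header before the `---` line would record that this is deliberate, for example `Do not let configure append its own optimization flags or link with -s; the packager's CFLAGS and strip policy apply.` If the distribution's CFLAGS carry hardening options, that is the reason they must reach the compiler unmodified, and it is worth saying so in the header.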
diff --git a/system/unzip/format-secure.patch b/system/unzip/format-secure.patch new file mode 100644 index 000000000..5b766f31d --- /dev/null +++ b/system/unzip/format-secure.patch 
@@ -0,0 +1,93 @@ +Cherry picked from Fedora +https://src.fedoraproject.org/rpms/unzip/blob/874f1688f1662bb3baf76021969277cafeea6ea8/f/unzip-6.0-format-secure.patch + +diff --git a/extract.c b/extract.c +index eeb2f57..a0a4929 100644 +--- a/extract.c ++++ b/extract.c +@@ -472,8 +472,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + */ + Info(slide, 0x401, ((char *)slide, + LoadFarString(CentSigMsg), j + blknum*DIR_BLKSIZ + 1)); +- Info(slide, 0x401, ((char *)slide, +- LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; + } + reached_end = TRUE; /* ...so no more left to do */ +@@ -752,8 +752,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + + #ifndef SFX + if (no_endsig_found) { /* just to make sure */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); +- Info(slide, 0x401, ((char *)slide, LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(ReportMsg))); + if (!error_in_archive) /* don't overwrite stronger error */ + error_in_archive = PK_WARN; + } +diff --git a/list.c b/list.c +index 15e0011..f7359c3 100644 +--- a/list.c ++++ b/list.c +@@ -181,7 +181,7 @@ int list_files(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -507,7 +507,8 @@ int list_files(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + +@@ -591,7 
+592,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -674,7 +675,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + ---------------------------------------------------------------------------*/ + + if (memcmp(G.sig, end_central_sig, 4)) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; + } + if (*nmember == 0L && error_in_archive <= PK_WARN) +diff --git a/zipinfo.c b/zipinfo.c +index 6e22cc8..ac5c61b 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -771,7 +771,7 @@ int zipinfo(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; /* sig not found */ + break; + } +@@ -960,7 +960,8 @@ int zipinfo(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + diff --git a/system/unzip/unzipsfx-bomb-32bit.patch b/system/unzip/unzipsfx-bomb-32bit.patch new file mode 100644 index 000000000..f834a919b --- /dev/null +++ b/system/unzip/unzipsfx-bomb-32bit.patch 
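Review bot: The patch header gives only the Fedora provenance and not the reason for the change, which anyone triaging it later will need. Every site rewrites `Info(slide, 0x401, ((char *)slide, LoadFarString(X)))` so that the message is passed as data to a `"%s"` format instead of being the format string itself. I would add one line to the header, for example `Pass ReportMsg/EndSigMsg through "%s" so they are never interpreted as format strings (-Wformat-security).` The messages look like fixed program strings rather than archive-controlled data, so this reads as hardening rather than a fix for a reachable bug, but the hunks alone cannot confirm that. Building once with `-Werror=format-security` would show whether any other `Info()` call in the tree still passes a non-literal format.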
@@ -0,0 +1,14 @@
+Explicitly cast literal 0 to the expected bound_t type because K&R C is
+awful.
+
+--- unzip60/extract.c 2020-06-13 22:51:33.799778287 -0500
++++ unzip60/extract.c 2020-06-14 00:00:50.669719055 -0500
+@@ -520,7 +520,7 @@ int extract_or_test_files(__G) /* ret
+ return PK_MEM;
+ }
+ if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ cover_add((cover_t *)G.cover, (bound_t)0, G.extra_bytes) != 0) ||
+ (G.ecrec.have_ecr64 &&
+ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
+ G.ecrec.ec64_end) != 0) ||
-- cgit v1.2.3-60-g2f50
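Review bot: The patch header (`because K&R C is awful`) does not record the actual failure mode, and the other `cover_add` arguments in this condition rest on the same unstated assumption. Presumably `cover_add` is called with no prototype in scope, so the bare `0` was passed as an `int` while the callee reads a `bound_t`, and the two differ in width on 32-bit targets. If so, `G.extra_bytes`, `G.ecrec.ec64_start` and `G.ecrec.ec64_end` are correct only while their declared types match `bound_t`'s width, which is not visible here. I would put that in the header, e.g. `cover_add() has no prototype, so a bare 0 is passed as int; bound_t is wider than int on 32-bit arches`, and check any other `cover_add` call that passes a literal. Judging by the patch name this is the zip-bomb overlap check, so argument widths matter beyond getting the test to pass; the enclosing condition continues outside the hunk.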