unzip: -> 6.0

2022-11-14 17:25:07 +00:00 · 2022-11-14 17:25:07 +00:00 · 954b187fb0
commit 954b187fb0
parent 0a92a3ee0c
4 changed files with 2899 additions and 32 deletions
--- a/unzip/.signature
+++ b/unzip/.signature
@ -1,14 +1,7 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/R7O45474ZQ+K45Hf9/iDhigZ4Baf/L0OHwJIGYHlZZhSQSu3EZRX5/Zw4rGAxHwaPpyGKX6jX3bixZSrOpUoww=
-SHA256 (Pkgfile) = 16eadedbcb7d94a93429ef704f7fcd31c2a213343b9837ac2e2359f9aaac8f1e
+RWSE3ohX2g5d/RuvXYvJhKL6u25H66hnRE7em9kKl1KEHlcgQKMomFIE34UIsoFHju8QMOUBOibNw2WjWUsVEDOo/emdS5IyDQQ=
+SHA256 (Pkgfile) = e8289fa1c583afdcd46d442f966257f90a6d75f272fdf687fe48743f0058e46b
 SHA256 (.footprint) = a1d2c71a5371982b87a8a14082aa2236258f84e0d602ec39247e0d63bf46ffdd
 SHA256 (unzip60.tar.gz) = 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37
-SHA256 (unzip-6.0-overflow.patch) = dcd41e0be383c485427fc5461a1aeb8a6207e7fcacf0d254f18700599845a9da
-SHA256 (unzip-6.0-attribs-overflow.patch) = 74bc961e8013a4058687a3730590a709b7889203beb74a4a8369ba0301bef0e2
-SHA256 (unzip-6.0-heap-overflow-infloop.patch) = b072c5a6d252425dbbda54a3d94285e4fb9aca122a0b9f8aa8f0f12ae505e64f
-SHA256 (unzip-6.0-cve-2014-8139.patch) = 337131428f491b7030f96ee5b8ef3d8f5963730d1619b2754c624f4616d79adb
-SHA256 (unzip-6.0-cve-2014-8140.patch) = 64f64985270e026c01d2c19c6b66c218cf5bcfc7cf3d4a44e601fad41975ec73
-SHA256 (unzip-6.0-cve-2014-8141.patch) = b7a14c33db93d1e5b4fc6ce113b4b99ff7a81ed56f46c87e001f22ec085e0273
-SHA256 (0001-Fix-CVE-2016-9844-rhbz-1404283.patch) = 1980d37c82591f9ad473052408b0a61d0c50cce8db795b9980e6a74b2270c339
-SHA256 (unzip-6.0-cve-2018-1000035-heap-based-overflow.patch) = aced0f27191a67f9b8b3fdc5995938a64fd87cea64a0bbba2106e06137ef91c2
-SHA256 (unzip-6.0-alt-iconv-utf8-print.patch) = b990d8d8d8e02777999484a132170666ea736a865f9ad81da651dc63725475ff
+SHA256 (28-cve-2022-0529-and-cve-2022-0530.patch) = a27efd8c4950fb3d942d602ad7846996e02aafd77a8ad1e26700e42ae6c1cd37
+SHA256 (cumulative.patch) = f4173a8e2a2eea7f537ef8919369c2b6bac43d9ccd05345755ac0d1457c24234
--- a/unzip/28-cve-2022-0529-and-cve-2022-0530.patch
+++ b/unzip/28-cve-2022-0529-and-cve-2022-0530.patch
@ -0,0 +1,173 @@
+From: Steven M. Schweda <sms@antinode.info>
+Subject: Fix for CVE-2022-0529 and CVE-2022-0530
+Bug-Debian: https://bugs.debian.org/1010355
+X-Debian-version: 6.0-27
+
+--- a/fileio.c
+++ b/fileio.c
+@@ -171,8 +171,10 @@
+ static ZCONST char Far FilenameTooLongTrunc[] =
+   "warning:  filename too long--truncating.\n";
+ #ifdef UNICODE_SUPPORT
+   static ZCONST char Far UFilenameCorrupt[] =
+     "error: Unicode filename corrupt.\n";
+    static ZCONST char Far UFilenameTooLongTrunc[] =
+-     "warning:  Converted unicode filename too long--truncating.\n";
+     "warning:  Converted Unicode filename too long--truncating.\n";
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
+@@ -2361,16 +2363,30 @@
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+-                  /* make sure filename is short enough */
+-                  if (strlen(fn) >= FILNAMSIZ) {
+-                    fn[FILNAMSIZ - 1] = '\0';
+
+                  /* 2022-07-22 SMS, et al.  CVE-2022-0530
+                   * Detect conversion failure, emit message.
+                   * Continue with unconverted name.
+                   */
+                  if (fn == NULL)
+                  {
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(UFilenameTooLongTrunc)));
+-                    error = PK_WARN;
+                     LoadFarString(UFilenameCorrupt)));
+                    error = PK_ERR;
+                  }
+                  else
+                  {
+                    /* make sure filename is short enough */
+                    if (strlen(fn) >= FILNAMSIZ) {
+                      fn[FILNAMSIZ - 1] = '\0';
+                      Info(slide, 0x401, ((char *)slide,
+                        LoadFarString(UFilenameTooLongTrunc)));
+                      error = PK_WARN;
+                    }
+                    /* replace filename with converted UTF-8 */
+                    strcpy(G.filename, fn);
+                    free(fn);
+                   }
+-                  /* replace filename with converted UTF-8 */
+-                  strcpy(G.filename, fn);
+-                  free(fn);
+                 }
+ # endif /* UNICODE_WCHAR */
+                 if (G.unipath_filename != G.filename_full)
+--- a/process.c
+++ b/process.c
+@@ -222,6 +222,8 @@
+      "\nwarning:  Unicode Path version > 1\n";
+    static ZCONST char Far UnicodeMismatchError[] =
+      "\nwarning:  Unicode Path checksum invalid\n";
+   static ZCONST char Far UFilenameTooLongTrunc[] =
+     "warning:  filename too long (P1) -- truncating.\n";
+ #endif
+ 
+ 
+@@ -1915,7 +1917,7 @@
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
+ 
+-    2014-12-05 SMS.
+    2014-12-05 SMS.  (oCERT.org report.)  CVE-2014-8141.
+     Added checks to ensure that enough data are available before calling
+     makeint64() or makelong().  Replaced various sizeof() values with
+     simple ("4" or "8") constants.  (The Zip64 structures do not depend
+@@ -1947,9 +1949,10 @@
+               ef_len - EB_HEADSIZE));
+             break;
+         }
+
+         if (eb_id == EF_PKSZ64)
+         {
+-          int offset = EB_HEADSIZE;
+          unsigned offset = EB_HEADSIZE;
+ 
+           if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+           {
+@@ -2046,7 +2049,7 @@
+         }
+         if (eb_id == EF_UNIPATH) {
+ 
+-          int offset = EB_HEADSIZE;
+          unsigned offset = EB_HEADSIZE;
+           ush ULen = eb_len - 5;
+           ulg chksum = CRCVAL_INITIAL;
+ 
+@@ -2504,16 +2507,17 @@
+   int state_dependent;
+   int wsize = 0;
+   int max_bytes = MB_CUR_MAX;
+-  char buf[9];
+  char buf[ MB_CUR_MAX+ 1];             /* ("+1" not really needed?) */
+   char *buffer = NULL;
+   char *local_string = NULL;
+  size_t buffer_size;                   /* CVE-2022-0529 */
+ 
+   for (wsize = 0; wide_string[wsize]; wsize++) ;
+ 
+   if (max_bytes < MAX_ESCAPE_BYTES)
+     max_bytes = MAX_ESCAPE_BYTES;
+-
+-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;          /* Reused below. */
+  if ((buffer = (char *)malloc( buffer_size)) == NULL) {
+     return NULL;
+   }
+ 
+@@ -2551,8 +2555,28 @@
+     } else {
+       /* no MB for this wide */
+         /* use escape for wide character */
+-        char *escape_string = wide_to_escape_string(wide_string[i]);
+-        strcat(buffer, escape_string);
+        size_t buffer_len;
+        size_t escape_string_len;
+        char *escape_string;
+        int err_msg = 0;
+
+        escape_string = wide_to_escape_string(wide_string[i]);
+        buffer_len = strlen( buffer);
+        escape_string_len = strlen( escape_string);
+
+        /* Append escape string, as space allows. */
+        /* 2022-07-18 SMS, et al.  CVE-2022-0529 */
+        if (escape_string_len > buffer_size- buffer_len- 1)
+        {
+            escape_string_len = buffer_size- buffer_len- 1;
+            if (err_msg == 0)
+            {
+                err_msg = 1;
+                Info(slide, 0x401, ((char *)slide,
+                 LoadFarString( UFilenameTooLongTrunc)));
+            }
+        }
+        strncat( buffer, escape_string, escape_string_len);
+         free(escape_string);
+     }
+   }
+@@ -2604,9 +2628,18 @@
+   ZCONST char *utf8_string;
+   int escape_all;
+ {
+-  zwchar *wide = utf8_to_wide_string(utf8_string);
+-  char *loc = wide_to_local_string(wide, escape_all);
+-  free(wide);
+  zwchar *wide;
+  char *loc = NULL;
+
+  wide = utf8_to_wide_string( utf8_string);
+
+  /* 2022-07-25 SMS, et al.  CVE-2022-0530 */
+  if (wide != NULL)
+  {
+    loc = wide_to_local_string( wide, escape_all);
+    free( wide);
+  }
+
+   return loc;
+ }
+ 
--- a/unzip/Pkgfile
+++ b/unzip/Pkgfile
@ -1,31 +1,18 @@
 # Description: Decompress utility for zipfiles
-# URL: http://infozip.sourceforge.net/UnZip.html
+# URL: https://infozip.sourceforge.net/UnZip.html
 # Maintainer: CRUX System Team, core-ports at crux dot nu

 name=unzip
 version=6.0
-release=7
-source=(http://downloads.sourceforge.net/sourceforge/infozip/${name}${version//./}.tar.gz
-	unzip-6.0-overflow.patch unzip-6.0-attribs-overflow.patch
-	unzip-6.0-heap-overflow-infloop.patch
-	unzip-6.0-cve-2014-8139.patch
-	unzip-6.0-cve-2014-8140.patch
-	unzip-6.0-cve-2014-8141.patch
-	0001-Fix-CVE-2016-9844-rhbz-1404283.patch
-	unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
-	unzip-6.0-alt-iconv-utf8-print.patch)
+release=8
+source=(https://downloads.sourceforge.net/sourceforge/infozip/${name}${version//./}.tar.gz
+  28-cve-2022-0529-and-cve-2022-0530.patch
+  cumulative.patch)

 build() {
 	cd ${name}${version//./}
-	patch -p1 -i $SRC/unzip-6.0-overflow.patch
-	patch -p1 -i $SRC/unzip-6.0-attribs-overflow.patch
-	patch -p1 -i $SRC/unzip-6.0-heap-overflow-infloop.patch
-	patch -p1 -i $SRC/unzip-6.0-cve-2014-8139.patch
-	patch -p1 -i $SRC/unzip-6.0-cve-2014-8140.patch
-	patch -p1 -i $SRC/unzip-6.0-cve-2014-8141.patch
-	patch -p1 -i $SRC/0001-Fix-CVE-2016-9844-rhbz-1404283.patch
-	patch -p1 -i $SRC/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
-	patch -p1 -i $SRC/unzip-6.0-alt-iconv-utf8-print.patch
+	patch -Np1 -i $SRC/cumulative.patch
+	patch -p1 -F3 -i $SRC/28-cve-2022-0529-and-cve-2022-0530.patch

 	sed -i 's/-O3//' unix/configure
 	make -f unix/Makefile LOCAL_UNZIP="$CFLAGS" generic
--- a/unzip/cumulative.patch
+++ b/unzip/cumulative.patch