From e9ad3e8b8f28839835bf05da1088f0f4dec02108 Mon Sep 17 00:00:00 2001 From: wenyuzifang Date: Fri, 19 Sep 2025 01:54:45 +0800 Subject: [PATCH] Update code from upstream --- 0001-Fix-CVE-2016-9844-rhbz-1404283.patch | 39 ++++ ...-6.0-COVSCAN-fix-unterminated-string.patch | 131 +++++++++++++ unzip-6.0-RHEL-86228.patch | 19 ++ unzip-6.0-attribs-overflow.patch | 12 ++ unzip-6.0-close.patch | 176 ++++++++++++++++++ unzip-6.0-cve-2014-8139.patch | 79 ++++++++ unzip-6.0-cve-2014-8140.patch | 25 +++ unzip-6.0-cve-2014-8141.patch | 138 ++++++++++++++ unzip-6.0-cve-2018-18384.patch | 35 ++++ ....0-fix-warning-messages-on-big-files.patch | 15 ++ unzip-6.0-format-secure.patch | 90 +++++++++ unzip-6.0-heap-overflow-infloop.patch | 104 +++++++++++ unzip-6.0-manpage-fix.patch | 11 ++ unzip-6.0-overflow-long-fsize.patch | 34 ++++ unzip-6.0-overflow.patch | 25 +++ unzip-6.0-symlink.patch | 17 ++ unzip-6.0-timestamp.patch | 41 ++++ unzip-6.0-valgrind.patch | 26 +++ unzip-6.0-x-option.patch | 28 +++ unzip-zipbomb-part1.patch | 25 +++ unzip-zipbomb-part3.patch | 112 +++++++++++ unzip-zipbomb-part4.patch | 25 +++ unzip-zipbomb-part5.patch | 26 +++ unzip-zipbomb-part6.patch | 95 ++++++++++ unzip.spec | 55 +++++- unzip-6.0.tar.gz => unzip60.tar.gz | Bin 26 files changed, 1380 insertions(+), 3 deletions(-) create mode 100644 0001-Fix-CVE-2016-9844-rhbz-1404283.patch create mode 100644 unzip-6.0-COVSCAN-fix-unterminated-string.patch create mode 100644 unzip-6.0-RHEL-86228.patch create mode 100644 unzip-6.0-attribs-overflow.patch create mode 100644 unzip-6.0-close.patch create mode 100644 unzip-6.0-cve-2014-8139.patch create mode 100644 unzip-6.0-cve-2014-8140.patch create mode 100644 unzip-6.0-cve-2014-8141.patch create mode 100644 unzip-6.0-cve-2018-18384.patch create mode 100644 unzip-6.0-fix-warning-messages-on-big-files.patch create mode 100644 unzip-6.0-format-secure.patch create mode 100644 unzip-6.0-heap-overflow-infloop.patch create mode 100644 unzip-6.0-manpage-fix.patch create mode 100644 unzip-6.0-overflow-long-fsize.patch create mode 100644 unzip-6.0-overflow.patch create mode 100644 unzip-6.0-symlink.patch create mode 100644 unzip-6.0-timestamp.patch create mode 100644 unzip-6.0-valgrind.patch create mode 100644 unzip-6.0-x-option.patch create mode 100644 unzip-zipbomb-part1.patch create mode 100644 unzip-zipbomb-part3.patch create mode 100644 unzip-zipbomb-part4.patch create mode 100644 unzip-zipbomb-part5.patch create mode 100644 unzip-zipbomb-part6.patch rename unzip-6.0.tar.gz => unzip60.tar.gz (100%) diff --git a/0001-Fix-CVE-2016-9844-rhbz-1404283.patch b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch new file mode 100644 index 0000000..0e4a173 --- /dev/null +++ b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch @@ -0,0 +1,39 @@ +From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Wed, 14 Dec 2016 16:30:36 +0100 +Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283) + +Fixes buffer overflow in zipinfo in similar way like fix for +CVE-2014-9913 provided by upstream. +--- + zipinfo.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/zipinfo.c b/zipinfo.c +index c03620e..accca2a 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -1984,7 +1984,19 @@ static int zi_short(__G) /* return PK-type error code */ + ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); + methbuf[3] = dtype[dnum]; + } else if (methnum >= NUM_METHODS) { /* unknown */ +- sprintf(&methbuf[1], "%03u", G.crec.compression_method); ++ /* 2016-12-05 SMS. ++ * https://launchpad.net/bugs/1643750 ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the "u", ++ * and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); ++ } ++ + } + + for (k = 0; k < 15; ++k) +-- +2.5.5 + diff --git a/unzip-6.0-COVSCAN-fix-unterminated-string.patch b/unzip-6.0-COVSCAN-fix-unterminated-string.patch new file mode 100644 index 0000000..7173771 --- /dev/null +++ b/unzip-6.0-COVSCAN-fix-unterminated-string.patch @@ -0,0 +1,131 @@ +From 06d1b08aef94984256cad3c5a54cedb10295681f Mon Sep 17 00:00:00 2001 +From: Jakub Martisko +Date: Thu, 8 Nov 2018 09:31:18 +0100 +Subject: [PATCH] Possible unterminated string fix + +--- + unix/unix.c | 4 +++- + unix/unxcfg.h | 2 +- + unzip.c | 12 ++++++++---- + zipinfo.c | 12 ++++++++---- + 4 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/unix/unix.c b/unix/unix.c +index 59b622d..cd57f80 100644 +--- a/unix/unix.c ++++ b/unix/unix.c +@@ -1945,7 +1945,9 @@ void init_conversion_charsets() + for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) + if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) { + strncpy(OEM_CP, dos_charset_map[i].archive_charset, +- sizeof(OEM_CP)); ++ MAX_CP_NAME - 1); ++ ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + break; + } + } +diff --git a/unix/unxcfg.h b/unix/unxcfg.h +index 8729de2..9ee8cfe 100644 +--- a/unix/unxcfg.h ++++ b/unix/unxcfg.h +@@ -228,7 +228,7 @@ typedef struct stat z_stat; + /* and notfirstcall are used by do_wild(). */ + + +-#define MAX_CP_NAME 25 ++#define MAX_CP_NAME 25 + 1 + + #ifdef SETLOCALE + # undef SETLOCALE +diff --git a/unzip.c b/unzip.c +index 2d94a38..a485f2b 100644 +--- a/unzip.c ++++ b/unzip.c +@@ -1561,7 +1561,8 @@ int uz_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -1570,7 +1571,8 @@ int uz_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +@@ -1665,7 +1667,8 @@ int uz_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -1674,7 +1677,8 @@ int uz_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +diff --git a/zipinfo.c b/zipinfo.c +index accca2a..cb7e08d 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -519,7 +519,8 @@ int zi_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -528,7 +529,8 @@ int zi_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(ISO_CP, s, sizeof(ISO_CP)); ++ strncpy(ISO_CP, s, MAX_CP_NAME - 1); ++ ISO_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +@@ -568,7 +570,8 @@ int zi_opts(__G__ pargc, pargv) + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { +@@ -577,7 +580,8 @@ int zi_opts(__G__ pargc, pargv) + return(PK_PARAM); + } + s = *argv; +- strncpy(OEM_CP, s, sizeof(OEM_CP)); ++ strncpy(OEM_CP, s, MAX_CP_NAME - 1); ++ OEM_CP[MAX_CP_NAME - 1] = '\0'; + } + while(*(++s)); /* No params straight after charset name */ + } +-- +2.14.5 + diff --git a/unzip-6.0-RHEL-86228.patch b/unzip-6.0-RHEL-86228.patch new file mode 100644 index 0000000..25c2fbb --- /dev/null +++ b/unzip-6.0-RHEL-86228.patch @@ -0,0 +1,19 @@ +From: Roy Tam +Subject: Handle Microsoft ZIP64 files by ignoring invalid "Total number of disks" field +Origin: https://sourceforge.net/p/infozip/bugs/42/ +Bug: https://sourceforge.net/p/infozip/bugs/42/ +Bug-Debian: https://bugs.debian.org/1064000 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/2051952 +X-Debian-version: 6.0-29 + +--- a/process.c ++++ b/process.c +@@ -1281,7 +1281,7 @@ + fprintf(stdout,"\nnumber of disks (ECR) %u, (ECLOC64) %lu\n", + G.ecrec.number_this_disk, ecloc64_total_disks); fflush(stdout); + #endif +- if ((G.ecrec.number_this_disk != 0xFFFF) && ++ if ((G.ecrec.number_this_disk != 0xFFFF) && ecloc64_total_disks && + (G.ecrec.number_this_disk != ecloc64_total_disks - 1)) { + /* Note: For some unknown reason, the developers at PKWARE decided to + store the "zip64 total disks" value as a counter starting from 1, diff --git a/unzip-6.0-attribs-overflow.patch b/unzip-6.0-attribs-overflow.patch new file mode 100644 index 0000000..3122325 --- /dev/null +++ b/unzip-6.0-attribs-overflow.patch @@ -0,0 +1,12 @@ +diff -up unzip60/zipinfo.c.attribs-overflow unzip60/zipinfo.c +--- unzip60/zipinfo.c.attribs-overflow 2009-11-30 09:55:39.000000000 +0100 ++++ unzip60/zipinfo.c 2009-11-30 09:56:42.844263244 +0100 +@@ -1881,7 +1881,7 @@ static int zi_short(__G) /* return PK- + #endif + int k, error, error_in_archive=PK_COOL; + unsigned hostnum, hostver, methid, methnum, xattr; +- char *p, workspace[12], attribs[16]; ++ char *p, workspace[12], attribs[17]; + char methbuf[5]; + static ZCONST char dtype[5]="NXFS"; /* normal, maximum, fast, superfast */ + static ZCONST char Far os[NUM_HOSTS+1][4] = { diff --git a/unzip-6.0-close.patch b/unzip-6.0-close.patch new file mode 100644 index 0000000..9a238a9 --- /dev/null +++ b/unzip-6.0-close.patch @@ -0,0 +1,176 @@ +diff -up unzip60/extract.c.close unzip60/extract.c +--- unzip60/extract.c.close 2009-03-14 02:32:52.000000000 +0100 ++++ unzip60/extract.c 2009-11-19 08:17:23.481263496 +0100 +@@ -1924,24 +1924,21 @@ static int extract_or_test_member(__G) + + #ifdef VMS /* VMS: required even for stdout! (final flush) */ + if (!uO.tflag) /* don't close NULL file */ +- close_outfile(__G); ++ error = close_outfile(__G); + #else + #ifdef DLL + if (!uO.tflag && (!uO.cflag || G.redirect_data)) { + if (G.redirect_data) + FINISH_REDIRECT(); + else +- close_outfile(__G); ++ error = close_outfile(__G); + } + #else + if (!uO.tflag && !uO.cflag) /* don't close NULL file or stdout */ +- close_outfile(__G); ++ error = close_outfile(__G); + #endif + #endif /* VMS */ + +- /* GRR: CONVERT close_outfile() TO NON-VOID: CHECK FOR ERRORS! */ +- +- + if (G.disk_full) { /* set by flush() */ + if (G.disk_full > 1) { + #if (defined(DELETE_IF_FULL) && defined(HAVE_UNLINK)) +diff -up unzip60/unix/unix.c.close unzip60/unix/unix.c +--- unzip60/unix/unix.c.close 2009-01-24 00:31:26.000000000 +0100 ++++ unzip60/unix/unix.c 2009-11-19 08:33:25.568389171 +0100 +@@ -1096,10 +1096,41 @@ static int get_extattribs(__G__ pzt, z_u + #ifndef MTS + + /****************************/ ++/* Function CloseError() */ ++/***************************/ ++ ++int CloseError(__G) ++ __GDEF ++{ ++ int errval = PK_OK; ++ ++ if (fclose(G.outfile) < 0) { ++ switch (errno) { ++ case ENOSPC: ++ /* Do we need this on fileio.c? */ ++ Info(slide, 0x4a1, ((char *)slide, "%s: write error (disk full?). Continue? (y/n/^C) ", ++ FnFilter1(G.filename))); ++ fgets(G.answerbuf, 9, stdin); ++ if (*G.answerbuf == 'y') /* stop writing to this file */ ++ G.disk_full = 1; /* pass to next */ ++ else ++ G.disk_full = 2; /* no: exit program */ ++ ++ errval = PK_DISK; ++ break; ++ ++ default: ++ errval = PK_WARN; ++ } ++ } ++ return errval; ++} /* End of CloseError() */ ++ ++/****************************/ + /* Function close_outfile() */ + /****************************/ + +-void close_outfile(__G) /* GRR: change to return PK-style warning level */ ++int close_outfile(__G) + __GDEF + { + union { +@@ -1108,6 +1139,7 @@ void close_outfile(__G) /* GRR: chang + } zt; + ulg z_uidgid[2]; + int have_uidgid_flg; ++ int errval = PK_OK; + + have_uidgid_flg = get_extattribs(__G__ &(zt.t3), z_uidgid); + +@@ -1141,16 +1173,16 @@ void close_outfile(__G) /* GRR: chang + Info(slide, 0x201, ((char *)slide, + "warning: symbolic link (%s) failed: mem alloc overflow\n", + FnFilter1(G.filename))); +- fclose(G.outfile); +- return; ++ errval = CloseError(G.outfile, G.filename); ++ return errval ? errval : PK_WARN; + } + + if ((slnk_entry = (slinkentry *)malloc(slnk_entrysize)) == NULL) { + Info(slide, 0x201, ((char *)slide, + "warning: symbolic link (%s) failed: no mem\n", + FnFilter1(G.filename))); +- fclose(G.outfile); +- return; ++ errval = CloseError(G.outfile, G.filename); ++ return errval ? errval : PK_WARN; + } + slnk_entry->next = NULL; + slnk_entry->targetlen = ucsize; +@@ -1174,10 +1206,10 @@ void close_outfile(__G) /* GRR: chang + "warning: symbolic link (%s) failed\n", + FnFilter1(G.filename))); + free(slnk_entry); +- fclose(G.outfile); +- return; ++ errval = CloseError(G.outfile, G.filename); ++ return errval ? errval : PK_WARN; + } +- fclose(G.outfile); /* close "link" file for good... */ ++ errval = CloseError(G.outfile, G.filename); /* close "link" file for good... */ + slnk_entry->target[ucsize] = '\0'; + if (QCOND2) + Info(slide, 0, ((char *)slide, "-> %s ", +@@ -1188,7 +1220,7 @@ void close_outfile(__G) /* GRR: chang + else + G.slink_head = slnk_entry; + G.slink_last = slnk_entry; +- return; ++ return errval; + } + #endif /* SYMLINKS */ + +@@ -1201,7 +1233,7 @@ void close_outfile(__G) /* GRR: chang + #endif + + #if (defined(NO_FCHOWN)) +- fclose(G.outfile); ++ errval = CloseError(G.outfile, G.filename); + #endif + + /* if -X option was specified and we have UID/GID info, restore it */ +@@ -1227,7 +1259,7 @@ void close_outfile(__G) /* GRR: chang + } + + #if (!defined(NO_FCHOWN) && defined(NO_FCHMOD)) +- fclose(G.outfile); ++ errval = CloseError(G.outfile, G.filename); + #endif + + #if (!defined(NO_FCHOWN) && !defined(NO_FCHMOD)) +@@ -1239,7 +1271,7 @@ void close_outfile(__G) /* GRR: chang + if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr))) + perror("fchmod (file attributes) error"); + +- fclose(G.outfile); ++ errval = CloseError(G.outfile, G.filename); + #endif /* !NO_FCHOWN && !NO_FCHMOD */ + + /* skip restoring time stamps on user's request */ +@@ -1267,6 +1299,7 @@ void close_outfile(__G) /* GRR: chang + #endif + #endif /* NO_FCHOWN || NO_FCHMOD */ + ++ return errval; + } /* end function close_outfile() */ + + #endif /* !MTS */ +diff -up unzip60/unzpriv.h.close unzip60/unzpriv.h +--- unzip60/unzpriv.h.close 2009-04-20 01:59:26.000000000 +0200 ++++ unzip60/unzpriv.h 2009-11-19 08:19:08.610388618 +0100 +@@ -2604,7 +2604,7 @@ char *GetLoadPath OF((__GPRO)); + int SetFileSize OF((FILE *file, zusz_t filesize)); /* local */ + #endif + #ifndef MTS /* macro in MTS */ +- void close_outfile OF((__GPRO)); /* local */ ++ int close_outfile OF((__GPRO)); /* local */ + #endif + #ifdef SET_SYMLINK_ATTRIBS + int set_symlnk_attribs OF((__GPRO__ slinkentry *slnk_entry)); /* local */ diff --git a/unzip-6.0-cve-2014-8139.patch b/unzip-6.0-cve-2014-8139.patch new file mode 100644 index 0000000..226b35a --- /dev/null +++ b/unzip-6.0-cve-2014-8139.patch @@ -0,0 +1,79 @@ +diff --git a/extract.c b/extract.c +index 9ef80b3..c741b5f 100644 +--- a/extract.c ++++ b/extract.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] = + #ifndef SFX + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ ++ EF block length (%u bytes) invalid (< %d)\n"; + static ZCONST char Far InvalidComprDataEAs[] = + " invalid compressed data for EAs\n"; + # if (defined(WIN32) && defined(NTSD_EAS)) +@@ -2020,7 +2022,8 @@ static int TestExtraField(__G__ ef, ef_len) + ebID = makeword(ef); + ebLen = (unsigned)makeword(ef+EB_LEN); + +- if (ebLen > (ef_len - EB_HEADSIZE)) { ++ if (ebLen > (ef_len - EB_HEADSIZE)) ++ { + /* Discovered some extra field inconsistency! */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", +@@ -2155,11 +2158,29 @@ static int TestExtraField(__G__ ef, ef_len) + } + break; + case EF_PKVMS: +- if (makelong(ef+EB_HEADSIZE) != +- crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), +- (extent)(ebLen-4))) +- Info(slide, 1, ((char *)slide, +- LoadFarString(BadCRC_EAs))); ++ /* 2015-01-30 SMS. Added sufficient-bytes test/message ++ * here. (Removed defective ebLen test above.) ++ * ++ * If sufficient bytes (EB_PKVMS_MINLEN) are available, ++ * then compare the stored CRC value with the calculated ++ * CRC for the remainder of the data (and complain about ++ * a mismatch). ++ */ ++ if (ebLen < EB_PKVMS_MINLEN) ++ { ++ /* Insufficient bytes available. */ ++ Info( slide, 1, ++ ((char *)slide, LoadFarString( TooSmallEBlength), ++ ebLen, EB_PKVMS_MINLEN)); ++ } ++ else if (makelong(ef+ EB_HEADSIZE) != ++ crc32(CRCVAL_INITIAL, ++ (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN), ++ (extent)(ebLen- EB_PKVMS_MINLEN))) ++ { ++ Info(slide, 1, ((char *)slide, ++ LoadFarString(BadCRC_EAs))); ++ } + break; + case EF_PKW32: + case EF_PKUNIX: +diff --git a/unzpriv.h b/unzpriv.h +index 005cee0..5c83a6e 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -1806,6 +1806,8 @@ + #define EB_NTSD_VERSION 4 /* offset of NTSD version byte */ + #define EB_NTSD_MAX_VER (0) /* maximum version # we know how to handle */ + ++#define EB_PKVMS_MINLEN 4 /* minimum data length of PKVMS extra block */ ++ + #define EB_ASI_CRC32 0 /* offset of ASI Unix field's crc32 checksum */ + #define EB_ASI_MODE 4 /* offset of ASI Unix permission mode field */ + + diff --git a/unzip-6.0-cve-2014-8140.patch b/unzip-6.0-cve-2014-8140.patch new file mode 100644 index 0000000..b9eba92 --- /dev/null +++ b/unzip-6.0-cve-2014-8140.patch @@ -0,0 +1,25 @@ +diff --git a/extract.c b/extract.c +index c741b5f..e4a4c7b 100644 +--- a/extract.c ++++ b/extract.c +@@ -2240,10 +2240,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ + ++ /* Return no/bad-data error status if any problem is found: ++ * 1. eb_size is too small to hold the uncompressed size ++ * (eb_ucsize). (Else extract eb_ucsize.) ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. ++ * 3. eb_ucsize is positive, but eb_size is too small to hold ++ * the compressed data header. ++ */ + if ((eb_size < (EB_UCSIZE_P + 4)) || +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && +- eb_size <= (compr_offset + EB_CMPRHEADLEN))) +- return IZ_EF_TRUNC; /* no compressed data! */ ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) ++ return IZ_EF_TRUNC; /* no/bad compressed data! */ + + method = makeword(eb + (EB_HEADSIZE + compr_offset)); + if ((method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)) diff --git a/unzip-6.0-cve-2014-8141.patch b/unzip-6.0-cve-2014-8141.patch new file mode 100644 index 0000000..584c576 --- /dev/null +++ b/unzip-6.0-cve-2014-8141.patch @@ -0,0 +1,138 @@ +diff --git a/fileio.c b/fileio.c +index 03fc4be..2a61a30 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTrunc[] = + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; ++static ZCONST char Far ExtraFieldCorrupt[] = ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; + + #ifdef WINDLL + static ZCONST char Far DiskFullQuery[] = +@@ -2300,7 +2302,13 @@ int do_string(__G__ length, option) /* return PK-type error code */ + length = length2; + } + /* Looks like here is where extra fields are read */ +- getZip64Data(__G__ G.extra_field, length); ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) ++ { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); ++ error = PK_WARN; ++ } ++ + #ifdef UNICODE_SUPPORT + G.unipath_filename = NULL; + if (G.UzO.U_flag < 2) { +diff --git a/process.c b/process.c +index be6e006..0d57ab4 100644 +--- a/process.c ++++ b/process.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -1894,48 +1894,83 @@ int getZip64Data(__G__ ef_buf, ef_len) + and a 4-byte version of disk start number. + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. ++ ++ 2014-12-05 SMS. ++ Added checks to ensure that enough data are available before calling ++ makeint64() or makelong(). Replaced various sizeof() values with ++ simple ("4" or "8") constants. (The Zip64 structures do not depend ++ on our variable sizes.) Error handling is crude, but we should now ++ stay within the buffer. + ---------------------------------------------------------------------------*/ + ++#define Z64FLGS 0xffff ++#define Z64FLGL 0xffffffff ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + + Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", + ef_len)); + +- while (ef_len >= EB_HEADSIZE) { ++ while (ef_len >= EB_HEADSIZE) ++ { + eb_id = makeword(EB_ID + ef_buf); + eb_len = makeword(EB_LEN + ef_buf); + +- if (eb_len > (ef_len - EB_HEADSIZE)) { +- /* discovered some extra field inconsistency! */ ++ if (eb_len > (ef_len - EB_HEADSIZE)) ++ { ++ /* Extra block length exceeds remaining extra field length. */ + Trace((stderr, + "getZip64Data: block length %u > rest ef_size %u\n", eb_len, + ef_len - EB_HEADSIZE)); + break; + } +- if (eb_id == EF_PKSZ64) { + ++ if (eb_id == EF_PKSZ64) ++ { + int offset = EB_HEADSIZE; + +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.ucsize); ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.csize); ++ ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.relative_offset_local_header == 0xffffffff){ ++ ++ if (G.crec.relative_offset_local_header == Z64FLGL) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.relative_offset_local_header); ++ offset += 8; + } +- if (G.crec.disk_number_start == 0xffff){ ++ ++ if (G.crec.disk_number_start == Z64FLGS) ++ { ++ if (offset+ 4 > ef_len) ++ return PK_ERR; ++ + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); +- offset += sizeof(G.crec.disk_number_start); ++ offset += 4; + } ++#if 0 ++ break; /* Expect only one EF_PKSZ64 block. */ ++#endif /* 0 */ + } + +- /* Skip this extra field block */ ++ /* Skip this extra field block. */ + ef_buf += (eb_len + EB_HEADSIZE); + ef_len -= (eb_len + EB_HEADSIZE); + } diff --git a/unzip-6.0-cve-2018-18384.patch b/unzip-6.0-cve-2018-18384.patch new file mode 100644 index 0000000..54d4b8c --- /dev/null +++ b/unzip-6.0-cve-2018-18384.patch @@ -0,0 +1,35 @@ +--- unzip60/list.c ++++ unzip60/list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[13]; ++ char sgn, cfactorstr[1+10+1+1]; /* %NUL */ + int longhdr=(uO.vflag>1); + #endif + int date_format; +@@ -389,9 +389,9 @@ int list_files(__G) /* return PK-type + } + #else /* !WINDLL */ + if (cfactor == 100) +- sprintf(cfactorstr, LoadFarString(CompFactor100)); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100)); + else +- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor); + if (longhdr) + Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats), + FmZofft(G.crec.ucsize, "8", "u"), methbuf, +@@ -471,9 +471,9 @@ int list_files(__G) /* return PK-type + + #else /* !WINDLL */ + if (cfactor == 100) +- sprintf(cfactorstr, LoadFarString(CompFactor100)); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100)); + else +- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor); ++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor); + if (longhdr) { + Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer), + FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"), diff --git a/unzip-6.0-fix-warning-messages-on-big-files.patch b/unzip-6.0-fix-warning-messages-on-big-files.patch new file mode 100644 index 0000000..55a115a --- /dev/null +++ b/unzip-6.0-fix-warning-messages-on-big-files.patch @@ -0,0 +1,15 @@ +From: "Steven M. Schweda" +Subject: Fix lame code in fileio.c +Bug-Debian: https://bugs.debian.org/929502 +X-Debian-version: 6.0-23 + +--- a/fileio.c ++++ b/fileio.c +@@ -2477,6 +2477,7 @@ + */ + return (((zusz_t)sig[7]) << 56) + + (((zusz_t)sig[6]) << 48) ++ + (((zusz_t)sig[5]) << 40) + + (((zusz_t)sig[4]) << 32) + + (zusz_t)((((ulg)sig[3]) << 24) + + (((ulg)sig[2]) << 16) diff --git a/unzip-6.0-format-secure.patch b/unzip-6.0-format-secure.patch new file mode 100644 index 0000000..81cf860 --- /dev/null +++ b/unzip-6.0-format-secure.patch @@ -0,0 +1,90 @@ +diff --git a/extract.c b/extract.c +index eeb2f57..a0a4929 100644 +--- a/extract.c ++++ b/extract.c +@@ -472,8 +472,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + */ + Info(slide, 0x401, ((char *)slide, + LoadFarString(CentSigMsg), j + blknum*DIR_BLKSIZ + 1)); +- Info(slide, 0x401, ((char *)slide, +- LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; + } + reached_end = TRUE; /* ...so no more left to do */ +@@ -752,8 +752,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + + #ifndef SFX + if (no_endsig_found) { /* just to make sure */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); +- Info(slide, 0x401, ((char *)slide, LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(ReportMsg))); + if (!error_in_archive) /* don't overwrite stronger error */ + error_in_archive = PK_WARN; + } +diff --git a/list.c b/list.c +index 15e0011..f7359c3 100644 +--- a/list.c ++++ b/list.c +@@ -181,7 +181,7 @@ int list_files(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -507,7 +507,8 @@ int list_files(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + +@@ -591,7 +592,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -674,7 +675,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + ---------------------------------------------------------------------------*/ + + if (memcmp(G.sig, end_central_sig, 4)) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; + } + if (*nmember == 0L && error_in_archive <= PK_WARN) +diff --git a/zipinfo.c b/zipinfo.c +index 6e22cc8..ac5c61b 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -771,7 +771,7 @@ int zipinfo(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; /* sig not found */ + break; + } +@@ -960,7 +960,8 @@ int zipinfo(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + diff --git a/unzip-6.0-heap-overflow-infloop.patch b/unzip-6.0-heap-overflow-infloop.patch new file mode 100644 index 0000000..b517c40 --- /dev/null +++ b/unzip-6.0-heap-overflow-infloop.patch @@ -0,0 +1,104 @@ +From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001 +From: Petr Stodulka +Date: Mon, 14 Sep 2015 18:23:17 +0200 +Subject: [PATCH 1/3] upstream fix for heap overflow + +https://bugzilla.redhat.com/attachment.cgi?id=1073002 +--- + crypt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/crypt.c b/crypt.c +index 784e411..a8975f2 100644 +--- a/crypt.c ++++ b/crypt.c +@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd) + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } +-- +2.4.6 + + +From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 14 Sep 2015 18:24:56 +0200 +Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data + +Bug: https://sourceforge.net/p/infozip/patches/23/ +--- + extract.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/extract.c b/extract.c +index 7134bfe..29db027 100644 +--- a/extract.c ++++ b/extract.c +@@ -2733,6 +2733,12 @@ __GDEF + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; +-- +2.4.6 + + +From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 22 Sep 2015 18:52:23 +0200 +Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input + +Suggested-by: Stefan Cornelius +--- + extract.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index 29db027..b9ae667 100644 +--- a/extract.c ++++ b/extract.c +@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, + if (G.lrec.compression_method == STORED) { + zusz_t csiz_decrypted = G.lrec.csize; + +- if (G.pInfo->encrypted) ++ if (G.pInfo->encrypted) { ++ if (csiz_decrypted < 12) { ++ /* handle the error now to prevent unsigned overflow */ ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarStringSmall(ErrUnzipNoFile), ++ LoadFarString(InvalidComprData), ++ LoadFarStringSmall2(Inflate))); ++ return PK_ERR; ++ } + csiz_decrypted -= 12; ++ } + if (G.lrec.ucsize != csiz_decrypted) { + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall2(WrnStorUCSizCSizDiff), +-- +2.5.2 + diff --git a/unzip-6.0-manpage-fix.patch b/unzip-6.0-manpage-fix.patch new file mode 100644 index 0000000..ec06516 --- /dev/null +++ b/unzip-6.0-manpage-fix.patch @@ -0,0 +1,11 @@ +--- unzip60/man/unzip.1 2011-01-11 11:59:59.000000000 +0000 ++++ unzip60/man/unzip_new 2011-02-05 18:45:55.000000000 +0000 +@@ -424,7 +424,7 @@ + .\" Amiga support possible eventually, but not yet + [MS-DOS, OS/2, NT] restore the volume label if the extraction medium is + removable (e.g., a diskette). Doubling the option (\fB\-$$\fP) allows fixed +-media (hard disks) to be labelled as well. By default, volume labels are ++media (hard disks) to be labeled as well. By default, volume labels are + ignored. + .IP \fB\-/\fP\ \fIextensions\fP + [Acorn only] overrides the extension list supplied by Unzip$Ext environment diff --git a/unzip-6.0-overflow-long-fsize.patch b/unzip-6.0-overflow-long-fsize.patch new file mode 100644 index 0000000..80cd708 --- /dev/null +++ b/unzip-6.0-overflow-long-fsize.patch @@ -0,0 +1,34 @@ +diff --git a/list.c b/list.c +index f7359c3..4c3d703 100644 +--- a/list.c ++++ b/list.c +@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type error code */ + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[10]; ++ char sgn, cfactorstr[13]; + int longhdr=(uO.vflag>1); + #endif + int date_format; +@@ -339,7 +339,19 @@ int list_files(__G) /* return PK-type error code */ + G.crec.compression_method == ENHDEFLATED) { + methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; + } else if (methnum >= NUM_METHODS) { +- sprintf(&methbuf[4], "%03u", G.crec.compression_method); ++ /* 2013-02-26 SMS. ++ * http://sourceforge.net/tracker/?func=detail ++ * &aid=2861648&group_id=118012&atid=679786 ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the ++ * colon, and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); ++ } + } + + #if 0 /* GRR/Euro: add this? */ diff --git a/unzip-6.0-overflow.patch b/unzip-6.0-overflow.patch new file mode 100644 index 0000000..228c283 --- /dev/null +++ b/unzip-6.0-overflow.patch @@ -0,0 +1,25 @@ +diff --git a/extract.c b/extract.c +index a0a4929..9ef80b3 100644 +--- a/extract.c ++++ b/extract.c +@@ -2214,6 +2214,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2223,6 +2224,12 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata) + eb_size <= (compr_offset + EB_CMPRHEADLEN))) + return IZ_EF_TRUNC; /* no compressed data! */ + ++ method = makeword(eb + (EB_HEADSIZE + compr_offset)); ++ if ((method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)) ++ return PK_ERR; /* compressed & uncompressed ++ * should match in STORED ++ * method */ ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || diff --git a/unzip-6.0-symlink.patch b/unzip-6.0-symlink.patch new file mode 100644 index 0000000..d7eaf16 --- /dev/null +++ b/unzip-6.0-symlink.patch @@ -0,0 +1,17 @@ +diff --git a/process.c b/process.c +index 1e9a1e1..905732b 100644 +--- a/process.c ++++ b/process.c +@@ -1751,6 +1751,12 @@ int process_cdir_file_hdr(__G) /* return PK-type error code */ + = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11); + #endif + ++#ifdef SYMLINKS ++ /* Initialize the symlink flag, may be set by the platform-specific ++ mapattr function. */ ++ G.pInfo->symlink = 0; ++#endif ++ + return PK_COOL; + + } /* end function process_cdir_file_hdr() */ diff --git a/unzip-6.0-timestamp.patch b/unzip-6.0-timestamp.patch new file mode 100644 index 0000000..2aa9424 --- /dev/null +++ b/unzip-6.0-timestamp.patch @@ -0,0 +1,41 @@ +From: "Steven M. Schweda" +Subject: Do not ignore extra fields containing Unix Timestamps +Bug-Debian: https://bugs.debian.org/842993 +X-Debian-version: 6.0-21 + +--- a/process.c ++++ b/process.c +@@ -2914,10 +2914,13 @@ + break; + + case EF_IZUNIX2: +- if (have_new_type_eb == 0) { +- flags &= ~0x0ff; /* ignore any previous IZUNIX field */ ++ if (have_new_type_eb == 0) { /* (< 1) */ + have_new_type_eb = 1; + } ++ if (have_new_type_eb <= 1) { ++ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */ ++ flags &= 0x0ff; ++ } + #ifdef IZ_HAVE_UXUIDGID + if (have_new_type_eb > 1) + break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */ +@@ -2933,6 +2936,8 @@ + /* new 3rd generation Unix ef */ + have_new_type_eb = 2; + ++ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */ ++ flags &= 0x0ff; + /* + Version 1 byte version of this extra field, currently 1 + UIDSize 1 byte Size of UID field +@@ -2953,8 +2958,6 @@ + uid_size = *((EB_HEADSIZE + 1) + ef_buf); + gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf); + +- flags &= ~0x0ff; /* ignore any previous UNIX field */ +- + if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, + uid_size, &z_uidgid[0]) + && diff --git a/unzip-6.0-valgrind.patch b/unzip-6.0-valgrind.patch new file mode 100644 index 0000000..41a7520 --- /dev/null +++ b/unzip-6.0-valgrind.patch @@ -0,0 +1,26 @@ +diff --git a/fileio.c b/fileio.c +index ba0a1d0..03fc4be 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -2006,6 +2006,7 @@ int do_string(__G__ length, option) /* return PK-type error code */ + unsigned comment_bytes_left; + unsigned int block_len; + int error=PK_OK; ++ unsigned int length2; + #ifdef AMIGA + char tmp_fnote[2 * AMIGA_FILENOTELEN]; /* extra room for squozen chars */ + #endif +@@ -2292,8 +2293,12 @@ int do_string(__G__ length, option) /* return PK-type error code */ + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ if ((length2 = readbuf(__G__ (char *)G.extra_field, length)) == 0) + return PK_EOF; ++ if(length2 < length) { ++ memset (__G__ (char *)G.extra_field+length2, 0 , length-length2); ++ length = length2; ++ } + /* Looks like here is where extra fields are read */ + getZip64Data(__G__ G.extra_field, length); + #ifdef UNICODE_SUPPORT diff --git a/unzip-6.0-x-option.patch b/unzip-6.0-x-option.patch new file mode 100644 index 0000000..72c77ae --- /dev/null +++ b/unzip-6.0-x-option.patch @@ -0,0 +1,28 @@ +--- ./process.c.orig 2009-03-06 02:25:10.000000000 +0100 ++++ ./process.c 2013-09-12 10:51:16.000000000 +0200 +@@ -2901,9 +2901,9 @@ + */ + + #ifdef IZ_HAVE_UXUIDGID +- if (eb_len >= EB_UX3_MINLEN +- && z_uidgid != NULL +- && (*((EB_HEADSIZE + 0) + ef_buf) == 1) ++ if ((eb_len >= EB_UX3_MINLEN) ++ && (z_uidgid != NULL) ++ && ((*((EB_HEADSIZE + 0) + ef_buf) == 1))) + /* only know about version 1 */ + { + uch uid_size; +@@ -2915,10 +2915,10 @@ + flags &= ~0x0ff; /* ignore any previous UNIX field */ + + if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, +- uid_size, z_uidgid[0]) ++ uid_size, &z_uidgid[0]) + && + read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf, +- gid_size, z_uidgid[1]) ) ++ gid_size, &z_uidgid[1]) ) + { + flags |= EB_UX2_VALID; /* signal success */ + } diff --git a/unzip-zipbomb-part1.patch b/unzip-zipbomb-part1.patch new file mode 100644 index 0000000..35cf856 --- /dev/null +++ b/unzip-zipbomb-part1.patch @@ -0,0 +1,25 @@ +From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 27 May 2019 08:20:32 -0700 +Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state. + +--- + fileio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fileio.c b/fileio.c +index c042987..bc00d74 100644 +--- a/fileio.c ++++ b/fileio.c +@@ -530,8 +530,10 @@ void undefer_input(__G) + * This condition was checked when G.incnt_leftover was set > 0 in + * defer_leftover_input(), and it is NOT allowed to touch G.csize + * before calling undefer_input() when (G.incnt_leftover > 0) +- * (single exception: see read_byte()'s "G.csize <= 0" handling) !! ++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !! + */ ++ if (G.csize < 0L) ++ G.csize = 0L; + G.incnt = G.incnt_leftover + (int)G.csize; + G.inptr = G.inptr_leftover - (int)G.csize; + G.incnt_leftover = 0; diff --git a/unzip-zipbomb-part3.patch b/unzip-zipbomb-part3.patch new file mode 100644 index 0000000..3b8d67b --- /dev/null +++ b/unzip-zipbomb-part3.patch @@ -0,0 +1,112 @@ +From 6d351831be705cc26d897db44f878a978f4138fc Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Thu, 25 Jul 2019 20:43:17 -0700 +Subject: [PATCH] Do not raise a zip bomb alert for a misplaced central + directory. + +There is a zip-like file in the Firefox distribution, omni.ja, +which is a zip container with the central directory placed at the +start of the file instead of after the local entries as required +by the zip standard. This commit marks the actual location of the +central directory, as well as the end of central directory records, +as disallowed locations. This now permits such containers to not +raise a zip bomb alert, where in fact there are no overlaps. +--- + extract.c | 25 +++++++++++++++++++------ + process.c | 6 ++++++ + unzpriv.h | 10 ++++++++++ + 3 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/extract.c b/extract.c +index 0973a33..1b73cb0 100644 +--- a/extract.c ++++ b/extract.c +@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ + } + #endif /* !SFX || SFX_EXDIR */ + +- /* One more: initialize cover structure for bomb detection. Start with a +- span that covers the central directory though the end of the file. */ ++ /* One more: initialize cover structure for bomb detection. Start with ++ spans that cover any extra bytes at the start, the central directory, ++ the end of central directory record (including the Zip64 end of central ++ directory locator, if present), and the Zip64 end of central directory ++ record, if present. */ + if (G.cover == NULL) { + G.cover = malloc(sizeof(cover_t)); + if (G.cover == NULL) { +@@ -506,15 +509,25 @@ int extract_or_test_files(__G) /* return PK-type error code */ + ((cover_t *)G.cover)->max = 0; + } + ((cover_t *)G.cover)->num = 0; +- if ((G.extra_bytes != 0 && +- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || +- cover_add((cover_t *)G.cover, ++ if (cover_add((cover_t *)G.cover, + G.extra_bytes + G.ecrec.offset_start_central_directory, +- G.ziplen) != 0) { ++ G.extra_bytes + G.ecrec.offset_start_central_directory + ++ G.ecrec.size_central_directory) != 0) { + Info(slide, 0x401, ((char *)slide, + LoadFarString(NotEnoughMemCover))); + return PK_MEM; + } ++ if ((G.extra_bytes != 0 && ++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) || ++ (G.ecrec.have_ecr64 && ++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start, ++ G.ecrec.ec64_end) != 0) || ++ cover_add((cover_t *)G.cover, G.ecrec.ec_start, ++ G.ecrec.ec_end) != 0) { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString(OverlappedComponents))); ++ return PK_BOMB; ++ } + + /*--------------------------------------------------------------------------- + The basic idea of this function is as follows. Since the central di- +diff --git a/process.c b/process.c +index d2e4dc3..d75d405 100644 +--- a/process.c ++++ b/process.c +@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ + + /* Now, we are (almost) sure that we have a Zip64 archive. */ + G.ecrec.have_ecr64 = 1; ++ G.ecrec.ec_start -= ECLOC64_SIZE+4; ++ G.ecrec.ec64_start = ecrec64_start_offset; ++ G.ecrec.ec64_end = ecrec64_start_offset + ++ 12 + makeint64(&byterec[ECREC64_LENGTH]); + + /* Update the "end-of-central-dir offset" for later checks. */ + G.real_ecrec_offset = ecrec64_start_offset; +@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ + makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]); + G.ecrec.zipfile_comment_length = + makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); ++ G.ecrec.ec_start = G.real_ecrec_offset; ++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + + /* Now, we have to read the archive comment, BEFORE the file pointer + is moved away backwards to seek for a Zip64 ECLOC64 structure. +diff --git a/unzpriv.h b/unzpriv.h +index dc9eff5..297b3c7 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf { + int have_ecr64; /* valid Zip64 ecdir-record exists */ + int is_zip64_archive; /* Zip64 ecdir-record is mandatory */ + ush zipfile_comment_length; ++ zusz_t ec_start, ec_end; /* offsets of start and end of the ++ end of central directory record, ++ including if present the Zip64 ++ end of central directory locator, ++ which immediately precedes the ++ end of central directory record */ ++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these ++ are the offsets of the start and ++ end of the Zip64 end of central ++ directory record */ + } ecdir_rec; + + diff --git a/unzip-zipbomb-part4.patch b/unzip-zipbomb-part4.patch new file mode 100644 index 0000000..beffa2c --- /dev/null +++ b/unzip-zipbomb-part4.patch @@ -0,0 +1,25 @@ +From 5e2efcd633a4a1fb95a129a75508e7d769e767be Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 20:36:28 -0800 +Subject: [PATCH] Fix bug in UZbunzip2() that incorrectly updated G.incnt. + +The update assumed a full buffer, which is not always full. This +could result in a false overlapped element detection when a small +bzip2-compressed file was unzipped. This commit remedies that. +--- + extract.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/extract.c b/extract.c +index d9866f9..0cb7bfc 100644 +--- a/extract.c ++++ b/extract.c +@@ -3010,7 +3010,7 @@ __GDEF + #endif + + G.inptr = (uch *)bstrm.next_in; +- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ ++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ + + uzbunzip_cleanup_exit: + err = BZ2_bzDecompressEnd(&bstrm); diff --git a/unzip-zipbomb-part5.patch b/unzip-zipbomb-part5.patch new file mode 100644 index 0000000..ca6a43a --- /dev/null +++ b/unzip-zipbomb-part5.patch @@ -0,0 +1,26 @@ +From 5c572555cf5d80309a07c30cf7a54b2501493720 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sun, 9 Feb 2020 21:39:09 -0800 +Subject: [PATCH] Fix bug in UZinflate() that incorrectly updated G.incnt. + +The update assumed a full buffer, which is not always full. This +could result in a false overlapped element detection when a small +deflate-compressed file was unzipped using an old zlib. This +commit remedies that. +--- + inflate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/inflate.c b/inflate.c +index 2f5a015..70e3cc0 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -700,7 +700,7 @@ int UZinflate(__G__ is_defl64) + G.dstrm.total_out)); + + G.inptr = (uch *)G.dstrm.next_in; +- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ ++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ + + uzinflate_cleanup_exit: + err = inflateReset(&G.dstrm); diff --git a/unzip-zipbomb-part6.patch b/unzip-zipbomb-part6.patch new file mode 100644 index 0000000..3dce6e3 --- /dev/null +++ b/unzip-zipbomb-part6.patch @@ -0,0 +1,95 @@ +From 122050bac16fae82a460ff739fb1ca0f106e9d85 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sat, 2 Jan 2021 13:09:34 -0800 +Subject: [PATCH] Determine Zip64 status entry-by-entry instead of for entire + file. + +Fixes a bug for zip files with mixed Zip64 and not Zip64 entries, +which resulted in an incorrect data descriptor length. The bug is +seen when a Zip64 entry precedes a non-Zip64 entry, in which case +the data descriptor would have been assumed to be larger than it +is, resulting in an incorrect bomb warning due to a perceived +overlap with the next entry. This commit determines and saves the +Zip64 status for each entry based on the central directory, and +then computes the length of each data descriptor accordingly. +--- + extract.c | 5 +++-- + globals.h | 2 -- + process.c | 4 +--- + unzpriv.h | 1 + + 4 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/extract.c b/extract.c +index 504afd6..878817d 100644 +--- a/extract.c ++++ b/extract.c +@@ -658,6 +658,7 @@ int extract_or_test_files(__G) /* return PK-type error code */ + break; + } + } ++ G.pInfo->zip64 = FALSE; + if ((error = do_string(__G__ G.crec.extra_field_length, + EXTRA_FIELD)) != 0) + { +@@ -2187,12 +2188,12 @@ static int extract_or_test_member(__G) /* return PK-type error code */ + (clen == SIG && /* if not SIG, no signature */ + ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */ + (ulen == SIG && /* if not SIG, no signature */ +- (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG ++ (G.pInfo->zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG + /* if not SIG, have signature */ + ))))) + /* skip four more bytes to account for signature */ + shy += 4 - readbuf((char *)buf, 4); +- if (G.zip64) ++ if (G.pInfo->zip64) + shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */ + if (shy) + error = PK_ERR; +diff --git a/globals.h b/globals.h +index f9c6daf..a883c90 100644 +--- a/globals.h ++++ b/globals.h +@@ -261,8 +261,6 @@ typedef struct Globals { + ecdir_rec ecrec; /* used in unzip.c, extract.c */ + z_stat statbuf; /* used by main, mapname, check_for_newer */ + +- int zip64; /* true if Zip64 info in extra field */ +- + int mem_mode; + uch *outbufptr; /* extract.c static */ + ulg outsize; /* extract.c static */ +diff --git a/process.c b/process.c +index d75d405..d643c6f 100644 +--- a/process.c ++++ b/process.c +@@ -1903,8 +1903,6 @@ int getZip64Data(__G__ ef_buf, ef_len) + #define Z64FLGS 0xffff + #define Z64FLGL 0xffffffff + +- G.zip64 = FALSE; +- + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + +@@ -1943,7 +1941,7 @@ int getZip64Data(__G__ ef_buf, ef_len) + break; /* Expect only one EF_PKSZ64 block. */ + #endif /* 0 */ + +- G.zip64 = TRUE; ++ G.pInfo->zip64 = TRUE; + } + + /* Skip this extra field block. */ +diff --git a/unzpriv.h b/unzpriv.h +index 09f288e..75b3359 100644 +--- a/unzpriv.h ++++ b/unzpriv.h +@@ -2034,6 +2034,7 @@ typedef struct min_info { + #ifdef UNICODE_SUPPORT + unsigned GPFIsUTF8: 1; /* crec gen_purpose_flag UTF-8 bit 11 is set */ + #endif ++ unsigned zip64: 1; /* true if entry has Zip64 extra block */ + #ifndef SFX + char Far *cfilname; /* central header version of filename */ + #endif diff --git a/unzip.spec b/unzip.spec index aaacc81..a173e7c 100644 --- a/unzip.spec +++ b/unzip.spec @@ -1,13 +1,13 @@ -%define anolis_release 4 +%define anolis_release 5 Name: unzip Epoch: 1 -Version: 6.0 +Version: 6.0 Release: %{anolis_release}%{?dist} License: BSD Summary: A utility for unpacking zip files URL: http://infozip.sourceforge.net -Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz#/%{name}-%{version}.tar.gz +Source0: http://downloads.sourceforge.net/infozip/unzip60.tar.gz # Not sent to upstream. Patch1: 0001-unzip-6.0-bzip2-configure.patch @@ -69,6 +69,30 @@ Patch31: 0031-unzip-zipbomb-part6.patch Patch32: 0032-unzip-zipbomb-switch.patch Patch33: 33-bugfix-for-CVE-2022-0529.patch +Patch34: unzip-6.0-cve-2014-8140.patch +Patch35: unzip-6.0-fix-warning-messages-on-big-files.patch +Patch36: unzip-6.0-symlink.patch +Patch37: unzip-zipbomb-part6.patch +Patch38: unzip-6.0-cve-2018-18384.patch +Patch39: unzip-6.0-valgrind.patch +Patch40: unzip-6.0-close.patch +Patch41: unzip-6.0-overflow.patch +Patch42: unzip-6.0-heap-overflow-infloop.patch +Patch43: unzip-6.0-COVSCAN-fix-unterminated-string.patch +Patch44: unzip-6.0-manpage-fix.patch +Patch45: unzip-6.0-cve-2014-8141.patch +Patch46: unzip-6.0-format-secure.patch +Patch47: unzip-6.0-RHEL-86228.patch +Patch48: unzip-zipbomb-part1.patch +Patch49: unzip-zipbomb-part3.patch +Patch50: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch +Patch51: unzip-zipbomb-part5.patch +Patch52: unzip-6.0-timestamp.patch +Patch53: unzip-6.0-attribs-overflow.patch +Patch54: unzip-6.0-x-option.patch +Patch55: unzip-6.0-overflow-long-fsize.patch +Patch56: unzip-6.0-cve-2014-8139.patch +Patch57: unzip-zipbomb-part4.patch BuildRequires: make BuildRequires: bzip2-devel, gcc @@ -114,6 +138,31 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_ %doc README BUGS %changelog +* Fri Sep 19 2025 wenyuzifang - 6.0-5 +- Apply patch to prevent crashes and security issues from malformed ZIP files by validating compressed extra field sizes +- Fix incorrect 64-bit value parsing by including all bytes for proper ZIP64 support and prevent data corruption +- Initialize symlink flag safely to prevent undefined behavior and ensure reliable symbolic link handling +- Fix extraction errors in mixed Zip64 archives by correctly handling per-entry data descriptors +- Apply patch to prevent buffer overflows and enhance security when processing untrusted ZIP archives +- Fix partial read handling, zero unused buffer space, prevent garbage data parsing, and ensure correct ZIP64 field processing +- Fix critical disk-full detection during file close to prevent silent data corruption +- Fix size validation in stored method to prevent parsing errors and enhance security against malformed ZIP files +- Apply patch to prevent crashes, loops, and overflows from malicious ZIP files +- Apply patch to prevent buffer overflows and ensure string safety in character set handling +- Standardize spelling to American English for consistency in documentation +- Improve security and stability by preventing buffer overruns when parsing corrupt Zip64 extra fields +- Fix format string vulnerabilities to prevent crashes and security risks +- Fix extraction failures on valid ZIP64 archives created by Microsoft tools +- Fix input state corruption by ensuring G.csize is non-negative before restoring buffer pointers +- Prevent false zip bomb alerts on valid non-standard ZIP files without compromising security +- Prevent buffer overflows from malicious ZIP files by safely formatting large compression method values +- Fix incorrect buffer count handling to prevent false overlap detection in small files with old zlib +- Ensure correct handling of Unix timestamps and ownership by prioritizing newer extra fields over outdated metadata +- Apply patch to prevent a stack-based buffer overflow and ensure safe string handling in file attribute display +- Fix memory corruption by correctly passing pointers when reading UID/GID values from ZIP extra fields +- Apply patch to prevent buffer overflow from malicious ZIP files and ensure safe display of unknown compression methods +- Apply patch to prevent buffer overreads and improve error reporting for malformed ZIP files +- Fix incorrect buffer count update to prevent false overlap detection and ensure reliable extraction of small bzip2 files * Tue Sep 02 2025 tomcruiseqi - 1:6.0-4 - Fix CVE-2022-0529 diff --git a/unzip-6.0.tar.gz b/unzip60.tar.gz similarity index 100% rename from unzip-6.0.tar.gz rename to unzip60.tar.gz -- Gitee