38 files changed, 1575 insertions, 249 deletions
diff --git a/data/unzip/_metadata/version b/data/unzip/_metadata/version
index e0ea36fee..e2c246fe1 100644
--- a/data/unzip/_metadata/version
+++ b/data/unzip/_metadata/version
@@ -1 +1 @@
-6.0
+6.0+deb9u1
diff --git a/data/unzip/debian/changelog b/data/unzip/debian/changelog
new file mode 100644
index 000000000..1100fa175
--- /dev/null
+++ b/data/unzip/debian/changelog
@@ -0,0 +1,467 @@ +unzip (6.0-21+deb9u1) stretch; urgency=medium + + * Fix buffer overflow in password protected ZIP archives. Closes: #889838. + Patch borrowed from SUSE. For reference, this is CVE-2018-1000035. + + -- Santiago Vila <sanvila@debian.org> Wed, 17 Apr 2019 21:23:40 +0200 + +unzip (6.0-21) unstable; urgency=medium + + * Rename all debian/patches/* to have .patch ending. + * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised + patch "unzip-6.0_overflow3.diff" from mancha (patch author). + Update also to follow upstream coding style. + * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732) + in the hope that it's not present anymore in GCC-6. + * Allow source to be cross-built. Closes: #836051. + * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author. + * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485. + Patch by the author. + * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486. + Patch by the author. + + -- Santiago Vila <sanvila@debian.org> Sun, 11 Dec 2016 21:03:30 +0100 + +unzip (6.0-20) unstable; urgency=high + + * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix + regression on encrypted 0-byte files. Closes: #804595. + Thanks to Marc Deslauriers for the fix in Ubuntu. + + -- Santiago Vila <sanvila@debian.org> Mon, 09 Nov 2015 22:15:32 +0100 + +unzip (6.0-19) unstable; urgency=medium + + * Fix infinite loop when extracting password-protected archive. + This is CVE-2015-7697. Closes: #802160. + * Fix heap overflow when extracting password-protected archive. + This is CVE-2015-7696. Closes: #802162. + * Fix additional unsigned overflow on invalid input. + * Thanks a lot to Raphaël Hertzog for the squeeze-lts release, + from which this upload is mainly derived. 
+ + -- Santiago Vila <sanvila@debian.org> Thu, 22 Oct 2015 12:12:46 +0200 + +unzip (6.0-18) unstable; urgency=medium + + * Ship a debian/copyright file in source package instead of generating + it a build time. Closes: #795567. + + -- Santiago Vila <sanvila@debian.org> Sun, 16 Aug 2015 23:34:42 +0200 + +unzip (6.0-17) unstable; urgency=medium + + * Switch to dh. + * Remove build date embedded in binary to make the build reproducible. + Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851. + + -- Santiago Vila <sanvila@debian.org> Sun, 17 May 2015 12:41:52 +0200 + +unzip (6.0-16) unstable; urgency=medium + + * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139 + the right way (patch by the author). Closes: #775640. + * Update 10-cve-2014-8140-test-compr-eb to apply cleanly. + * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c + file from the author. + + -- Santiago Vila <sanvila@debian.org> Fri, 30 Jan 2015 22:16:08 +0100 + +unzip (6.0-15) unstable; urgency=medium + + * Fix heap overflow. Ensure that compressed and uncompressed + block sizes match when using STORED method in extract.c. + Patch taken from Ubuntu. Thanks a lot. Closes: #776589. + For reference, this is CVE-2014-9636. + + -- Santiago Vila <sanvila@debian.org> Thu, 29 Jan 2015 18:39:52 +0100 + +unzip (6.0-14) unstable; urgency=medium + + * Drop -O2 optimization on armhf as a workaround for gcc Bug #764732. + Closes: #773785. + + -- Santiago Vila <sanvila@debian.org> Tue, 30 Dec 2014 22:17:12 +0100 + +unzip (6.0-13) unstable; urgency=medium + + * Apply upstream fix for three security bugs. Closes: #773722. 
+ CVE-2014-8139: CRC32 verification heap-based overflow + CVE-2014-8140: out-of-bounds write issue in test_compr_eb() + CVE-2014-8141: out-of-bounds read issues in getZip64Data() + + -- Santiago Vila <sanvila@debian.org> Mon, 22 Dec 2014 19:16:10 +0100 + +unzip (6.0-12) unstable; urgency=medium + + * Fix zipinfo crash where a value <= 25.5 was printed in a buffer + having room only for values < 10.0. The integral part is now printed + at attribs[11] using %2u instead of attribs[12] using %u. + This way the output is the same as before for values < 10. + Authors tell me that the next unzip release will have a fix + like this, at least for the Unix case. Closes: #744212. + + -- Santiago Vila <sanvila@debian.org> Thu, 24 Apr 2014 23:39:38 +0200 + +unzip (6.0-11) unstable; urgency=medium + + * Lowered mime priority to 3, somewhat below 5 which is file-roller + default value. Closes: #727306. + * Increase size of cfactorstr array in list.c to avoid a buffer + overflow problem. Closes: #741384. + + -- Santiago Vila <sanvila@debian.org> Mon, 17 Mar 2014 17:38:50 +0100 + +unzip (6.0-10) unstable; urgency=low + + * Fixed bug "unzip thinks some files are symlinks". Closes: #717029. + Reported by Jeff King. Patch by Andreas Schwab. + * Added recommended targets build-arch and build-indep. + * Dropped obsolete Conflicts and Replaces on unzip-crypt, for which + the last version was a dummy transitional package. + * The copyright file is generated from copyright.in at build time. + Added lintian override for no-debian-copyright. + + -- Santiago Vila <sanvila@debian.org> Mon, 14 Oct 2013 18:48:40 +0200 + +unzip (6.0-9) unstable; urgency=low + + * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are + displayed correctly. Reported by Slavek Banko. Closes: #682682. + * Use the right strip command when cross-building. Closes: #695141. 
+ + -- Santiago Vila <sanvila@debian.org> Sun, 24 Feb 2013 17:12:00 +0100 + +unzip (6.0-8) unstable; urgency=low + + * Made unzip -X to actually restore uid/gid information. + Closes: #689212. Thanks to Axel Scheepers for the report. + * Disabled memcpy, as it is being used on overlapping buffers, + leading to data corruption. Closes: #694601. + Thanks to M Joonas Pihlaja for the report. + + -- Santiago Vila <sanvila@debian.org> Wed, 28 Nov 2012 12:41:34 +0100 + +unzip (6.0-7) unstable; urgency=low + + * Added Multi-Arch: foreign. Closes: #678812. + + -- Santiago Vila <sanvila@debian.org> Sat, 30 Jun 2012 14:17:42 +0200 + +unzip (6.0-6) unstable; urgency=low + + * Added hardening flags. Closes: #656268. + + -- Santiago Vila <sanvila@debian.org> Sun, 01 Apr 2012 00:01:40 +0200 + +unzip (6.0-5) unstable; urgency=low + + * Handle the PKWare verification bit of internal attributes. + Patch taken from 6.10 beta. Thanks to sms. Closes: #630078. + + -- Santiago Vila <sanvila@debian.org> Fri, 01 Jul 2011 19:06:08 +0200 + +unzip (6.0-4) unstable; urgency=low + + * Added homepage field to control file. + * Switch to 3.0 (quilt) source format. + * Support cross-build. + + -- Santiago Vila <sanvila@debian.org> Sun, 21 Feb 2010 17:01:00 +0100 + +unzip (6.0-3) unstable; urgency=low + + * Added "set -e" to postinst and postrm. + + -- Santiago Vila <sanvila@debian.org> Tue, 09 Feb 2010 23:53:42 +0100 + +unzip (6.0-2) unstable; urgency=low + + * Do not ignore errors from make clean (lintian warning) + * Remove .comment section from executables (lintian warning). + * Added mime stuff so that mutt is able to see the contents of a zipfile + using "unzip -l". Closes: #474538. + + -- Santiago Vila <sanvila@debian.org> Mon, 08 Feb 2010 18:44:00 +0100 + +unzip (6.0-1) unstable; urgency=low + + * New upstream release. Closes: #496989. + * Enabled new Unicode support. Closes: #197427. 
This may or may not work + for your already created zipfiles, but it's not a bug unless they were + created using the Unicode feature present in zip 3.0. + * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format, + as that's the only available one which makes sense. Closes: #312886. + * Enabled new bzip2 support. Closes: #426798. + * Exit code for zipgrep should now be the right one. Closes: #441997. + * The reason why a file may not be created is now shown. Closes: #478791. + * Summary of changes in this version not being the debian/* files: + - Manpages in section 1, not 1L. + - Branding patch. UnZip by Debian. Original by Info-ZIP. + - Always #include <unistd.h>. Debian GNU/kFreeBSD needs it. + + -- Santiago Vila <sanvila@debian.org> Fri, 08 May 2009 20:02:40 +0200 + +unzip (5.52-12) unstable; urgency=medium + + * Fixed stack underflow in unshrink.c. Closes: #454037. + Thanks to Christian Spieler for the patch. + + -- Santiago Vila <sanvila@debian.org> Sat, 26 Jul 2008 16:51:38 +0200 + +unzip (5.52-11) unstable; urgency=high + + * Apply patch from Tavis Ormandy to address invalid free() calls in + the inflate_dynamic() function (CVE-2008-0888). + + -- Santiago Vila <sanvila@debian.org> Thu, 20 Mar 2008 17:53:00 +0100 + +unzip (5.52-10) unstable; urgency=low + + * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479. + + -- Santiago Vila <sanvila@debian.org> Mon, 2 Jul 2007 18:08:44 +0200 + +unzip (5.52-9) unstable; urgency=low + + * Added appropriate compiler flags for Large File Support (Closes: #192253). + This procedure is blessed by upstream in the FAQ, and as a result, + some .zip archives may now be uncompressed using Debian unzip. + For those which still may not, please test unzip 6.0 beta. + + -- Santiago Vila <sanvila@debian.org> Wed, 30 Aug 2006 10:34:24 +0200 + +unzip (5.52-8) unstable; urgency=low + + * Modified unix/unxcfg.h to always #include <unistd.h>. + This should now work on GNU/kFreeBSD (Closes: #340693). 
+ + -- Santiago Vila <sanvila@debian.org> Tue, 25 Apr 2006 19:50:24 +0200 + +unzip (5.52-7) unstable; urgency=medium + + * Fixed buffer overflow when insanely long filenames are given on the + command line. Patch from Johnny Lee. Changed some format strings so + that they use 512 characters at most. The "right" fix will be in 5.53, + but this should work well enough for now. Closes: #349794. + * This is CVE-2005-4667. + + -- Santiago Vila <sanvila@debian.org> Thu, 16 Mar 2006 10:31:20 +0100 + +unzip (5.52-6) unstable; urgency=medium + + * Symlinks should work again (Closes: #343680). Fix provided by + Christian Spieler. Thanks to Carl W. Hoffman for the report. + + -- Santiago Vila <sanvila@debian.org> Tue, 20 Dec 2005 19:18:32 +0100 + +unzip (5.52-5) unstable; urgency=low + + * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53. + Patch extracted from a prerelease provided by upstream. + * Changed unzip banner line to reflect the fact that this is + a "modified" release. Debian-derived distributions should probably + do the same if they deviate from the Debian version. + + -- Santiago Vila <sanvila@debian.org> Thu, 17 Nov 2005 16:34:24 +0100 + +unzip (5.52-4) unstable; urgency=medium + + * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c + to use fchmod() and fchown() instead of chmod() and chown() to change + permissions and ownerships on the files actually created by unzip. + Patch from Dan Yefimov. CAN-2005-2475. + + -- Santiago Vila <sanvila@debian.org> Wed, 9 Nov 2005 18:05:02 +0100 + +unzip (5.52-3) unstable; urgency=low + + * Put manpages in section 1, not 1L. + * Fixed more typos (Closes: #309885). + + -- Santiago Vila <sanvila@debian.org> Wed, 25 May 2005 16:09:02 +0200 + +unzip (5.52-2) unstable; urgency=low + + * Fixed typos in manpage (Closes: #301915). + + -- Santiago Vila <sanvila@debian.org> Sun, 24 Apr 2005 19:27:02 +0200 + +unzip (5.52-1) unstable; urgency=low + + * New upstream release. 
+ * Enabled new -W option via WILD_STOP_AT_DIR macro. + * Macro USE_UNSHRINK is no longer defined, as it's now the default. + + -- Santiago Vila <sanvila@debian.org> Tue, 1 Mar 2005 15:33:54 +0100 + +unzip (5.51-2) unstable; urgency=low + + * Added unshrinking support (Closes: #252563). + + -- Santiago Vila <sanvila@debian.org> Sun, 6 Jun 2004 17:57:46 +0200 + +unzip (5.51-1) unstable; urgency=low + + * New upstream release, improves error message when a zipfile is not + readable (Closes: #139331). + * Added a newline character to the CannotOpenZipfile string for the + previous fix to be really complete. + + -- Santiago Vila <sanvila@debian.org> Tue, 25 May 2004 14:38:26 +0200 + +unzip (5.50-4) unstable; urgency=low + + * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based + systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD. + + -- Santiago Vila <sanvila@debian.org> Sun, 16 Nov 2003 14:45:28 +0100 + +unzip (5.50-3) unstable; urgency=high + + * Fixed "unzip directory traversal revisited" again (Bug #206439). + There was still a missing case that the previous patch didn't catch. + Patch borrowed from unzip-5.50-33.src.rpm. + * For reference, this is (still) CAN-2003-0282. + + -- Santiago Vila <sanvila@debian.org> Wed, 20 Aug 2003 23:00:42 +0200 + +unzip (5.50-2) unstable; urgency=high + + * Fixed "unzip directory traversal revisited" problem (Bug #199648). + A filename containing ".somenonprintablechar." will not unpack + into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm. + * For reference, this is CAN-2003-0282. + * No more doc symlinks. + + -- Santiago Vila <sanvila@debian.org> Mon, 7 Jul 2003 20:25:20 +0200 + +unzip (5.50-1) unstable; urgency=low + + * New upstream release. + * Moved from non-US/main to main. Section: utils. + + -- Santiago Vila <sanvila@debian.org> Sun, 24 Mar 2002 15:54:12 +0100 + +unzip (5.42-3) unstable; urgency=low + + * Added support for DEB_BUILD_OPTIONS. 
+ + -- Santiago Vila <sanvila@debian.org> Sun, 11 Nov 2001 16:25:00 +0100 + +unzip (5.42-2) unstable; urgency=low + + * Applied a patch from Marcus Brinkmann: + - Closes: #99699: unzip does not build on the Hurd. + - Modified debian/rules to support cross-compilation. + + -- Santiago Vila <sanvila@debian.org> Wed, 6 Jun 2001 16:40:14 +0200 + +unzip (5.42-1) unstable; urgency=low + + * New upstream release. + * Changed to Section: non-US. + * Removed "packaged for Debian" from extended description. + + -- Santiago Vila <sanvila@debian.org> Thu, 10 May 2001 16:47:41 +0200 + +unzip (5.41-1) unstable; urgency=low + + * New upstream release, featuring a new BSD-like license and built-in + encryption support. Moved to non-US/main. + * Copyright file now generated from LICENSE file. + * Versioned Conflicts and Replaces. + * Standards-Version: 3.1.1 + + -- Santiago Vila <sanvila@debian.org> Fri, 18 Aug 2000 19:03:59 +0200 + +unzip (5.40-1) unstable; urgency=low + + * New upstream release. + * Removed `email-from-greg'. + * Fixed URL location in copyright file. + * Enabled -F option, as suggested by James Aylett. + + -- Santiago Vila <sanvila@ctv.es> Fri, 22 Oct 1999 10:30:49 +0200 + +unzip (5.32-1) unstable; urgency=low + + * New upstream release, using pristine source. + + -- Santiago Vila <sanvila@ctv.es> Tue, 4 Nov 1997 14:19:20 +0100 + +unzip (5.31-2) unstable; urgency=low + + * Removed debstd dependency. + + -- Santiago Vila <sanvila@ctv.es> Fri, 17 Oct 1997 17:22:22 +0200 + +unzip (5.31-1) unstable; urgency=low + + * `copyright' file is generated from COPYING automatically. + * Distribution unstable, Section non-free. + * Conflicts and Replaces "unzip-crypt". + * New upstream release. + * First libc6 release. + * Added md5sums. + + -- Santiago Vila <sanvila@ctv.es> Fri, 12 Sep 1997 19:16:59 +0200 + +unzip (5.20-3) unstable; urgency=low + + * Changed priority from `extra' to `optional'. + * Changed section from `misc' to `utils'. 
+ * Simplified debian/rules a little bit. No debstd yet. + * Copied `History.520' as is. Added the symlink changelog -> History.520. + * Added ToDo and BUGS to /usr/doc/unzip. + * New maintainer. + + -- Santiago Vila <sanvila@ctv.es> Sun, 16 Feb 1997 19:29:13 +0100 + +unzip (5.20-2) unstable; urgency=low + + * zipgrep manpage is now installed through the unix/Makefile + * permissions guaranteed to be set properly for the zipgrep script + (did not work for those who compiled from the straight sources.) + * removed several superfluous commands from debian/rules. + * All changes this revision are courtesy of Santiago Vila. + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 8 Jan 1997 18:48:00 +1100 + +unzip (5.20-1) unstable; urgency=low + + * new upstream version + * modified the copyright to include 5.2's COPYING, just in case it's changed. + * minor modifications to debian/rules + * added zipgrep (from the zip package). + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 13 Nov 1996 19:35:24 +1100 + +unzip (5.12-15) unstable; urgency=low + + * received email from the upstream maintainers: unzip can now go into + the distribution proper. Yippee! :-) + * added the email in question to the copyright file. + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sat, 19 Oct 1996 18:34:21 +1000 + +unzip (5.12-14) non-free; urgency=low + + * moved to the 2.1.1.0 source format + * fixed a typo in the Maintainer field (missing the ">". Oops.) + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sun, 1 Sep 1996 07:36:16 +1000 + +unzip (5.12-13) non-free; urgency=low + + * new maintainer + * mods to make the "binary" rule portable to different platforms + * uses dpkg-name rather than manual moving + + -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Tue, 30 Jul 1996 00:00:00 +0000 + +unzip (5.12-12) non-free; urgency=low + + * initial release (used 2 to avoid confusion with old unzip) + + -- Carl Streeter <streeter@cae.wisc.edu> Tue, 5 Sep 1995 00:00:00 +0000 
diff --git a/data/unzip/debian/compat b/data/unzip/debian/compat
new file mode 100644
index 000000000..ec635144f
--- /dev/null
+++ b/data/unzip/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/data/unzip/debian/control b/data/unzip/debian/control
new file mode 100644
index 000000000..8d1ca2ffc
--- /dev/null
+++ b/data/unzip/debian/control
@@ -0,0 +1,20 @@
+Source: unzip
+Section: utils
+Priority: optional
+Maintainer: Santiago Vila <sanvila@debian.org>
+Standards-Version: 3.9.6
+Build-Depends: debhelper (>= 9), libbz2-dev
+Homepage: http://www.info-zip.org/UnZip.html
+
+Package: unzip
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Suggests: zip
+Multi-Arch: foreign
+Description: De-archiver for .zip files
+ InfoZIP's unzip program. With the exception of multi-volume archives
+ (ie, .ZIP files that are split across several disks using PKZIP's /& option),
+ this can handle any file produced either by PKZIP, or the corresponding
+ InfoZIP zip program.
+ .
+ This version supports encryption.
diff --git a/data/unzip/debian/copyright b/data/unzip/debian/copyright
new file mode 100644
index 000000000..f7172d2d6
--- /dev/null
+++ b/data/unzip/debian/copyright
@@ -0,0 +1,76 @@ +This is the Debian prepackaged version of "unzip", Info-Zip's fast, +portable, zipfile decompression utility. + +This package is currently maintained by Santiago Vila <sanvila@debian.org> +and built from sources obtained from: + +ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz + +The changes were fairly minimal, and consisted solely of adding +various debian/* files to the distribution, plus several miscellaneous +fixes as reflected in the Debian changelog. + +Copyright and license: + +This is version 2009-Jan-02 of the Info-ZIP license. +The definitive version of this document should be available at +ftp://ftp.info-zip.org/pub/infozip/license.html indefinitely and +a copy at http://www.info-zip.org/pub/infozip/license.html. + + +Copyright (c) 1990-2009 Info-ZIP. All rights reserved. + +For the purposes of this copyright and license, "Info-ZIP" is defined as +the following set of individuals: + + Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, + Jean-loup Gailly, Hunter Goatley, Ed Gordon, Ian Gorman, Chris Herborth, + Dirk Haase, Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, + David Kirschbaum, Johnny Lee, Onno van der Linden, Igor Mandrichenko, + Steve P. Miller, Sergio Monesi, Keith Owens, George Petrov, Greg Roelofs, + Kai Uwe Rommel, Steve Salisbury, Dave Smith, Steven M. Schweda, + Christian Spieler, Cosmin Truta, Antoine Verheijen, Paul von Behren, + Rich Wales, Mike White. + +This software is provided "as is," without warranty of any kind, express +or implied. In no event shall Info-ZIP or its contributors be held liable +for any direct, indirect, incidental, special or consequential damages +arising out of the use of or inability to use this software. + +Permission is granted to anyone to use this software for any purpose, +including commercial applications, and to alter it and redistribute it +freely, subject to the above disclaimer and the following restrictions: + + 1. 
Redistributions of source code (in whole or in part) must retain + the above copyright notice, definition, disclaimer, and this list + of conditions. + + 2. Redistributions in binary form (compiled executables and libraries) + must reproduce the above copyright notice, definition, disclaimer, + and this list of conditions in documentation and/or other materials + provided with the distribution. Additional documentation is not needed + for executables where a command line license option provides these and + a note regarding this option is in the executable's startup banner. The + sole exception to this condition is redistribution of a standard + UnZipSFX binary (including SFXWiz) as part of a self-extracting archive; + that is permitted without inclusion of this license, as long as the + normal SFX banner has not been removed from the binary or disabled. + + 3. Altered versions--including, but not limited to, ports to new operating + systems, existing ports with new graphical interfaces, versions with + modified or added functionality, and dynamic, shared, or static library + versions not from Info-ZIP--must be plainly marked as such and must not + be misrepresented as being the original source or, if binaries, + compiled from the original source. Such altered versions also must not + be misrepresented as being Info-ZIP releases--including, but not + limited to, labeling of the altered versions with the names "Info-ZIP" + (or any variation thereof, including, but not limited to, different + capitalizations), "Pocket UnZip," "WiZ" or "MacZip" without the + explicit permission of Info-ZIP. Such altered versions are further + prohibited from misrepresentative use of the Zip-Bugs or Info-ZIP + e-mail addresses or the Info-ZIP URL(s), such as to imply Info-ZIP + will provide support for the altered versions. + + 4. 
Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip,"
+ "UnZipSFX," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its
+ own source and binary releases.
diff --git a/data/unzip/debian/mime b/data/unzip/debian/mime
new file mode 100644
index 000000000..6df5691ee
--- /dev/null
+++ b/data/unzip/debian/mime
@@ -0,0 +1 @@
+application/zip; unzip -l %s; nametemplate=%s.zip; copiousoutput; priority=3
diff --git a/data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch b/data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch
new file mode 100644
index 000000000..2499ed9f8
--- /dev/null
+++ b/data/unzip/debian/patches/01-manpages-in-section-1-not-in-section-1l.patch
@@ -0,0 +1,295 @@ +From: Santiago Vila <sanvila@debian.org> +Subject: In Debian, manpages are in section 1, not in section 1L +X-Debian-version: 5.52-3 + +--- a/man/funzip.1 ++++ b/man/funzip.1 +@@ -20,7 +20,7 @@ + .in -4n + .. + .\" ========================================================================= +-.TH FUNZIP 1L "20 April 2009 (v3.95)" "Info-ZIP" ++.TH FUNZIP 1 "20 April 2009 (v3.95)" "Info-ZIP" + .SH NAME + funzip \- filter for extracting from a ZIP archive in a pipe + .PD +@@ -78,7 +78,7 @@ + .EE + .PP + To use \fIzip\fP and \fIfunzip\fP in place of \fIcompress\fP(1) and +-\fIzcat\fP(1) (or \fIgzip\fP(1L) and \fIgzcat\fP(1L)) for tape backups: ++\fIzcat\fP(1) (or \fIgzip\fP(1) and \fIgzcat\fP(1)) for tape backups: + .PP + .EX + tar cf \- . | zip \-7 | dd of=/dev/nrst0 obs=8k +@@ -108,8 +108,8 @@ + .PD + .\" ========================================================================= + .SH "SEE ALSO" +-\fIgzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L), \fIzip\fP(1L), +-\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) ++\fIgzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1), \fIzip\fP(1), ++\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) + .PD + .\" ========================================================================= + .SH URL +--- a/man/unzip.1 ++++ b/man/unzip.1 +@@ -20,7 +20,7 @@ + .in -4n + .. + .\" ========================================================================= +-.TH UNZIP 1L "20 April 2009 (v6.0)" "Info-ZIP" ++.TH UNZIP 1 "20 April 2009 (v6.0)" "Info-ZIP" + .SH NAME + unzip \- list, test and extract compressed files in a ZIP archive + .PD +@@ -34,7 +34,7 @@ + \fIunzip\fP will list, test, or extract files from a ZIP archive, commonly + found on MS-DOS systems. The default behavior (with no options) is to extract + into the current directory (and subdirectories below it) all files from the +-specified ZIP archive. A companion program, \fIzip\fP(1L), creates ZIP ++specified ZIP archive. 
A companion program, \fIzip\fP(1), creates ZIP + archives; both programs are compatible with archives created by PKWARE's + \fIPKZIP\fP and \fIPKUNZIP\fP for MS-DOS, but in many cases the program + options or default behaviors differ. +@@ -105,8 +105,8 @@ + list of all possible flags. The exhaustive list follows: + .TP + .B \-Z +-\fIzipinfo\fP(1L) mode. If the first option on the command line is \fB\-Z\fP, +-the remaining options are taken to be \fIzipinfo\fP(1L) options. See the ++\fIzipinfo\fP(1) mode. If the first option on the command line is \fB\-Z\fP, ++the remaining options are taken to be \fIzipinfo\fP(1) options. See the + appropriate manual page for a description of these options. + .TP + .B \-A +@@ -178,7 +178,7 @@ + compressed size and compression ratio figures are independent of the entry's + encryption status and show the correct compression performance. (The complete + size of the encrypted compressed data stream for zipfile entries is reported +-by the more verbose \fIzipinfo\fP(1L) reports, see the separate manual.) ++by the more verbose \fIzipinfo\fP(1) reports, see the separate manual.) + When no zipfile is specified (that is, the complete command is simply + ``\fCunzip \-v\fR''), a diagnostic screen is printed. In addition to + the normal header with release date and version, \fIunzip\fP lists the +@@ -379,8 +379,8 @@ + .TP + .B \-N + [Amiga] extract file comments as Amiga filenotes. File comments are created +-with the \-c option of \fIzip\fP(1L), or with the \-N option of the Amiga port +-of \fIzip\fP(1L), which stores filenotes as comments. ++with the \-c option of \fIzip\fP(1), or with the \-N option of the Amiga port ++of \fIzip\fP(1), which stores filenotes as comments. + .TP + .B \-o + overwrite existing files without prompting. 
This is a dangerous option, so +@@ -598,7 +598,7 @@ + As suggested by the examples above, the default variable names are UNZIP_OPTS + for VMS (where the symbol used to install \fIunzip\fP as a foreign command + would otherwise be confused with the environment variable), and UNZIP +-for all other operating systems. For compatibility with \fIzip\fP(1L), ++for all other operating systems. For compatibility with \fIzip\fP(1), + UNZIPOPT is also accepted (don't ask). If both UNZIP and UNZIPOPT + are defined, however, UNZIP takes precedence. \fIunzip\fP's diagnostic + option (\fB\-v\fP with no zipfile name) can be used to check the values +@@ -648,8 +648,8 @@ + a password is not known, entering a null password (that is, just a carriage + return or ``Enter'') is taken as a signal to skip all further prompting. + Only unencrypted files in the archive(s) will thereafter be extracted. (In +-fact, that's not quite true; older versions of \fIzip\fP(1L) and +-\fIzipcloak\fP(1L) allowed null passwords, so \fIunzip\fP checks each encrypted ++fact, that's not quite true; older versions of \fIzip\fP(1) and ++\fIzipcloak\fP(1) allowed null passwords, so \fIunzip\fP checks each encrypted + file to see if the null password works. This may result in ``false positives'' + and extraction errors, as noted above.) + .PP +@@ -943,8 +943,8 @@ + .PD + .\" ========================================================================= + .SH "SEE ALSO" +-\fIfunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipgrep\fP(1L), +-\fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) ++\fIfunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1), \fIzipgrep\fP(1), ++\fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) + .PD + .\" ========================================================================= + .SH URL +--- a/man/unzipsfx.1 ++++ b/man/unzipsfx.1 +@@ -20,7 +20,7 @@ + .in -4n + .. 
+ .\" ========================================================================= +-.TH UNZIPSFX 1L "20 April 2009 (v6.0)" "Info-ZIP" ++.TH UNZIPSFX 1 "20 April 2009 (v6.0)" "Info-ZIP" + .SH NAME + unzipsfx \- self-extracting stub for prepending to ZIP archives + .PD +@@ -30,7 +30,7 @@ + .PD + .\" ========================================================================= + .SH DESCRIPTION +-\fIunzipsfx\fP is a modified version of \fIunzip\fP(1L) designed to be ++\fIunzipsfx\fP is a modified version of \fIunzip\fP(1) designed to be + prepended to existing ZIP archives in order to form self-extracting archives. + Instead of taking its first non-flag argument to be the zipfile(s) to be + extracted, \fIunzipsfx\fP seeks itself under the name by which it was invoked +@@ -109,7 +109,7 @@ + .PD + .\" ========================================================================= + .SH OPTIONS +-\fIunzipsfx\fP supports the following \fIunzip\fP(1L) options: \fB\-c\fP ++\fIunzipsfx\fP supports the following \fIunzip\fP(1) options: \fB\-c\fP + and \fB\-p\fP (extract to standard output/screen), \fB\-f\fP and \fB\-u\fP + (freshen and update existing files upon extraction), \fB\-t\fP (test + archive) and \fB\-z\fP (print archive comment). All normal listing options +@@ -118,11 +118,11 @@ + those creating self-extracting archives may wish to include a short listing + in the zipfile comment. + .PP +-See \fIunzip\fP(1L) for a more complete description of these options. ++See \fIunzip\fP(1) for a more complete description of these options. 
+ .PD + .\" ========================================================================= + .SH MODIFIERS +-\fIunzipsfx\fP currently supports all \fIunzip\fP(1L) modifiers: \fB\-a\fP ++\fIunzipsfx\fP currently supports all \fIunzip\fP(1) modifiers: \fB\-a\fP + (convert text files), \fB\-n\fP (never overwrite), \fB\-o\fP (overwrite + without prompting), \fB\-q\fP (operate quietly), \fB\-C\fP (match names + case-insensitively), \fB\-L\fP (convert uppercase-OS names to lowercase), +@@ -137,18 +137,18 @@ + of course continue to be supported since the zipfile format implies ASCII + storage of text files.) + .PP +-See \fIunzip\fP(1L) for a more complete description of these modifiers. ++See \fIunzip\fP(1) for a more complete description of these modifiers. + .PD + .\" ========================================================================= + .SH "ENVIRONMENT OPTIONS" +-\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1L) does, ++\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1) does, + although this is likely to be an issue only for the person creating and +-testing the self-extracting archive. See \fIunzip\fP(1L) for details. ++testing the self-extracting archive. See \fIunzip\fP(1) for details. + .PD + .\" ========================================================================= + .SH DECRYPTION +-Decryption is supported exactly as in \fIunzip\fP(1L); that is, interactively +-with a non-echoing prompt for the password(s). See \fIunzip\fP(1L) for ++Decryption is supported exactly as in \fIunzip\fP(1); that is, interactively ++with a non-echoing prompt for the password(s). See \fIunzip\fP(1) for + details. Once again, note that if the archive has no encrypted files there + is no reason to use a version of \fIunzipsfx\fP with decryption support; + that only adds to the size of the archive. +@@ -286,7 +286,7 @@ + from anywhere in the user's path. The situation is not known for AmigaDOS, + Atari TOS, MacOS, etc. 
+ .PP +-As noted above, a number of the normal \fIunzip\fP(1L) functions have ++As noted above, a number of the normal \fIunzip\fP(1) functions have + been removed in order to make \fIunzipsfx\fP smaller: usage and diagnostic + info, listing functions and extraction to other directories. Also, only + stored and deflated files are supported. The latter limitation is mainly +@@ -303,17 +303,17 @@ + defined as a ``debug hunk.'') There may be compatibility problems between + the ROM levels of older Amigas and newer ones. + .PP +-All current bugs in \fIunzip\fP(1L) exist in \fIunzipsfx\fP as well. ++All current bugs in \fIunzip\fP(1) exist in \fIunzipsfx\fP as well. + .PD + .\" ========================================================================= + .SH DIAGNOSTICS + \fIunzipsfx\fP's exit status (error level) is identical to that of +-\fIunzip\fP(1L); see the corresponding man page. ++\fIunzip\fP(1); see the corresponding man page. + .PD + .\" ========================================================================= + .SH "SEE ALSO" +-\fIfunzip\fP(1L), \fIunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L), +-\fIzipgrep\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) ++\fIfunzip\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1), ++\fIzipgrep\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) + .PD + .PD + .\" ========================================================================= +@@ -330,7 +330,7 @@ + .\" ========================================================================= + .SH AUTHORS + Greg Roelofs was responsible for the basic modifications to UnZip necessary +-to create UnZipSFX. See \fIunzip\fP(1L) for the current list of Zip-Bugs ++to create UnZipSFX. See \fIunzip\fP(1) for the current list of Zip-Bugs + authors, or the file CONTRIBS in the UnZip source distribution for the + full list of Info-ZIP contributors. + .PD +--- a/man/zipgrep.1 ++++ b/man/zipgrep.1 +@@ -8,7 +8,7 @@ + .\" zipgrep.1 by Greg Roelofs. 
+ .\" + .\" ========================================================================= +-.TH ZIPGREP 1L "20 April 2009" "Info-ZIP" ++.TH ZIPGREP 1 "20 April 2009" "Info-ZIP" + .SH NAME + zipgrep \- search files in a ZIP archive for lines matching a pattern + .PD +@@ -21,7 +21,7 @@ + .SH DESCRIPTION + \fIzipgrep\fP will search files within a ZIP archive for lines matching + the given string or pattern. \fIzipgrep\fP is a shell script and requires +-\fIegrep\fP(1) and \fIunzip\fP(1L) to function. Its output is identical to ++\fIegrep\fP(1) and \fIunzip\fP(1) to function. Its output is identical to + that of \fIegrep\fP(1). + .PD + .\" ========================================================================= +@@ -69,8 +69,8 @@ + .PD + .\" ========================================================================= + .SH "SEE ALSO" +-\fIegrep\fP(1), \fIunzip\fP(1L), \fIzip\fP(1L), \fIfunzip\fP(1L), +-\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) ++\fIegrep\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIfunzip\fP(1), ++\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) + .PD + .\" ========================================================================= + .SH URL +--- a/man/zipinfo.1 ++++ b/man/zipinfo.1 +@@ -34,7 +34,7 @@ + .in -4n + .. + .\" ========================================================================= +-.TH ZIPINFO 1L "20 April 2009 (v3.0)" "Info-ZIP" ++.TH ZIPINFO 1 "20 April 2009 (v3.0)" "Info-ZIP" + .SH NAME + zipinfo \- list detailed information about a ZIP archive + .PD +@@ -272,7 +272,7 @@ + Note that because of limitations in the MS-DOS format used to store file + times, the seconds field is always rounded to the nearest even second. + For Unix files this is expected to change in the next major releases of +-\fIzip\fP(1L) and \fIunzip\fP. ++\fIzip\fP(1) and \fIunzip\fP. 
+ .PP + In addition to individual file information, a default zipfile listing + also includes header and trailer lines: +@@ -361,7 +361,7 @@ + As suggested above, the default variable names are ZIPINFO_OPTS for VMS + (where the symbol used to install \fIzipinfo\fP as a foreign command + would otherwise be confused with the environment variable), and ZIPINFO +-for all other operating systems. For compatibility with \fIzip\fP(1L), ++for all other operating systems. For compatibility with \fIzip\fP(1), + ZIPINFOOPT is also accepted (don't ask). If both ZIPINFO and ZIPINFOOPT + are defined, however, ZIPINFO takes precedence. \fIunzip\fP's diagnostic + option (\fB\-v\fP with no zipfile name) can be used to check the values +@@ -496,8 +496,8 @@ + .PP + .\" ========================================================================= + .SH "SEE ALSO" +-\fIls\fP(1), \fIfunzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L), +-\fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) ++\fIls\fP(1), \fIfunzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1), ++\fIzip\fP(1), \fIzipcloak\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) + .PD + .\" ========================================================================= + .SH URL diff --git a/data/unzip/debian/patches/02-this-is-debian-unzip.patch b/data/unzip/debian/patches/02-this-is-debian-unzip.patch new file mode 100644 index 000000000..7f0465120 --- /dev/null +++ b/data/unzip/debian/patches/02-this-is-debian-unzip.patch 
@@ -0,0 +1,16 @@ +From: Santiago Vila <sanvila@debian.org> +Subject: "Branding patch": UnZip by Debian. Original by Info-ZIP. +X-Debian-version: 5.52-5 + +--- a/unzip.c ++++ b/unzip.c +@@ -570,8 +570,7 @@ + #else /* !VMS */ + # ifdef COPYRIGHT_CLEAN + static ZCONST char Far UnzipUsageLine1[] = "\ +-UnZip %d.%d%d%s of %s, by Info-ZIP. Maintained by C. Spieler. Send\n\ +-bug reports using http://www.info-zip.org/zip-bug.html; see README for details.\ ++UnZip %d.%d%d%s of %s, by Debian. Original by Info-ZIP.\ + \n\n"; + # else + static ZCONST char Far UnzipUsageLine1[] = "\ diff --git a/data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch b/data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch new file mode 100644 index 000000000..6f06191ff --- /dev/null +++ b/data/unzip/debian/patches/03-include-unistd-for-kfreebsd.patch @@ -0,0 +1,15 @@ +From: Aurelien Jarno <aurel32@debian.org> +Subject: #include <unistd.h> for kFreeBSD +Bug-Debian: https://bugs.debian.org/340693 +X-Debian-version: 5.52-8 + +--- a/unix/unxcfg.h ++++ b/unix/unxcfg.h +@@ -52,6 +52,7 @@ + + #include <sys/types.h> /* off_t, time_t, dev_t, ... */ + #include <sys/stat.h> ++#include <unistd.h> + + #ifdef NO_OFF_T + typedef long zoff_t; diff --git a/data/unzip/debian/patches/04-handle-pkware-verification-bit.patch b/data/unzip/debian/patches/04-handle-pkware-verification-bit.patch new file mode 100644 index 000000000..6bda15a56 --- /dev/null +++ b/data/unzip/debian/patches/04-handle-pkware-verification-bit.patch 
@@ -0,0 +1,21 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Handle the PKWare verification bit of internal attributes +Bug-Debian: https://bugs.debian.org/630078 +X-Debian-version: 6.0-5 + +--- a/process.c ++++ b/process.c +@@ -1729,6 +1729,13 @@ + else if (uO.L_flag > 1) /* let -LL force lower case for all names */ + G.pInfo->lcflag = 1; + ++ /* Handle the PKWare verification bit, bit 2 (0x0004) of internal ++ attributes. If this is set, then a verification checksum is in the ++ first 3 bytes of the external attributes. In this case all we can use ++ for setting file attributes is the last external attributes byte. */ ++ if (G.crec.internal_file_attributes & 0x0004) ++ G.crec.external_file_attributes &= (ulg)0xff; ++ + /* do Amigas (AMIGA_) also have volume labels? */ + if (IS_VOLID(G.crec.external_file_attributes) && + (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ || diff --git a/data/unzip/debian/patches/05-fix-uid-gid-handling.patch b/data/unzip/debian/patches/05-fix-uid-gid-handling.patch new file mode 100644 index 000000000..ee9b3ddc6 --- /dev/null +++ b/data/unzip/debian/patches/05-fix-uid-gid-handling.patch @@ -0,0 +1,29 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Restore uid and gid information when requested +Bug-Debian: https://bugs.debian.org/689212 +X-Debian-version: 6.0-8 + +--- a/process.c ++++ b/process.c +@@ -2904,7 +2904,7 @@ + #ifdef IZ_HAVE_UXUIDGID + if (eb_len >= EB_UX3_MINLEN + && z_uidgid != NULL +- && (*((EB_HEADSIZE + 0) + ef_buf) == 1) ++ && (*((EB_HEADSIZE + 0) + ef_buf) == 1)) + /* only know about version 1 */ + { + uch uid_size; +@@ -2916,10 +2916,10 @@ + flags &= ~0x0ff; /* ignore any previous UNIX field */ + + if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, +- uid_size, z_uidgid[0]) ++ uid_size, &z_uidgid[0]) + && + read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf, +- gid_size, z_uidgid[1]) ) ++ gid_size, &z_uidgid[1]) ) + { + flags |= EB_UX2_VALID; /* signal success */ + } 
diff --git a/data/unzip/debian/patches/06-initialize-the-symlink-flag.patch b/data/unzip/debian/patches/06-initialize-the-symlink-flag.patch new file mode 100644 index 000000000..11fa0d9f9 --- /dev/null +++ b/data/unzip/debian/patches/06-initialize-the-symlink-flag.patch @@ -0,0 +1,20 @@ +From: Andreas Schwab <schwab@linux-m68k.org> +Subject: Initialize the symlink flag +Bug-Debian: https://bugs.debian.org/717029 +X-Debian-version: 6.0-10 + +--- a/process.c ++++ b/process.c +@@ -1758,6 +1758,12 @@ + = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11); + #endif + ++#ifdef SYMLINKS ++ /* Initialize the symlink flag, may be set by the platform-specific ++ mapattr function. */ ++ G.pInfo->symlink = 0; ++#endif ++ + return PK_COOL; + + } /* end function process_cdir_file_hdr() */ diff --git a/data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch b/data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch new file mode 100644 index 000000000..e2d8926f2 --- /dev/null +++ b/data/unzip/debian/patches/07-increase-size-of-cfactorstr.patch @@ -0,0 +1,16 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Increase size of cfactorstr array to avoid buffer overflow +Bug-Debian: https://bugs.debian.org/741384 +X-Debian-version: 6.0-11 + +--- a/list.c ++++ b/list.c +@@ -97,7 +97,7 @@ + { + int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL; + #ifndef WINDLL +- char sgn, cfactorstr[10]; ++ char sgn, cfactorstr[12]; + int longhdr=(uO.vflag>1); + #endif + int date_format; diff --git a/data/unzip/debian/patches/08-allow-greater-hostver-values.patch b/data/unzip/debian/patches/08-allow-greater-hostver-values.patch new file mode 100644 index 000000000..3460787b8 --- /dev/null +++ b/data/unzip/debian/patches/08-allow-greater-hostver-values.patch 
@@ -0,0 +1,14 @@ +From: Santiago Vila <sanvila@debian.org> +Subject: zipinfo.c: Do not crash when hostver byte is >= 100 + +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -2114,7 +2114,7 @@ + else + attribs[9] = (xattr & UNX_ISVTX)? 'T' : '-'; /* T==undefined */ + +- sprintf(&attribs[12], "%u.%u", hostver/10, hostver%10); ++ sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10); + break; + + } /* end switch (hostnum: external attributes format) */ diff --git a/data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch b/data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch new file mode 100644 index 000000000..3b49472e1 --- /dev/null +++ b/data/unzip/debian/patches/09-cve-2014-8139-crc-overflow.patch 
@@ -0,0 +1,53 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow +Bug-Debian: https://bugs.debian.org/773722 + +--- a/extract.c ++++ b/extract.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -298,6 +298,8 @@ + #ifndef SFX + static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; ++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ ++ EF block length (%u bytes) invalid (< %d)\n"; + static ZCONST char Far InvalidComprDataEAs[] = + " invalid compressed data for EAs\n"; + # if (defined(WIN32) && defined(NTSD_EAS)) +@@ -2023,7 +2025,8 @@ + ebID = makeword(ef); + ebLen = (unsigned)makeword(ef+EB_LEN); + +- if (ebLen > (ef_len - EB_HEADSIZE)) { ++ if (ebLen > (ef_len - EB_HEADSIZE)) ++ { + /* Discovered some extra field inconsistency! */ + if (uO.qflag) + Info(slide, 1, ((char *)slide, "%-22s ", +@@ -2158,11 +2161,19 @@ + } + break; + case EF_PKVMS: +- if (makelong(ef+EB_HEADSIZE) != ++ if (ebLen < 4) ++ { ++ Info(slide, 1, ++ ((char *)slide, LoadFarString(TooSmallEBlength), ++ ebLen, 4)); ++ } ++ else if (makelong(ef+EB_HEADSIZE) != + crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), + (extent)(ebLen-4))) ++ { + Info(slide, 1, ((char *)slide, + LoadFarString(BadCRC_EAs))); ++ } + break; + case EF_PKW32: + case EF_PKUNIX: diff --git a/data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch b/data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch new file mode 100644 index 000000000..ad74239eb --- /dev/null +++ b/data/unzip/debian/patches/10-cve-2014-8140-test-compr-eb.patch 
@@ -0,0 +1,27 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() +Bug-Debian: https://bugs.debian.org/773722 + +--- a/extract.c ++++ b/extract.c +@@ -2232,10 +2232,17 @@ + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ + ++ /* Return no/bad-data error status if any problem is found: ++ * 1. eb_size is too small to hold the uncompressed size ++ * (eb_ucsize). (Else extract eb_ucsize.) ++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. ++ * 3. eb_ucsize is positive, but eb_size is too small to hold ++ * the compressed data header. ++ */ + if ((eb_size < (EB_UCSIZE_P + 4)) || +- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && +- eb_size <= (compr_offset + EB_CMPRHEADLEN))) +- return IZ_EF_TRUNC; /* no compressed data! */ ++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || ++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) ++ return IZ_EF_TRUNC; /* no/bad compressed data! */ + + if ( + #ifdef INT_16BIT diff --git a/data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch b/data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch new file mode 100644 index 000000000..6097966c2 --- /dev/null +++ b/data/unzip/debian/patches/11-cve-2014-8141-getzip64data.patch 
@@ -0,0 +1,137 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() +Bug-Debian: https://bugs.debian.org/773722 + +--- a/fileio.c ++++ b/fileio.c +@@ -176,6 +176,8 @@ + #endif + static ZCONST char Far ExtraFieldTooLong[] = + "warning: extra field too long (%d). Ignoring...\n"; ++static ZCONST char Far ExtraFieldCorrupt[] = ++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; + + #ifdef WINDLL + static ZCONST char Far DiskFullQuery[] = +@@ -2295,7 +2297,12 @@ + if (readbuf(__G__ (char *)G.extra_field, length) == 0) + return PK_EOF; + /* Looks like here is where extra fields are read */ +- getZip64Data(__G__ G.extra_field, length); ++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) ++ { ++ Info(slide, 0x401, ((char *)slide, ++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); ++ error = PK_WARN; ++ } + #ifdef UNICODE_SUPPORT + G.unipath_filename = NULL; + if (G.UzO.U_flag < 2) { +--- a/process.c ++++ b/process.c +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. ++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. + + See the accompanying file LICENSE, version 2009-Jan-02 or later + (the contents of which are also included in unzip.h) for terms of use. +@@ -1901,48 +1901,82 @@ + and a 4-byte version of disk start number. + Sets both local header and central header fields. Not terribly clever, + but it means that this procedure is only called in one place. ++ ++ 2014-12-05 SMS. ++ Added checks to ensure that enough data are available before calling ++ makeint64() or makelong(). Replaced various sizeof() values with ++ simple ("4" or "8") constants. (The Zip64 structures do not depend ++ on our variable sizes.) Error handling is crude, but we should now ++ stay within the buffer. 
+ ---------------------------------------------------------------------------*/ + ++#define Z64FLGS 0xffff ++#define Z64FLGL 0xffffffff ++ + if (ef_len == 0 || ef_buf == NULL) + return PK_COOL; + + Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", + ef_len)); + +- while (ef_len >= EB_HEADSIZE) { ++ while (ef_len >= EB_HEADSIZE) ++ { + eb_id = makeword(EB_ID + ef_buf); + eb_len = makeword(EB_LEN + ef_buf); + +- if (eb_len > (ef_len - EB_HEADSIZE)) { +- /* discovered some extra field inconsistency! */ ++ if (eb_len > (ef_len - EB_HEADSIZE)) ++ { ++ /* Extra block length exceeds remaining extra field length. */ + Trace((stderr, + "getZip64Data: block length %u > rest ef_size %u\n", eb_len, + ef_len - EB_HEADSIZE)); + break; + } +- if (eb_id == EF_PKSZ64) { +- ++ if (eb_id == EF_PKSZ64) ++ { + int offset = EB_HEADSIZE; + +- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ +- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.ucsize); ++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ +- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.csize); ++ ++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ ++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); ++ offset += 8; + } +- if (G.crec.relative_offset_local_header == 0xffffffff){ ++ ++ if (G.crec.relative_offset_local_header == Z64FLGL) ++ { ++ if (offset+ 8 > ef_len) ++ return PK_ERR; ++ + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); +- offset += sizeof(G.crec.relative_offset_local_header); ++ offset += 8; + } +- if (G.crec.disk_number_start == 0xffff){ ++ ++ if (G.crec.disk_number_start == 
Z64FLGS) ++ { ++ if (offset+ 4 > ef_len) ++ return PK_ERR; ++ + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); +- offset += sizeof(G.crec.disk_number_start); ++ offset += 4; + } ++#if 0 ++ break; /* Expect only one EF_PKSZ64 block. */ ++#endif /* 0 */ + } + +- /* Skip this extra field block */ ++ /* Skip this extra field block. */ + ef_buf += (eb_len + EB_HEADSIZE); + ef_len -= (eb_len + EB_HEADSIZE); + } diff --git a/data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch b/data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch new file mode 100644 index 000000000..1f3838498 --- /dev/null +++ b/data/unzip/debian/patches/12-cve-2014-9636-test-compr-eb.patch 
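Review bot: The new guards `if (offset+ 8 > ef_len)` (three times) and `if (offset+ 4 > ef_len)` bound each read by the remaining extra-field length rather than by this block's own length, so a short EF_PKSZ64 block that is followed by another block is read across into its neighbour instead of being rejected; the earlier `eb_len > (ef_len - EB_HEADSIZE)` test keeps such a read inside the buffer, so this is a data-correctness gap rather than a memory-safety one. Checking against the block, `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;`, is strictly tighter and still within the buffer. The `#if 0 break; #endif` left in the EF_PKSZ64 branch is dead code; either remove it or replace it with a one-line comment saying why later blocks are still scanned. getZip64Data's signature and its local declarations lie before this hunk.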
@@ -0,0 +1,40 @@ +From: mancha <mancha1 AT zoho DOT com> +Date: Wed, 11 Feb 2015 +Subject: Info-ZIP UnZip buffer overflow +Bug-Debian: https://bugs.debian.org/776589 + +By carefully crafting a corrupt ZIP archive with "extra fields" that +purport to have compressed blocks larger than the corresponding +uncompressed blocks in STORED no-compression mode, an attacker can +trigger a heap overflow that can result in application crash or +possibly have other unspecified impact. + +This patch ensures that when extra fields use STORED mode, the +"compressed" and uncompressed block sizes match. + +--- a/extract.c ++++ b/extract.c +@@ -2228,6 +2228,7 @@ + ulg eb_ucsize; + uch *eb_ucptr; + int r; ++ ush eb_compr_method; + + if (compr_offset < 4) /* field is not compressed: */ + return PK_OK; /* do nothing and signal OK */ +@@ -2244,6 +2245,15 @@ + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) + return IZ_EF_TRUNC; /* no/bad compressed data! */ + ++ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS. ++ * For STORE method, compressed and uncompressed sizes must agree. ++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 ++ */ ++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset)); ++ if ((eb_compr_method == STORED) && ++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)) ++ return PK_ERR; ++ + if ( + #ifdef INT_16BIT + (((ulg)(extent)eb_ucsize) != eb_ucsize) || diff --git a/data/unzip/debian/patches/13-remove-build-date.patch b/data/unzip/debian/patches/13-remove-build-date.patch new file mode 100644 index 000000000..bb60533cb --- /dev/null +++ b/data/unzip/debian/patches/13-remove-build-date.patch 
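Review bot: The STORED consistency test `eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize` adds two small offsets to an attacker-supplied `eb_ucsize` (read by makelong into a ulg); on a build where ulg is 32 bits the sum can wrap and match a small `eb_size`, so the check passes for a size it never examined. Since the preceding test already rejects `eb_ucsize == 0L` and `eb_size <= compr_offset + EB_CMPRHEADLEN`, the subtraction form cannot wrap: `if ((eb_compr_method == STORED) && (eb_ucsize != eb_size - (compr_offset + EB_CMPRHEADLEN))) return PK_ERR;`. Whether the INT_16BIT branch that follows would catch a wrapped value I cannot tell from here; test_compr_eb's body continues past the hunk.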
@@ -0,0 +1,17 @@ +From: Jérémy Bobbio <lunar@debian.org> +Subject: Remove build date +Bug-Debian: https://bugs.debian.org/782851 + In order to make unzip build reproducibly, we remove the + (already optional) build date from the binary. + +--- a/unix/unix.c ++++ b/unix/unix.c +@@ -1705,7 +1705,7 @@ + #endif /* Sun */ + #endif /* SGI */ + +-#ifdef __DATE__ ++#if 0 + " on ", __DATE__ + #else + "", "" diff --git a/data/unzip/debian/patches/14-cve-2015-7696.patch b/data/unzip/debian/patches/14-cve-2015-7696.patch new file mode 100644 index 000000000..91482dae0 --- /dev/null +++ b/data/unzip/debian/patches/14-cve-2015-7696.patch @@ -0,0 +1,33 @@ +From: Petr Stodulka <pstodulk@redhat.com> +Date: Mon, 14 Sep 2015 18:23:17 +0200 +Subject: Upstream fix for heap overflow +Bug-Debian: https://bugs.debian.org/802162 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 +Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002 +Forwarded: yes + +--- + crypt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/crypt.c ++++ b/crypt.c +@@ -465,7 +465,17 @@ + GLOBAL(pInfo->encrypted) = FALSE; + defer_leftover_input(__G); + for (n = 0; n < RAND_HEAD_LEN; n++) { +- b = NEXTBYTE; ++ /* 2012-11-23 SMS. (OUSPG report.) ++ * Quit early if compressed size < HEAD_LEN. The resulting ++ * error message ("unable to get password") could be improved, ++ * but it's better than trying to read nonexistent data, and ++ * then continuing with a negative G.csize. (See ++ * fileio.c:readbyte()). ++ */ ++ if ((b = NEXTBYTE) == (ush)EOF) ++ { ++ return PK_ERR; ++ } + h[n] = (uch)b; + Trace((stdout, " (%02x)", h[n])); + } diff --git a/data/unzip/debian/patches/15-cve-2015-7697.patch b/data/unzip/debian/patches/15-cve-2015-7697.patch new file mode 100644 index 000000000..782431090 --- /dev/null +++ b/data/unzip/debian/patches/15-cve-2015-7697.patch 
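Review bot: `if ((b = NEXTBYTE) == (ush)EOF)` only catches end of input if `b` is an unsigned short, so that the int EOF stored in it becomes 0xffff; `b`'s declaration is outside the hunk, and if it is an int the cast makes the comparison never true and the unguarded read returns. A form that does not depend on b's width is `int c = NEXTBYTE; if (c == EOF) { return PK_ERR; } b = (ush)c;`. The early return also leaves the `defer_leftover_input(__G)` call two lines above without whatever matching undefer the function's normal exit (outside the hunk) performs; if there is one, the error path should do the same. decrypt's body continues beyond the hunk.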
@@ -0,0 +1,26 @@ +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 14 Sep 2015 18:24:56 +0200 +Subject: fix infinite loop when extracting empty bzip2 data +Bug-Debian: https://bugs.debian.org/802160 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 +Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339 + +--- + extract.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/extract.c ++++ b/extract.c +@@ -2729,6 +2729,12 @@ + int repeated_buf_err; + bz_stream bstrm; + ++ if (G.incnt <= 0 && G.csize <= 0L) { ++ /* avoid an infinite loop */ ++ Trace((stderr, "UZbunzip2() got empty input\n")); ++ return 2; ++ } ++ + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) + if (G.redirect_slide) + wsize = G.redirect_size, redirSlide = G.redirect_buffer; diff --git a/data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch b/data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch new file mode 100644 index 000000000..45afbdd68 --- /dev/null +++ b/data/unzip/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch 
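Review bot: `return 2;` in the new guard is a bare number where the rest of UZbunzip2 (outside this hunk) presumably returns named status codes; use the same identifier, or at least say what 2 means at the call site, e.g. `return 2; /* data error: no input to decompress */` if that is its meaning. Trace output is typically absent from release builds, so such a comment would be the only explanation a reader sees. The enclosing function begins before the hunk.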
@@ -0,0 +1,32 @@
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 22 Sep 2015 18:52:23 +0200
+Subject: [PATCH] extract: prevent unsigned overflow on invalid input
+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
+
+Suggested-by: Stefan Cornelius
+---
+ extract.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/extract.c
++++ b/extract.c
+@@ -1257,8 +1257,17 @@
+ if (G.lrec.compression_method == STORED) {
+ zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted < 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+ csiz_decrypted -= 12;
++ }
+ if (G.lrec.ucsize != csiz_decrypted) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall2(WrnStorUCSizCSizDiff),
diff --git a/data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch b/data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch
new file mode 100644
index 000000000..2aa9424eb
--- /dev/null
+++ b/data/unzip/debian/patches/17-restore-unix-timestamps-accurately.patch
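Review bot: The literal `12` on the new `if (csiz_decrypted < 12)` line and on the existing `csiz_decrypted -= 12;` is the encryption-header length that 14-cve-2015-7696.patch loops over as `RAND_HEAD_LEN`; if those are the same quantity, `if (csiz_decrypted < RAND_HEAD_LEN) {` and `csiz_decrypted -= RAND_HEAD_LEN;` tie the check to its definition. The diagnostic passes `LoadFarStringSmall2(Inflate)` although this branch is the STORED path, so the message may name the wrong method — worth checking the string's wording. The enclosing function starts and ends outside the hunk.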
@@ -0,0 +1,41 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Do not ignore extra fields containing Unix Timestamps +Bug-Debian: https://bugs.debian.org/842993 +X-Debian-version: 6.0-21 + +--- a/process.c ++++ b/process.c +@@ -2914,10 +2914,13 @@ + break; + + case EF_IZUNIX2: +- if (have_new_type_eb == 0) { +- flags &= ~0x0ff; /* ignore any previous IZUNIX field */ ++ if (have_new_type_eb == 0) { /* (< 1) */ + have_new_type_eb = 1; + } ++ if (have_new_type_eb <= 1) { ++ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */ ++ flags &= 0x0ff; ++ } + #ifdef IZ_HAVE_UXUIDGID + if (have_new_type_eb > 1) + break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */ +@@ -2933,6 +2936,8 @@ + /* new 3rd generation Unix ef */ + have_new_type_eb = 2; + ++ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */ ++ flags &= 0x0ff; + /* + Version 1 byte version of this extra field, currently 1 + UIDSize 1 byte Size of UID field +@@ -2953,8 +2958,6 @@ + uid_size = *((EB_HEADSIZE + 1) + ef_buf); + gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf); + +- flags &= ~0x0ff; /* ignore any previous UNIX field */ +- + if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, + uid_size, &z_uidgid[0]) + && diff --git a/data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch b/data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch new file mode 100644 index 000000000..a5675f4fb --- /dev/null +++ b/data/unzip/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch 
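Review bot: `gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);` (a context line this patch keeps) uses a byte read from the block as an index before it is compared with `eb_len`; the only bound visible in this series is `eb_len >= EB_UX3_MINLEN` (05-fix-uid-gid-handling.patch), so a large `uid_size` byte indexes past the IZUNIX3 block, and the following `read_ux3_value` calls read uid_size and gid_size bytes from the same offsets. Unless read_ux3_value (not shown) rejects oversized sizes before they are used, guard the reads: `if ((unsigned)uid_size + 3 > eb_len) break;` before reading gid_size, and `if ((unsigned)uid_size + gid_size + 3 > eb_len) break;` before the read_ux3_value pair. The change from `flags &= ~0x0ff` to `flags &= 0x0ff` is intentional per the subject (keep timestamp bits, drop prior UID/GID) and is not re-raised. The enclosing function starts and ends outside the hunk.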
@@ -0,0 +1,29 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Fix CVE-2014-9913, buffer overflow in unzip +Bug: https://sourceforge.net/p/infozip/bugs/27/ +Bug-Debian: https://bugs.debian.org/847485 +Bug-Ubuntu: https://launchpad.net/bugs/387350 +X-Debian-version: 6.0-21 + +--- a/list.c ++++ b/list.c +@@ -339,7 +339,18 @@ + G.crec.compression_method == ENHDEFLATED) { + methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3]; + } else if (methnum >= NUM_METHODS) { +- sprintf(&methbuf[4], "%03u", G.crec.compression_method); ++ /* 2013-02-26 SMS. ++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913. ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the ++ * colon, and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method); ++ } + } + + #if 0 /* GRR/Euro: add this? */ diff --git a/data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch b/data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch new file mode 100644 index 000000000..52d07987b --- /dev/null +++ b/data/unzip/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch 
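Review bot: Both `sprintf` calls into methbuf remain unbounded and the new code reasons about the maximum width by hand (three decimal digits at offset 4, four hex digits at offset 3); as `compression_method` comes straight from the central directory, a sized write makes the bound explicit, e.g. `snprintf(&methbuf[3], sizeof(methbuf) - 3, "%04X", G.crec.compression_method);`, provided methbuf is an array in scope (its declaration is outside the hunk). The `<= 999` split then becomes formatting policy rather than the only thing standing between the input and the buffer. 19-cve-2016-9844-zipinfo-buffer-overflow.patch has the same shape in zipinfo.c and would take the same change.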
@@ -0,0 +1,28 @@ +From: "Steven M. Schweda" <sms@antinode.info> +Subject: Fix CVE-2016-9844, buffer overflow in zipinfo +Bug-Debian: https://bugs.debian.org/847486 +Bug-Ubuntu: https://launchpad.net/bugs/1643750 +X-Debian-version: 6.0-21 + +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -1921,7 +1921,18 @@ + ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3); + methbuf[3] = dtype[dnum]; + } else if (methnum >= NUM_METHODS) { /* unknown */ +- sprintf(&methbuf[1], "%03u", G.crec.compression_method); ++ /* 2016-12-05 SMS. ++ * https://launchpad.net/bugs/1643750 ++ * Unexpectedly large compression methods overflow ++ * &methbuf[]. Use the old, three-digit decimal format ++ * for values which fit. Otherwise, sacrifice the "u", ++ * and use four-digit hexadecimal. ++ */ ++ if (G.crec.compression_method <= 999) { ++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method); ++ } else { ++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method); ++ } + } + + for (k = 0; k < 15; ++k) diff --git a/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch b/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch new file mode 100644 index 000000000..10ae0302f --- /dev/null +++ b/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch 
@@ -0,0 +1,35 @@
+From: Karol Babioch <kbabioch@suse.com>
+Subject: Fix buffer overflow in password protected zip archives
+Bug-Debian: https://bugs.debian.org/889838
+Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -1582,6 +1582,10 @@
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *zfnf;
++ char *efnf;
++ size_t zfnfl;
++ int isOverflow;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,7 +1594,15 @@
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
++ zfnf = FnFilter1(zfn);
++ efnf = FnFilter2(efn);
++ zfnfl = strlen(zfnf);
++ isOverflow = TRUE;
++ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
++ {
++ isOverflow = FALSE;
++ }
++ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
+ sprintf(prompt, LoadFarString(PasswPrompt),
+ FnFilter1(zfn), FnFilter2(efn));
+ m = prompt;
diff --git a/data/unzip/debian/patches/series b/data/unzip/debian/patches/series
new file mode 100644
index 000000000..dfc7cc522
--- /dev/null
+++ b/data/unzip/debian/patches/series
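Review bot: The `sprintf(prompt, LoadFarString(PasswPrompt), FnFilter1(zfn), FnFilter2(efn));` on the last lines recomputes both filtered names although the new check just stored them in `zfnf` and `efnf`; pass those instead, and if FnFilter1/FnFilter2 write into shared scratch buffers that also avoids a second round of copying. The length test protects the `2*FILNAMSIZ + 15` allocation only if PasswPrompt's fixed text is at most 14 bytes plus the terminator, which cannot be verified from here; `snprintf(prompt, 2*FILNAMSIZ + 15, ...)` would tie the write to the allocation regardless. When `isOverflow` stays TRUE, `prompt` is left unassigned and control falls to whatever else branch follows the hunk — confirm that path does not read it.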
@@ -0,0 +1,20 @@
+01-manpages-in-section-1-not-in-section-1l.patch
+02-this-is-debian-unzip.patch
+03-include-unistd-for-kfreebsd.patch
+04-handle-pkware-verification-bit.patch
+05-fix-uid-gid-handling.patch
+06-initialize-the-symlink-flag.patch
+07-increase-size-of-cfactorstr.patch
+08-allow-greater-hostver-values.patch
+09-cve-2014-8139-crc-overflow.patch
+10-cve-2014-8140-test-compr-eb.patch
+11-cve-2014-8141-getzip64data.patch
+12-cve-2014-9636-test-compr-eb.patch
+13-remove-build-date.patch
+14-cve-2015-7696.patch
+15-cve-2015-7697.patch
+16-fix-integer-underflow-csiz-decrypted.patch
+17-restore-unix-timestamps-accurately.patch
+18-cve-2014-9913-unzip-buffer-overflow.patch
+19-cve-2016-9844-zipinfo-buffer-overflow.patch
+20-cve-2018-1000035-unzip-buffer-overflow.patch
diff --git a/data/unzip/debian/postinst b/data/unzip/debian/postinst
new file mode 100644
index 000000000..e232e2601
--- /dev/null
+++ b/data/unzip/debian/postinst
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+if [ "$1" = "configure" ] && [ -x "`which update-mime 2> /dev/null`" ]; then
+ update-mime
+fi
diff --git a/data/unzip/debian/postrm b/data/unzip/debian/postrm
new file mode 100644
index 000000000..86165e3b4
--- /dev/null
+++ b/data/unzip/debian/postrm
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+if which update-mime > /dev/null 2>&1; then
+ update-mime
+fi
diff --git a/data/unzip/debian/rules b/data/unzip/debian/rules
new file mode 100755
index 000000000..1c4a1f4f0
--- /dev/null
+++ b/data/unzip/debian/rules
@@ -0,0 +1,34 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS=hardening=-format
+
+DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+CC = $(DEB_HOST_GNU_TYPE)-gcc
+CFLAGS := `dpkg-buildflags --get CFLAGS` -Wall
+LDFLAGS := `dpkg-buildflags --get LDFLAGS`
+CPPFLAGS := `dpkg-buildflags --get CPPFLAGS`
+DEFINES = -DACORN_FTYPE_NFS -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT \
+ -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD \
+ -DDATE_FORMAT=DF_YMD -DUSE_BZIP2 -DIZ_HAVE_UXUIDGID -DNOMEMCPY \
+ -DNO_WORKING_ISPRINT
+
+%:
+ dh $@
+
+override_dh_auto_clean:
+ $(MAKE) -f unix/Makefile clean
+
+override_dh_auto_build:
+ $(MAKE) -f unix/Makefile D_USE_BZ2=-DUSE_BZIP2 L_BZ2=-lbz2 \
+ CC="$(CC)" LF2="$(LDFLAGS)" \
+ CF="$(CFLAGS) $(CPPFLAGS) -I. $(DEFINES)" unzips
+
+override_dh_auto_install:
+ $(MAKE) -f unix/Makefile install prefix=`pwd`/debian/tmp/usr
+
+override_dh_strip:
+ dh_strip
+ cd debian/unzip/usr/bin && rm -f zipinfo && ln unzip zipinfo
+
+override_dh_compress:
+ dh_compress -XBUGS -XToDo
diff --git a/data/unzip/debian/source/format b/data/unzip/debian/source/format
new file mode 100644
index 000000000..163aaf8d8
--- /dev/null
+++ b/data/unzip/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/data/unzip/debian/source/lintian-overrides b/data/unzip/debian/source/lintian-overrides
new file mode 100644
index 000000000..251a68652
--- /dev/null
+++ b/data/unzip/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# generated from copyright.in at build time
+unzip source: no-debian-copyright
diff --git a/data/unzip/debian/unzip.docs b/data/unzip/debian/unzip.docs
new file mode 100644
index 000000000..7f604e6e0
--- /dev/null
+++ b/data/unzip/debian/unzip.docs
@@ -0,0 +1,3 @@
+BUGS
+History.600
+ToDo
diff --git a/data/unzip/debian/unzip.install b/data/unzip/debian/unzip.install
new file mode 100644
index 000000000..be053882d
--- /dev/null
+++ b/data/unzip/debian/unzip.install
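Review bot: The line `export DEB_BUILD_MAINT_OPTIONS=hardening=-format` in debian/rules drops the format-string hardening flags from what dpkg-buildflags emits, and nothing records why. The likely reason is that unzip hands non-literal format strings to printf-family functions, as the `sprintf(prompt, LoadFarString(PasswPrompt), ...)` call in the patch above shows, so the build would otherwise fail under -Werror=format-security; if so, say that next to the line, e.g. `# -format: unzip passes non-literal (LoadFarString) format strings, which -Werror=format-security rejects`. Only the format feature is disabled, so the remaining hardening from dpkg-buildflags still applies through CFLAGS/LDFLAGS/CPPFLAGS; a reviewer should not have to infer that from the absence of other `-feature` entries.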
@@ -0,0 +1,2 @@
+usr/bin/*
+usr/man/* usr/share/man
diff --git a/data/unzip/debian/unzip.links b/data/unzip/debian/unzip.links
new file mode 100644
index 000000000..bac398edb
--- /dev/null
+++ b/data/unzip/debian/unzip.links
@@ -0,0 +1 @@
+usr/share/doc/unzip/History.600.gz usr/share/doc/unzip/changelog.gz
diff --git a/data/unzip/make.sh b/data/unzip/make.sh
index 57f85234b..cb67f5243 100644
--- a/data/unzip/make.sh
+++ b/data/unzip/make.sh
@@ -1,4 +1,14 @@
-pkg:setup
+pkg:extract
+cd unzip*
+for patch in $(cat ../debian/patches/series); do
+ patch -p1 < ../debian/patches/${patch}
+done
+pkg:patch
 cp unix/Makefile .
-make unzips CC=${PKG_TARG}-gcc CF='-O3 -Wall -I. -DBSD -DUNIX' LF2=
+pkg:make unzips CC=${PKG_TARG}-gcc \
+ CF='-O3 -Wall -I. -DBSD -DUNIX -DACORN_FTYPE_NFS -DWILD_STOP_AT_DIR \
+ -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE \
+ -DNO_LCHMOD -DDATE_FORMAT=DF_YMD -DUSE_BZIP2 -DIZ_HAVE_UXUIDGID ' \
+ LF2= L_BZ2=-lbz2
+
 pkg:usrbin unzip funzip unzipsfx
diff --git a/data/unzip/timestamp.diff b/data/unzip/timestamp.diff
deleted file mode 100644
index f67747fc2..000000000
--- a/data/unzip/timestamp.diff
+++ /dev/null
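Review bot: The patch loop in make.sh, `for patch in $(cat ../debian/patches/series); do patch -p1 < ../debian/patches/${patch}`, does not check whether each patch applied; unless the surrounding build harness runs with `set -e` (not visible here), a rejected hunk lets the build continue against partially patched sources, and the series is where all the CVE fixes come from. Changing the body to `patch -p1 < ../debian/patches/${patch} || exit 1` makes a failed application stop the build. The loop also splits the series file on whitespace, so any comment line or per-patch option quilt would accept in that format would be treated as a patch name; the series added in this commit has neither, but it is worth a comment noting that assumption.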
@@ -1,246 +0,0 @@ -diff -ur unzip60/consts.h unzip60+iPhone/consts.h ---- unzip60/consts.h 2002-03-23 05:52:48.000000000 -1000 -+++ unzip60+iPhone/consts.h 2018-08-06 11:35:37.000000000 -1000 -@@ -50,5 +50,5 @@ - - #ifndef SFX - ZCONST char Far Zipnfo[] = "zipinfo"; -- ZCONST char Far CompiledWith[] = "Compiled with %s%s for %s%s%s%s.\n\n"; -+ ZCONST char Far CompiledWith[] = "Compiled with %s%s for %s%s.\n\n"; - #endif -diff -ur unzip60/unix/unix.c unzip60+iPhone/unix/unix.c ---- unzip60/unix/unix.c 2009-01-23 13:31:26.000000000 -1000 -+++ unzip60+iPhone/unix/unix.c 2018-08-06 11:43:37.000000000 -1000 -@@ -1517,162 +1517,170 @@ - IZ_OS_NAME, - - #if defined(sgi) || defined(__sgi) -- " (Silicon Graphics IRIX)", -+ " (Silicon Graphics IRIX)" - #else - #ifdef sun - # ifdef sparc - # ifdef __SVR4 -- " (Sun SPARC/Solaris)", -+ " (Sun SPARC/Solaris)" - # else /* may or may not be SunOS */ -- " (Sun SPARC)", -+ " (Sun SPARC)" - # endif - # else - # if defined(sun386) || defined(i386) -- " (Sun 386i)", -+ " (Sun 386i)" - # else - # if defined(mc68020) || defined(__mc68020__) -- " (Sun 3)", -+ " (Sun 3)" - # else /* mc68010 or mc68000: Sun 2 or earlier */ -- " (Sun 2)", -+ " (Sun 2)" - # endif - # endif - # endif - #else - #ifdef __hpux -- " (HP-UX)", -+ " (HP-UX)" - #else - #ifdef __osf__ -- " (DEC OSF/1)", -+ " (DEC OSF/1)" - #else - #ifdef _AIX -- " (IBM AIX)", -+ " (IBM AIX)" - #else - #ifdef aiws -- " (IBM RT/AIX)", -+ " (IBM RT/AIX)" - #else - #if defined(CRAY) || defined(cray) - # ifdef _UNICOS -- (sprintf(os_namebuf, " (Cray UNICOS release %d)", _UNICOS), os_namebuf), -+ (sprintf(os_namebuf, " (Cray UNICOS release %d)", _UNICOS), os_namebuf) - # else -- " (Cray UNICOS)", -+ " (Cray UNICOS)" - # endif - #else - #if defined(uts) || defined(UTS) -- " (Amdahl UTS)", -+ " (Amdahl UTS)" - #else - #ifdef NeXT - # ifdef mc68000 -- " (NeXTStep/black)", -+ " (NeXTStep/black)" - # else -- " (NeXTStep for Intel)", -+ " (NeXTStep for Intel)" - # endif - #else /* the next dozen 
or so are somewhat order-dependent */ - #ifdef LINUX - # ifdef __ELF__ -- " (Linux ELF)", -+ " (Linux ELF)" - # else -- " (Linux a.out)", -+ " (Linux a.out)" - # endif - #else - #ifdef MINIX -- " (Minix)", -+ " (Minix)" - #else - #ifdef M_UNIX -- " (SCO Unix)", -+ " (SCO Unix)" - #else - #ifdef M_XENIX -- " (SCO Xenix)", -+ " (SCO Xenix)" - #else - #ifdef __NetBSD__ - # ifdef NetBSD0_8 - (sprintf(os_namebuf, " (NetBSD 0.8%c)", (char)(NetBSD0_8 - 1 + 'A')), -- os_namebuf), -+ os_namebuf) - # else - # ifdef NetBSD0_9 - (sprintf(os_namebuf, " (NetBSD 0.9%c)", (char)(NetBSD0_9 - 1 + 'A')), -- os_namebuf), -+ os_namebuf) - # else - # ifdef NetBSD1_0 - (sprintf(os_namebuf, " (NetBSD 1.0%c)", (char)(NetBSD1_0 - 1 + 'A')), -- os_namebuf), -+ os_namebuf) - # else -- (BSD4_4 == 0.5)? " (NetBSD before 0.9)" : " (NetBSD 1.1 or later)", -+ (BSD4_4 == 0.5)? " (NetBSD before 0.9)" : " (NetBSD 1.1 or later)" - # endif - # endif - # endif - #else - #ifdef __FreeBSD__ -- (BSD4_4 == 0.5)? " (FreeBSD 1.x)" : " (FreeBSD 2.0 or later)", -+ (BSD4_4 == 0.5)? " (FreeBSD 1.x)" : " (FreeBSD 2.0 or later)" - #else - #ifdef __bsdi__ -- (BSD4_4 == 0.5)? " (BSD/386 1.0)" : " (BSD/386 1.1 or later)", -+ (BSD4_4 == 0.5)? " (BSD/386 1.0)" : " (BSD/386 1.1 or later)" - #else - #ifdef __386BSD__ -- (BSD4_4 == 1)? " (386BSD, post-4.4 release)" : " (386BSD)", -+ (BSD4_4 == 1)? 
" (386BSD, post-4.4 release)" : " (386BSD)" - #else - #ifdef __CYGWIN__ -- " (Cygwin)", -+ " (Cygwin)" - #else - #if defined(i686) || defined(__i686) || defined(__i686__) -- " (Intel 686)", -+ " (Intel 686)" - #else - #if defined(i586) || defined(__i586) || defined(__i586__) -- " (Intel 586)", -+ " (Intel 586)" - #else - #if defined(i486) || defined(__i486) || defined(__i486__) -- " (Intel 486)", -+ " (Intel 486)" - #else - #if defined(i386) || defined(__i386) || defined(__i386__) -- " (Intel 386)", -+ " (Intel 386)" - #else - #ifdef pyr -- " (Pyramid)", -+ " (Pyramid)" - #else - #ifdef ultrix - # ifdef mips -- " (DEC/MIPS)", -+ " (DEC/MIPS)" - # else - # ifdef vax -- " (DEC/VAX)", -+ " (DEC/VAX)" - # else /* __alpha? */ -- " (DEC/Alpha)", -+ " (DEC/Alpha)" - # endif - # endif - #else - #ifdef gould -- " (Gould)", -+ " (Gould)" - #else - #ifdef MTS -- " (MTS)", -+ " (MTS)" - #else - #ifdef __convexc__ -- " (Convex)", -+ " (Convex)" - #else - #ifdef __QNX__ -- " (QNX 4)", -+ " (QNX 4)" - #else - #ifdef __QNXNTO__ -- " (QNX Neutrino)", -+ " (QNX Neutrino)" - #else - #ifdef Lynx -- " (LynxOS)", -+ " (LynxOS)" - #else - #ifdef __APPLE__ - # ifdef __i386__ -- " Mac OS X Intel i32", -+ " Mac OS X Intel i32" - # else - # ifdef __ppc__ -- " Mac OS X PowerPC", -+ " Mac OS X PowerPC" - # else - # ifdef __ppc64__ -- " Mac OS X PowerPC64", -+ " Mac OS X PowerPC64" - # else -- " Mac OS X", -+# ifdef __arm__ -+ " iPhoneOS ARM" -+# else -+# ifdef __arm64__ -+ " iPhoneOS ARM64" -+# else -+ " Mac OS X" -+# endif /* __arm64__ */ -+# endif /* __arm__ */ - # endif /* __ppc64__ */ - # endif /* __ppc__ */ - # endif /* __i386__ */ - #else -- "", -+ "" - #endif /* Apple */ - #endif /* Lynx */ - #endif /* QNX Neutrino */ -@@ -1704,12 +1712,6 @@ - #endif /* HP-UX */ - #endif /* Sun */ - #endif /* SGI */ -- --#ifdef __DATE__ -- " on ", __DATE__ --#else -- "", "" --#endif - ); - - (*G.message)((zvoid *)&G, slide, (ulg)strlen((char *)slide), 0); -Only in unzip60+iPhone/unix: unix.c.orig -Only 
in unzip60+iPhone/unix: unix.c.rej diff --git a/data/unzip/unzip_6.0-21+deb9u1.debian.tar.xz b/data/unzip/unzip_6.0-21+deb9u1.debian.tar.xz Binary files differnew file mode 100644 index 000000000..187a51389 --- /dev/null +++ b/data/unzip/unzip_6.0-21+deb9u1.debian.tar.xz |