[pkgsrc/trunk]: pkgsrc/archivers/unzip unzip: Apply a patch from CVE-2018-18384

[nia <nia%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/3ea328bc1041
branches:  trunk
changeset: 336461:3ea328bc1041
user:      nia <nia%pkgsrc.org@localhost>
date:      Mon Jul 15 14:08:03 2019 +0000

description:
unzip: Apply a patch from CVE-2018-18384

from infozip's sourceforge / debian.

diffstat:

 archivers/unzip/Makefile             |   4 ++--
 archivers/unzip/distinfo             |   4 ++--
 archivers/unzip/patches/patch-list.c |  19 +++++++++++++++++--
 3 files changed, 21 insertions(+), 6 deletions(-)

diffs (70 lines):

diff -r c786190ab208 -r 3ea328bc1041 archivers/unzip/Makefile
--- a/archivers/unzip/Makefile  Mon Jul 15 13:47:32 2019 +0000
+++ b/archivers/unzip/Makefile  Mon Jul 15 14:08:03 2019 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.95 2017/02/04 23:25:59 wiz Exp $
+# $NetBSD: Makefile,v 1.96 2019/07/15 14:08:03 nia Exp $
 
 DISTNAME=      unzip60
 PKGNAME=       unzip-6.0
-PKGREVISION=   8
+PKGREVISION=   9
 CATEGORIES=    archivers
 MASTER_SITES=  ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=  .tgz
diff -r c786190ab208 -r 3ea328bc1041 archivers/unzip/distinfo
--- a/archivers/unzip/distinfo  Mon Jul 15 13:47:32 2019 +0000
+++ b/archivers/unzip/distinfo  Mon Jul 15 14:08:03 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2017/02/04 23:25:59 wiz Exp $
+$NetBSD: distinfo,v 1.31 2019/07/15 14:08:03 nia Exp $
 
 SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
@@ -9,7 +9,7 @@
 SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
 SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
-SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961
+SHA1 (patch-list.c) = 29e6dc3f5d40bb087a8bff58f75eb02568f3ad87
 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613
 SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31
diff -r c786190ab208 -r 3ea328bc1041 archivers/unzip/patches/patch-list.c
--- a/archivers/unzip/patches/patch-list.c      Mon Jul 15 13:47:32 2019 +0000
+++ b/archivers/unzip/patches/patch-list.c      Mon Jul 15 14:08:03 2019 +0000
@@ -1,10 +1,16 @@
-$NetBSD: patch-list.c,v 1.2 2017/02/04 23:25:59 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
 
 chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
 
-chunk 2:
+chunk 3:
 CVE-2014-9913 fix from
 https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
 via
@@ -12,6 +18,15 @@
 
 --- list.c.orig        2009-02-08 17:11:34.000000000 +0000
 +++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[12];
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
      ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
  #endif