[pkgsrc/trunk]: pkgsrc/archivers/unzip Add patches for CVE-2014-9913 and CVE-...

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/82aa99169c8e
branches:  trunk
changeset: 358073:82aa99169c8e
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Sat Feb 04 23:25:59 2017 +0000

description:
Add patches for CVE-2014-9913 and CVE-2016-9844.

Bump PKGREVISION.

diffstat:

 archivers/unzip/Makefile                |   4 ++--
 archivers/unzip/distinfo                |   5 +++--
 archivers/unzip/patches/patch-list.c    |  25 ++++++++++++++++++++++++-
 archivers/unzip/patches/patch-zipinfo.c |  27 +++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 5 deletions(-)

diffs (103 lines):

diff -r bc67f8edcf75 -r 82aa99169c8e archivers/unzip/Makefile
--- a/archivers/unzip/Makefile  Sat Feb 04 23:05:51 2017 +0000
+++ b/archivers/unzip/Makefile  Sat Feb 04 23:25:59 2017 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.94 2016/09/13 14:49:16 jperkin Exp $
+# $NetBSD: Makefile,v 1.95 2017/02/04 23:25:59 wiz Exp $
 
 DISTNAME=      unzip60
 PKGNAME=       unzip-6.0
-PKGREVISION=   7
+PKGREVISION=   8
 CATEGORIES=    archivers
 MASTER_SITES=  ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=  .tgz
diff -r bc67f8edcf75 -r 82aa99169c8e archivers/unzip/distinfo
--- a/archivers/unzip/distinfo  Sat Feb 04 23:05:51 2017 +0000
+++ b/archivers/unzip/distinfo  Sat Feb 04 23:25:59 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2015/11/11 12:47:26 wiz Exp $
+$NetBSD: distinfo,v 1.30 2017/02/04 23:25:59 wiz Exp $
 
 SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
@@ -9,6 +9,7 @@
 SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
 SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
-SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635
+SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961
 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613
+SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31
diff -r bc67f8edcf75 -r 82aa99169c8e archivers/unzip/patches/patch-list.c
--- a/archivers/unzip/patches/patch-list.c      Sat Feb 04 23:05:51 2017 +0000
+++ b/archivers/unzip/patches/patch-list.c      Sat Feb 04 23:25:59 2017 +0000
@@ -1,8 +1,15 @@
-$NetBSD: patch-list.c,v 1.1 2015/01/06 14:12:45 wiz Exp $
+$NetBSD: patch-list.c,v 1.2 2017/02/04 23:25:59 wiz Exp $
 
+chunk 1:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
 
+chunk 2:
+CVE-2014-9913 fix from
+https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
+via
+http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=529
+
 --- list.c.orig        2009-02-08 17:11:34.000000000 +0000
 +++ list.c
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
@@ -14,3 +21,19 @@
      static ZCONST char dtype[]="NXFS";  /* see zi_short() */
      static ZCONST char Far method[NUM_METHODS+1][8] =
          {"Stored", "Shrunk", "Reduce1", "Reduce2", "Reduce3", "Reduce4",
+@@ -339,7 +339,14 @@ int list_files(__G)    /* return PK-type
+                 G.crec.compression_method == ENHDEFLATED) {
+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+             } else if (methnum >= NUM_METHODS) {
+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++                /* Fix for CVE-2014-9913, similar to CVE-2016-9844.
++                 * Use the old decimal format only for values which fit.
++                 */
++                if (G.crec.compression_method <= 999) {
++                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++                } else {
++                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++                }
+             }
+ 
+ #if 0       /* GRR/Euro:  add this? */
diff -r bc67f8edcf75 -r 82aa99169c8e archivers/unzip/patches/patch-zipinfo.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/archivers/unzip/patches/patch-zipinfo.c   Sat Feb 04 23:25:59 2017 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-zipinfo.c,v 1.1 2017/02/04 23:25:59 wiz Exp $
+
+Fix crash in zipinfo, CVE-2016-9844.
+http://www.openwall.com/lists/oss-security/2016/12/05/19
+
+--- zipinfo.c.orig     2009-02-08 17:04:30.000000000 +0000
++++ zipinfo.c
+@@ -1921,7 +1921,18 @@ static int zi_short(__G)   /* return PK-
+         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+         methbuf[3] = dtype[dnum];
+     } else if (methnum >= NUM_METHODS) {   /* unknown */
+-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++        /* 2016-12-05 SMS.
++         * https://launchpad.net/bugs/1643750
++         * Unexpectedly large compression methods overflow
++         * &methbuf[].  Use the old, three-digit decimal format
++         * for values which fit.  Otherwise, sacrifice the "u",
++         * and use four-digit hexadecimal.
++         */
++        if (G.crec.compression_method <= 999) {
++            sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++        } else {
++            sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++        }
+     }
+ 
+     for (k = 0;  k < 15;  ++k)