CVS commit: pkgsrc/archivers/unzip

["Nia Alarie" <nia%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   nia
Date:           Mon Jul 15 14:08:03 UTC 2019

Modified Files:
        pkgsrc/archivers/unzip: Makefile distinfo
        pkgsrc/archivers/unzip/patches: patch-list.c

Log Message:
unzip: Apply a patch from CVE-2018-18384

from infozip's sourceforge / debian.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.96 pkgsrc/archivers/unzip/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/archivers/unzip/distinfo
cvs rdiff -u -r1.2 -r1.3 pkgsrc/archivers/unzip/patches/patch-list.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/archivers/unzip/Makefile
diff -u pkgsrc/archivers/unzip/Makefile:1.95 pkgsrc/archivers/unzip/Makefile:1.96
--- pkgsrc/archivers/unzip/Makefile:1.95        Sat Feb  4 23:25:59 2017
+++ pkgsrc/archivers/unzip/Makefile     Mon Jul 15 14:08:03 2019
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.95 2017/02/04 23:25:59 wiz Exp $
+# $NetBSD: Makefile,v 1.96 2019/07/15 14:08:03 nia Exp $
 
 DISTNAME=      unzip60
 PKGNAME=       unzip-6.0
-PKGREVISION=   8
+PKGREVISION=   9
 CATEGORIES=    archivers
 MASTER_SITES=  ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=  .tgz

Index: pkgsrc/archivers/unzip/distinfo
diff -u pkgsrc/archivers/unzip/distinfo:1.30 pkgsrc/archivers/unzip/distinfo:1.31
--- pkgsrc/archivers/unzip/distinfo:1.30        Sat Feb  4 23:25:59 2017
+++ pkgsrc/archivers/unzip/distinfo     Mon Jul 15 14:08:03 2019
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2017/02/04 23:25:59 wiz Exp $
+$NetBSD: distinfo,v 1.31 2019/07/15 14:08:03 nia Exp $
 
 SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
@@ -9,7 +9,7 @@ SHA1 (patch-ac) = 27b91401d4d5ecc3842c91
 SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
 SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
-SHA1 (patch-list.c) = 56ac008e42570d60d58ca84ea773819640461961
+SHA1 (patch-list.c) = 29e6dc3f5d40bb087a8bff58f75eb02568f3ad87
 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
 SHA1 (patch-unix_unxcfg.h) = b2831f38b2245dacedd4eb2eef12ee1e3cf20613
 SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31

Index: pkgsrc/archivers/unzip/patches/patch-list.c
diff -u pkgsrc/archivers/unzip/patches/patch-list.c:1.2 pkgsrc/archivers/unzip/patches/patch-list.c:1.3
--- pkgsrc/archivers/unzip/patches/patch-list.c:1.2     Sat Feb  4 23:25:59 2017
+++ pkgsrc/archivers/unzip/patches/patch-list.c Mon Jul 15 14:08:03 2019
@@ -1,10 +1,16 @@
-$NetBSD: patch-list.c,v 1.2 2017/02/04 23:25:59 wiz Exp $
+$NetBSD: patch-list.c,v 1.3 2019/07/15 14:08:03 nia Exp $
 
 chunk 1:
+CVE-2018-18384 fix from
+https://sourceforge.net/p/infozip/bugs/53/
+and
+https://sources.debian.org/patches/unzip/6.0-24/07-increase-size-of-cfactorstr.patch/
+
+chunk 2:
 Big-hammer fix for
 http://seclists.org/oss-sec/2014/q4/497
 
-chunk 2:
+chunk 3:
 CVE-2014-9913 fix from
 https://people.debian.org/~sanvila/unzip/cve-2014-9913/cve-2014-9913-unzip-buffer-overflow.txt
 via
@@ -12,6 +18,15 @@ http://www.info-zip.org/phpBB3/viewtopic
 
 --- list.c.orig        2009-02-08 17:11:34.000000000 +0000
 +++ list.c
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[12];
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
 @@ -116,7 +116,7 @@ int list_files(__G)    /* return PK-type
      ulg acl_size, tot_aclsize=0L, tot_aclfiles=0L;
  #endif