pkgsrc-WIP-changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
unzip: add patches to fix some CVEs
Module Name: pkgsrc-wip
Committed By: kikadf <kikadf.01%gmail.com@localhost>
Pushed By: kikadf
Date: Sat Aug 23 17:03:08 2025 +0200
Changeset: 291897d3fc408e9618c2e8425a749dc235e4d6e3
Modified Files:
unzip/distinfo
unzip/patches/patch-ac
unzip/patches/patch-extract.c
unzip/patches/patch-fileio.c
unzip/patches/patch-globals.h
unzip/patches/patch-process.c
Added Files:
unzip/patches/patch-globals.c
unzip/patches/patch-man_unzip.1
unzip/patches/patch-unzip.c
unzip/patches/patch-unzip.h
unzip/patches/patch-unzpriv.h
Log Message:
unzip: add patches to fix some CVEs
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=291897d3fc408e9618c2e8425a749dc235e4d6e3
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
unzip/distinfo | 15 +-
unzip/patches/patch-ac | 20 ++-
unzip/patches/patch-extract.c | 298 +++++++++++++++++++++++++++++++++++++++-
unzip/patches/patch-fileio.c | 64 ++++++++-
unzip/patches/patch-globals.c | 23 ++++
unzip/patches/patch-globals.h | 21 ++-
unzip/patches/patch-man_unzip.1 | 24 ++++
unzip/patches/patch-process.c | 87 ++++++++++--
unzip/patches/patch-unzip.c | 46 +++++++
unzip/patches/patch-unzip.h | 30 ++++
unzip/patches/patch-unzpriv.h | 39 ++++++
11 files changed, 639 insertions(+), 28 deletions(-)
diffs:
diff --git a/unzip/distinfo b/unzip/distinfo
index ecb6642f42..71ed882530 100644
--- a/unzip/distinfo
+++ b/unzip/distinfo
@@ -4,12 +4,17 @@ BLAKE2s (unzip60.tgz) = d083b60907af71a6870edc1e87be4566dee486d5089e1fc3b57cc6eb
SHA512 (unzip60.tgz) = 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d
Size (unzip60.tgz) = 1376845 bytes
SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69
-SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154
+SHA1 (patch-ac) = 0e1eb1e868bc2a26500b1d895bae2d9e7bc105ff
SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
-SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
-SHA1 (patch-fileio.c) = ef87b5e8a60b9268e4b0439766d089130b322d86
-SHA1 (patch-globals.h) = d537ad18fa4406cd4b78ccee694c3cccb832f5a3
+SHA1 (patch-extract.c) = cc5756372f3bc4fbdbf06a118a506d5045b17578
+SHA1 (patch-fileio.c) = 761051e87782f8bb0b195ecd0ea6e000e9f93530
+SHA1 (patch-globals.c) = c9f7467c3a5baf837d3561752b0e9d8383098bcb
+SHA1 (patch-globals.h) = 9c21780eb795cca6379832c73183b3bef11c884e
SHA1 (patch-list.c) = 29e6dc3f5d40bb087a8bff58f75eb02568f3ad87
-SHA1 (patch-process.c) = a9c95ada1a0d3ac706d97a0bbd7dd99220f1fe69
+SHA1 (patch-man_unzip.1) = e7d43e774c909a1f06f19bba7b6c2870f9402ce9
+SHA1 (patch-process.c) = 4f451259055a240e4d99baa61349e31f6832a3e2
SHA1 (patch-unix_unxcfg.h) = 8128ea53719ca88e9a4f4788fb7b4f706399f8ae
+SHA1 (patch-unzip.c) = e17e9c0f7bcb400de2e2da79a9fa1eca8e279e37
+SHA1 (patch-unzip.h) = fe448902952fe8597f0009942f86d3fc6d06dc7c
+SHA1 (patch-unzpriv.h) = fb8d0e8d1eea195d6ecdd7bc7773a3e30db3da8a
SHA1 (patch-zipinfo.c) = 0d93fd9b145e7e707762119ee30ddf8eac9c2f31
diff --git a/unzip/patches/patch-ac b/unzip/patches/patch-ac
index 16fd05a80b..c00b34b549 100644
--- a/unzip/patches/patch-ac
+++ b/unzip/patches/patch-ac
@@ -1,8 +1,17 @@
$NetBSD: patch-ac,v 1.3 2012/09/14 13:10:48 wiz Exp $
Fix build with -DFUNZIP.
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
---- inflate.c.orig 2008-07-30 01:31:08.000000000 +0000
+--- inflate.c.orig 2008-07-30 03:31:08.000000000 +0200
+++ inflate.c
@@ -473,7 +473,11 @@ int UZinflate(__G__ is_defl64)
retval = 2;
@@ -28,3 +37,12 @@ Fix build with -DFUNZIP.
}
} else {
Trace((stderr, "oops! (inflateBack() err = %d)\n", err));
+@@ -700,7 +708,7 @@ int UZinflate(__G__ is_defl64)
+ G.dstrm.total_out));
+
+ G.inptr = (uch *)G.dstrm.next_in;
+- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */
++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */
+
+ uzinflate_cleanup_exit:
+ err = inflateReset(&G.dstrm);
diff --git a/unzip/patches/patch-extract.c b/unzip/patches/patch-extract.c
index ce15a9ba96..c81eb9c98a 100644
--- a/unzip/patches/patch-extract.c
+++ b/unzip/patches/patch-extract.c
@@ -22,7 +22,19 @@ This patch ensures that when extra fields use STORED mode, the
* integer underflow
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
---- extract.c.orig 2009-03-14 01:32:52.000000000 +0000
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+
+
+--- extract.c.orig 2009-03-14 02:32:52.000000000 +0100
+++ extract.c
@@ -1,5 +1,5 @@
/*
@@ -40,7 +52,211 @@ This patch ensures that when extra fields use STORED mode, the
static ZCONST char Far InvalidComprDataEAs[] =
" invalid compressed data for EAs\n";
# if (defined(WIN32) && defined(NTSD_EAS))
-@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G
+@@ -319,6 +321,126 @@ static ZCONST char Far UnsupportedExtraF
+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++ "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++ "error: invalid zip file with overlapped components (possible zip bomb)\n \
++To unzip the file anyway, rerun the command with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environmnent variable\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++ bound_t beg; /* start of the span */
++ bound_t end; /* one past the end of the span */
++} span_t;
++typedef struct {
++ span_t *span; /* allocated, distinct, and sorted list of spans */
++ size_t num; /* number of spans in the list */
++ size_t max; /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t lo = 0, hi = cover->num;
++ while (lo < hi) {
++ size_t mid = (lo + hi) >> 1;
++ if (val < cover->span[mid].beg)
++ hi = mid;
++ else
++ lo = mid + 1;
++ }
++ return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover. */
++static int cover_within(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t pos = cover_find(cover, val);
++ return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++ cover_t *cover;
++ bound_t beg;
++ bound_t end;
++{
++ size_t pos;
++ int prec, foll;
++
++ if (beg >= end)
++ /* The new span is invalid. */
++ return -1;
++
++ /* Find where the new span should go, and make sure that it does not
++ overlap with any existing spans. */
++ pos = cover_find(cover, beg);
++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++ (pos < cover->num && end > cover->span[pos].beg))
++ return 1;
++
++ /* Check for adjacencies. */
++ prec = pos > 0 && beg == cover->span[pos - 1].end;
++ foll = pos < cover->num && end == cover->span[pos].beg;
++ if (prec && foll) {
++ /* The new span connects the preceding and following spans. Merge the
++ following span into the preceding span, and delete the following
++ span. */
++ cover->span[pos - 1].end = cover->span[pos].end;
++ cover->num--;
++ memmove(cover->span + pos, cover->span + pos + 1,
++ (cover->num - pos) * sizeof(span_t));
++ }
++ else if (prec)
++ /* The new span is adjacent only to the preceding span. Extend the end
++ of the preceding span. */
++ cover->span[pos - 1].end = end;
++ else if (foll)
++ /* The new span is adjacent only to the following span. Extend the
++ beginning of the following span. */
++ cover->span[pos].beg = beg;
++ else {
++ /* The new span has gaps between both the preceding and the following
++ spans. Assure that there is room and insert the span. */
++ if (cover->num == cover->max) {
++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
++ span_t *span = realloc(cover->span, max * sizeof(span_t));
++ if (span == NULL)
++ return -2;
++ cover->span = span;
++ cover->max = max;
++ }
++ memmove(cover->span + pos + 1, cover->span + pos,
++ (cover->num - pos) * sizeof(span_t));
++ cover->num++;
++ cover->span[pos].beg = beg;
++ cover->span[pos].end = end;
++ }
++ return 0;
++}
+
+
+
+@@ -374,6 +496,44 @@ int extract_or_test_files(__G) /* ret
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present. */
++ if (uO.zipbomb == TRUE) {
++ if (G.cover == NULL) {
++ G.cover = malloc(sizeof(cover_t));
++ if (G.cover == NULL) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ ((cover_t *)G.cover)->span = NULL;
++ ((cover_t *)G.cover)->max = 0;
++ }
++ ((cover_t *)G.cover)->num = 0;
++ if (cover_add((cover_t *)G.cover,
++ G.extra_bytes + G.ecrec.offset_start_central_directory,
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
++ }
++
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+ rectory lies at the end of the zipfile and the member files lie at the
+@@ -498,6 +658,7 @@ int extract_or_test_files(__G) /* ret
+ break;
+ }
+ }
++ G.pInfo->zip64 = FALSE;
+ if ((error = do_string(__G__ G.crec.extra_field_length,
+ EXTRA_FIELD)) != 0)
+ {
+@@ -591,7 +752,8 @@ int extract_or_test_files(__G) /* ret
+ if (error > error_in_archive)
+ error_in_archive = error;
+ /* ...and keep going (unless disk full or user break) */
+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++ error == PK_BOMB) {
+ /* clear reached_end to signal premature stop ... */
+ reached_end = FALSE;
+ /* ... and cancel scanning the central directory */
+@@ -1060,6 +1222,13 @@ static int extract_or_test_entrylist(__G
+
+ /* seek_zipf(__G__ pInfo->offset); */
+ request = G.pInfo->offset + G.extra_bytes;
++ if (uO.zipbomb == TRUE) {
++ if (cover_within((cover_t *)G.cover, request)) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
++ }
+ inbuf_offset = request % INBUFSIZ;
+ bufstart = request - inbuf_offset;
+
+@@ -1255,8 +1424,17 @@ static int extract_or_test_entrylist(__G
if (G.lrec.compression_method == STORED) {
zusz_t csiz_decrypted = G.lrec.csize;
@@ -59,7 +275,66 @@ This patch ensures that when extra fields use STORED mode, the
if (G.lrec.ucsize != csiz_decrypted) {
Info(slide, 0x401, ((char *)slide,
LoadFarStringSmall2(WrnStorUCSizCSizDiff),
-@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -1591,6 +1769,20 @@ reprompt:
+ return IZ_CTRLC; /* cancel operation by user request */
+ }
+ #endif
++ if (uO.zipbomb == TRUE) {
++ error = cover_add((cover_t *)G.cover, request,
++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++ if (error < 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if (error != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
++ }
+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
+ UserStop();
+ #endif
+@@ -1992,6 +2184,37 @@ static int extract_or_test_member(__G)
+ }
+
+ undefer_input(__G);
++
++ if (uO.zipbomb == TRUE) {
++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++ /* skip over data descriptor (harder than it sounds, due to signature
++ * ambiguity)
++ */
++# define SIG 0x08074b50
++# define LOW 0xffffffff
++ uch buf[12];
++ unsigned shy = 12 - readbuf((char *)buf, 12);
++ ulg crc = shy ? 0 : makelong(buf);
++ ulg clen = shy ? 0 : makelong(buf + 4);
++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++ if (crc == SIG && /* if not SIG, no signature */
++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
++ (clen == SIG && /* if not SIG, no signature */
++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
++ (ulen == SIG && /* if not SIG, no signature */
++ (G.pInfo->zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++ /* if not SIG, have signature */
++ )))))
++ /* skip four more bytes to account for signature */
++ shy += 4 - readbuf((char *)buf, 4);
++ if (G.pInfo->zip64)
++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++ if (shy)
++ error = PK_ERR;
++
++ }
++ }
++
+ return error;
+
+ } /* end function extract_or_test_member() */
+@@ -2023,7 +2246,8 @@ static int TestExtraField(__G__ ef, ef_l
ebID = makeword(ef);
ebLen = (unsigned)makeword(ef+EB_LEN);
@@ -69,7 +344,7 @@ This patch ensures that when extra fields use STORED mode, the
/* Discovered some extra field inconsistency! */
if (uO.qflag)
Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2044,16 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -2032,6 +2256,16 @@ static int TestExtraField(__G__ ef, ef_l
ebLen, (ef_len - EB_HEADSIZE)));
return PK_ERR;
}
@@ -86,7 +361,7 @@ This patch ensures that when extra fields use STORED mode, the
switch (ebID) {
case EF_OS2:
-@@ -2217,6 +2239,7 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2217,6 +2451,7 @@ static int test_compr_eb(__G__ eb, eb_si
ulg eb_ucsize;
uch *eb_ucptr;
int r;
@@ -94,7 +369,7 @@ This patch ensures that when extra fields use STORED mode, the
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
-@@ -2226,6 +2249,13 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2226,6 +2461,13 @@ static int test_compr_eb(__G__ eb, eb_si
eb_size <= (compr_offset + EB_CMPRHEADLEN)))
return IZ_EF_TRUNC; /* no compressed data! */
@@ -108,7 +383,7 @@ This patch ensures that when extra fields use STORED mode, the
if (
#ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||
-@@ -2701,6 +2731,12 @@ __GDEF
+@@ -2701,6 +2943,12 @@ __GDEF
int repeated_buf_err;
bz_stream bstrm;
@@ -121,3 +396,12 @@ This patch ensures that when extra fields use STORED mode, the
#if (defined(DLL) && !defined(NO_SLIDE_REDIR))
if (G.redirect_slide)
wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+@@ -2808,7 +3056,7 @@ __GDEF
+ #endif
+
+ G.inptr = (uch *)bstrm.next_in;
+- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */
++ G.incnt -= G.inptr - G.inbuf; /* reset for other routines */
+
+ uzbunzip_cleanup_exit:
+ err = BZ2_bzDecompressEnd(&bstrm);
diff --git a/unzip/patches/patch-fileio.c b/unzip/patches/patch-fileio.c
index 2d15e8dbbc..cdda0d03e9 100644
--- a/unzip/patches/patch-fileio.c
+++ b/unzip/patches/patch-fileio.c
@@ -3,8 +3,29 @@ $NetBSD: patch-fileio.c,v 1.2 2024/08/06 14:40:13 nia Exp $
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8141
https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-0530.patch/
---- fileio.c.orig 2009-04-20 00:03:44.000000000 +0000
+Fix CVE-2018-1000035
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+
+--- fileio.c.orig 2009-04-20 02:03:44.000000000 +0200
+++ fileio.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2017 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
@@ -171,11 +171,15 @@ static ZCONST char Far ReadError[] = "er
static ZCONST char Far FilenameTooLongTrunc[] =
"warning: filename too long--truncating.\n";
@@ -22,7 +43,44 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
#ifdef WINDLL
static ZCONST char Far DiskFullQuery[] =
-@@ -2295,7 +2299,12 @@ int do_string(__G__ length, option) /*
+@@ -530,8 +534,10 @@ void undefer_input(__G)
+ * This condition was checked when G.incnt_leftover was set > 0 in
+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
+ * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
+ */
++ if (G.csize < 0L)
++ G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
+@@ -1580,6 +1586,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf,
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *ep;
++ char *zp;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1588,9 +1596,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf,
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+- sprintf(prompt, LoadFarString(PasswPrompt),
+- FnFilter1(zfn), FnFilter2(efn));
++ zp = FnFilter1( zfn);
++ ep = FnFilter2( efn);
++ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */
++ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
++ if (prompt != (char *)NULL) {
++ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+ m = prompt;
+ } else
+ m = (char *)LoadFarString(PasswPrompt2);
+@@ -2295,7 +2306,12 @@ int do_string(__G__ length, option) /*
if (readbuf(__G__ (char *)G.extra_field, length) == 0)
return PK_EOF;
/* Looks like here is where extra fields are read */
@@ -36,7 +94,7 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
#ifdef UNICODE_SUPPORT
G.unipath_filename = NULL;
if (G.UzO.U_flag < 2) {
-@@ -2340,16 +2349,30 @@ int do_string(__G__ length, option) /*
+@@ -2340,16 +2356,30 @@ int do_string(__G__ length, option) /*
/* convert UTF-8 to local character set */
fn = utf8_to_local_string(G.unipath_filename,
G.unicode_escape_all);
diff --git a/unzip/patches/patch-globals.c b/unzip/patches/patch-globals.c
new file mode 100644
index 0000000000..ce398789a0
--- /dev/null
+++ b/unzip/patches/patch-globals.c
@@ -0,0 +1,23 @@
+$NetBSD$
+
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+
+--- globals.c.orig 2025-08-23 16:31:09.322300882 +0200
++++ globals.c
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
+ # if (!defined(NO_TIMESTAMPS))
+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
+ # endif
++ G.cover = NULL; /* not allocated yet */
+ #endif
+
+ uO.lflag=(-1);
diff --git a/unzip/patches/patch-globals.h b/unzip/patches/patch-globals.h
index 0eb9a7eee3..8fe438347d 100644
--- a/unzip/patches/patch-globals.h
+++ b/unzip/patches/patch-globals.h
@@ -8,7 +8,18 @@ and 32-bit is the correct width for the crc32 table, so ...
extract.c:363:25: error: assignment to 'const ulg *' {aka 'const long unsigned int *'} from incompatible pointer type 'const z_crc_t *' {aka 'const unsigned int *'} [-Wincompatible-pointer-types]
363 | if ((CRC_32_TAB = get_crc_table()) == NULL) {
---- globals.h.orig 2024-08-05 10:40:15.418511764 +0000
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+
+--- globals.h.orig 2009-02-22 20:25:04.000000000 +0100
+++ globals.h
@@ -226,7 +226,7 @@ typedef struct Globals {
#if (!defined(USE_ZLIB) || defined(USE_OWN_CRCTAB))
@@ -19,3 +30,11 @@ extract.c:363:25: error: assignment to 'const ulg *' {aka 'const long unsigned i
#endif
ulg crc32val; /* CRC shift reg. (was static in funzip) */
+@@ -266,6 +266,7 @@ typedef struct Globals {
+ int reported_backslash; /* extract.c static */
+ int disk_full;
+ int newfile;
++ void **cover; /* used in extract.c for bomb detection */
+
+ int didCRlast; /* fileio static */
+ ulg numlines; /* fileio static: number of lines printed */
diff --git a/unzip/patches/patch-man_unzip.1 b/unzip/patches/patch-man_unzip.1
new file mode 100644
index 0000000000..b18fdc8e7d
--- /dev/null
+++ b/unzip/patches/patch-man_unzip.1
@@ -0,0 +1,24 @@
+$NetBSD$
+
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+
+--- man/unzip.1.orig 2025-08-23 16:32:18.527847647 +0200
++++ man/unzip.1
+@@ -850,6 +850,8 @@ the specified zipfiles were not found.
+ invalid options were specified on the command line.
+ .IP 11
+ no matching files were found.
++.IP 12
++invalid zip file with overlapped components (possible zip-bomb). The zip-bomb checks can be disabled by using the UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environment variable.
+ .IP 50
+ the disk is (or was) full during extraction.
+ .IP 51
diff --git a/unzip/patches/patch-process.c b/unzip/patches/patch-process.c
index 5e139ce58d..f6946bf864 100644
--- a/unzip/patches/patch-process.c
+++ b/unzip/patches/patch-process.c
@@ -3,7 +3,20 @@ $NetBSD: patch-process.c,v 1.2 2024/08/06 14:40:13 nia Exp $
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8141
https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-0530.patch/
---- process.c.orig 2009-03-06 01:25:10.000000000 +0000
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+Fix CVE-2021-4217
+ https://gitlab.archlinux.org/archlinux/packaging/packages/unzip/-/raw/main/unzip-6.0_CVE-2021-4217.patch
+
+--- process.c.orig 2009-03-06 02:25:10.000000000 +0100
+++ process.c
@@ -1,5 +1,5 @@
/*
@@ -21,7 +34,41 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
#endif
-@@ -1888,48 +1890,83 @@ int getZip64Data(__G__ ef_buf, ef_len)
+@@ -637,6 +639,13 @@ void free_G_buffers(__G) /* releases
+ }
+ #endif
+
++ /* Free the cover span list and the cover structure. */
++ if (G.cover != NULL) {
++ free(*(G.cover));
++ free(G.cover);
++ G.cover = NULL;
++ }
++
+ } /* end function free_G_buffers() */
+
+
+@@ -1401,6 +1410,10 @@ static int find_ecrec64(__G__ searchlen)
+
+ /* Now, we are (almost) sure that we have a Zip64 archive. */
+ G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+ /* Update the "end-of-central-dir offset" for later checks. */
+ G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1535,6 +1548,8 @@ static int find_ecrec(__G__ searchlen)
+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+ G.ecrec.zipfile_comment_length =
+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+ /* Now, we have to read the archive comment, BEFORE the file pointer
+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
+@@ -1888,48 +1903,85 @@ int getZip64Data(__G__ ef_buf, ef_len)
and a 4-byte version of disk start number.
Sets both local header and central header fields. Not terribly clever,
but it means that this procedure is only called in one place.
@@ -65,15 +112,15 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
+ if (eb_id == EF_PKSZ64)
+ {
+ unsigned offset = EB_HEADSIZE;
-+
-+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
+ offset += 8;
}
@@ -114,6 +161,8 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
+#if 0
+ break; /* Expect only one EF_PKSZ64 block. */
+#endif /* 0 */
++
++ G.pInfo->zip64 = TRUE;
}
- /* Skip this extra field block */
@@ -121,7 +170,7 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
ef_buf += (eb_len + EB_HEADSIZE);
ef_len -= (eb_len + EB_HEADSIZE);
}
-@@ -1984,7 +2021,7 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+@@ -1984,7 +2036,7 @@ int getUnicodeData(__G__ ef_buf, ef_len)
}
if (eb_id == EF_UNIPATH) {
@@ -130,7 +179,23 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
ush ULen = eb_len - 5;
ulg chksum = CRCVAL_INITIAL;
-@@ -2440,16 +2477,17 @@ char *wide_to_local_string(wide_string,
+@@ -2002,10 +2054,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+ G.unipath_checksum = makelong(offset + ef_buf);
+ offset += 4;
+
++ if (!G.filename_full) {
++ /* Check if we have a unicode extra section but no filename set */
++ return PK_ERR;
++ }
++
+ /*
+ * Compute 32-bit crc
+ */
+-
+ chksum = crc32(chksum, (uch *)(G.filename_full),
+ strlen(G.filename_full));
+
+@@ -2440,16 +2496,17 @@ char *wide_to_local_string(wide_string,
int state_dependent;
int wsize = 0;
int max_bytes = MB_CUR_MAX;
@@ -151,7 +216,7 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
return NULL;
}
-@@ -2487,8 +2525,28 @@ char *wide_to_local_string(wide_string,
+@@ -2487,8 +2544,28 @@ char *wide_to_local_string(wide_string,
} else {
/* no MB for this wide */
/* use escape for wide character */
@@ -182,7 +247,7 @@ https://sources.debian.org/patches/unzip/6.0-28/28-cve-2022-0529-and-cve-2022-05
free(escape_string);
}
}
-@@ -2540,9 +2598,18 @@ char *utf8_to_local_string(utf8_string,
+@@ -2540,9 +2617,18 @@ char *utf8_to_local_string(utf8_string,
ZCONST char *utf8_string;
int escape_all;
{
diff --git a/unzip/patches/patch-unzip.c b/unzip/patches/patch-unzip.c
new file mode 100644
index 0000000000..38c9a0be4a
--- /dev/null
+++ b/unzip/patches/patch-unzip.c
@@ -0,0 +1,46 @@
+$NetBSD$
+
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+
+--- unzip.c.orig 2025-08-23 16:32:58.736449614 +0200
++++ unzip.c
+@@ -1329,10 +1329,9 @@ int uz_opts(__G__ pargc, pargv)
+ int *pargc;
+ char ***pargv;
+ {
+- char **argv, *s;
++ char **argv, *s, *zipbomb_envar;
+ int argc, c, error=FALSE, negative=0, showhelp=0;
+
+-
+ argc = *pargc;
+ argv = *pargv;
+
+@@ -1923,6 +1922,18 @@ opts_done: /* yes, very ugly...but only
+ else
+ G.extract_flag = TRUE;
+
++ /* Disable the zipbomb detection, this is the only option set only via the shell variables but it should at least not clash with something in the future. */
++ zipbomb_envar = getenv("UNZIP_DISABLE_ZIPBOMB_DETECTION");
++ uO.zipbomb = TRUE;
++ if (zipbomb_envar != NULL) {
++ /* strcasecmp might be a better approach here but it is POSIX-only */
++ if ((strcmp ("TRUE", zipbomb_envar) == 0)
++ || (strcmp ("True", zipbomb_envar) == 0)
++ || (strcmp ("true",zipbomb_envar) == 0)) {
++ uO.zipbomb = FALSE;
++ }
++ }
++
+ *pargc = argc;
+ *pargv = argv;
+ return PK_OK;
diff --git a/unzip/patches/patch-unzip.h b/unzip/patches/patch-unzip.h
new file mode 100644
index 0000000000..ec0c3e7bf0
--- /dev/null
+++ b/unzip/patches/patch-unzip.h
@@ -0,0 +1,30 @@
+$NetBSD$
+
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+--- unzip.h.orig 2025-08-23 16:31:36.969582988 +0200
++++ unzip.h
+@@ -559,6 +559,7 @@ typedef struct _UzpOpts {
+ #ifdef UNIX
+ int cflxflag; /* -^: allow control chars in extracted filenames */
+ #endif
++ int zipbomb;
+ #endif /* !FUNZIP */
+ } UzpOpts;
+
+@@ -645,6 +646,7 @@ typedef struct _Uzp_cdir_Rec {
+ #define PK_NOZIP 9 /* zipfile not found */
+ #define PK_PARAM 10 /* bad or illegal parameters specified */
+ #define PK_FIND 11 /* no files found */
++#define PK_BOMB 12 /* likely zip bomb */
+ #define PK_DISK 50 /* disk full */
+ #define PK_EOF 51 /* unexpected EOF */
+
diff --git a/unzip/patches/patch-unzpriv.h b/unzip/patches/patch-unzpriv.h
new file mode 100644
index 0000000000..143892c9be
--- /dev/null
+++ b/unzip/patches/patch-unzpriv.h
@@ -0,0 +1,39 @@
+$NetBSD$
+
+Fix CVE-2019-13232
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+ https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+--- unzpriv.h.orig 2025-08-23 16:31:58.373631717 +0200
++++ unzpriv.h
+@@ -2031,6 +2031,7 @@ typedef struct min_info {
+ #ifdef UNICODE_SUPPORT
+ unsigned GPFIsUTF8: 1; /* crec gen_purpose_flag UTF-8 bit 11 is set */
+ #endif
++ unsigned zip64: 1; /* true if entry has Zip64 extra block */
+ #ifndef SFX
+ char Far *cfilname; /* central header version of filename */
+ #endif
+@@ -2185,6 +2186,16 @@ typedef struct VMStimbuf {
+ int have_ecr64; /* valid Zip64 ecdir-record exists */
+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+ } ecdir_rec;
+
+
Home |
Main Index |
Thread Index |
Old Index