pkgsrc-WIP-changes archive


unzip: add commit_msg



Module Name:	pkgsrc-wip
Committed By:	kikadf <kikadf.01%gmail.com@localhost>
Pushed By:	kikadf
Date:		Sat Aug 23 18:07:41 2025 +0200
Changeset:	56b4b12e47a32441a2bfd2177f8c2bc547fc6241

Modified Files:
	unzip/Makefile
Added Files:
	unzip/COMMIT_MSG

Log Message:
unzip: add commit_msg

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=56b4b12e47a32441a2bfd2177f8c2bc547fc6241

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 unzip/COMMIT_MSG | 26 ++++++++++++++++++++++++++
 unzip/Makefile   |  2 +-
 2 files changed, 27 insertions(+), 1 deletion(-)

diffs:
diff --git a/unzip/COMMIT_MSG b/unzip/COMMIT_MSG
new file mode 100644
index 0000000000..a7212acc03
--- /dev/null
+++ b/unzip/COMMIT_MSG
@@ -0,0 +1,26 @@
+archivers/unzip: fix some CVEs
+
+Fix CVE-2018-1000035
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+
+Fix CVE-2019-13232
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch
+  https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch
+
+  https://www.bamsoftware.com/hacks/zipbomb/
+  With patches:
+  $ /usr/pkg/bin/unzip zbsm.zip 
+  Archive:  zbsm.zip
+   inflating: 0                       
+  error: invalid zip file with overlapped components (possible zip bomb)
+   To unzip the file anyway, rerun the command with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environmnent variable
+
+Fix CVE-2021-4217
+  https://gitlab.archlinux.org/archlinux/packaging/packages/unzip/-/raw/main/unzip-6.0_CVE-2021-4217.patch
+
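Review bot: "environmnent" in the last line of the sample unzip run is misspelled; if that line is the tool's verbatim output it should stay as printed, otherwise it should read "environment". The lines "$ /usr/pkg/bin/unzip zbsm.zip " and " inflating: 0" carry trailing whitespace, and the file ends with an empty line; both are worth trimming before this text is reused as a commit message. The CVE-2021-4217 entry gives only a patch URL, so a one-line description of the issue would let a reader judge the fix without following the link, as the sample run already does for CVE-2019-13232.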
diff --git a/unzip/Makefile b/unzip/Makefile
index 26a686ede0..77d162720f 100644
--- a/unzip/Makefile
+++ b/unzip/Makefile
@@ -2,7 +2,7 @@
 
 DISTNAME=	unzip60
 PKGNAME=	unzip-6.0
-PKGREVISION=	10
+PKGREVISION=	11
 CATEGORIES=	archivers
 MASTER_SITES=	ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=	.tgz
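Review bot: the PKGREVISION bump from 10 to 11 is not mentioned in the log message "unzip: add commit_msg", and the diffstat shows no patch or distinfo change in this changeset to justify it. If the CVE patches listed in COMMIT_MSG were added in an earlier commit, the bump belongs with that commit; otherwise the log message should say why the revision changes here.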

