main/unzip: fix various CVEs

- CVE-2014-8139 - CVE-2014-8140 - CVE-2014-8141 - CVE-2014-9636 - CVE-2014-9913 - CVE-2016-9844 - CVE-2018-1000035 fixes #9289
author: Natanael Copa <ncopa@alpinelinux.org> 2018-08-20 12:24:29 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-08-22 10:37:44 +0200
commit: 1a9d4e34862869cd3a82d1ce5c75be04b144229a (patch)
tree: e7d4181a1a0ba8cc679b40d059d0f9fd9850c606
parent: d510fa929a7f6ede654295930273de33fd0e9b15 (diff)
download: alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.tar.bz2
alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.tar.xz
alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.zip
8 files changed, 401 insertions, 12 deletions
diff --git a/main/unzip/APKBUILD b/main/unzip/APKBUILD
index 909e337f38..88e1929de6 100644
--- a/main/unzip/APKBUILD
+++ b/main/unzip/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Timo Teräs <timo.teras@iki.fi>
 pkgname=unzip
 pkgver=6.0
-pkgrel=2
+pkgrel=3
 pkgdesc="Extract PKZIP-compatible .zip files"
 url="http://www.info-zip.org/UnZip.html"
 arch="all"
@@ -11,13 +11,33 @@ depends=""
 makedepends=""
 subpackages="$pkgname-doc"
 # normally      ftp://ftp.info-zip.org/pub/infozip/src/${pkgname}60.zip
-source="http://distfiles.alpinelinux.org/distfiles/${pkgname}60.zip
+source="https://dev.alpinelinux.org/archive/unzip/$pkgname${pkgver/./}.tgz
        10-unzip-handle-pkware-verify.patch
        20-unzip-uidgid-fix.patch
        unzip-6.0-heap-overflow-infloop.patch
+        CVE-2014-8140.patch
+        CVE-2014-8141.patch
+        CVE-2014-9636.patch
+        CVE-2014-9913.patch
+        CVE-2016-9844.patch
+        CVE-2018-1000035.patch
+        fix-CVE-2014-8139.patch
        "
 builddir="$srcdir"/${pkgname}60
+# secfixes:
+#   6.0-r3:
+#   - CVE-2014-8139
+#   - CVE-2014-8140
+#   - CVE-2014-8141
+#   - CVE-2014-9636
+#   - CVE-2014-9913
+#   - CVE-2016-9844
+#   - CVE-2018-1000035
+#   6.0-r1:
+#   - CVE-2015-7696
+#   - CVE-2015-7697
 build() {
        cd "$builddir"
        make -f unix/Makefile \
@@ -34,15 +54,14 @@ package() {
                "$pkgdir"/usr/share/licenses/$pkgname/LICENSE
 }
-md5sums="85da5203f01ab0b9403efef3b9bb4010  unzip60.zip
+sha512sums="0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d  unzip60.tgz
-b860a1557b48b2c3fa52541f9260ed72  10-unzip-handle-pkware-verify.patch
-3de9dee957cb83615cdcb165375d00bd  20-unzip-uidgid-fix.patch
-4ff9673cf8337e80220e46c7eb95ac61  unzip-6.0-heap-overflow-infloop.patch"
-sha256sums="2bc3e70d412447595ac3bed58c1c1fdae289d9a652e55fd0eaadddfe111aa9e4  unzip60.zip
-6829ce345b66d081cb1b8b5be37f092836fbcb71819594e45218fc03d8e80754  10-unzip-handle-pkware-verify.patch
-3650b53a49742d7ffb2c7d5db2ef1cdeaf3d34d21daa976dc7024ceb605a9dee  20-unzip-uidgid-fix.patch
-1a12fe030bb1127f54362c7023995d4b01528ef4f2d068497d390877d15aafea  unzip-6.0-heap-overflow-infloop.patch"
-sha512sums="4a455d45b2c33bc28cab74b82d13f2f1bc5f4a2c45de125345181d2e712079727e825d25e5b7765f9f9c16b7746cd5342897dc8502cb55b8a9f2329b138a1614  unzip60.zip
 9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81  10-unzip-handle-pkware-verify.patch
 57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af  20-unzip-uidgid-fix.patch
-b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301  unzip-6.0-heap-overflow-infloop.patch"
+b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301  unzip-6.0-heap-overflow-infloop.patch
+028a97e781fb4e277df331fd40b848bbc002f1a5ceeb40e74477cf68d2f063ac2623e24afbeddfa0456940ecc7694fdb66ecd031cbcecad63079e8427fb731c9  CVE-2014-8140.patch
+3dd21343d6e5ae7d19f2b2f9cf7310eac38dd7f598e1265e247559a48143c9dbffabd9fc0d7aff6d859ec9e646e85c2b7ee00a1b1a2e23bdf96192c22c58b058  CVE-2014-8141.patch
+281c524a9adb1c0f1cb861548d96115f55152c1d76adca34bbaabcca410c5aaf5dd53d99360d7ea8ee9d0ab9eb62031cb40c5de4b5ecfd91535ac178cd3e7098  CVE-2014-9636.patch
+9a62286acdbd5bf5f679d813017b93c25bdb06edaf48b2b53d3281ce3c30587158a777b07457c574d72350499f786dac6b4493092d7e08c17c07cb65ecc513b6  CVE-2014-9913.patch
+8c4a4313072ff0d87eadb0f5472eb48f2802b835dd282305811a96de87a41fed48be60fbdd434e6b6359418f0559f7793deaa1d68161a0c0ead9f8574bb9f14c  CVE-2016-9844.patch
+6f757385a23fe6a034f676df6bf233243afa8743761e3d715e532d066fcd7dc8f8dcd6192be693258f3855837e5534490784378768abe7ce710fb869258d49b7  CVE-2018-1000035.patch
+13f9c54fcdde478c4afe391c8e7ef9c31b03228aaace5da38382612951cbfd60710fd3d931569297953be32b2c5906715aed4b1c05e28cc8fccbb27f38b57550  fix-CVE-2014-8139.patch"
diff --git a/main/unzip/CVE-2014-8140.patch b/main/unzip/CVE-2014-8140.patch
new file mode 100644
index 0000000000..81b96b8df7
--- /dev/null
+++ b/main/unzip/CVE-2014-8140.patch
@@ -0,0 +1,26 @@
+From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969621&action=diff
+(unzip60/ path prefix added)
+--- unzip60/extract.c   2009-03-14 02:32:52.000000000 +0100
+++ unzip60/extract.c   2014-12-05 22:43:13.000000000 +0100
+@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+ 
+    /* Return no/bad-data error status if any problem is found:
+     *    1. eb_size is too small to hold the uncompressed size
+     *       (eb_ucsize).  (Else extract eb_ucsize.)
+     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
+     *    3. eb_ucsize is positive, but eb_size is too small to hold
+     *       the compressed data header.
+     */
+     if ((eb_size < (EB_UCSIZE_P + 4)) ||
+-        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+-         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+-        return IZ_EF_TRUNC;               /* no compressed data! */
+     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
+     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+        return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
+     if (
+ #ifdef INT_16BIT
diff --git a/main/unzip/CVE-2014-8141.patch b/main/unzip/CVE-2014-8141.patch
new file mode 100644
index 0000000000..11007195b1
--- /dev/null
+++ b/main/unzip/CVE-2014-8141.patch
@@ -0,0 +1,136 @@
+From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969625&action=diff
+(unzip60/ path prefix added)
+--- unzip60/process.c   2009-03-06 02:25:10.000000000 +0100
+++ unzip60/process.c   2014-12-05 22:42:39.000000000 +0100
+@@ -1,5 +1,5 @@ 
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
+     and a 4-byte version of disk start number.
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
+
+    2014-12-05 SMS.
+    Added checks to ensure that enough data are available before calling
+    makeint64() or makelong().  Replaced various sizeof() values with
+    simple ("4" or "8") constants.  (The Zip64 structures do not depend
+    on our variable sizes.)  Error handling is crude, but we should now
+    stay within the buffer.
+   ---------------------------------------------------------------------------*/
+ 
+#define Z64FLGS 0xffff
+#define Z64FLGL 0xffffffff
+
+     if (ef_len == 0 || ef_buf == NULL)
+         return PK_COOL;
+ 
+     Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+       ef_len));
+ 
+-    while (ef_len >= EB_HEADSIZE) {
+    while (ef_len >= EB_HEADSIZE)
+    {
+         eb_id = makeword(EB_ID + ef_buf);
+         eb_len = makeword(EB_LEN + ef_buf);
+ 
+-        if (eb_len > (ef_len - EB_HEADSIZE)) {
+-            /* discovered some extra field inconsistency! */
+        if (eb_len > (ef_len - EB_HEADSIZE))
+        {
+            /* Extra block length exceeds remaining extra field length. */
+             Trace((stderr,
+               "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+               ef_len - EB_HEADSIZE));
+             break;
+         }
+-        if (eb_id == EF_PKSZ64) {
+-
+        if (eb_id == EF_PKSZ64)
+        {
+           int offset = EB_HEADSIZE;
+ 
+-          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+-            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.ucsize);
+          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
+            offset += 8;
+           }
+-          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+-            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.csize);
+
+          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
+            offset += 8;
+           }
+-          if (G.crec.relative_offset_local_header == 0xffffffff){
+
+          if (G.crec.relative_offset_local_header == Z64FLGL)
+          {
+            if (offset+ 8 > ef_len)
+              return PK_ERR;
+
+             G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.relative_offset_local_header);
+            offset += 8;
+           }
+-          if (G.crec.disk_number_start == 0xffff){
+
+          if (G.crec.disk_number_start == Z64FLGS)
+          {
+            if (offset+ 4 > ef_len)
+              return PK_ERR;
+
+             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+-            offset += sizeof(G.crec.disk_number_start);
+            offset += 4;
+           }
+#if 0
+          break;                /* Expect only one EF_PKSZ64 block. */
+#endif /* 0 */
+         }
+ 
+-        /* Skip this extra field block */
+        /* Skip this extra field block. */
+         ef_buf += (eb_len + EB_HEADSIZE);
+         ef_len -= (eb_len + EB_HEADSIZE);
+     }
+--- unzip60/fileio.c    2009-04-20 02:03:44.000000000 +0200
+++ unzip60/fileio.c    2014-12-05 22:44:16.000000000 +0100
+@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
+static ZCONST char Far ExtraFieldCorrupt[] =
+  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
+ 
+ #ifdef WINDLL
+    static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option)   /*
+             if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+                 return PK_EOF;
+             /* Looks like here is where extra fields are read */
+-            getZip64Data(__G__ G.extra_field, length);
+            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
+            {
+                Info(slide, 0x401, ((char *)slide,
+                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+                error = PK_WARN;
+            }
+ #ifdef UNICODE_SUPPORT
+             G.unipath_filename = NULL;
+             if (G.UzO.U_flag < 2) {
diff --git a/main/unzip/CVE-2014-9636.patch b/main/unzip/CVE-2014-9636.patch
new file mode 100644
index 0000000000..d4c7f75297
--- /dev/null
+++ b/main/unzip/CVE-2014-9636.patch
@@ -0,0 +1,42 @@
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+---
+ extract.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+--- a/extract.c
+++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
+    ush method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
+          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+         return IZ_EF_TRUNC;               /* no compressed data! */
+ 
+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+    if ((method == STORED) &&
+        (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
+       return PK_ERR;                    /* compressed & uncompressed
+                                          * should match in STORED
+                                          * method */
+
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/main/unzip/CVE-2014-9913.patch b/main/unzip/CVE-2014-9913.patch
new file mode 100644
index 0000000000..a5675f4fb7
--- /dev/null
+++ b/main/unzip/CVE-2014-9913.patch
@@ -0,0 +1,29 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2014-9913, buffer overflow in unzip
+Bug: https://sourceforge.net/p/infozip/bugs/27/
+Bug-Debian: https://bugs.debian.org/847485
+Bug-Ubuntu: https://launchpad.net/bugs/387350
+X-Debian-version: 6.0-21
+--- a/list.c
+++ b/list.c
+@@ -339,7 +339,18 @@
+                 G.crec.compression_method == ENHDEFLATED) {
+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+             } else if (methnum >= NUM_METHODS) {
+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);
+                /* 2013-02-26 SMS.
+                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.
+                 * Unexpectedly large compression methods overflow
+                 * &methbuf[].  Use the old, three-digit decimal format
+                 * for values which fit.  Otherwise, sacrifice the
+                 * colon, and use four-digit hexadecimal.
+                 */
+                if (G.crec.compression_method <= 999) {
+                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
+                } else {
+                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
+                }
+             }
+ 
+ #if 0       /* GRR/Euro:  add this? */
diff --git a/main/unzip/CVE-2016-9844.patch b/main/unzip/CVE-2016-9844.patch
new file mode 100644
index 0000000000..52d07987b3
--- /dev/null
+++ b/main/unzip/CVE-2016-9844.patch
@@ -0,0 +1,28 @@
+From: "Steven M. Schweda" <sms@antinode.info>
+Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
+Bug-Debian: https://bugs.debian.org/847486
+Bug-Ubuntu: https://launchpad.net/bugs/1643750
+X-Debian-version: 6.0-21
+--- a/zipinfo.c
+++ b/zipinfo.c
+@@ -1921,7 +1921,18 @@
+         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+         methbuf[3] = dtype[dnum];
+     } else if (methnum >= NUM_METHODS) {   /* unknown */
+-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
+        /* 2016-12-05 SMS.
+         * https://launchpad.net/bugs/1643750
+         * Unexpectedly large compression methods overflow
+         * &methbuf[].  Use the old, three-digit decimal format
+         * for values which fit.  Otherwise, sacrifice the "u",
+         * and use four-digit hexadecimal.
+         */
+        if (G.crec.compression_method <= 999) {
+            sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
+        } else {
+            sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
+        }
+     }
+ 
+     for (k = 0;  k < 15;  ++k)
diff --git a/main/unzip/CVE-2018-1000035.patch b/main/unzip/CVE-2018-1000035.patch
new file mode 100644
index 0000000000..8ca713865c
--- /dev/null
+++ b/main/unzip/CVE-2018-1000035.patch
@@ -0,0 +1,34 @@
+--- a/fileio.c  2014-12-05 05:06:05 -0600
+++ b/fileio.c  2017-11-14 01:06:28 -0600
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2017 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -1582,6 +1582,8 @@
+     int r = IZ_PW_ENTERED;
+     char *m;
+     char *prompt;
+    char *ep;
+    char *zp;
+ 
+ #ifndef REENTRANT
+     /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,9 +1592,12 @@
+ 
+     if (*rcnt == 0) {           /* First call for current entry */
+         *rcnt = 2;
+-        if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+-            sprintf(prompt, LoadFarString(PasswPrompt),
+-                    FnFilter1(zfn), FnFilter2(efn));
+        zp = FnFilter1( zfn);
+        ep = FnFilter2( efn);
+        prompt = (char *)malloc(        /* Slightly too long (2* "%s"). */
+         sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
+        if (prompt != (char *)NULL) {
+            sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+             m = prompt;
+         } else
+             m = (char *)LoadFarString(PasswPrompt2);
diff --git a/main/unzip/fix-CVE-2014-8139.patch b/main/unzip/fix-CVE-2014-8139.patch
new file mode 100644
index 0000000000..2465af0328
--- /dev/null
+++ b/main/unzip/fix-CVE-2014-8139.patch
@@ -0,0 +1,75 @@
+--- a/extract.c
+++ b/extract.c
+@@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+     EF block length (%u bytes) invalid (< %d)\n";
+    static ZCONST char Far InvalidComprDataEAs[] =
+      " invalid compressed data for EAs\n";
+ #  if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2032,7 +2034,8 @@
+         ebID = makeword(ef);
+         ebLen = (unsigned)makeword(ef+EB_LEN);
+-        if (ebLen > (ef_len - EB_HEADSIZE)) {
+        if (ebLen > (ef_len - EB_HEADSIZE))
+        {
+            /* Discovered some extra field inconsistency! */
+             if (uO.qflag)
+                 Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2167,11 +2170,29 @@
+                 }
+                 break;
+             case EF_PKVMS:
+-                if (makelong(ef+EB_HEADSIZE) !=
+-                    crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+-                          (extent)(ebLen-4)))
+-                    Info(slide, 1, ((char *)slide,
+-                      LoadFarString(BadCRC_EAs)));
+                /* 2015-01-30 SMS.  Added sufficient-bytes test/message
+                 * here.  (Removed defective ebLen test above.)
+                 *
+                 * If sufficient bytes (EB_PKVMS_MINLEN) are available,
+                 * then compare the stored CRC value with the calculated
+                 * CRC for the remainder of the data (and complain about
+                 * a mismatch).
+                 */
+                if (ebLen < EB_PKVMS_MINLEN)
+                {
+                    /* Insufficient bytes available. */
+                    Info( slide, 1,
+                     ((char *)slide, LoadFarString( TooSmallEBlength),
+                     ebLen, EB_PKVMS_MINLEN));
+                }
+                else if (makelong(ef+ EB_HEADSIZE) !=
+                 crc32(CRCVAL_INITIAL,
+                 (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN),
+                 (extent)(ebLen- EB_PKVMS_MINLEN)))
+                {
+                     Info(slide, 1, ((char *)slide,
+                       LoadFarString(BadCRC_EAs)));
+                }
+                 break;
+             case EF_PKW32:
+             case EF_PKUNIX:
+--- a/unzpriv.h
+++ b/unzpriv.h
+@@ -1806,6 +1806,8 @@
+ #define EB_NTSD_VERSION   4    /* offset of NTSD version byte */
+ #define EB_NTSD_MAX_VER   (0)  /* maximum version # we know how to handle */
+#define EB_PKVMS_MINLEN   4    /* minimum data length of PKVMS extra block */
+
+ #define EB_ASI_CRC32      0    /* offset of ASI Unix field's crc32 checksum */
+ #define EB_ASI_MODE       4    /* offset of ASI Unix permission mode field */
author	Natanael Copa <ncopa@alpinelinux.org>	2018-08-20 12:24:29 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-08-22 10:37:44 +0200
commit	1a9d4e34862869cd3a82d1ce5c75be04b144229a (patch)
tree	e7d4181a1a0ba8cc679b40d059d0f9fd9850c606
parent	d510fa929a7f6ede654295930273de33fd0e9b15 (diff)
download	alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.tar.bz2 alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.tar.xz alpine_aports-1a9d4e34862869cd3a82d1ce5c75be04b144229a.zip

diff --git a/main/unzip/APKBUILD b/main/unzip/APKBUILD index 909e337f38..88e1929de6 100644 --- a/main/unzip/APKBUILD +++ b/main/unzip/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Timo Teräs <timo.teras@iki.fi>	2	# Maintainer: Timo Teräs <timo.teras@iki.fi>
3	pkgname=unzip	3	pkgname=unzip
4	pkgver=6.0	4	pkgver=6.0
5	pkgrel=2	5	pkgrel=3
6	pkgdesc="Extract PKZIP-compatible .zip files"	6	pkgdesc="Extract PKZIP-compatible .zip files"
7	url="http://www.info-zip.org/UnZip.html"	7	url="http://www.info-zip.org/UnZip.html"
8	arch="all"	8	arch="all"
@@ -11,13 +11,33 @@ depends=""
11	makedepends=""	11	makedepends=""
12	subpackages="$pkgname-doc"	12	subpackages="$pkgname-doc"
13	# normally ftp://ftp.info-zip.org/pub/infozip/src/${pkgname}60.zip	13	# normally ftp://ftp.info-zip.org/pub/infozip/src/${pkgname}60.zip
14	source="http://distfiles.alpinelinux.org/distfiles/${pkgname}60.zip	14	source="https://dev.alpinelinux.org/archive/unzip/$pkgname${pkgver/./}.tgz
15	10-unzip-handle-pkware-verify.patch	15	10-unzip-handle-pkware-verify.patch
16	20-unzip-uidgid-fix.patch	16	20-unzip-uidgid-fix.patch
17	unzip-6.0-heap-overflow-infloop.patch	17	unzip-6.0-heap-overflow-infloop.patch
		18	CVE-2014-8140.patch
		19	CVE-2014-8141.patch
		20	CVE-2014-9636.patch
		21	CVE-2014-9913.patch
		22	CVE-2016-9844.patch
		23	CVE-2018-1000035.patch
		24	fix-CVE-2014-8139.patch
18	"	25	"
19		26
20	builddir="$srcdir"/${pkgname}60	27	builddir="$srcdir"/${pkgname}60
		28	# secfixes:
		29	# 6.0-r3:
		30	# - CVE-2014-8139
		31	# - CVE-2014-8140
		32	# - CVE-2014-8141
		33	# - CVE-2014-9636
		34	# - CVE-2014-9913
		35	# - CVE-2016-9844
		36	# - CVE-2018-1000035
		37	# 6.0-r1:
		38	# - CVE-2015-7696
		39	# - CVE-2015-7697
		40
21	build() {	41	build() {
22	cd "$builddir"	42	cd "$builddir"
23	make -f unix/Makefile \	43	make -f unix/Makefile \
@@ -34,15 +54,14 @@ package() {
34	"$pkgdir"/usr/share/licenses/$pkgname/LICENSE	54	"$pkgdir"/usr/share/licenses/$pkgname/LICENSE
35	}	55	}
36		56
37	md5sums="85da5203f01ab0b9403efef3b9bb4010 unzip60.zip	57	sha512sums="0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d unzip60.tgz
38	b860a1557b48b2c3fa52541f9260ed72 10-unzip-handle-pkware-verify.patch
39	3de9dee957cb83615cdcb165375d00bd 20-unzip-uidgid-fix.patch
40	4ff9673cf8337e80220e46c7eb95ac61 unzip-6.0-heap-overflow-infloop.patch"
41	sha256sums="2bc3e70d412447595ac3bed58c1c1fdae289d9a652e55fd0eaadddfe111aa9e4 unzip60.zip
42	6829ce345b66d081cb1b8b5be37f092836fbcb71819594e45218fc03d8e80754 10-unzip-handle-pkware-verify.patch
43	3650b53a49742d7ffb2c7d5db2ef1cdeaf3d34d21daa976dc7024ceb605a9dee 20-unzip-uidgid-fix.patch
44	1a12fe030bb1127f54362c7023995d4b01528ef4f2d068497d390877d15aafea unzip-6.0-heap-overflow-infloop.patch"
45	sha512sums="4a455d45b2c33bc28cab74b82d13f2f1bc5f4a2c45de125345181d2e712079727e825d25e5b7765f9f9c16b7746cd5342897dc8502cb55b8a9f2329b138a1614 unzip60.zip
46	9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch	58	9d2914f22fb0075a2b6f72825c235f46eafd8d47b6fb6fcc8303fc69336e256b15923c002d2615bb6af733344c2315e4a8504d77bae301e10c11d4736faa2c81 10-unzip-handle-pkware-verify.patch
47	57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch	59	57699582e9056af0817dcb67f8db67e6a1ff8208c137fbebcf559429e5f12b471b75d7e1ef938e5bbb5416074a51ac7342e4ce8057f4bbdcb0bf079b8d7832af 20-unzip-uidgid-fix.patch
48	b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301 unzip-6.0-heap-overflow-infloop.patch"	60	b1e3fac6a787828efaaef8ec7cc52e1573aea27a6f29830af37ec4ba8bcd2a6488c953ab10eee0561c78e82c7401833ef172bebee793405d93632ce788756301 unzip-6.0-heap-overflow-infloop.patch
		61	028a97e781fb4e277df331fd40b848bbc002f1a5ceeb40e74477cf68d2f063ac2623e24afbeddfa0456940ecc7694fdb66ecd031cbcecad63079e8427fb731c9 CVE-2014-8140.patch
		62	3dd21343d6e5ae7d19f2b2f9cf7310eac38dd7f598e1265e247559a48143c9dbffabd9fc0d7aff6d859ec9e646e85c2b7ee00a1b1a2e23bdf96192c22c58b058 CVE-2014-8141.patch
		63	281c524a9adb1c0f1cb861548d96115f55152c1d76adca34bbaabcca410c5aaf5dd53d99360d7ea8ee9d0ab9eb62031cb40c5de4b5ecfd91535ac178cd3e7098 CVE-2014-9636.patch
		64	9a62286acdbd5bf5f679d813017b93c25bdb06edaf48b2b53d3281ce3c30587158a777b07457c574d72350499f786dac6b4493092d7e08c17c07cb65ecc513b6 CVE-2014-9913.patch
		65	8c4a4313072ff0d87eadb0f5472eb48f2802b835dd282305811a96de87a41fed48be60fbdd434e6b6359418f0559f7793deaa1d68161a0c0ead9f8574bb9f14c CVE-2016-9844.patch
		66	6f757385a23fe6a034f676df6bf233243afa8743761e3d715e532d066fcd7dc8f8dcd6192be693258f3855837e5534490784378768abe7ce710fb869258d49b7 CVE-2018-1000035.patch
		67	13f9c54fcdde478c4afe391c8e7ef9c31b03228aaace5da38382612951cbfd60710fd3d931569297953be32b2c5906715aed4b1c05e28cc8fccbb27f38b57550 fix-CVE-2014-8139.patch"


diff --git a/main/unzip/CVE-2014-8140.patch b/main/unzip/CVE-2014-8140.patch new file mode 100644 index 0000000000..81b96b8df7 --- /dev/null +++ b/main/unzip/CVE-2014-8140.patch
@@ -0,0 +1,26 @@
		1	From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969621&action=diff
		2	(unzip60/ path prefix added)
		3
		4	--- unzip60/extract.c 2009-03-14 02:32:52.000000000 +0100
		5	+++ unzip60/extract.c 2014-12-05 22:43:13.000000000 +0100
		6	@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
		7	if (compr_offset < 4) /* field is not compressed: */
		8	return PK_OK; /* do nothing and signal OK */
		9
		10	+ /* Return no/bad-data error status if any problem is found:
		11	+ * 1. eb_size is too small to hold the uncompressed size
		12	+ * (eb_ucsize). (Else extract eb_ucsize.)
		13	+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
		14	+ * 3. eb_ucsize is positive, but eb_size is too small to hold
		15	+ * the compressed data header.
		16	+ */
		17	if ((eb_size < (EB_UCSIZE_P + 4)) \|\|
		18	- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
		19	- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
		20	- return IZ_EF_TRUNC; /* no compressed data! */
		21	+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) \|\|
		22	+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
		23	+ return IZ_EF_TRUNC; /* no/bad compressed data! */
		24
		25	if (
		26	#ifdef INT_16BIT


diff --git a/main/unzip/CVE-2014-8141.patch b/main/unzip/CVE-2014-8141.patch new file mode 100644 index 0000000000..11007195b1 --- /dev/null +++ b/main/unzip/CVE-2014-8141.patch
@@ -0,0 +1,136 @@
		1	From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969625&action=diff
		2	(unzip60/ path prefix added)
		3
		4	--- unzip60/process.c 2009-03-06 02:25:10.000000000 +0100
		5	+++ unzip60/process.c 2014-12-05 22:42:39.000000000 +0100
		6	@@ -1,5 +1,5 @@
		7	/*
		8	- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
		9	+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
		10
		11	See the accompanying file LICENSE, version 2009-Jan-02 or later
		12	(the contents of which are also included in unzip.h) for terms of use.
		13	@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
		14	and a 4-byte version of disk start number.
		15	Sets both local header and central header fields. Not terribly clever,
		16	but it means that this procedure is only called in one place.
		17	+
		18	+ 2014-12-05 SMS.
		19	+ Added checks to ensure that enough data are available before calling
		20	+ makeint64() or makelong(). Replaced various sizeof() values with
		21	+ simple ("4" or "8") constants. (The Zip64 structures do not depend
		22	+ on our variable sizes.) Error handling is crude, but we should now
		23	+ stay within the buffer.
		24	---------------------------------------------------------------------------*/
		25
		26	+#define Z64FLGS 0xffff
		27	+#define Z64FLGL 0xffffffff
		28	+
		29	if (ef_len == 0 \|\| ef_buf == NULL)
		30	return PK_COOL;
		31
		32	Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
		33	ef_len));
		34
		35	- while (ef_len >= EB_HEADSIZE) {
		36	+ while (ef_len >= EB_HEADSIZE)
		37	+ {
		38	eb_id = makeword(EB_ID + ef_buf);
		39	eb_len = makeword(EB_LEN + ef_buf);
		40
		41	- if (eb_len > (ef_len - EB_HEADSIZE)) {
		42	- /* discovered some extra field inconsistency! */
		43	+ if (eb_len > (ef_len - EB_HEADSIZE))
		44	+ {
		45	+ /* Extra block length exceeds remaining extra field length. */
		46	Trace((stderr,
		47	"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
		48	ef_len - EB_HEADSIZE));
		49	break;
		50	}
		51	- if (eb_id == EF_PKSZ64) {
		52	-
		53	+ if (eb_id == EF_PKSZ64)
		54	+ {
		55	int offset = EB_HEADSIZE;
		56
		57	- if (G.crec.ucsize == 0xffffffff \|\| G.lrec.ucsize == 0xffffffff){
		58	- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
		59	- offset += sizeof(G.crec.ucsize);
		60	+ if ((G.crec.ucsize == Z64FLGL) \|\| (G.lrec.ucsize == Z64FLGL))
		61	+ {
		62	+ if (offset+ 8 > ef_len)
		63	+ return PK_ERR;
		64	+
		65	+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
		66	+ offset += 8;
		67	}
		68	- if (G.crec.csize == 0xffffffff \|\| G.lrec.csize == 0xffffffff){
		69	- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
		70	- offset += sizeof(G.crec.csize);
		71	+
		72	+ if ((G.crec.csize == Z64FLGL) \|\| (G.lrec.csize == Z64FLGL))
		73	+ {
		74	+ if (offset+ 8 > ef_len)
		75	+ return PK_ERR;
		76	+
		77	+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
		78	+ offset += 8;
		79	}
		80	- if (G.crec.relative_offset_local_header == 0xffffffff){
		81	+
		82	+ if (G.crec.relative_offset_local_header == Z64FLGL)
		83	+ {
		84	+ if (offset+ 8 > ef_len)
		85	+ return PK_ERR;
		86	+
		87	G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
		88	- offset += sizeof(G.crec.relative_offset_local_header);
		89	+ offset += 8;
		90	}
		91	- if (G.crec.disk_number_start == 0xffff){
		92	+
		93	+ if (G.crec.disk_number_start == Z64FLGS)
		94	+ {
		95	+ if (offset+ 4 > ef_len)
		96	+ return PK_ERR;
		97	+
		98	G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
		99	- offset += sizeof(G.crec.disk_number_start);
		100	+ offset += 4;
		101	}
		102	+#if 0
		103	+ break; /* Expect only one EF_PKSZ64 block. */
		104	+#endif /* 0 */
		105	}
		106
		107	- /* Skip this extra field block */
		108	+ /* Skip this extra field block. */
		109	ef_buf += (eb_len + EB_HEADSIZE);
		110	ef_len -= (eb_len + EB_HEADSIZE);
		111	}
		112	--- unzip60/fileio.c 2009-04-20 02:03:44.000000000 +0200
		113	+++ unzip60/fileio.c 2014-12-05 22:44:16.000000000 +0100
		114	@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
		115	#endif
		116	static ZCONST char Far ExtraFieldTooLong[] =
		117	"warning: extra field too long (%d). Ignoring...\n";
		118	+static ZCONST char Far ExtraFieldCorrupt[] =
		119	+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
		120
		121	#ifdef WINDLL
		122	static ZCONST char Far DiskFullQuery[] =
		123	@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
		124	if (readbuf(__G__ (char *)G.extra_field, length) == 0)
		125	return PK_EOF;
		126	/* Looks like here is where extra fields are read */
		127	- getZip64Data(__G__ G.extra_field, length);
		128	+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
		129	+ {
		130	+ Info(slide, 0x401, ((char *)slide,
		131	+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
		132	+ error = PK_WARN;
		133	+ }
		134	#ifdef UNICODE_SUPPORT
		135	G.unipath_filename = NULL;
		136	if (G.UzO.U_flag < 2) {


diff --git a/main/unzip/CVE-2014-9636.patch b/main/unzip/CVE-2014-9636.patch new file mode 100644 index 0000000000..d4c7f75297 --- /dev/null +++ b/main/unzip/CVE-2014-9636.patch
@@ -0,0 +1,42 @@
		1	From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
		2	From: mancha <mancha1 AT zoho DOT com>
		3	Date: Wed, 11 Feb 2015
		4	Subject: Info-ZIP UnZip buffer overflow
		5
		6	By carefully crafting a corrupt ZIP archive with "extra fields" that
		7	purport to have compressed blocks larger than the corresponding
		8	uncompressed blocks in STORED no-compression mode, an attacker can
		9	trigger a heap overflow that can result in application crash or
		10	possibly have other unspecified impact.
		11
		12	This patch ensures that when extra fields use STORED mode, the
		13	"compressed" and uncompressed block sizes match.
		14
		15	---
		16	extract.c \| 8 ++++++++
		17	1 file changed, 8 insertions(+)
		18
		19	--- a/extract.c
		20	+++ b/extract.c
		21	@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
		22	ulg eb_ucsize;
		23	uch *eb_ucptr;
		24	int r;
		25	+ ush method;
		26
		27	if (compr_offset < 4) /* field is not compressed: */
		28	return PK_OK; /* do nothing and signal OK */
		29	@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
		30	eb_size <= (compr_offset + EB_CMPRHEADLEN)))
		31	return IZ_EF_TRUNC; /* no compressed data! */
		32
		33	+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
		34	+ if ((method == STORED) &&
		35	+ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
		36	+ return PK_ERR; /* compressed & uncompressed
		37	+ * should match in STORED
		38	+ * method */
		39	+
		40	if (
		41	#ifdef INT_16BIT
		42	(((ulg)(extent)eb_ucsize) != eb_ucsize) \|\|


diff --git a/main/unzip/CVE-2014-9913.patch b/main/unzip/CVE-2014-9913.patch new file mode 100644 index 0000000000..a5675f4fb7 --- /dev/null +++ b/main/unzip/CVE-2014-9913.patch
@@ -0,0 +1,29 @@
		1	From: "Steven M. Schweda" <sms@antinode.info>
		2	Subject: Fix CVE-2014-9913, buffer overflow in unzip
		3	Bug: https://sourceforge.net/p/infozip/bugs/27/
		4	Bug-Debian: https://bugs.debian.org/847485
		5	Bug-Ubuntu: https://launchpad.net/bugs/387350
		6	X-Debian-version: 6.0-21
		7
		8	--- a/list.c
		9	+++ b/list.c
		10	@@ -339,7 +339,18 @@
		11	G.crec.compression_method == ENHDEFLATED) {
		12	methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
		13	} else if (methnum >= NUM_METHODS) {
		14	- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
		15	+ /* 2013-02-26 SMS.
		16	+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
		17	+ * Unexpectedly large compression methods overflow
		18	+ * &methbuf[]. Use the old, three-digit decimal format
		19	+ * for values which fit. Otherwise, sacrifice the
		20	+ * colon, and use four-digit hexadecimal.
		21	+ */
		22	+ if (G.crec.compression_method <= 999) {
		23	+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
		24	+ } else {
		25	+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
		26	+ }
		27	}
		28
		29	#if 0 /* GRR/Euro: add this? */


diff --git a/main/unzip/CVE-2016-9844.patch b/main/unzip/CVE-2016-9844.patch new file mode 100644 index 0000000000..52d07987b3 --- /dev/null +++ b/main/unzip/CVE-2016-9844.patch
@@ -0,0 +1,28 @@
		1	From: "Steven M. Schweda" <sms@antinode.info>
		2	Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
		3	Bug-Debian: https://bugs.debian.org/847486
		4	Bug-Ubuntu: https://launchpad.net/bugs/1643750
		5	X-Debian-version: 6.0-21
		6
		7	--- a/zipinfo.c
		8	+++ b/zipinfo.c
		9	@@ -1921,7 +1921,18 @@
		10	ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
		11	methbuf[3] = dtype[dnum];
		12	} else if (methnum >= NUM_METHODS) { /* unknown */
		13	- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
		14	+ /* 2016-12-05 SMS.
		15	+ * https://launchpad.net/bugs/1643750
		16	+ * Unexpectedly large compression methods overflow
		17	+ * &methbuf[]. Use the old, three-digit decimal format
		18	+ * for values which fit. Otherwise, sacrifice the "u",
		19	+ * and use four-digit hexadecimal.
		20	+ */
		21	+ if (G.crec.compression_method <= 999) {
		22	+ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
		23	+ } else {
		24	+ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
		25	+ }
		26	}
		27
		28	for (k = 0; k < 15; ++k)


diff --git a/main/unzip/CVE-2018-1000035.patch b/main/unzip/CVE-2018-1000035.patch new file mode 100644 index 0000000000..8ca713865c --- /dev/null +++ b/main/unzip/CVE-2018-1000035.patch
@@ -0,0 +1,34 @@
		1	--- a/fileio.c 2014-12-05 05:06:05 -0600
		2	+++ b/fileio.c 2017-11-14 01:06:28 -0600
		3	@@ -1,5 +1,5 @@
		4	/*
		5	- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
		6	+ Copyright (c) 1990-2017 Info-ZIP. All rights reserved.
		7
		8	See the accompanying file LICENSE, version 2009-Jan-02 or later
		9	(the contents of which are also included in unzip.h) for terms of use.
		10	@@ -1582,6 +1582,8 @@
		11	int r = IZ_PW_ENTERED;
		12	char *m;
		13	char *prompt;
		14	+ char *ep;
		15	+ char *zp;
		16
		17	#ifndef REENTRANT
		18	/* tell picky compilers to shut up about "unused variable" warnings */
		19	@@ -1590,9 +1592,12 @@
		20
		21	if (rcnt == 0) { / First call for current entry */
		22	*rcnt = 2;
		23	- if ((prompt = (char )malloc(2FILNAMSIZ + 15)) != (char *)NULL) {
		24	- sprintf(prompt, LoadFarString(PasswPrompt),
		25	- FnFilter1(zfn), FnFilter2(efn));
		26	+ zp = FnFilter1( zfn);
		27	+ ep = FnFilter2( efn);
		28	+ prompt = (char )malloc( / Slightly too long (2* "%s"). */
		29	+ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
		30	+ if (prompt != (char *)NULL) {
		31	+ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
		32	m = prompt;
		33	} else
		34	m = (char *)LoadFarString(PasswPrompt2);


diff --git a/main/unzip/fix-CVE-2014-8139.patch b/main/unzip/fix-CVE-2014-8139.patch new file mode 100644 index 0000000000..2465af0328 --- /dev/null +++ b/main/unzip/fix-CVE-2014-8139.patch
@@ -0,0 +1,75 @@
		1	--- a/extract.c
		2	+++ b/extract.c
		3	@@ -1,5 +1,5 @@
		4	/*
		5	- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
		6	+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
		7
		8	See the accompanying file LICENSE, version 2009-Jan-02 or later
		9	(the contents of which are also included in unzip.h) for terms of use.
		10	@@ -298,6 +298,8 @@
		11	#ifndef SFX
		12	static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
		13	EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
		14	+ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
		15	+ EF block length (%u bytes) invalid (< %d)\n";
		16	static ZCONST char Far InvalidComprDataEAs[] =
		17	" invalid compressed data for EAs\n";
		18	# if (defined(WIN32) && defined(NTSD_EAS))
		19	@@ -2032,7 +2034,8 @@
		20	ebID = makeword(ef);
		21	ebLen = (unsigned)makeword(ef+EB_LEN);
		22
		23	- if (ebLen > (ef_len - EB_HEADSIZE)) {
		24	+ if (ebLen > (ef_len - EB_HEADSIZE))
		25	+ {
		26	/* Discovered some extra field inconsistency! */
		27	if (uO.qflag)
		28	Info(slide, 1, ((char *)slide, "%-22s ",
		29	@@ -2167,11 +2170,29 @@
		30	}
		31	break;
		32	case EF_PKVMS:
		33	- if (makelong(ef+EB_HEADSIZE) !=
		34	- crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
		35	- (extent)(ebLen-4)))
		36	- Info(slide, 1, ((char *)slide,
		37	- LoadFarString(BadCRC_EAs)));
		38	+ /* 2015-01-30 SMS. Added sufficient-bytes test/message
		39	+ * here. (Removed defective ebLen test above.)
		40	+ *
		41	+ * If sufficient bytes (EB_PKVMS_MINLEN) are available,
		42	+ * then compare the stored CRC value with the calculated
		43	+ * CRC for the remainder of the data (and complain about
		44	+ * a mismatch).
		45	+ */
		46	+ if (ebLen < EB_PKVMS_MINLEN)
		47	+ {
		48	+ /* Insufficient bytes available. */
		49	+ Info( slide, 1,
		50	+ ((char *)slide, LoadFarString( TooSmallEBlength),
		51	+ ebLen, EB_PKVMS_MINLEN));
		52	+ }
		53	+ else if (makelong(ef+ EB_HEADSIZE) !=
		54	+ crc32(CRCVAL_INITIAL,
		55	+ (ef+ EB_HEADSIZE+ EB_PKVMS_MINLEN),
		56	+ (extent)(ebLen- EB_PKVMS_MINLEN)))
		57	+ {
		58	+ Info(slide, 1, ((char *)slide,
		59	+ LoadFarString(BadCRC_EAs)));
		60	+ }
		61	break;
		62	case EF_PKW32:
		63	case EF_PKUNIX:
		64	--- a/unzpriv.h
		65	+++ b/unzpriv.h
		66	@@ -1806,6 +1806,8 @@
		67	#define EB_NTSD_VERSION 4 /* offset of NTSD version byte */
		68	#define EB_NTSD_MAX_VER (0) /* maximum version # we know how to handle */
		69
		70	+#define EB_PKVMS_MINLEN 4 /* minimum data length of PKVMS extra block */
		71	+
		72	#define EB_ASI_CRC32 0 /* offset of ASI Unix field's crc32 checksum */
		73	#define EB_ASI_MODE 4 /* offset of ASI Unix permission mode field */
		74
		75