unzip: re-base patches

omniosorg · Jan 23, 2024 · 9ab2e2e · 9ab2e2e
1 parent c66d80d
commit 9ab2e2e
Show file tree

Hide file tree

Showing 21 changed files with 104 additions and 100 deletions.
diff --git a/build/unzip/patches/CVE-2014-8139-crc-overflow.patch b/build/unzip/patches/CVE-2014-8139-crc-overflow.patch
@@ -1,4 +1,4 @@
-diff -wpruN '--exclude=*.orig' a~/extract.c a/extract.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
 --- a~/extract.c	1970-01-01 00:00:00
 +++ a/extract.c	1970-01-01 00:00:00
 @@ -1,5 +1,5 @@

diff --git a/build/unzip/patches/CVE-2014-8140-test-compr-eb.patch b/build/unzip/patches/CVE-2014-8140-test-compr-eb.patch
@@ -1,4 +1,4 @@
-diff -wpruN '--exclude=*.orig' a~/extract.c a/extract.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
 --- a~/extract.c	1970-01-01 00:00:00
 +++ a/extract.c	1970-01-01 00:00:00
 @@ -2232,10 +2232,17 @@ static int test_compr_eb(__G__ eb, eb_si

diff --git a/build/unzip/patches/CVE-2014-8141-getzip64data.patch b/build/unzip/patches/CVE-2014-8141-getzip64data.patch
@@ -1,4 +1,4 @@
-diff -wpruN '--exclude=*.orig' a~/fileio.c a/fileio.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/fileio.c a/fileio.c
 --- a~/fileio.c	1970-01-01 00:00:00
 +++ a/fileio.c	1970-01-01 00:00:00
 @@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
@@ -24,7 +24,7 @@ diff -wpruN '--exclude=*.orig' a~/fileio.c a/fileio.c
  #ifdef UNICODE_SUPPORT
              G.unipath_filename = NULL;
              if (G.UzO.U_flag < 2) {
-diff -wpruN '--exclude=*.orig' a~/process.c a/process.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/process.c a/process.c
 --- a~/process.c	1970-01-01 00:00:00
 +++ a/process.c	1970-01-01 00:00:00
 @@ -1,5 +1,5 @@

diff --git a/build/unzip/patches/CVE-2014-9636-test-compr-eb.patch b/build/unzip/patches/CVE-2014-9636-test-compr-eb.patch
@@ -1,4 +1,4 @@
-diff -wpruN '--exclude=*.orig' a~/extract.c a/extract.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
 --- a~/extract.c	1970-01-01 00:00:00
 +++ a/extract.c	1970-01-01 00:00:00
 @@ -2228,6 +2228,7 @@ static int test_compr_eb(__G__ eb, eb_si

diff --git a/build/unzip/patches/CVE-2014-9913-unzip-buffer-overflow.patch b/build/unzip/patches/CVE-2014-9913-unzip-buffer-overflow.patch
@@ -5,7 +5,7 @@ Bug-Debian: https://bugs.debian.org/847485
 Bug-Ubuntu: https://launchpad.net/bugs/387350
 X-Debian-version: 6.0-21
 
-diff -wpruN '--exclude=*.orig' a~/list.c a/list.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/list.c a/list.c
 --- a~/list.c	1970-01-01 00:00:00
 +++ a/list.c	1970-01-01 00:00:00
 @@ -339,7 +339,18 @@ int list_files(__G)    /* return PK-type

diff --git a/build/unzip/patches/CVE-2015-7696-heap-overflow.patch b/build/unzip/patches/CVE-2015-7696-heap-overflow.patch
@@ -5,7 +5,7 @@ Bug-Debian: https://bugs.debian.org/802162
 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
 Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
 
-diff -wpruN '--exclude=*.orig' a~/crypt.c a/crypt.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/crypt.c a/crypt.c
 --- a~/crypt.c	1970-01-01 00:00:00
 +++ a/crypt.c	1970-01-01 00:00:00
 @@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)

diff --git a/build/unzip/patches/CVE-2015-7697-infinite-loop.patch b/build/unzip/patches/CVE-2015-7697-infinite-loop.patch
@@ -5,7 +5,7 @@ Bug-Debian: https://bugs.debian.org/802160
 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
 Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
 
-diff -wpruN '--exclude=*.orig' a~/extract.c a/extract.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
 --- a~/extract.c	1970-01-01 00:00:00
 +++ a/extract.c	1970-01-01 00:00:00
 @@ -2728,6 +2728,12 @@ __GDEF

diff --git a/build/unzip/patches/CVE-2016-9844-zipinfo-buffer-overflow.patch b/build/unzip/patches/CVE-2016-9844-zipinfo-buffer-overflow.patch
@@ -4,7 +4,7 @@ Bug-Debian: https://bugs.debian.org/847486
 Bug-Ubuntu: https://launchpad.net/bugs/1643750
 X-Debian-version: 6.0-21
 
-diff -wpruN '--exclude=*.orig' a~/zipinfo.c a/zipinfo.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/zipinfo.c a/zipinfo.c
 --- a~/zipinfo.c	1970-01-01 00:00:00
 +++ a/zipinfo.c	1970-01-01 00:00:00
 @@ -1921,7 +1921,18 @@ static int zi_short(__G)   /* return PK-

diff --git a/build/unzip/patches/CVE-2018-1000035-overflow-password-protect.patch b/build/unzip/patches/CVE-2018-1000035-overflow-password-protect.patch
@@ -1,4 +1,4 @@
-diff -wpruN '--exclude=*.orig' a~/fileio.c a/fileio.c
+diff -wpruN --no-dereference '--exclude=*.orig' a~/fileio.c a/fileio.c
 --- a~/fileio.c	1970-01-01 00:00:00
 +++ a/fileio.c	1970-01-01 00:00:00
 @@ -1,5 +1,5 @@

diff --git a/build/unzip/patches/CVE-2019-13232a.patch b/build/unzip/patches/CVE-2019-13232a.patch
@@ -6,9 +6,10 @@ X-Debian-version: 6.0-24
 
     Fix bug in undefer_input() that misplaced the input state.
 
---- a/fileio.c
-+++ b/fileio.c
-@@ -532,8 +532,10 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/fileio.c a/fileio.c
+--- a~/fileio.c	1970-01-01 00:00:00
++++ a/fileio.c	1970-01-01 00:00:00
+@@ -532,8 +532,10 @@ void undefer_input(__G)
           * This condition was checked when G.incnt_leftover was set > 0 in
           * defer_leftover_input(), and it is NOT allowed to touch G.csize
           * before calling undefer_input() when (G.incnt_leftover > 0)

diff --git a/build/unzip/patches/CVE-2019-13232b.patch b/build/unzip/patches/CVE-2019-13232b.patch
@@ -27,9 +27,10 @@ X-Debian-version: 6.0-24
     This commit depends on a preceding commit: "Fix bug in
     undefer_input() that misplaced the input state."
 
---- a/extract.c
-+++ b/extract.c
-@@ -321,6 +321,125 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
+--- a~/extract.c	1970-01-01 00:00:00
++++ a/extract.c	1970-01-01 00:00:00
+@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraF
    "\nerror:  unsupported extra-field compression type (%u)--skipping\n";
  static ZCONST char Far BadExtraFieldCRC[] =
    "error [%s]:  bad extra-field CRC %08lx (should be %08lx)\n";
@@ -155,7 +156,7 @@ X-Debian-version: 6.0-24
 
 
 
-@@ -376,6 +495,29 @@
+@@ -376,6 +495,29 @@ int extract_or_test_files(__G)    /* ret
      }
  #endif /* !SFX || SFX_EXDIR */
 
@@ -185,7 +186,7 @@ X-Debian-version: 6.0-24
  /*---------------------------------------------------------------------------
      The basic idea of this function is as follows.  Since the central di-
      rectory lies at the end of the zipfile and the member files lie at the
-@@ -593,7 +735,8 @@
+@@ -593,7 +735,8 @@ int extract_or_test_files(__G)    /* ret
              if (error > error_in_archive)
                  error_in_archive = error;
              /* ...and keep going (unless disk full or user break) */
@@ -195,7 +196,7 @@ X-Debian-version: 6.0-24
                  /* clear reached_end to signal premature stop ... */
                  reached_end = FALSE;
                  /* ... and cancel scanning the central directory */
-@@ -1062,6 +1205,11 @@
+@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G
 
          /* seek_zipf(__G__ pInfo->offset);  */
          request = G.pInfo->offset + G.extra_bytes;
@@ -207,7 +208,7 @@ X-Debian-version: 6.0-24
          inbuf_offset = request % INBUFSIZ;
          bufstart = request - inbuf_offset;
 
-@@ -1602,6 +1750,18 @@
+@@ -1602,6 +1750,18 @@ reprompt:
              return IZ_CTRLC;        /* cancel operation by user request */
          }
  #endif
@@ -226,7 +227,7 @@ X-Debian-version: 6.0-24
  #ifdef MACOS  /* MacOS is no preemptive OS, thus call event-handling by hand */
          UserStop();
  #endif
-@@ -2003,6 +2163,34 @@
+@@ -2003,6 +2163,34 @@ static int extract_or_test_member(__G)
      }
 
      undefer_input(__G);
@@ -261,19 +262,21 @@ X-Debian-version: 6.0-24
      return error;
 
  } /* end function extract_or_test_member() */
---- a/globals.c
-+++ b/globals.c
-@@ -181,6 +181,7 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/globals.c a/globals.c
+--- a~/globals.c	1970-01-01 00:00:00
++++ a/globals.c	1970-01-01 00:00:00
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
  # if (!defined(NO_TIMESTAMPS))
      uO.D_flag=1;    /* default to '-D', no restoration of dir timestamps */
  # endif
 +    G.cover = NULL;     /* not allocated yet */
  #endif
 
      uO.lflag=(-1);
---- a/globals.h
-+++ b/globals.h
-@@ -260,12 +260,15 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/globals.h a/globals.h
+--- a~/globals.h	1970-01-01 00:00:00
++++ a/globals.h	1970-01-01 00:00:00
+@@ -260,12 +260,15 @@ typedef struct Globals {
      ecdir_rec       ecrec;         /* used in unzip.c, extract.c */
      z_stat   statbuf;              /* used by main, mapname, check_for_newer */
 
@@ -289,9 +292,10 @@ X-Debian-version: 6.0-24
 
      int      didCRlast;            /* fileio static */
      ulg      numlines;             /* fileio static: number of lines printed */
---- a/process.c
-+++ b/process.c
-@@ -637,6 +637,13 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/process.c a/process.c
+--- a~/process.c	1970-01-01 00:00:00
++++ a/process.c	1970-01-01 00:00:00
+@@ -637,6 +637,13 @@ void free_G_buffers(__G)     /* releases
      }
  #endif
 
@@ -305,7 +309,7 @@ X-Debian-version: 6.0-24
  } /* end function free_G_buffers() */
 
 
-@@ -1913,6 +1920,8 @@
+@@ -1900,6 +1907,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
  #define Z64FLGS 0xffff
  #define Z64FLGL 0xffffffff
 
@@ -314,7 +318,7 @@ X-Debian-version: 6.0-24
      if (ef_len == 0 || ef_buf == NULL)
          return PK_COOL;
 
-@@ -2084,6 +2093,8 @@
+@@ -2071,6 +2080,8 @@ int getUnicodeData(__G__ ef_buf, ef_len)
                      (ZCONST char *)(offset + ef_buf), ULen);
              G.unipath_filename[ULen] = '\0';
            }
@@ -323,9 +327,10 @@ X-Debian-version: 6.0-24
          }
 
          /* Skip this extra field block */
---- a/unzip.h
-+++ b/unzip.h
-@@ -645,6 +645,7 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/unzip.h a/unzip.h
+--- a~/unzip.h	1970-01-01 00:00:00
++++ a/unzip.h	1970-01-01 00:00:00
+@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
  #define PK_NOZIP           9   /* zipfile not found */
  #define PK_PARAM          10   /* bad or illegal parameters specified */
  #define PK_FIND           11   /* no files found */

diff --git a/build/unzip/patches/CVE-2019-13232c.patch b/build/unzip/patches/CVE-2019-13232c.patch
@@ -14,9 +14,10 @@ X-Debian-version: 6.0-25
     as disallowed locations. This now permits such containers to not
     raise a zip bomb alert, where in fact there are no overlaps.
 
---- a/extract.c
-+++ b/extract.c
-@@ -495,8 +495,11 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
+--- a~/extract.c	1970-01-01 00:00:00
++++ a/extract.c	1970-01-01 00:00:00
+@@ -495,8 +495,11 @@ int extract_or_test_files(__G)    /* ret
      }
  #endif /* !SFX || SFX_EXDIR */
 
@@ -30,7 +31,7 @@ X-Debian-version: 6.0-25
      if (G.cover == NULL) {
          G.cover = malloc(sizeof(cover_t));
          if (G.cover == NULL) {
-@@ -508,15 +511,25 @@
+@@ -508,15 +511,25 @@ int extract_or_test_files(__G)    /* ret
          ((cover_t *)G.cover)->max = 0;
      }
      ((cover_t *)G.cover)->num = 0;
@@ -60,9 +61,10 @@ X-Debian-version: 6.0-25
 
  /*---------------------------------------------------------------------------
      The basic idea of this function is as follows.  Since the central di-
---- a/process.c
-+++ b/process.c
-@@ -1408,6 +1408,10 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/process.c a/process.c
+--- a~/process.c	1970-01-01 00:00:00
++++ a/process.c	1970-01-01 00:00:00
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen)
 
      /* Now, we are (almost) sure that we have a Zip64 archive. */
      G.ecrec.have_ecr64 = 1;
@@ -73,7 +75,7 @@ X-Debian-version: 6.0-25
 
      /* Update the "end-of-central-dir offset" for later checks. */
      G.real_ecrec_offset = ecrec64_start_offset;
-@@ -1542,6 +1546,8 @@
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen)
        makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
      G.ecrec.zipfile_comment_length =
        makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
@@ -82,9 +84,10 @@ X-Debian-version: 6.0-25
 
      /* Now, we have to read the archive comment, BEFORE the file pointer
         is moved away backwards to seek for a Zip64 ECLOC64 structure.
---- a/unzpriv.h
-+++ b/unzpriv.h
-@@ -2185,6 +2185,16 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/unzpriv.h a/unzpriv.h
+--- a~/unzpriv.h	1970-01-01 00:00:00
++++ a/unzpriv.h	1970-01-01 00:00:00
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
         int have_ecr64;                  /* valid Zip64 ecdir-record exists */
         int is_zip64_archive;            /* Zip64 ecdir-record is mandatory */
         ush zipfile_comment_length;

diff --git a/build/unzip/patches/CVE-2019-13232d.patch b/build/unzip/patches/CVE-2019-13232d.patch
@@ -10,9 +10,10 @@ X-Debian-version: 6.0-26
     could result in a false overlapped element detection when a small
     bzip2-compressed file was unzipped. This commit remedies that.
 
---- a/extract.c
-+++ b/extract.c
-@@ -3052,7 +3052,7 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/extract.c a/extract.c
+--- a~/extract.c	1970-01-01 00:00:00
++++ a/extract.c	1970-01-01 00:00:00
+@@ -3051,7 +3051,7 @@ __GDEF
  #endif
 
      G.inptr = (uch *)bstrm.next_in;

diff --git a/build/unzip/patches/CVE-2019-13232e.patch b/build/unzip/patches/CVE-2019-13232e.patch
@@ -10,9 +10,10 @@ X-Debian-version: 6.0-26
     deflate-compressed file was unzipped using an old zlib. This
     commit remedies that.
 
---- a/inflate.c
-+++ b/inflate.c
-@@ -700,7 +700,7 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/inflate.c a/inflate.c
+--- a~/inflate.c	1970-01-01 00:00:00
++++ a/inflate.c	1970-01-01 00:00:00
+@@ -700,7 +700,7 @@ int UZinflate(__G__ is_defl64)
        G.dstrm.total_out));
 
      G.inptr = (uch *)G.dstrm.next_in;

diff --git a/build/unzip/patches/CVE-2021-4217.patch b/build/unzip/patches/CVE-2021-4217.patch
@@ -5,9 +5,10 @@ As can be seen in fileio.c:3326 patch is already implemented here but not in pro
 
 I will try to ask Steven Schweda (maintainer) why it is so.
 
---- a/process.c	2022-02-28 21:31:13.665727140 +0000
-+++ b/process.c	2022-02-28 21:32:11.636401015 +0000
-@@ -2626,6 +2626,11 @@
+diff -wpruN --no-dereference '--exclude=*.orig' a~/process.c a/process.c
+--- a~/process.c	1970-01-01 00:00:00
++++ a/process.c	1970-01-01 00:00:00
+@@ -2051,6 +2051,11 @@ int getUnicodeData(__G__ ef_buf, ef_len)
            G.unipath_checksum = makelong(offset + ef_buf);
            offset += 4;