# HG changeset patch
# User Vladimir Marek
# Date 1456495280 -3600
# Node ID fb31633dac768ea906334d89449782bad0fa738a
# Parent 5ae80072d3ba197f1e02b7c0ce67fd53d2ac0cb5
22782878 The option -T (Test for Integrity/ on files named *.war fail
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/00_6719511-i18.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/00_6719511-i18.patch Fri Feb 26 15:01:20 2016 +0100
@@ -0,0 +1,512 @@ +diff -ur unzip60-orig/fileio.c unzip60/fileio.c +--- unzip60-orig/fileio.c 2009-04-20 02:03:44.000000000 +0200 ++++ unzip60/fileio.c 2011-02-25 11:57:38.242056429 +0100 +@@ -2126,9 +2126,16 @@ + /* translate the text coded in the entry's host-dependent + "extended ASCII" charset into the compiler's (system's) + internal text code page */ ++#ifdef UNIX ++ Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum, ++ G.pInfo->hostver, G.pInfo->HasUxAtt, ++ FALSE, OUTBUFSIZ); ++#else /* !UNIX */ + Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum, + G.pInfo->hostver, G.pInfo->HasUxAtt, + FALSE); ++#endif /* UNIX */ ++ + #ifdef WINDLL + /* translate to ANSI (RTL internal codepage may be OEM) */ + INTERN_TO_ISO((char *)G.outbuf, (char *)G.outbuf); +@@ -2240,8 +2247,13 @@ + + /* translate the Zip entry filename coded in host-dependent "extended + ASCII" into the compiler's (system's) internal text code page */ ++#ifdef UNIX ++ Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver, ++ G.pInfo->HasUxAtt, (option == DS_FN_L), FILNAMSIZ); ++#else /* !UNIX */ + Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver, + G.pInfo->HasUxAtt, (option == DS_FN_L)); ++#endif /* UNIX */ + + if (G.pInfo->lcflag) /* replace with lowercase filename */ + STRLOWER(G.filename, G.filename); +Only in unzip60: fileio.c.orig +diff -ur unzip60-orig/unix/unix.c unzip60/unix/unix.c +--- unzip60-orig/unix/unix.c 2009-01-24 00:31:26.000000000 +0100 ++++ unzip60/unix/unix.c 2011-02-25 11:57:38.259028876 +0100 +@@ -30,6 +30,10 @@ + #define UNZIP_INTERNAL + #include "unzip.h" + ++#include ++#include ++#include ++ + #ifdef SCO_XENIX + # define SYSNDIR + #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... 
*/ +@@ -1874,3 +1878,128 @@ + } + } + #endif /* QLZIP */ ++ ++ ++typedef struct { ++ char *local_charset; ++ char *archive_charset; ++} CHARSET_MAP; ++ ++/* A mapping of local <-> archive charsets used by default to convert filenames ++ * of DOS/Windows Zip archives. Currently very basic. */ ++const static CHARSET_MAP dos_charset_map[] = { ++ { "ANSI_X3.4-1968", "CP850" }, ++ { "ISO-8859-1", "CP850" }, ++ { "CP1252", "CP850" }, ++ { "KOI8-R", "CP866" }, ++ { "KOI8-U", "CP866" }, ++ { "ISO-8859-5", "CP866" } ++}; ++ ++typedef struct { ++ char *locale; ++ char *archive_charset; ++} UTF8_CHARSET_MAP; ++ ++/* In case local charset is UTF-8, lookup archive_charset ++ by locale. Currently very basic. */ ++#define UTF8_CHARSET_MAP_DEFAULT "CP866" ++const static UTF8_CHARSET_MAP utf8_charset_map[] = { ++ { "ja_JP", "CP932" }, ++ { "zh_CN", "GBK" }, ++ { "zh_TW", "BIG5" }, ++ { "ko_KR", "CP949" }, ++}; ++ ++char OEM_CP[MAX_CP_NAME] = ""; ++char ISO_CP[MAX_CP_NAME] = ""; ++ ++/* Try to guess the default value of OEM_CP based on the current locale. ++ * ISO_CP is left alone for now. */ ++void init_conversion_charsets(const char *loc) ++{ ++ const char *local_charset; ++ int i; ++ ++ /* Make a guess only if OEM_CP not already set. 
*/ ++ if(*OEM_CP == '\0') ++ { ++ local_charset = nl_langinfo(CODESET); ++ if (!strcasecmp(local_charset, "UTF-8") || !strcasecmp(local_charset, ++"UTF8") ) ++ { ++ strcpy(OEM_CP, UTF8_CHARSET_MAP_DEFAULT); ++ for(i = 0; i < sizeof(utf8_charset_map)/sizeof(UTF8_CHARSET_MAP); ++ i++) ++ { ++ if (!strncmp(loc, utf8_charset_map[i].locale, 5)) ++ { ++ strncpy(OEM_CP, utf8_charset_map[i].archive_charset, ++ sizeof(OEM_CP) - 1); ++ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; ++ break; ++ } ++ } ++ } ++ else ++ { ++ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) ++ { ++ if (!strcasecmp(local_charset, ++ dos_charset_map[i].local_charset)) ++ { ++ strncpy(OEM_CP, dos_charset_map[i].archive_charset, ++ sizeof(OEM_CP) - 1); ++ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; ++ break; ++ } ++ } ++ } ++ } ++} ++ ++/* Convert a string from one encoding to the current locale using iconv(). ++ * Be as non-intrusive as possible. If error is encountered during covertion ++ * just leave the string intact. */ ++static void charset_to_intern(char *string, size_t sbuflen, char *from_charset) ++{ ++ iconv_t cd; ++ char *s,*d, *buf; ++ size_t slen, dlen; ++ const char *local_charset; ++ ++ if(*from_charset == '\0') ++ return; ++ ++ local_charset = nl_langinfo(CODESET); ++ ++ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1) ++ return; ++ ++ slen = strlen(string); ++ s = string; ++ dlen = sbuflen - 1; ++ d = buf = malloc(sbuflen); ++ if(!d) ++ goto cleanup; ++ if(iconv(cd, (const char **)&s, &slen, &d, &dlen) != (size_t)-1) { ++ *d = '\0'; ++ strcpy(string, buf); ++ } ++ ++ free(buf); ++ cleanup: ++ iconv_close(cd); ++} ++ ++/* Convert a string from OEM_CP to the current locale charset. */ ++void oem_intern(char *string, size_t sbuflen) ++{ ++ charset_to_intern(string, sbuflen, OEM_CP); ++} ++ ++/* Convert a string from ISO_CP to the current locale charset. 
*/ ++void iso_intern(char *string, size_t sbuflen) ++{ ++ charset_to_intern(string, sbuflen, ISO_CP); ++} +Only in unzip60/unix: unix.c.orig +diff -ur unzip60-orig/unix/unxcfg.h unzip60/unix/unxcfg.h +--- unzip60-orig/unix/unxcfg.h 2009-04-16 20:36:12.000000000 +0200 ++++ unzip60/unix/unxcfg.h 2011-02-25 11:57:38.262941301 +0100 +@@ -52,6 +52,7 @@ + + #include /* off_t, time_t, dev_t, ... */ + #include ++#include + + #ifdef NO_OFF_T + typedef long zoff_t; +@@ -227,4 +228,30 @@ + /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */ + /* and notfirstcall are used by do_wild(). */ + ++ ++#define MAX_CP_NAME 25 ++ ++#ifdef SETLOCALE ++# undef SETLOCALE ++#endif ++#define SETLOCALE(category, locale) setlocale(category, locale) ++#include ++ ++#ifdef _ISO_INTERN ++# undef _ISO_INTERN ++#endif ++#define _ISO_INTERN(str1, ssize) iso_intern(str1, ssize) ++ ++#ifdef _OEM_INTERN ++# undef _OEM_INTERN ++#endif ++#ifndef IZ_OEM2ISO_ARRAY ++# define IZ_OEM2ISO_ARRAY ++#endif ++#define _OEM_INTERN(str1, ssize) oem_intern(str1, ssize) ++ ++void iso_intern(char *, size_t); ++void oem_intern(char *, size_t); ++void init_conversion_charsets(const char *); ++ + #endif /* !__unxcfg_h */ +Only in unzip60/unix: unxcfg.h.orig +diff -ur unzip60-orig/unzip.c unzip60/unzip.c +--- unzip60-orig/unzip.c 2009-04-16 20:26:52.000000000 +0200 ++++ unzip60/unzip.c 2011-02-26 00:03:41.011389301 +0100 +@@ -327,11 +327,21 @@ + -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\ + -v verbose, multi-page format\n"; + ++#ifdef UNIX ++static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ ++ -h print header line -t print totals for listed files or for all\n\ ++ -z print zipfile comment -T print file times in sortable decimal format\ ++\n -C be case-insensitive %s\ ++ -x exclude filenames that follow from listing\n\ ++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ ++ -I CHARSET specify a character encoding for UNIX and 
other archives\n"; ++#else /* !UNIX */ + static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ + -h print header line -t print totals for listed files or for all\n\ + -z print zipfile comment -T print file times in sortable decimal format\ + \n -C be case-insensitive %s\ + -x exclude filenames that follow from listing\n"; ++#endif /* UNIX */ + #ifdef MORE + static ZCONST char Far ZipInfoUsageLine4[] = + " -M page output through built-in \"more\"\n"; +@@ -666,6 +676,18 @@ + -C match filenames case-insensitively -L make (some) names \ + lowercase\n %-42s -V retain VMS version numbers\n%s"; + #else /* !VMS */ ++#ifdef UNIX ++static ZCONST char Far UnzipUsageLine4[] = "\ ++modifiers:\n\ ++ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\ ++ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\ ++ -j junk paths (do not make directories) -aa treat ALL files as text\n\ ++ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ ++ -C match filenames case-insensitively -L make (some) names \ ++lowercase\n %-42s -V retain VMS version numbers\n%s\n\ ++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ ++ -I CHARSET specify a character encoding for UNIX and other archives\n\n"; ++#else /* !UNIX */ + static ZCONST char Far UnzipUsageLine4[] = "\ + modifiers:\n\ + -n never overwrite existing files -q quiet mode (-qq => quieter)\n\ +@@ -674,6 +696,7 @@ + -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ + -C match filenames case-insensitively -L make (some) names \ + lowercase\n %-42s -V retain VMS version numbers\n%s"; ++#endif /* UNIX */ + #endif /* ?VMS */ + #else /* !UNICODE_SUPPORT */ + #ifdef VMS +@@ -742,6 +765,9 @@ + int i; + #endif + int retcode, error=FALSE; ++#ifdef UNIX ++ const char *loc; ++#endif + #ifndef NO_EXCEPT_SIGNALS + #ifdef REENTRANT + savsigs_info *oldsighandlers = NULL; +@@ -756,7 +782,12 @@ + #endif /* NO_EXCEPT_SIGNALS */ + + /* 
initialize international char support to the current environment */ ++#ifdef UNIX ++ loc = SETLOCALE(LC_CTYPE,""); ++ init_conversion_charsets(loc); ++#else /* !UNIX */ + SETLOCALE(LC_CTYPE, ""); ++#endif /* UNIX */ + + #ifdef UNICODE_SUPPORT + /* see if can use UTF-8 Unicode locale */ +@@ -1336,6 +1367,11 @@ + argc = *pargc; + argv = *pargv; + ++#ifdef UNIX ++ extern char OEM_CP[MAX_CP_NAME]; ++ extern char ISO_CP[MAX_CP_NAME]; ++#endif ++ + while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) { + s = *argv + 1; + while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */ +@@ -1517,6 +1553,37 @@ + } + break; + #endif /* MACOS */ ++#ifdef UNIX ++ case ('I'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Icharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); ++ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; ++ } else { /* -I charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); ++ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case ('j'): /* junk pathnames/directory structure */ + if (negative) + uO.jflag = FALSE, negative = 0; +@@ -1592,6 +1659,37 @@ + } else + ++uO.overwrite_all; + break; ++#ifdef UNIX ++ case ('O'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Ocharset case */ ++ /* Assume that 
charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); ++ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; ++ } else { /* -O charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -O argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); ++ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case ('p'): /* pipes: extract to stdout, no messages */ + if (negative) { + uO.cflag = FALSE; +Only in unzip60: unzip.c.orig +diff -ur unzip60-orig/unzpriv.h unzip60/unzpriv.h +--- unzip60-orig/unzpriv.h 2009-04-20 01:59:26.000000000 +0200 ++++ unzip60/unzpriv.h 2011-02-25 11:57:38.275212165 +0100 +@@ -3003,6 +3003,18 @@ + * All other ports are assumed to code zip entry filenames in ISO 8859-1. 
+ */ + #ifndef Ext_ASCII_TO_Native ++#ifdef UNIX ++# define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr, ssize) \ ++ if (((hostnum) == FS_FAT_ && \ ++ !(((islochdr) || (isuxatt)) && \ ++ ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \ ++ (hostnum) == FS_HPFS_ || \ ++ ((hostnum) == FS_NTFS_/* && (hostver) == 50*/)) { \ ++ _OEM_INTERN((string), (ssize)); \ ++ } else { \ ++ _ISO_INTERN((string), (ssize)); \ ++ } ++#else /* !UNIX */ + # define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \ + if (((hostnum) == FS_FAT_ && \ + !(((islochdr) || (isuxatt)) && \ +@@ -3013,10 +3025,10 @@ + } else { \ + _ISO_INTERN((string)); \ + } ++#endif /* UNIX */ + #endif + + +- + /**********************/ + /* Global constants */ + /**********************/ +Only in unzip60: unzpriv.h.orig +diff -ur unzip60-orig/zipinfo.c unzip60/zipinfo.c +--- unzip60-orig/zipinfo.c 2009-02-08 18:04:30.000000000 +0100 ++++ unzip60/zipinfo.c 2011-02-25 11:57:38.281586457 +0100 +@@ -457,6 +457,10 @@ + int tflag_slm=TRUE, tflag_2v=FALSE; + int explicit_h=FALSE, explicit_t=FALSE; + ++#ifdef UNIX ++ extern char OEM_CP[MAX_CP_NAME]; ++ extern char ISO_CP[MAX_CP_NAME]; ++#endif + + #ifdef MACOS + uO.lflag = LFLAG; /* reset default on each call */ +@@ -501,6 +505,37 @@ + uO.lflag = 0; + } + break; ++#ifdef UNIX ++ case ('I'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Icharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); ++ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; ++ } else { /* -I charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid 
character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); ++ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case 'l': /* longer form of "ls -l" type listing */ + if (negative) + uO.lflag = -2, negative = 0; +@@ -521,6 +556,37 @@ + G.M_flag = TRUE; + break; + #endif ++#ifdef UNIX ++ case ('O'): ++ if (negative) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: encodings can't be negated")); ++ return(PK_PARAM); ++ } else { ++ if(*s) { /* Handle the -Ocharset case */ ++ /* Assume that charsets can't start with a dash to spot arguments misuse */ ++ if(*s == '-') { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -I argument")); ++ return(PK_PARAM); ++ } ++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); ++ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; ++ } else { /* -O charset */ ++ ++argv; ++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { ++ Info(slide, 0x401, ((char *)slide, ++ "error: a valid character encoding should follow the -O argument")); ++ return(PK_PARAM); ++ } ++ s = *argv; ++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); ++ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; ++ } ++ while(*(++s)); /* No params straight after charset name */ ++ } ++ break; ++#endif /* ?UNIX */ + case 's': /* default: shorter "ls -l" type listing */ + if (negative) + uO.lflag = -2, negative = 0; +Only in unzip60: zipinfo.c.orig diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/01_CVE-2014-8139.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/unzip/patches/01_CVE-2014-8139.patch Fri Feb 26 15:01:20 2016 +0100 
@@ -0,0 +1,51 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174844
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- unzip60/extract.c 2010-04-03 14:41:55 -0500
++++ unzip60/extract.c 2014-12-03 15:33:35 -0600
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2032,6 +2035,16 @@
+ ebLen, (ef_len - EB_HEADSIZE)));
+ return PK_ERR;
+ }
++ else if (ebLen < EB_HEADSIZE)
++ {
++ /* Extra block length smaller than header length. */
++ if (uO.qflag)
++ Info(slide, 1, ((char *)slide, "%-22s ",
++ FnFilter1(G.filename)));
++ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
++ ebLen, EB_HEADSIZE));
++ return PK_ERR;
++ }
+
+ switch (ebID) {
+ case EF_OS2:
+
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/02_CVE-2014-8140.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/02_CVE-2014-8140.patch Fri Feb 26 15:01:20 2016 +0100
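Review bot: In 01_CVE-2014-8139.patch the added `else if (ebLen < EB_HEADSIZE)` branch returns PK_ERR for every extra block whose length field is smaller than the header size. The test just above it compares ebLen with `ef_len - EB_HEADSIZE`, which suggests ebLen counts only the block's data, so a short or empty block can be well formed and would be rejected here. 06_CVE-2014-8139.2.patch in this same changeset removes the branch again and checks `ebLen < 4` only in the EF_PKVMS case. Folding 01 into 06, or adding a header line to 01 such as `Superseded in part by 06_CVE-2014-8139.2.patch; do not apply alone.`, would keep someone from picking up 01 by itself. The enclosing function starts and ends outside the hunk.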
@@ -0,0 +1,28 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174851
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- a/extract.c 2009-03-14 02:32:52.000000000 +0100
++++ b/extract.c 2014-12-05 22:43:13.000000000 +0100
+@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/03_CVE-2014-8141.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/03_CVE-2014-8141.patch Fri Feb 26 15:01:20 2016 +0100
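Review bot: In 02_CVE-2014-8140.patch the third term's `(eb_ucsize > 0L)` can never be false once the second term `... == 0L` has been evaluated as false, assuming eb_ucsize is the unsigned `ulg` shown in the context lines of 04_CVE-2014-9636.patch. Dropping it leaves `(eb_size <= (compr_offset + EB_CMPRHEADLEN))` as the third check and matches the three cases the new comment lists. The assignment to eb_ucsize happens inside the condition and only when the first term is false; a short comment at that line, e.g. `/* eb_ucsize is read only after eb_size is known to hold it */`, would make that ordering dependency explicit. test_compr_eb starts and ends outside the hunk.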
@@ -0,0 +1,138 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174856
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- a/process.c 2009-03-06 02:25:10.000000000 +0100
++++ b/process.c 2014-12-05 22:42:39.000000000 +0100
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
+--- a/fileio.c 2009-04-20 02:03:44.000000000 +0200
++++ b/fileio.c 2014-12-05 22:44:16.000000000 +0100
+@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/04_CVE-2014-9636.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/04_CVE-2014-9636.patch Fri Feb 26 15:01:20 2016 +0100
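Review bot: In 03_CVE-2014-8141.patch the new guards in getZip64Data compare `offset` with `ef_len`, the remaining length of the whole extra field, not with the length of the EF_PKSZ64 block being parsed. A block whose `eb_len` is too short for the fields the 0xffffffff/0xffff flags ask for still passes when other blocks follow it, and the 8- or 4-byte values are then taken from the following block's bytes; the reads stay inside the buffer, but the sizes and offsets they produce are not Zip64 data. Bounding by the block, `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;` (and `offset + 4` for the disk number), closes that. Separately, a PK_ERR return leaves the G.crec/G.lrec fields that were already overwritten in place, while the do_string hunk only sets `error = PK_WARN` and continues, which deserves a comment at the call site. Both functions start and end outside their hunks.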
@@ -0,0 +1,44 @@
+Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
+More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+
+From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From: mancha
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
+ eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+ return IZ_EF_TRUNC; /* no compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/05_unix-configure.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/05_unix-configure.patch Fri Feb 26 15:01:20 2016 +0100
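Review bot: In 04_CVE-2014-9636.patch the STORED check `eb_size - compr_offset != eb_ucsize` leaves out EB_CMPRHEADLEN, although the truncation test in the context lines just above it treats `compr_offset + EB_CMPRHEADLEN` as the point where the compressed data begins. A block that passes therefore appears to hold EB_CMPRHEADLEN fewer stored bytes than eb_ucsize claims. 06_CVE-2014-8139.2.patch in this changeset replaces the test with `eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize`; folding that correction into this file would avoid carrying the weaker check as a standalone patch. The second hunk's context (`/* no compressed data! */`) also shows the text from before 02_CVE-2014-8140.patch, so after 02 it presumably applies only with fuzz, and regenerating it against the patched tree would make the series apply cleanly. test_compr_eb starts and ends outside the hunks.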
@@ -0,0 +1,11 @@
+--- unzip60/unix/configure.bkp 2011-07-28 07:07:08.691240200 -0700
++++ unzip60/unix/configure 2011-07-28 07:07:47.315977300 -0700
+@@ -646,7 +646,7 @@
+
+
+ echo CC=\"${CC}\" CF=\"${CFLAGSR} ${D_USE_BZ2}\" CRCA_O=\"${CRC32OA}\" \
+- AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1}\" LF2=\"${LFLAGS2}\" \
++ AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1} ${LD_OPTIONS}\" LF2=\"${LFLAGS2}\" \
+ CC_BZ=\"${CC_BZ}\" CFLAGS_BZ=\"${CFLAGS_BZ}\" \
+ IZ_BZIP2=\"${IZ_BZIP2}\" D_USE_BZ2=\"${D_USE_BZ2}\" \
+ L_BZ2=\"${L_BZ2}\" LIBBZ2=\"${LIBBZ2}\" > flags
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/06_CVE-2014-8139.2.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/06_CVE-2014-8139.2.patch Fri Feb 26 15:01:20 2016 +0100
@@ -0,0 +1,160 @@
+The fix is taken from http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=454
+and should be available in next unzip release.
+
+--- unzip60/extract.c Fri Feb 26 07:14:44 2016
++++ /home/vmarek/extract.c Mon Feb 22 08:32:56 2016
+@@ -298,7 +298,7 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+- static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+@@ -2035,16 +2035,6 @@
+ ebLen, (ef_len - EB_HEADSIZE)));
+ return PK_ERR;
+ }
+- else if (ebLen < EB_HEADSIZE)
+- {
+- /* Extra block length smaller than header length. */
+- if (uO.qflag)
+- Info(slide, 1, ((char *)slide, "%-22s ",
+- FnFilter1(G.filename)));
+- Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+- ebLen, EB_HEADSIZE));
+- return PK_ERR;
+- }
+
+ switch (ebID) {
+ case EF_OS2:
+@@ -2171,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
+@@ -2230,7 +2228,7 @@
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
+- ush method;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2247,11 +2245,14 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+- method = makeword(eb + (EB_HEADSIZE + compr_offset));
+- if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
+- return PK_ERR; /* compressed & uncompressed
+- * should match in STORED
+- * method */
++ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) &&
++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
++ return PK_ERR;
+
+ if (
+ #ifdef INT_16BIT
+@@ -2523,10 +2524,28 @@
+ __GDEF
+ slinkentry *slnk_entry;
+ {
++ int sts;
+ extent ucsize = slnk_entry->targetlen;
+ char *linkfname = slnk_entry->fname;
+ char *linktarget = (char *)malloc(ucsize+1);
+
++#ifdef VMS
++ static int vms_symlink_works = -1;
++
++ if (vms_symlink_works < 0)
++ {
++ /* Test symlink() with an invalid file name. If errno comes
++ * back ENOSYS ("Function not implemented"), then don't try to
++ * use it below on the symlink placeholder text files.
++ */
++ vms_symlink_works = symlink( "", "?");
++ if (errno == ENOSYS)
++ vms_symlink_works = 0;
++ else
++ vms_symlink_works = 1;
++ }
++#endif /* def VMS */
++
+ if (!linktarget) {
+ Info(slide, 0x201, ((char *)slide,
+ LoadFarString(SymLnkWarnNoMem), FnFilter1(linkfname)));
+@@ -2554,11 +2573,29 @@
+ return;
+ }
+ fclose(G.outfile); /* close "data" file for good... */
++
++#ifdef VMS
++ if (vms_symlink_works == 0)
++ {
++ /* Should we be using some UnZip error message function instead
++ * of perror() (or equivalent) for these "symlink error"
++ * messages?
++ */
++ Info(slide, 0, ((char *)slide, LoadFarString(SymLnkFinish),
++ FnFilter1(linkfname), FnFilter2(linktarget)));
++
++ fprintf( stderr, "Symlink error: %s\n", strerror( ENOSYS));
++ free(linktarget);
++ return;
++ }
++#endif /* def VMS */
++
+ unlink(linkfname); /* ...and delete it */
+- if (QCOND2)
++ sts = symlink(linktarget, linkfname); /* create the real link */
++ if (QCOND2 || (sts != 0))
+ Info(slide, 0, ((char *)slide, LoadFarString(SymLnkFinish),
+ FnFilter1(linkfname), FnFilter2(linktarget)));
+- if (symlink(linktarget, linkfname)) /* create the real link */
++ if (sts != 0)
+ perror("symlink error");
+ free(linktarget);
+ #ifdef SET_SYMLINK_ATTRIBS
+@@ -2652,7 +2689,7 @@
+ #endif /* ?HAVE_WORKING_ISPRINT */
+ } else {
+ #ifdef _MBCS
+- unsigned i = CLEN(r);
++ extent i = CLEN(r);
+ if (se != NULL && (s > (space + (size-i-2)))) {
+ have_overflow = TRUE;
+ break;
+@@ -2835,7 +2872,7 @@
+ #endif
+
+ G.inptr = (uch *)bstrm.next_in;
+- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */
++ G.incnt = (int)((G.inbuf + INBUFSIZ) - G.inptr); /* Reset for others. */
+
+ uzbunzip_cleanup_exit:
+ err = BZ2_bzDecompressEnd(&bstrm);
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/6719511-i18.patch
--- a/components/unzip/patches/6719511-i18.patch Tue Mar 01 18:50:57 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
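Review bot: The header of 06_CVE-2014-8139.2.patch names its new file as `+++ /home/vmarek/extract.c`, a path from the author's workstation that matches neither the `unzip60/` nor the `a/`, `b/` prefixes used by the other patches in this directory, so which file gets patched depends on how the patch tool falls back to the `---` name; `+++ unzip60/extract.c` would be unambiguous and keeps a local path out of the repository. The patch also removes the `ebLen < EB_HEADSIZE` branch added by 01_CVE-2014-8139.patch and rewrites the STORED check added by 04_CVE-2014-9636.patch, so it only applies after both. A header line such as `Applies on top of 01 and 04; replaces the ebLen < EB_HEADSIZE check from 01 and the STORED size check from 04.` would document that ordering. In the VMS-only probe, `if (errno == ENOSYS)` is read without clearing errno first or checking that symlink() failed, which is worth a `errno = 0;` before the call if that block is kept.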
@@ -1,512 +0,0 @@ -diff -ur unzip60-orig/fileio.c unzip60/fileio.c ---- unzip60-orig/fileio.c 2009-04-20 02:03:44.000000000 +0200 -+++ unzip60/fileio.c 2011-02-25 11:57:38.242056429 +0100 -@@ -2126,9 +2126,16 @@ - /* translate the text coded in the entry's host-dependent - "extended ASCII" charset into the compiler's (system's) - internal text code page */ -+#ifdef UNIX -+ Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum, -+ G.pInfo->hostver, G.pInfo->HasUxAtt, -+ FALSE, OUTBUFSIZ); -+#else /* !UNIX */ - Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum, - G.pInfo->hostver, G.pInfo->HasUxAtt, - FALSE); -+#endif /* UNIX */ -+ - #ifdef WINDLL - /* translate to ANSI (RTL internal codepage may be OEM) */ - INTERN_TO_ISO((char *)G.outbuf, (char *)G.outbuf); -@@ -2240,8 +2247,13 @@ - - /* translate the Zip entry filename coded in host-dependent "extended - ASCII" into the compiler's (system's) internal text code page */ -+#ifdef UNIX -+ Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver, -+ G.pInfo->HasUxAtt, (option == DS_FN_L), FILNAMSIZ); -+#else /* !UNIX */ - Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver, - G.pInfo->HasUxAtt, (option == DS_FN_L)); -+#endif /* UNIX */ - - if (G.pInfo->lcflag) /* replace with lowercase filename */ - STRLOWER(G.filename, G.filename); -Only in unzip60: fileio.c.orig -diff -ur unzip60-orig/unix/unix.c unzip60/unix/unix.c ---- unzip60-orig/unix/unix.c 2009-01-24 00:31:26.000000000 +0100 -+++ unzip60/unix/unix.c 2011-02-25 11:57:38.259028876 +0100 -@@ -30,6 +30,10 @@ - #define UNZIP_INTERNAL - #include "unzip.h" - -+#include -+#include -+#include -+ - #ifdef SCO_XENIX - # define SYSNDIR - #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... 
*/ -@@ -1874,3 +1878,128 @@ - } - } - #endif /* QLZIP */ -+ -+ -+typedef struct { -+ char *local_charset; -+ char *archive_charset; -+} CHARSET_MAP; -+ -+/* A mapping of local <-> archive charsets used by default to convert filenames -+ * of DOS/Windows Zip archives. Currently very basic. */ -+const static CHARSET_MAP dos_charset_map[] = { -+ { "ANSI_X3.4-1968", "CP850" }, -+ { "ISO-8859-1", "CP850" }, -+ { "CP1252", "CP850" }, -+ { "KOI8-R", "CP866" }, -+ { "KOI8-U", "CP866" }, -+ { "ISO-8859-5", "CP866" } -+}; -+ -+typedef struct { -+ char *locale; -+ char *archive_charset; -+} UTF8_CHARSET_MAP; -+ -+/* In case local charset is UTF-8, lookup archive_charset -+ by locale. Currently very basic. */ -+#define UTF8_CHARSET_MAP_DEFAULT "CP866" -+const static UTF8_CHARSET_MAP utf8_charset_map[] = { -+ { "ja_JP", "CP932" }, -+ { "zh_CN", "GBK" }, -+ { "zh_TW", "BIG5" }, -+ { "ko_KR", "CP949" }, -+}; -+ -+char OEM_CP[MAX_CP_NAME] = ""; -+char ISO_CP[MAX_CP_NAME] = ""; -+ -+/* Try to guess the default value of OEM_CP based on the current locale. -+ * ISO_CP is left alone for now. */ -+void init_conversion_charsets(const char *loc) -+{ -+ const char *local_charset; -+ int i; -+ -+ /* Make a guess only if OEM_CP not already set. 
*/ -+ if(*OEM_CP == '\0') -+ { -+ local_charset = nl_langinfo(CODESET); -+ if (!strcasecmp(local_charset, "UTF-8") || !strcasecmp(local_charset, -+"UTF8") ) -+ { -+ strcpy(OEM_CP, UTF8_CHARSET_MAP_DEFAULT); -+ for(i = 0; i < sizeof(utf8_charset_map)/sizeof(UTF8_CHARSET_MAP); -+ i++) -+ { -+ if (!strncmp(loc, utf8_charset_map[i].locale, 5)) -+ { -+ strncpy(OEM_CP, utf8_charset_map[i].archive_charset, -+ sizeof(OEM_CP) - 1); -+ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; -+ break; -+ } -+ } -+ } -+ else -+ { -+ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) -+ { -+ if (!strcasecmp(local_charset, -+ dos_charset_map[i].local_charset)) -+ { -+ strncpy(OEM_CP, dos_charset_map[i].archive_charset, -+ sizeof(OEM_CP) - 1); -+ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; -+ break; -+ } -+ } -+ } -+ } -+} -+ -+/* Convert a string from one encoding to the current locale using iconv(). -+ * Be as non-intrusive as possible. If error is encountered during covertion -+ * just leave the string intact. */ -+static void charset_to_intern(char *string, size_t sbuflen, char *from_charset) -+{ -+ iconv_t cd; -+ char *s,*d, *buf; -+ size_t slen, dlen; -+ const char *local_charset; -+ -+ if(*from_charset == '\0') -+ return; -+ -+ local_charset = nl_langinfo(CODESET); -+ -+ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1) -+ return; -+ -+ slen = strlen(string); -+ s = string; -+ dlen = sbuflen - 1; -+ d = buf = malloc(sbuflen); -+ if(!d) -+ goto cleanup; -+ if(iconv(cd, (const char **)&s, &slen, &d, &dlen) != (size_t)-1) { -+ *d = '\0'; -+ strcpy(string, buf); -+ } -+ -+ free(buf); -+ cleanup: -+ iconv_close(cd); -+} -+ -+/* Convert a string from OEM_CP to the current locale charset. */ -+void oem_intern(char *string, size_t sbuflen) -+{ -+ charset_to_intern(string, sbuflen, OEM_CP); -+} -+ -+/* Convert a string from ISO_CP to the current locale charset. 
*/ -+void iso_intern(char *string, size_t sbuflen) -+{ -+ charset_to_intern(string, sbuflen, ISO_CP); -+} -Only in unzip60/unix: unix.c.orig -diff -ur unzip60-orig/unix/unxcfg.h unzip60/unix/unxcfg.h ---- unzip60-orig/unix/unxcfg.h 2009-04-16 20:36:12.000000000 +0200 -+++ unzip60/unix/unxcfg.h 2011-02-25 11:57:38.262941301 +0100 -@@ -52,6 +52,7 @@ - - #include /* off_t, time_t, dev_t, ... */ - #include -+#include - - #ifdef NO_OFF_T - typedef long zoff_t; -@@ -227,4 +228,30 @@ - /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */ - /* and notfirstcall are used by do_wild(). */ - -+ -+#define MAX_CP_NAME 25 -+ -+#ifdef SETLOCALE -+# undef SETLOCALE -+#endif -+#define SETLOCALE(category, locale) setlocale(category, locale) -+#include -+ -+#ifdef _ISO_INTERN -+# undef _ISO_INTERN -+#endif -+#define _ISO_INTERN(str1, ssize) iso_intern(str1, ssize) -+ -+#ifdef _OEM_INTERN -+# undef _OEM_INTERN -+#endif -+#ifndef IZ_OEM2ISO_ARRAY -+# define IZ_OEM2ISO_ARRAY -+#endif -+#define _OEM_INTERN(str1, ssize) oem_intern(str1, ssize) -+ -+void iso_intern(char *, size_t); -+void oem_intern(char *, size_t); -+void init_conversion_charsets(const char *); -+ - #endif /* !__unxcfg_h */ -Only in unzip60/unix: unxcfg.h.orig -diff -ur unzip60-orig/unzip.c unzip60/unzip.c ---- unzip60-orig/unzip.c 2009-04-16 20:26:52.000000000 +0200 -+++ unzip60/unzip.c 2011-02-26 00:03:41.011389301 +0100 -@@ -327,11 +327,21 @@ - -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\ - -v verbose, multi-page format\n"; - -+#ifdef UNIX -+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ -+ -h print header line -t print totals for listed files or for all\n\ -+ -z print zipfile comment -T print file times in sortable decimal format\ -+\n -C be case-insensitive %s\ -+ -x exclude filenames that follow from listing\n\ -+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ -+ -I CHARSET specify a character encoding for UNIX and 
other archives\n"; -+#else /* !UNIX */ - static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ - -h print header line -t print totals for listed files or for all\n\ - -z print zipfile comment -T print file times in sortable decimal format\ - \n -C be case-insensitive %s\ - -x exclude filenames that follow from listing\n"; -+#endif /* UNIX */ - #ifdef MORE - static ZCONST char Far ZipInfoUsageLine4[] = - " -M page output through built-in \"more\"\n"; -@@ -666,6 +676,18 @@ - -C match filenames case-insensitively -L make (some) names \ - lowercase\n %-42s -V retain VMS version numbers\n%s"; - #else /* !VMS */ -+#ifdef UNIX -+static ZCONST char Far UnzipUsageLine4[] = "\ -+modifiers:\n\ -+ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\ -+ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\ -+ -j junk paths (do not make directories) -aa treat ALL files as text\n\ -+ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ -+ -C match filenames case-insensitively -L make (some) names \ -+lowercase\n %-42s -V retain VMS version numbers\n%s\n\ -+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ -+ -I CHARSET specify a character encoding for UNIX and other archives\n\n"; -+#else /* !UNIX */ - static ZCONST char Far UnzipUsageLine4[] = "\ - modifiers:\n\ - -n never overwrite existing files -q quiet mode (-qq => quieter)\n\ -@@ -674,6 +696,7 @@ - -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ - -C match filenames case-insensitively -L make (some) names \ - lowercase\n %-42s -V retain VMS version numbers\n%s"; -+#endif /* UNIX */ - #endif /* ?VMS */ - #else /* !UNICODE_SUPPORT */ - #ifdef VMS -@@ -742,6 +765,9 @@ - int i; - #endif - int retcode, error=FALSE; -+#ifdef UNIX -+ const char *loc; -+#endif - #ifndef NO_EXCEPT_SIGNALS - #ifdef REENTRANT - savsigs_info *oldsighandlers = NULL; -@@ -756,7 +782,12 @@ - #endif /* NO_EXCEPT_SIGNALS */ - - /* 
initialize international char support to the current environment */ -+#ifdef UNIX -+ loc = SETLOCALE(LC_CTYPE,""); -+ init_conversion_charsets(loc); -+#else /* !UNIX */ - SETLOCALE(LC_CTYPE, ""); -+#endif /* UNIX */ - - #ifdef UNICODE_SUPPORT - /* see if can use UTF-8 Unicode locale */ -@@ -1336,6 +1367,11 @@ - argc = *pargc; - argv = *pargv; - -+#ifdef UNIX -+ extern char OEM_CP[MAX_CP_NAME]; -+ extern char ISO_CP[MAX_CP_NAME]; -+#endif -+ - while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) { - s = *argv + 1; - while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */ -@@ -1517,6 +1553,37 @@ - } - break; - #endif /* MACOS */ -+#ifdef UNIX -+ case ('I'): -+ if (negative) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: encodings can't be negated")); -+ return(PK_PARAM); -+ } else { -+ if(*s) { /* Handle the -Icharset case */ -+ /* Assume that charsets can't start with a dash to spot arguments misuse */ -+ if(*s == '-') { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -I argument")); -+ return(PK_PARAM); -+ } -+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); -+ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; -+ } else { /* -I charset */ -+ ++argv; -+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -I argument")); -+ return(PK_PARAM); -+ } -+ s = *argv; -+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); -+ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; -+ } -+ while(*(++s)); /* No params straight after charset name */ -+ } -+ break; -+#endif /* ?UNIX */ - case ('j'): /* junk pathnames/directory structure */ - if (negative) - uO.jflag = FALSE, negative = 0; -@@ -1592,6 +1659,37 @@ - } else - ++uO.overwrite_all; - break; -+#ifdef UNIX -+ case ('O'): -+ if (negative) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: encodings can't be negated")); -+ return(PK_PARAM); -+ } else { -+ if(*s) { /* Handle the -Ocharset case */ -+ /* Assume that 
charsets can't start with a dash to spot arguments misuse */ -+ if(*s == '-') { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -I argument")); -+ return(PK_PARAM); -+ } -+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); -+ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; -+ } else { /* -O charset */ -+ ++argv; -+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -O argument")); -+ return(PK_PARAM); -+ } -+ s = *argv; -+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); -+ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; -+ } -+ while(*(++s)); /* No params straight after charset name */ -+ } -+ break; -+#endif /* ?UNIX */ - case ('p'): /* pipes: extract to stdout, no messages */ - if (negative) { - uO.cflag = FALSE; -Only in unzip60: unzip.c.orig -diff -ur unzip60-orig/unzpriv.h unzip60/unzpriv.h ---- unzip60-orig/unzpriv.h 2009-04-20 01:59:26.000000000 +0200 -+++ unzip60/unzpriv.h 2011-02-25 11:57:38.275212165 +0100 -@@ -3003,6 +3003,18 @@ - * All other ports are assumed to code zip entry filenames in ISO 8859-1. 
- */ - #ifndef Ext_ASCII_TO_Native -+#ifdef UNIX -+# define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr, ssize) \ -+ if (((hostnum) == FS_FAT_ && \ -+ !(((islochdr) || (isuxatt)) && \ -+ ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \ -+ (hostnum) == FS_HPFS_ || \ -+ ((hostnum) == FS_NTFS_/* && (hostver) == 50*/)) { \ -+ _OEM_INTERN((string), (ssize)); \ -+ } else { \ -+ _ISO_INTERN((string), (ssize)); \ -+ } -+#else /* !UNIX */ - # define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \ - if (((hostnum) == FS_FAT_ && \ - !(((islochdr) || (isuxatt)) && \ -@@ -3013,10 +3025,10 @@ - } else { \ - _ISO_INTERN((string)); \ - } -+#endif /* UNIX */ - #endif - - -- - /**********************/ - /* Global constants */ - /**********************/ -Only in unzip60: unzpriv.h.orig -diff -ur unzip60-orig/zipinfo.c unzip60/zipinfo.c ---- unzip60-orig/zipinfo.c 2009-02-08 18:04:30.000000000 +0100 -+++ unzip60/zipinfo.c 2011-02-25 11:57:38.281586457 +0100 -@@ -457,6 +457,10 @@ - int tflag_slm=TRUE, tflag_2v=FALSE; - int explicit_h=FALSE, explicit_t=FALSE; - -+#ifdef UNIX -+ extern char OEM_CP[MAX_CP_NAME]; -+ extern char ISO_CP[MAX_CP_NAME]; -+#endif - - #ifdef MACOS - uO.lflag = LFLAG; /* reset default on each call */ -@@ -501,6 +505,37 @@ - uO.lflag = 0; - } - break; -+#ifdef UNIX -+ case ('I'): -+ if (negative) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: encodings can't be negated")); -+ return(PK_PARAM); -+ } else { -+ if(*s) { /* Handle the -Icharset case */ -+ /* Assume that charsets can't start with a dash to spot arguments misuse */ -+ if(*s == '-') { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -I argument")); -+ return(PK_PARAM); -+ } -+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); -+ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; -+ } else { /* -I charset */ -+ ++argv; -+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid 
character encoding should follow the -I argument")); -+ return(PK_PARAM); -+ } -+ s = *argv; -+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1); -+ ISO_CP[sizeof(ISO_CP) - 1] = '\0'; -+ } -+ while(*(++s)); /* No params straight after charset name */ -+ } -+ break; -+#endif /* ?UNIX */ - case 'l': /* longer form of "ls -l" type listing */ - if (negative) - uO.lflag = -2, negative = 0; -@@ -521,6 +556,37 @@ - G.M_flag = TRUE; - break; - #endif -+#ifdef UNIX -+ case ('O'): -+ if (negative) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: encodings can't be negated")); -+ return(PK_PARAM); -+ } else { -+ if(*s) { /* Handle the -Ocharset case */ -+ /* Assume that charsets can't start with a dash to spot arguments misuse */ -+ if(*s == '-') { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -I argument")); -+ return(PK_PARAM); -+ } -+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); -+ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; -+ } else { /* -O charset */ -+ ++argv; -+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) { -+ Info(slide, 0x401, ((char *)slide, -+ "error: a valid character encoding should follow the -O argument")); -+ return(PK_PARAM); -+ } -+ s = *argv; -+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1); -+ OEM_CP[sizeof(OEM_CP) - 1] = '\0'; -+ } -+ while(*(++s)); /* No params straight after charset name */ -+ } -+ break; -+#endif /* ?UNIX */ - case 's': /* default: shorter "ls -l" type listing */ - if (negative) - uO.lflag = -2, negative = 0; -Only in unzip60: zipinfo.c.orig diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/CVE-2014-8139.patch --- a/components/unzip/patches/CVE-2014-8139.patch Tue Mar 01 18:50:57 2016 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,51 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174844
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- unzip60/extract.c 2010-04-03 14:41:55 -0500
-+++ unzip60/extract.c 2014-12-03 15:33:35 -0600
-@@ -1,5 +1,5 @@
- /*
-- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
-+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
-
- See the accompanying file LICENSE, version 2009-Jan-02 or later
- (the contents of which are also included in unzip.h) for terms of use.
-@@ -298,6 +298,8 @@
- #ifndef SFX
- static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
- EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
-+ EF block length (%u bytes) invalid (< %d)\n";
- static ZCONST char Far InvalidComprDataEAs[] =
- " invalid compressed data for EAs\n";
- # if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@
- ebID = makeword(ef);
- ebLen = (unsigned)makeword(ef+EB_LEN);
-
-- if (ebLen > (ef_len - EB_HEADSIZE)) {
-+ if (ebLen > (ef_len - EB_HEADSIZE))
-+ {
- /* Discovered some extra field inconsistency! */
- if (uO.qflag)
- Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@
- ebLen, (ef_len - EB_HEADSIZE)));
- return PK_ERR;
- }
-+ else if (ebLen < EB_HEADSIZE)
-+ {
-+ /* Extra block length smaller than header length. */
-+ if (uO.qflag)
-+ Info(slide, 1, ((char *)slide, "%-22s ",
-+ FnFilter1(G.filename)));
-+ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
-+ ebLen, EB_HEADSIZE));
-+ return PK_ERR;
-+ }
-
- switch (ebID) {
- case EF_OS2:
-
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/CVE-2014-8140.patch
--- a/components/unzip/patches/CVE-2014-8140.patch Tue Mar 01 18:50:57 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174851
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- a/extract.c 2009-03-14 02:32:52.000000000 +0100
-+++ b/extract.c 2014-12-05 22:43:13.000000000 +0100
-@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-
-+ /* Return no/bad-data error status if any problem is found:
-+ * 1. eb_size is too small to hold the uncompressed size
-+ * (eb_ucsize). (Else extract eb_ucsize.)
-+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
-+ * 3. eb_ucsize is positive, but eb_size is too small to hold
-+ * the compressed data header.
-+ */
- if ((eb_size < (EB_UCSIZE_P + 4)) ||
-- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
-- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
-- return IZ_EF_TRUNC; /* no compressed data! */
-+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
-+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
-+ return IZ_EF_TRUNC; /* no/bad compressed data! */
-
- if (
- #ifdef INT_16BIT
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/CVE-2014-8141.patch
--- a/components/unzip/patches/CVE-2014-8141.patch Tue Mar 01 18:50:57 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,138 +0,0 @@ -Source: -https://bugzilla.redhat.com/show_bug.cgi?id=1174856 -Info: -http://www.ocert.org/advisories/ocert-2014-011.html - ---- a/process.c 2009-03-06 02:25:10.000000000 +0100 -+++ b/process.c 2014-12-05 22:42:39.000000000 +0100 -@@ -1,5 +1,5 @@ - /* -- Copyright (c) 1990-2009 Info-ZIP. All rights reserved. -+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved. - - See the accompanying file LICENSE, version 2009-Jan-02 or later - (the contents of which are also included in unzip.h) for terms of use. -@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len) - and a 4-byte version of disk start number. - Sets both local header and central header fields. Not terribly clever, - but it means that this procedure is only called in one place. -+ -+ 2014-12-05 SMS. -+ Added checks to ensure that enough data are available before calling -+ makeint64() or makelong(). Replaced various sizeof() values with -+ simple ("4" or "8") constants. (The Zip64 structures do not depend -+ on our variable sizes.) Error handling is crude, but we should now -+ stay within the buffer. - ---------------------------------------------------------------------------*/ - -+#define Z64FLGS 0xffff -+#define Z64FLGL 0xffffffff -+ - if (ef_len == 0 || ef_buf == NULL) - return PK_COOL; - - Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", - ef_len)); - -- while (ef_len >= EB_HEADSIZE) { -+ while (ef_len >= EB_HEADSIZE) -+ { - eb_id = makeword(EB_ID + ef_buf); - eb_len = makeword(EB_LEN + ef_buf); - -- if (eb_len > (ef_len - EB_HEADSIZE)) { -- /* discovered some extra field inconsistency! */ -+ if (eb_len > (ef_len - EB_HEADSIZE)) -+ { -+ /* Extra block length exceeds remaining extra field length. 
*/ - Trace((stderr, - "getZip64Data: block length %u > rest ef_size %u\n", eb_len, - ef_len - EB_HEADSIZE)); - break; - } -- if (eb_id == EF_PKSZ64) { -- -+ if (eb_id == EF_PKSZ64) -+ { - int offset = EB_HEADSIZE; - -- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ -- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); -- offset += sizeof(G.crec.ucsize); -+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) -+ { -+ if (offset+ 8 > ef_len) -+ return PK_ERR; -+ -+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); -+ offset += 8; - } -- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ -- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); -- offset += sizeof(G.crec.csize); -+ -+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) -+ { -+ if (offset+ 8 > ef_len) -+ return PK_ERR; -+ -+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); -+ offset += 8; - } -- if (G.crec.relative_offset_local_header == 0xffffffff){ -+ -+ if (G.crec.relative_offset_local_header == Z64FLGL) -+ { -+ if (offset+ 8 > ef_len) -+ return PK_ERR; -+ - G.crec.relative_offset_local_header = makeint64(offset + ef_buf); -- offset += sizeof(G.crec.relative_offset_local_header); -+ offset += 8; - } -- if (G.crec.disk_number_start == 0xffff){ -+ -+ if (G.crec.disk_number_start == Z64FLGS) -+ { -+ if (offset+ 4 > ef_len) -+ return PK_ERR; -+ - G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); -- offset += sizeof(G.crec.disk_number_start); -+ offset += 4; - } -+#if 0 -+ break; /* Expect only one EF_PKSZ64 block. */ -+#endif /* 0 */ - } - -- /* Skip this extra field block */ -+ /* Skip this extra field block. 
*/ - ef_buf += (eb_len + EB_HEADSIZE); - ef_len -= (eb_len + EB_HEADSIZE); - } ---- a/fileio.c 2009-04-20 02:03:44.000000000 +0200 -+++ b/fileio.c 2014-12-05 22:44:16.000000000 +0100 -@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr - #endif - static ZCONST char Far ExtraFieldTooLong[] = - "warning: extra field too long (%d). Ignoring...\n"; -+static ZCONST char Far ExtraFieldCorrupt[] = -+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; - - #ifdef WINDLL - static ZCONST char Far DiskFullQuery[] = -@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /* - if (readbuf(__G__ (char *)G.extra_field, length) == 0) - return PK_EOF; - /* Looks like here is where extra fields are read */ -- getZip64Data(__G__ G.extra_field, length); -+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) -+ { -+ Info(slide, 0x401, ((char *)slide, -+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); -+ error = PK_WARN; -+ } - #ifdef UNICODE_SUPPORT - G.unipath_filename = NULL; - if (G.UzO.U_flag < 2) { diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/CVE-2014-9636.patch --- a/components/unzip/patches/CVE-2014-9636.patch Tue Mar 01 18:50:57 2016 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,44 +0,0 @@
-Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
-More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
-
-From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
-From: mancha
-Date: Mon, 3 Nov 2014
-Subject: Info-ZIP UnZip buffer overflow
-
-By carefully crafting a corrupt ZIP archive with "extra fields" that
-purport to have compressed blocks larger than the corresponding
-uncompressed blocks in STORED no-compression mode, an attacker can
-trigger a heap overflow that can result in application crash or
-possibly have other unspecified impact.
-
-This patch ensures that when extra fields use STORED mode, the
-"compressed" and uncompressed block sizes match.
-
----
- extract.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/extract.c
-+++ b/extract.c
-@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
- ulg eb_ucsize;
- uch *eb_ucptr;
- int r;
-+ ush method;
-
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
- return IZ_EF_TRUNC; /* no compressed data! */
-
-+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
-+ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
-+ return PK_ERR; /* compressed & uncompressed
-+ * should match in STORED
-+ * method */
-+
- if (
- #ifdef INT_16BIT
- (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff -r 5ae80072d3ba -r fb31633dac76 components/unzip/patches/unix-configure.patch
--- a/components/unzip/patches/unix-configure.patch Tue Mar 01 18:50:57 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- unzip60/unix/configure.bkp 2011-07-28 07:07:08.691240200 -0700
-+++ unzip60/unix/configure 2011-07-28 07:07:47.315977300 -0700
-@@ -646,7 +646,7 @@
-
-
- echo CC=\"${CC}\" CF=\"${CFLAGSR} ${D_USE_BZ2}\" CRCA_O=\"${CRC32OA}\" \
-- AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1}\" LF2=\"${LFLAGS2}\" \
-+ AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1} ${LD_OPTIONS}\" LF2=\"${LFLAGS2}\" \
- CC_BZ=\"${CC_BZ}\" CFLAGS_BZ=\"${CFLAGS_BZ}\" \
- IZ_BZIP2=\"${IZ_BZIP2}\" D_USE_BZ2=\"${D_USE_BZ2}\" \
- L_BZ2=\"${L_BZ2}\" LIBBZ2=\"${LIBBZ2}\" > flags