22782878 The option -T (Test for Integrity/ on files named *.war fail s11u3-sru
authorVladimir Marek <Vladimir.Marek@oracle.com>
Wed, 02 Mar 2016 10:35:32 +0100
branchs11u3-sru
changeset 5551 6d32c82eb4f5
parent 5545 4ba4c8209739
child 5552 4e17dd2a1b16
22782878 The option -T (Test for Integrity) on files named *.war fails
components/unzip/patches/00_6719511-i18.patch
components/unzip/patches/01_CVE-2014-8139.patch
components/unzip/patches/02_CVE-2014-8140.patch
components/unzip/patches/03_CVE-2014-8141.patch
components/unzip/patches/04_CVE-2014-9636.patch
components/unzip/patches/05_unix-configure.patch
components/unzip/patches/06_CVE-2014-8139.2.patch
components/unzip/patches/6719511-i18.patch
components/unzip/patches/CVE-2014-8139.patch
components/unzip/patches/CVE-2014-8140.patch
components/unzip/patches/CVE-2014-8141.patch
components/unzip/patches/CVE-2014-9636.patch
components/unzip/patches/unix-configure.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/00_6719511-i18.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,512 @@
+diff -ur unzip60-orig/fileio.c unzip60/fileio.c
+--- unzip60-orig/fileio.c	2009-04-20 02:03:44.000000000 +0200
++++ unzip60/fileio.c	2011-02-25 11:57:38.242056429 +0100
[email protected]@ -2126,9 +2126,16 @@
+                 /* translate the text coded in the entry's host-dependent
+                    "extended ASCII" charset into the compiler's (system's)
+                    internal text code page */
++#ifdef UNIX
++                Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
++                                    G.pInfo->hostver, G.pInfo->HasUxAtt,
++                                    FALSE, OUTBUFSIZ);
++#else /* !UNIX */
+                 Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
+                                     G.pInfo->hostver, G.pInfo->HasUxAtt,
+                                     FALSE);
++#endif /* UNIX */
++
+ #ifdef WINDLL
+                 /* translate to ANSI (RTL internal codepage may be OEM) */
+                 INTERN_TO_ISO((char *)G.outbuf, (char *)G.outbuf);
[email protected]@ -2240,8 +2247,13 @@
+ 
+         /* translate the Zip entry filename coded in host-dependent "extended
+            ASCII" into the compiler's (system's) internal text code page */
++#ifdef UNIX
++        Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
++                            G.pInfo->HasUxAtt, (option == DS_FN_L), FILNAMSIZ);
++#else /* !UNIX */
+         Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
+                             G.pInfo->HasUxAtt, (option == DS_FN_L));
++#endif /* UNIX */
+ 
+         if (G.pInfo->lcflag)      /* replace with lowercase filename */
+             STRLOWER(G.filename, G.filename);
+Only in unzip60: fileio.c.orig
+diff -ur unzip60-orig/unix/unix.c unzip60/unix/unix.c
+--- unzip60-orig/unix/unix.c	2009-01-24 00:31:26.000000000 +0100
++++ unzip60/unix/unix.c	2011-02-25 11:57:38.259028876 +0100
[email protected]@ -30,6 +30,10 @@
+ #define UNZIP_INTERNAL
+ #include "unzip.h"
+ 
++#include <iconv.h>
++#include <langinfo.h>
++#include <strings.h>
++
+ #ifdef SCO_XENIX
+ #  define SYSNDIR
+ #else  /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
[email protected]@ -1874,3 +1878,128 @@
+     }
+ }
+ #endif /* QLZIP */
++
++
++typedef struct {
++    char *local_charset;
++    char *archive_charset;
++} CHARSET_MAP;
++
++/* A mapping of local <-> archive charsets used by default to convert filenames
++ * of DOS/Windows Zip archives. Currently very basic. */
++const static CHARSET_MAP dos_charset_map[] = {
++    { "ANSI_X3.4-1968", "CP850" },
++    { "ISO-8859-1", "CP850" },
++    { "CP1252", "CP850" },
++    { "KOI8-R", "CP866" },
++    { "KOI8-U", "CP866" },
++    { "ISO-8859-5", "CP866" }
++};
++
++typedef struct {
++    char *locale;
++    char *archive_charset;
++} UTF8_CHARSET_MAP;
++
++/* In case local charset is UTF-8, lookup archive_charset
++   by locale.  Currently very basic. */
++#define	UTF8_CHARSET_MAP_DEFAULT	"CP866"
++const static UTF8_CHARSET_MAP utf8_charset_map[] = {
++    { "ja_JP", "CP932" },
++    { "zh_CN", "GBK" },
++    { "zh_TW", "BIG5" },
++    { "ko_KR", "CP949" },
++};
++
++char OEM_CP[MAX_CP_NAME] = "";
++char ISO_CP[MAX_CP_NAME] = "";
++
++/* Try to guess the default value of OEM_CP based on the current locale.
++ * ISO_CP is left alone for now. */
++void init_conversion_charsets(const char *loc)
++{
++    const char *local_charset;
++    int i;
++
++    /* Make a guess only if OEM_CP not already set. */ 
++    if(*OEM_CP == '\0')
++    {
++	local_charset = nl_langinfo(CODESET);
++	if (!strcasecmp(local_charset, "UTF-8") || !strcasecmp(local_charset,
++"UTF8") )
++	{
++	    strcpy(OEM_CP, UTF8_CHARSET_MAP_DEFAULT);
++	    for(i = 0; i < sizeof(utf8_charset_map)/sizeof(UTF8_CHARSET_MAP);
++		i++)
++	    {
++		if (!strncmp(loc, utf8_charset_map[i].locale, 5))
++		{
++		    strncpy(OEM_CP, utf8_charset_map[i].archive_charset,
++			sizeof(OEM_CP) - 1);
++		    OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++		    break;
++		}
++	    }
++	}
++	else
++	{
++	    for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
++            {
++		if (!strcasecmp(local_charset, 
++		    dos_charset_map[i].local_charset))
++		{
++		    strncpy(OEM_CP, dos_charset_map[i].archive_charset,
++			sizeof(OEM_CP) - 1);
++		    OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++		    break;
++		}
++	    }
++	}
++    }
++}
++
++/* Convert a string from one encoding to the current locale using iconv().
++ * Be as non-intrusive as possible. If error is encountered during covertion
++ * just leave the string intact. */
++static void charset_to_intern(char *string, size_t sbuflen, char *from_charset)
++{
++    iconv_t cd;
++    char *s,*d, *buf;
++    size_t slen, dlen;
++    const char *local_charset;
++
++    if(*from_charset == '\0')
++    	return;
++
++    local_charset = nl_langinfo(CODESET);
++
++    if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
++        return;
++
++    slen = strlen(string);
++    s = string;
++    dlen = sbuflen - 1;
++    d = buf = malloc(sbuflen);
++    if(!d)
++    	goto cleanup;
++    if(iconv(cd, (const char **)&s, &slen, &d, &dlen) != (size_t)-1) {
++	*d = '\0';
++	strcpy(string, buf);
++    }
++    
++    free(buf);
++    cleanup:
++    iconv_close(cd);
++}
++
++/* Convert a string from OEM_CP to the current locale charset. */
++void oem_intern(char *string, size_t sbuflen)
++{
++    charset_to_intern(string, sbuflen, OEM_CP);
++}
++
++/* Convert a string from ISO_CP to the current locale charset. */
++void iso_intern(char *string, size_t sbuflen)
++{
++    charset_to_intern(string, sbuflen, ISO_CP);
++}
+Only in unzip60/unix: unix.c.orig
+diff -ur unzip60-orig/unix/unxcfg.h unzip60/unix/unxcfg.h
+--- unzip60-orig/unix/unxcfg.h	2009-04-16 20:36:12.000000000 +0200
++++ unzip60/unix/unxcfg.h	2011-02-25 11:57:38.262941301 +0100
[email protected]@ -52,6 +52,7 @@
+ 
+ #include <sys/types.h>          /* off_t, time_t, dev_t, ... */
+ #include <sys/stat.h>
++#include <unistd.h>
+ 
+ #ifdef NO_OFF_T
+   typedef long zoff_t;
[email protected]@ -227,4 +228,30 @@
+ /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
+ /*    and notfirstcall are used by do_wild().                          */
+ 
++
++#define MAX_CP_NAME 25 
++   
++#ifdef SETLOCALE
++#  undef SETLOCALE
++#endif
++#define SETLOCALE(category, locale) setlocale(category, locale)
++#include <locale.h>
++   
++#ifdef _ISO_INTERN
++#  undef _ISO_INTERN
++#endif
++#define _ISO_INTERN(str1, ssize) iso_intern(str1, ssize)
++
++#ifdef _OEM_INTERN
++#  undef _OEM_INTERN
++#endif
++#ifndef IZ_OEM2ISO_ARRAY
++#  define IZ_OEM2ISO_ARRAY
++#endif
++#define _OEM_INTERN(str1, ssize) oem_intern(str1, ssize)
++
++void iso_intern(char *, size_t);
++void oem_intern(char *, size_t);
++void init_conversion_charsets(const char *);
++   
+ #endif /* !__unxcfg_h */
+Only in unzip60/unix: unxcfg.h.orig
+diff -ur unzip60-orig/unzip.c unzip60/unzip.c
+--- unzip60-orig/unzip.c	2009-04-16 20:26:52.000000000 +0200
++++ unzip60/unzip.c	2011-02-26 00:03:41.011389301 +0100
[email protected]@ -327,11 +327,21 @@
+   -2  just filenames but allow -h/-t/-z  -l  long Unix \"ls -l\" format\n\
+                                          -v  verbose, multi-page format\n";
+ 
++#ifdef UNIX
++static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
++  -h  print header line       -t  print totals for listed files or for all\n\
++  -z  print zipfile comment   -T  print file times in sortable decimal format\
++\n  -C  be case-insensitive   %s\
++  -x  exclude filenames that follow from listing\n\
++  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
++  -I CHARSET  specify a character encoding for UNIX and other archives\n";
++#else /* !UNIX */
+ static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+   -h  print header line       -t  print totals for listed files or for all\n\
+   -z  print zipfile comment   -T  print file times in sortable decimal format\
+ \n  -C  be case-insensitive   %s\
+   -x  exclude filenames that follow from listing\n";
++#endif /* UNIX */
+ #ifdef MORE
+    static ZCONST char Far ZipInfoUsageLine4[] =
+      "  -M  page output through built-in \"more\"\n";
[email protected]@ -666,6 +676,18 @@
+   -C  match filenames case-insensitively     -L  make (some) names \
+ lowercase\n %-42s  -V  retain VMS version numbers\n%s";
+ #else /* !VMS */
++#ifdef UNIX
++static ZCONST char Far UnzipUsageLine4[] = "\
++modifiers:\n\
++  -n  never overwrite existing files         -q  quiet mode (-qq => quieter)\n\
++  -o  overwrite files WITHOUT prompting      -a  auto-convert any text files\n\
++  -j  junk paths (do not make directories)   -aa treat ALL files as text\n\
++  -U  use escapes for all non-ASCII Unicode  -UU ignore any Unicode fields\n\
++  -C  match filenames case-insensitively     -L  make (some) names \
++lowercase\n %-42s  -V  retain VMS version numbers\n%s\n\
++  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
++  -I CHARSET  specify a character encoding for UNIX and other archives\n\n";
++#else /* !UNIX */
+ static ZCONST char Far UnzipUsageLine4[] = "\
+ modifiers:\n\
+   -n  never overwrite existing files         -q  quiet mode (-qq => quieter)\n\
[email protected]@ -674,6 +696,7 @@
+   -U  use escapes for all non-ASCII Unicode  -UU ignore any Unicode fields\n\
+   -C  match filenames case-insensitively     -L  make (some) names \
+ lowercase\n %-42s  -V  retain VMS version numbers\n%s";
++#endif /* UNIX */
+ #endif /* ?VMS */
+ #else /* !UNICODE_SUPPORT */
+ #ifdef VMS
[email protected]@ -742,6 +765,9 @@
+     int i;
+ #endif
+     int retcode, error=FALSE;
++#ifdef UNIX
++    const char *loc;
++#endif
+ #ifndef NO_EXCEPT_SIGNALS
+ #ifdef REENTRANT
+     savsigs_info *oldsighandlers = NULL;
[email protected]@ -756,7 +782,12 @@
+ #endif /* NO_EXCEPT_SIGNALS */
+ 
+     /* initialize international char support to the current environment */
++#ifdef UNIX
++    loc = SETLOCALE(LC_CTYPE,"");
++    init_conversion_charsets(loc);
++#else /* !UNIX */
+     SETLOCALE(LC_CTYPE, "");
++#endif /* UNIX */
+ 
+ #ifdef UNICODE_SUPPORT
+     /* see if can use UTF-8 Unicode locale */
[email protected]@ -1336,6 +1367,11 @@
+     argc = *pargc;
+     argv = *pargv;
+ 
++#ifdef UNIX
++    extern char OEM_CP[MAX_CP_NAME];
++    extern char ISO_CP[MAX_CP_NAME];
++#endif
++    
+     while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
+         s = *argv + 1;
+         while ((c = *s++) != 0) {    /* "!= 0":  prevent Turbo C warning */
[email protected]@ -1517,6 +1553,37 @@
+                     }
+                     break;
+ #endif  /* MACOS */
++#ifdef UNIX
++                case ('I'):
++                    if (negative) {
++                        Info(slide, 0x401, ((char *)slide,
++                          "error:  encodings can't be negated"));
++                        return(PK_PARAM);
++                    } else {
++                        if(*s) { /* Handle the -Icharset case */
++                            /* Assume that charsets can't start with a dash to spot arguments misuse */
++                            if(*s == '-') { 
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -I argument"));
++                                return(PK_PARAM); 
++                            }
++                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++                        } else { /* -I charset */
++                            ++argv;
++                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -I argument"));
++                                return(PK_PARAM); 
++                            }
++                            s = *argv;
++                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++                        }
++                        while(*(++s)); /* No params straight after charset name */
++                    }
++                    break;
++#endif /* ?UNIX */
+                 case ('j'):    /* junk pathnames/directory structure */
+                     if (negative)
+                         uO.jflag = FALSE, negative = 0;
[email protected]@ -1592,6 +1659,37 @@
+                     } else
+                         ++uO.overwrite_all;
+                     break;
++#ifdef UNIX
++                case ('O'):
++                    if (negative) {
++                        Info(slide, 0x401, ((char *)slide,
++                          "error:  encodings can't be negated"));
++                        return(PK_PARAM);
++                    } else {
++                        if(*s) { /* Handle the -Ocharset case */
++                            /* Assume that charsets can't start with a dash to spot arguments misuse */
++                            if(*s == '-') { 
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -I argument"));
++                                return(PK_PARAM); 
++                            }
++                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++                        } else { /* -O charset */
++                            ++argv;
++                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -O argument"));
++                                return(PK_PARAM); 
++                            }
++                            s = *argv;
++                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++                        }
++                        while(*(++s)); /* No params straight after charset name */
++                    }
++                    break;
++#endif /* ?UNIX */
+                 case ('p'):    /* pipes:  extract to stdout, no messages */
+                     if (negative) {
+                         uO.cflag = FALSE;
+Only in unzip60: unzip.c.orig
+diff -ur unzip60-orig/unzpriv.h unzip60/unzpriv.h
+--- unzip60-orig/unzpriv.h	2009-04-20 01:59:26.000000000 +0200
++++ unzip60/unzpriv.h	2011-02-25 11:57:38.275212165 +0100
[email protected]@ -3003,6 +3003,18 @@
+  * All other ports are assumed to code zip entry filenames in ISO 8859-1.
+  */
+ #ifndef Ext_ASCII_TO_Native
++#ifdef UNIX
++#  define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr, ssize) \
++    if (((hostnum) == FS_FAT_ && \
++         !(((islochdr) || (isuxatt)) && \
++           ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
++        (hostnum) == FS_HPFS_ || \
++        ((hostnum) == FS_NTFS_/* && (hostver) == 50*/)) { \
++        _OEM_INTERN((string), (ssize)); \
++    } else { \
++        _ISO_INTERN((string), (ssize)); \
++    }
++#else /* !UNIX */
+ #  define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \
+     if (((hostnum) == FS_FAT_ && \
+          !(((islochdr) || (isuxatt)) && \
[email protected]@ -3013,10 +3025,10 @@
+     } else { \
+         _ISO_INTERN((string)); \
+     }
++#endif /* UNIX */
+ #endif
+ 
+ 
+-
+ /**********************/
+ /*  Global constants  */
+ /**********************/
+Only in unzip60: unzpriv.h.orig
+diff -ur unzip60-orig/zipinfo.c unzip60/zipinfo.c
+--- unzip60-orig/zipinfo.c	2009-02-08 18:04:30.000000000 +0100
++++ unzip60/zipinfo.c	2011-02-25 11:57:38.281586457 +0100
[email protected]@ -457,6 +457,10 @@
+     int    tflag_slm=TRUE, tflag_2v=FALSE;
+     int    explicit_h=FALSE, explicit_t=FALSE;
+ 
++#ifdef UNIX
++    extern char OEM_CP[MAX_CP_NAME];
++    extern char ISO_CP[MAX_CP_NAME];
++#endif
+ 
+ #ifdef MACOS
+     uO.lflag = LFLAG;         /* reset default on each call */
[email protected]@ -501,6 +505,37 @@
+                             uO.lflag = 0;
+                     }
+                     break;
++#ifdef UNIX
++                case ('I'):
++                    if (negative) {
++                        Info(slide, 0x401, ((char *)slide,
++                          "error:  encodings can't be negated"));
++                        return(PK_PARAM);
++                    } else {
++                        if(*s) { /* Handle the -Icharset case */
++                            /* Assume that charsets can't start with a dash to spot arguments misuse */
++                            if(*s == '-') { 
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -I argument"));
++                                return(PK_PARAM); 
++                            }
++                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++                        } else { /* -I charset */
++                            ++argv;
++                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -I argument"));
++                                return(PK_PARAM); 
++                            }
++                            s = *argv;
++                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++                        }
++                        while(*(++s)); /* No params straight after charset name */
++                    }
++                    break;
++#endif /* ?UNIX */
+                 case 'l':      /* longer form of "ls -l" type listing */
+                     if (negative)
+                         uO.lflag = -2, negative = 0;
[email protected]@ -521,6 +556,37 @@
+                         G.M_flag = TRUE;
+                     break;
+ #endif
++#ifdef UNIX
++                case ('O'):
++                    if (negative) {
++                        Info(slide, 0x401, ((char *)slide,
++                          "error:  encodings can't be negated"));
++                        return(PK_PARAM);
++                    } else {
++                        if(*s) { /* Handle the -Ocharset case */
++                            /* Assume that charsets can't start with a dash to spot arguments misuse */
++                            if(*s == '-') { 
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -I argument"));
++                                return(PK_PARAM); 
++                            }
++                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++                        } else { /* -O charset */
++                            ++argv;
++                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++                                Info(slide, 0x401, ((char *)slide,
++                                  "error:  a valid character encoding should follow the -O argument"));
++                                return(PK_PARAM); 
++                            }
++                            s = *argv;
++                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++                        }
++                        while(*(++s)); /* No params straight after charset name */
++                    }
++                    break;
++#endif /* ?UNIX */
+                 case 's':      /* default:  shorter "ls -l" type listing */
+                     if (negative)
+                         uO.lflag = -2, negative = 0;
+Only in unzip60: zipinfo.c.orig
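Review bot: In the two-argument form of the new `-I` and `-O` cases, the guard `**argv != '-'` accepts an empty string, so after `s = *argv` the skip loop `while(*(++s));` steps over the terminator and keeps reading past the end of that argument. The same pattern appears four times, in the unzip.c and zipinfo.c option switches, both of which continue outside the nested hunks. Rejecting the empty name in the guard closes it: `if(!(--argc > 0 && *argv != NULL && **argv != '-' && **argv != '\0')) {`. The `-Ocharset` branches also print "should follow the -I argument" where `-O` is meant. Separately, `init_conversion_charsets(loc)` hands the unchecked `SETLOCALE` result to `strncmp`, so a NULL return would be dereferenced if the UTF-8 branch is taken; `if (loc != NULL && !strncmp(loc, utf8_charset_map[i].locale, 5))` avoids that.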
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/01_CVE-2014-8139.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,51 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174844
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- unzip60/extract.c	2010-04-03 14:41:55 -0500
++++ unzip60/extract.c	2014-12-03 15:33:35 -0600
[email protected]@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
++  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
[email protected]@ -298,6 +298,8 @@
+ #ifndef SFX
+    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++     EF block length (%u bytes) invalid (< %d)\n";
+    static ZCONST char Far InvalidComprDataEAs[] =
+      " invalid compressed data for EAs\n";
+ #  if (defined(WIN32) && defined(NTSD_EAS))
[email protected]@ -2023,7 +2025,8 @@
+         ebID = makeword(ef);
+         ebLen = (unsigned)makeword(ef+EB_LEN);
+ 
+-        if (ebLen > (ef_len - EB_HEADSIZE)) {
++        if (ebLen > (ef_len - EB_HEADSIZE))
++        {
+            /* Discovered some extra field inconsistency! */
+             if (uO.qflag)
+                 Info(slide, 1, ((char *)slide, "%-22s ",
[email protected]@ -2032,6 +2035,16 @@
+               ebLen, (ef_len - EB_HEADSIZE)));
+             return PK_ERR;
+         }
++        else if (ebLen < EB_HEADSIZE)
++        {
++            /* Extra block length smaller than header length. */
++            if (uO.qflag)
++                Info(slide, 1, ((char *)slide, "%-22s ",
++                  FnFilter1(G.filename)));
++            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
++              ebLen, EB_HEADSIZE));
++            return PK_ERR;
++        }
+ 
+         switch (ebID) {
+             case EF_OS2:
+
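Review bot: The `else if (ebLen < EB_HEADSIZE)` branch added here appears to be taken out again by 06_CVE-2014-8139.2.patch later in this same commit, yet nothing in this file's header says so. ebLen is the block's data length read from `ef+EB_LEN`, so the branch rejects any extra block carrying fewer than EB_HEADSIZE data bytes, which is presumably what the bug in the commit title ran into. A header line such as `Note: the ebLen < EB_HEADSIZE check added below is reverted by 06_CVE-2014-8139.2.patch` would keep anyone from carrying 01 without 06.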
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/02_CVE-2014-8140.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,28 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174851
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- a/extract.c	2009-03-14 02:32:52.000000000 +0100
++++ b/extract.c	2014-12-05 22:43:13.000000000 +0100
[email protected]@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+ 
++    /* Return no/bad-data error status if any problem is found:
++     *    1. eb_size is too small to hold the uncompressed size
++     *       (eb_ucsize).  (Else extract eb_ucsize.)
++     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
++     *    3. eb_ucsize is positive, but eb_size is too small to hold
++     *       the compressed data header.
++     */
+     if ((eb_size < (EB_UCSIZE_P + 4)) ||
+-        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+-         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+-        return IZ_EF_TRUNC;               /* no compressed data! */
++     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++        return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
+     if (
+ #ifdef INT_16BIT
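Review bot: The third term `(eb_ucsize > 0L)` can no longer be false where it is evaluated, because the term before it already returns for `eb_ucsize == 0L` and the variable is declared `ulg` (assuming that is an unsigned type, as the context of 04_CVE-2014-9636.patch suggests). The condition reads more directly as `... == 0L) || (eb_size <= (compr_offset + EB_CMPRHEADLEN)))`, with item 3 of the new comment reworded to "eb_size is too small to hold the compressed data header". test_compr_eb starts and ends outside the hunk.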
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/03_CVE-2014-8141.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,138 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174856
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- a/process.c	2009-03-06 02:25:10.000000000 +0100
++++ b/process.c	2014-12-05 22:42:39.000000000 +0100
[email protected]@ -1,5 +1,5 @@
+ /*
+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
++  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
+ 
+   See the accompanying file LICENSE, version 2009-Jan-02 or later
+   (the contents of which are also included in unzip.h) for terms of use.
[email protected]@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
+     and a 4-byte version of disk start number.
+     Sets both local header and central header fields.  Not terribly clever,
+     but it means that this procedure is only called in one place.
++
++    2014-12-05 SMS.
++    Added checks to ensure that enough data are available before calling
++    makeint64() or makelong().  Replaced various sizeof() values with
++    simple ("4" or "8") constants.  (The Zip64 structures do not depend
++    on our variable sizes.)  Error handling is crude, but we should now
++    stay within the buffer.
+   ---------------------------------------------------------------------------*/
+ 
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+     if (ef_len == 0 || ef_buf == NULL)
+         return PK_COOL;
+ 
+     Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+       ef_len));
+ 
+-    while (ef_len >= EB_HEADSIZE) {
++    while (ef_len >= EB_HEADSIZE)
++    {
+         eb_id = makeword(EB_ID + ef_buf);
+         eb_len = makeword(EB_LEN + ef_buf);
+ 
+-        if (eb_len > (ef_len - EB_HEADSIZE)) {
+-            /* discovered some extra field inconsistency! */
++        if (eb_len > (ef_len - EB_HEADSIZE))
++        {
++            /* Extra block length exceeds remaining extra field length. */
+             Trace((stderr,
+               "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+               ef_len - EB_HEADSIZE));
+             break;
+         }
+-        if (eb_id == EF_PKSZ64) {
+-
++        if (eb_id == EF_PKSZ64)
++        {
+           int offset = EB_HEADSIZE;
+ 
+-          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+-            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.ucsize);
++          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++          {
++            if (offset+ 8 > ef_len)
++              return PK_ERR;
++
++            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++            offset += 8;
+           }
+-          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+-            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.csize);
++
++          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++          {
++            if (offset+ 8 > ef_len)
++              return PK_ERR;
++
++            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++            offset += 8;
+           }
+-          if (G.crec.relative_offset_local_header == 0xffffffff){
++
++          if (G.crec.relative_offset_local_header == Z64FLGL)
++          {
++            if (offset+ 8 > ef_len)
++              return PK_ERR;
++
+             G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+-            offset += sizeof(G.crec.relative_offset_local_header);
++            offset += 8;
+           }
+-          if (G.crec.disk_number_start == 0xffff){
++
++          if (G.crec.disk_number_start == Z64FLGS)
++          {
++            if (offset+ 4 > ef_len)
++              return PK_ERR;
++
+             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+-            offset += sizeof(G.crec.disk_number_start);
++            offset += 4;
+           }
++#if 0
++          break;                /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+         }
+ 
+-        /* Skip this extra field block */
++        /* Skip this extra field block. */
+         ef_buf += (eb_len + EB_HEADSIZE);
+         ef_len -= (eb_len + EB_HEADSIZE);
+     }
+--- a/fileio.c	2009-04-20 02:03:44.000000000 +0200
++++ b/fileio.c	2014-12-05 22:44:16.000000000 +0100
[email protected]@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+   "warning:  extra field too long (%d).  Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
+ 
+ #ifdef WINDLL
+    static ZCONST char Far DiskFullQuery[] =
[email protected]@ -2295,7 +2297,12 @@ int do_string(__G__ length, option)   /*
+             if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+                 return PK_EOF;
+             /* Looks like here is where extra fields are read */
+-            getZip64Data(__G__ G.extra_field, length);
++            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++            {
++                Info(slide, 0x401, ((char *)slide,
++                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++                error = PK_WARN;
++            }
+ #ifdef UNICODE_SUPPORT
+             G.unipath_filename = NULL;
+             if (G.UzO.U_flag < 2) {
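Review bot: The new guards `if (offset+ 8 > ef_len)` and `if (offset+ 4 > ef_len)` in getZip64Data compare against the remaining extra-field length, not against the end of the EF_PKSZ64 block being parsed. Reads stay inside the buffer, but a Zip64 block shorter than the sentinel fields imply gets its sizes filled from the bytes of whatever block follows it. Bounding by the block keeps the parse inside its own record: `if (offset + 8 > EB_HEADSIZE + eb_len) return PK_ERR;` (and `+ 4` for the disk number). In do_string the failure is downgraded to `error = PK_WARN` and processing continues with the record fields as getZip64Data left them, which deserves a comment stating that this is intended; any other caller of getZip64Data outside this hunk would need the same return-value check.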
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/04_CVE-2014-9636.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,44 @@
+Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
+More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+
+From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
[email protected]@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
++    ush method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
[email protected]@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
+          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+         return IZ_EF_TRUNC;               /* no compressed data! */
+ 
++    method = makeword(eb + (EB_HEADSIZE + compr_offset));
++    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++	return PK_ERR;			  /* compressed & uncompressed
++					   * should match in STORED
++					   * method */
++
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
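Review bot: The STORED check `eb_size - compr_offset != eb_ucsize` does not subtract EB_CMPRHEADLEN, although the test directly above it treats `compr_offset + EB_CMPRHEADLEN` as the point where the data starts. If eb_ucsize counts only the payload, a well-formed STORED block fails this comparison while one whose payload is EB_CMPRHEADLEN bytes shorter than claimed passes it. `(eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)` would compare like with like; this needs confirming against the code after the hunk, which is not visible here. The second hunk's leading context also still shows the IZ_EF_TRUNC test as it was before 02_CVE-2014-8140.patch rewrote it, so with the patches applied in numeric order this hunk presumably applies only with fuzz.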
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/05_unix-configure.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,11 @@
+--- unzip60/unix/configure.bkp	2011-07-28 07:07:08.691240200 -0700
++++ unzip60/unix/configure	2011-07-28 07:07:47.315977300 -0700
[email protected]@ -646,7 +646,7 @@
+ 
+ 
+ echo CC=\"${CC}\" CF=\"${CFLAGSR} ${D_USE_BZ2}\" CRCA_O=\"${CRC32OA}\" \
+-       AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1}\" LF2=\"${LFLAGS2}\" \
++       AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1} ${LD_OPTIONS}\" LF2=\"${LFLAGS2}\" \
+        CC_BZ=\"${CC_BZ}\" CFLAGS_BZ=\"${CFLAGS_BZ}\" \
+        IZ_BZIP2=\"${IZ_BZIP2}\" D_USE_BZ2=\"${D_USE_BZ2}\" \
+        L_BZ2=\"${L_BZ2}\" LIBBZ2=\"${LIBBZ2}\"  > flags
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/06_CVE-2014-8139.2.patch	Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,160 @@
+The fix is taken from http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=454
+and should be available in next unzip release.
+
+--- unzip60/extract.c	Fri Feb 26 07:14:44 2016
++++ /home/vmarek/extract.c	Mon Feb 22 08:32:56 2016
[email protected]@ -298,7 +298,7 @@
+ #ifndef SFX
+    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+-   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+      EF block length (%u bytes) invalid (< %d)\n";
+    static ZCONST char Far InvalidComprDataEAs[] =
+      " invalid compressed data for EAs\n";
[email protected]@ -2035,16 +2035,6 @@
+               ebLen, (ef_len - EB_HEADSIZE)));
+             return PK_ERR;
+         }
+-        else if (ebLen < EB_HEADSIZE)
+-        {
+-            /* Extra block length smaller than header length. */
+-            if (uO.qflag)
+-                Info(slide, 1, ((char *)slide, "%-22s ",
+-                  FnFilter1(G.filename)));
+-            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+-              ebLen, EB_HEADSIZE));
+-            return PK_ERR;
+-        }
+ 
+         switch (ebID) {
+             case EF_OS2:
[email protected]@ -2171,11 +2161,19 @@
+                 }
+                 break;
+             case EF_PKVMS:
+-                if (makelong(ef+EB_HEADSIZE) !=
++                if (ebLen < 4)
++                {
++                    Info(slide, 1,
++                     ((char *)slide, LoadFarString(TooSmallEBlength),
++                     ebLen, 4));
++                }
++                else if (makelong(ef+EB_HEADSIZE) !=
+                     crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+                           (extent)(ebLen-4)))
++                {
+                     Info(slide, 1, ((char *)slide,
+                       LoadFarString(BadCRC_EAs)));
++                }
+                 break;
+             case EF_PKW32:
+             case EF_PKUNIX:
[email protected]@ -2230,7 +2228,7 @@
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
+-    ush method;
++    ush eb_compr_method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
[email protected]@ -2247,11 +2245,14 @@
+      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+         return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
+-    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+-    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
+-	return PK_ERR;			  /* compressed & uncompressed
+-					   * should match in STORED
+-					   * method */
++    /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
++     * For STORE method, compressed and uncompressed sizes must agree.
++     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++     */
++    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++    if ((eb_compr_method == STORED) &&
++     (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
++        return PK_ERR;
+ 
+     if (
+ #ifdef INT_16BIT
[email protected]@ -2523,10 +2524,28 @@
+     __GDEF
+     slinkentry *slnk_entry;
+ {
++    int sts;
+     extent ucsize = slnk_entry->targetlen;
+     char *linkfname = slnk_entry->fname;
+     char *linktarget = (char *)malloc(ucsize+1);
+ 
++#ifdef VMS
++    static int vms_symlink_works = -1;
++
++    if (vms_symlink_works < 0)
++    {
++        /* Test symlink() with an invalid file name.  If errno comes
++         * back ENOSYS ("Function not implemented"), then don't try to
++         * use it below on the symlink placeholder text files.
++         */
++        vms_symlink_works = symlink( "", "?");
++        if (errno == ENOSYS)
++            vms_symlink_works = 0;
++        else
++            vms_symlink_works = 1;
++    }
++#endif /* def VMS */
++
+     if (!linktarget) {
+         Info(slide, 0x201, ((char *)slide,
+           LoadFarString(SymLnkWarnNoMem), FnFilter1(linkfname)));
[email protected]@ -2554,11 +2573,29 @@
+         return;
+     }
+     fclose(G.outfile);                  /* close "data" file for good... */
++
++#ifdef VMS
++    if (vms_symlink_works == 0)
++    {
++        /* Should we be using some UnZip error message function instead
++         * of perror() (or equivalent) for these "symlink error"
++         * messages?
++         */
++        Info(slide, 0, ((char *)slide, LoadFarString(SymLnkFinish),
++          FnFilter1(linkfname), FnFilter2(linktarget)));
++
++        fprintf( stderr, "Symlink error: %s\n", strerror( ENOSYS));
++        free(linktarget);
++        return;
++    }
++#endif /* def VMS */
++
+     unlink(linkfname);                  /* ...and delete it */
+-    if (QCOND2)
++    sts = symlink(linktarget, linkfname);       /* create the real link */
++    if (QCOND2 || (sts != 0))
+         Info(slide, 0, ((char *)slide, LoadFarString(SymLnkFinish),
+           FnFilter1(linkfname), FnFilter2(linktarget)));
+-    if (symlink(linktarget, linkfname))  /* create the real link */
++    if (sts != 0)
+         perror("symlink error");
+     free(linktarget);
+ #ifdef SET_SYMLINK_ATTRIBS
[email protected]@ -2652,7 +2689,7 @@
+ #endif /* ?HAVE_WORKING_ISPRINT */
+         } else {
+ #ifdef _MBCS
+-            unsigned i = CLEN(r);
++            extent i = CLEN(r);
+             if (se != NULL && (s > (space + (size-i-2)))) {
+                 have_overflow = TRUE;
+                 break;
[email protected]@ -2835,7 +2872,7 @@
+ #endif
+ 
+     G.inptr = (uch *)bstrm.next_in;
+-    G.incnt = (G.inbuf + INBUFSIZ) - G.inptr;  /* reset for other routines */
++    G.incnt = (int)((G.inbuf + INBUFSIZ) - G.inptr);  /* Reset for others. */
+ 
+ uzbunzip_cleanup_exit:
+     err = BZ2_bzDecompressEnd(&bstrm);
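Review bot: In the symlink hunk, `perror("symlink error")` now runs after the `Info(...)` call instead of directly after `symlink()`, so errno may be overwritten by the message output before it is reported. Saving it right after the call, e.g. `sts = symlink(linktarget, linkfname); sts_errno = errno;`, and restoring it with `errno = sts_errno;` before `perror` keeps the diagnostic accurate. The VMS probe has a related weakness: `if (errno == ENOSYS)` is evaluated without clearing errno first or checking that `symlink( "", "?")` actually failed, so a stale value can decide `vms_symlink_works`. The enclosing function starts and ends outside these hunks.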
--- a/components/unzip/patches/6719511-i18.patch	Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,512 +0,0 @@
-diff -ur unzip60-orig/fileio.c unzip60/fileio.c
---- unzip60-orig/fileio.c	2009-04-20 02:03:44.000000000 +0200
-+++ unzip60/fileio.c	2011-02-25 11:57:38.242056429 +0100
[email protected]@ -2126,9 +2126,16 @@
-                 /* translate the text coded in the entry's host-dependent
-                    "extended ASCII" charset into the compiler's (system's)
-                    internal text code page */
-+#ifdef UNIX
-+                Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
-+                                    G.pInfo->hostver, G.pInfo->HasUxAtt,
-+                                    FALSE, OUTBUFSIZ);
-+#else /* !UNIX */
-                 Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
-                                     G.pInfo->hostver, G.pInfo->HasUxAtt,
-                                     FALSE);
-+#endif /* UNIX */
-+
- #ifdef WINDLL
-                 /* translate to ANSI (RTL internal codepage may be OEM) */
-                 INTERN_TO_ISO((char *)G.outbuf, (char *)G.outbuf);
[email protected]@ -2240,8 +2247,13 @@
- 
-         /* translate the Zip entry filename coded in host-dependent "extended
-            ASCII" into the compiler's (system's) internal text code page */
-+#ifdef UNIX
-+        Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
-+                            G.pInfo->HasUxAtt, (option == DS_FN_L), FILNAMSIZ);
-+#else /* !UNIX */
-         Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
-                             G.pInfo->HasUxAtt, (option == DS_FN_L));
-+#endif /* UNIX */
- 
-         if (G.pInfo->lcflag)      /* replace with lowercase filename */
-             STRLOWER(G.filename, G.filename);
-Only in unzip60: fileio.c.orig
-diff -ur unzip60-orig/unix/unix.c unzip60/unix/unix.c
---- unzip60-orig/unix/unix.c	2009-01-24 00:31:26.000000000 +0100
-+++ unzip60/unix/unix.c	2011-02-25 11:57:38.259028876 +0100
[email protected]@ -30,6 +30,10 @@
- #define UNZIP_INTERNAL
- #include "unzip.h"
- 
-+#include <iconv.h>
-+#include <langinfo.h>
-+#include <strings.h>
-+
- #ifdef SCO_XENIX
- #  define SYSNDIR
- #else  /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
[email protected]@ -1874,3 +1878,128 @@
-     }
- }
- #endif /* QLZIP */
-+
-+
-+typedef struct {
-+    char *local_charset;
-+    char *archive_charset;
-+} CHARSET_MAP;
-+
-+/* A mapping of local <-> archive charsets used by default to convert filenames
-+ * of DOS/Windows Zip archives. Currently very basic. */
-+const static CHARSET_MAP dos_charset_map[] = {
-+    { "ANSI_X3.4-1968", "CP850" },
-+    { "ISO-8859-1", "CP850" },
-+    { "CP1252", "CP850" },
-+    { "KOI8-R", "CP866" },
-+    { "KOI8-U", "CP866" },
-+    { "ISO-8859-5", "CP866" }
-+};
-+
-+typedef struct {
-+    char *locale;
-+    char *archive_charset;
-+} UTF8_CHARSET_MAP;
-+
-+/* In case local charset is UTF-8, lookup archive_charset
-+   by locale.  Currently very basic. */
-+#define	UTF8_CHARSET_MAP_DEFAULT	"CP866"
-+const static UTF8_CHARSET_MAP utf8_charset_map[] = {
-+    { "ja_JP", "CP932" },
-+    { "zh_CN", "GBK" },
-+    { "zh_TW", "BIG5" },
-+    { "ko_KR", "CP949" },
-+};
-+
-+char OEM_CP[MAX_CP_NAME] = "";
-+char ISO_CP[MAX_CP_NAME] = "";
-+
-+/* Try to guess the default value of OEM_CP based on the current locale.
-+ * ISO_CP is left alone for now. */
-+void init_conversion_charsets(const char *loc)
-+{
-+    const char *local_charset;
-+    int i;
-+
-+    /* Make a guess only if OEM_CP not already set. */ 
-+    if(*OEM_CP == '\0')
-+    {
-+	local_charset = nl_langinfo(CODESET);
-+	if (!strcasecmp(local_charset, "UTF-8") || !strcasecmp(local_charset,
-+"UTF8") )
-+	{
-+	    strcpy(OEM_CP, UTF8_CHARSET_MAP_DEFAULT);
-+	    for(i = 0; i < sizeof(utf8_charset_map)/sizeof(UTF8_CHARSET_MAP);
-+		i++)
-+	    {
-+		if (!strncmp(loc, utf8_charset_map[i].locale, 5))
-+		{
-+		    strncpy(OEM_CP, utf8_charset_map[i].archive_charset,
-+			sizeof(OEM_CP) - 1);
-+		    OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+		    break;
-+		}
-+	    }
-+	}
-+	else
-+	{
-+	    for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
-+            {
-+		if (!strcasecmp(local_charset, 
-+		    dos_charset_map[i].local_charset))
-+		{
-+		    strncpy(OEM_CP, dos_charset_map[i].archive_charset,
-+			sizeof(OEM_CP) - 1);
-+		    OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+		    break;
-+		}
-+	    }
-+	}
-+    }
-+}
-+
-+/* Convert a string from one encoding to the current locale using iconv().
-+ * Be as non-intrusive as possible. If error is encountered during covertion
-+ * just leave the string intact. */
-+static void charset_to_intern(char *string, size_t sbuflen, char *from_charset)
-+{
-+    iconv_t cd;
-+    char *s,*d, *buf;
-+    size_t slen, dlen;
-+    const char *local_charset;
-+
-+    if(*from_charset == '\0')
-+    	return;
-+
-+    local_charset = nl_langinfo(CODESET);
-+
-+    if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
-+        return;
-+
-+    slen = strlen(string);
-+    s = string;
-+    dlen = sbuflen - 1;
-+    d = buf = malloc(sbuflen);
-+    if(!d)
-+    	goto cleanup;
-+    if(iconv(cd, (const char **)&s, &slen, &d, &dlen) != (size_t)-1) {
-+	*d = '\0';
-+	strcpy(string, buf);
-+    }
-+    
-+    free(buf);
-+    cleanup:
-+    iconv_close(cd);
-+}
-+
-+/* Convert a string from OEM_CP to the current locale charset. */
-+void oem_intern(char *string, size_t sbuflen)
-+{
-+    charset_to_intern(string, sbuflen, OEM_CP);
-+}
-+
-+/* Convert a string from ISO_CP to the current locale charset. */
-+void iso_intern(char *string, size_t sbuflen)
-+{
-+    charset_to_intern(string, sbuflen, ISO_CP);
-+}
-Only in unzip60/unix: unix.c.orig
-diff -ur unzip60-orig/unix/unxcfg.h unzip60/unix/unxcfg.h
---- unzip60-orig/unix/unxcfg.h	2009-04-16 20:36:12.000000000 +0200
-+++ unzip60/unix/unxcfg.h	2011-02-25 11:57:38.262941301 +0100
[email protected]@ -52,6 +52,7 @@
- 
- #include <sys/types.h>          /* off_t, time_t, dev_t, ... */
- #include <sys/stat.h>
-+#include <unistd.h>
- 
- #ifdef NO_OFF_T
-   typedef long zoff_t;
[email protected]@ -227,4 +228,30 @@
- /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
- /*    and notfirstcall are used by do_wild().                          */
- 
-+
-+#define MAX_CP_NAME 25 
-+   
-+#ifdef SETLOCALE
-+#  undef SETLOCALE
-+#endif
-+#define SETLOCALE(category, locale) setlocale(category, locale)
-+#include <locale.h>
-+   
-+#ifdef _ISO_INTERN
-+#  undef _ISO_INTERN
-+#endif
-+#define _ISO_INTERN(str1, ssize) iso_intern(str1, ssize)
-+
-+#ifdef _OEM_INTERN
-+#  undef _OEM_INTERN
-+#endif
-+#ifndef IZ_OEM2ISO_ARRAY
-+#  define IZ_OEM2ISO_ARRAY
-+#endif
-+#define _OEM_INTERN(str1, ssize) oem_intern(str1, ssize)
-+
-+void iso_intern(char *, size_t);
-+void oem_intern(char *, size_t);
-+void init_conversion_charsets(const char *);
-+   
- #endif /* !__unxcfg_h */
-Only in unzip60/unix: unxcfg.h.orig
-diff -ur unzip60-orig/unzip.c unzip60/unzip.c
---- unzip60-orig/unzip.c	2009-04-16 20:26:52.000000000 +0200
-+++ unzip60/unzip.c	2011-02-26 00:03:41.011389301 +0100
[email protected]@ -327,11 +327,21 @@
-   -2  just filenames but allow -h/-t/-z  -l  long Unix \"ls -l\" format\n\
-                                          -v  verbose, multi-page format\n";
- 
-+#ifdef UNIX
-+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
-+  -h  print header line       -t  print totals for listed files or for all\n\
-+  -z  print zipfile comment   -T  print file times in sortable decimal format\
-+\n  -C  be case-insensitive   %s\
-+  -x  exclude filenames that follow from listing\n\
-+  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
-+  -I CHARSET  specify a character encoding for UNIX and other archives\n";
-+#else /* !UNIX */
- static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
-   -h  print header line       -t  print totals for listed files or for all\n\
-   -z  print zipfile comment   -T  print file times in sortable decimal format\
- \n  -C  be case-insensitive   %s\
-   -x  exclude filenames that follow from listing\n";
-+#endif /* UNIX */
- #ifdef MORE
-    static ZCONST char Far ZipInfoUsageLine4[] =
-      "  -M  page output through built-in \"more\"\n";
[email protected]@ -666,6 +676,18 @@
-   -C  match filenames case-insensitively     -L  make (some) names \
- lowercase\n %-42s  -V  retain VMS version numbers\n%s";
- #else /* !VMS */
-+#ifdef UNIX
-+static ZCONST char Far UnzipUsageLine4[] = "\
-+modifiers:\n\
-+  -n  never overwrite existing files         -q  quiet mode (-qq => quieter)\n\
-+  -o  overwrite files WITHOUT prompting      -a  auto-convert any text files\n\
-+  -j  junk paths (do not make directories)   -aa treat ALL files as text\n\
-+  -U  use escapes for all non-ASCII Unicode  -UU ignore any Unicode fields\n\
-+  -C  match filenames case-insensitively     -L  make (some) names \
-+lowercase\n %-42s  -V  retain VMS version numbers\n%s\n\
-+  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
-+  -I CHARSET  specify a character encoding for UNIX and other archives\n\n";
-+#else /* !UNIX */
- static ZCONST char Far UnzipUsageLine4[] = "\
- modifiers:\n\
-   -n  never overwrite existing files         -q  quiet mode (-qq => quieter)\n\
[email protected]@ -674,6 +696,7 @@
-   -U  use escapes for all non-ASCII Unicode  -UU ignore any Unicode fields\n\
-   -C  match filenames case-insensitively     -L  make (some) names \
- lowercase\n %-42s  -V  retain VMS version numbers\n%s";
-+#endif /* UNIX */
- #endif /* ?VMS */
- #else /* !UNICODE_SUPPORT */
- #ifdef VMS
[email protected]@ -742,6 +765,9 @@
-     int i;
- #endif
-     int retcode, error=FALSE;
-+#ifdef UNIX
-+    const char *loc;
-+#endif
- #ifndef NO_EXCEPT_SIGNALS
- #ifdef REENTRANT
-     savsigs_info *oldsighandlers = NULL;
[email protected]@ -756,7 +782,12 @@
- #endif /* NO_EXCEPT_SIGNALS */
- 
-     /* initialize international char support to the current environment */
-+#ifdef UNIX
-+    loc = SETLOCALE(LC_CTYPE,"");
-+    init_conversion_charsets(loc);
-+#else /* !UNIX */
-     SETLOCALE(LC_CTYPE, "");
-+#endif /* UNIX */
- 
- #ifdef UNICODE_SUPPORT
-     /* see if can use UTF-8 Unicode locale */
[email protected]@ -1336,6 +1367,11 @@
-     argc = *pargc;
-     argv = *pargv;
- 
-+#ifdef UNIX
-+    extern char OEM_CP[MAX_CP_NAME];
-+    extern char ISO_CP[MAX_CP_NAME];
-+#endif
-+    
-     while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
-         s = *argv + 1;
-         while ((c = *s++) != 0) {    /* "!= 0":  prevent Turbo C warning */
[email protected]@ -1517,6 +1553,37 @@
-                     }
-                     break;
- #endif  /* MACOS */
-+#ifdef UNIX
-+                case ('I'):
-+                    if (negative) {
-+                        Info(slide, 0x401, ((char *)slide,
-+                          "error:  encodings can't be negated"));
-+                        return(PK_PARAM);
-+                    } else {
-+                        if(*s) { /* Handle the -Icharset case */
-+                            /* Assume that charsets can't start with a dash to spot arguments misuse */
-+                            if(*s == '-') { 
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -I argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+                        } else { /* -I charset */
-+                            ++argv;
-+                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -I argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            s = *argv;
-+                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+                        }
-+                        while(*(++s)); /* No params straight after charset name */
-+                    }
-+                    break;
-+#endif /* ?UNIX */
-                 case ('j'):    /* junk pathnames/directory structure */
-                     if (negative)
-                         uO.jflag = FALSE, negative = 0;
[email protected]@ -1592,6 +1659,37 @@
-                     } else
-                         ++uO.overwrite_all;
-                     break;
-+#ifdef UNIX
-+                case ('O'):
-+                    if (negative) {
-+                        Info(slide, 0x401, ((char *)slide,
-+                          "error:  encodings can't be negated"));
-+                        return(PK_PARAM);
-+                    } else {
-+                        if(*s) { /* Handle the -Ocharset case */
-+                            /* Assume that charsets can't start with a dash to spot arguments misuse */
-+                            if(*s == '-') { 
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -I argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+                        } else { /* -O charset */
-+                            ++argv;
-+                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -O argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            s = *argv;
-+                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+                        }
-+                        while(*(++s)); /* No params straight after charset name */
-+                    }
-+                    break;
-+#endif /* ?UNIX */
-                 case ('p'):    /* pipes:  extract to stdout, no messages */
-                     if (negative) {
-                         uO.cflag = FALSE;
-Only in unzip60: unzip.c.orig
-diff -ur unzip60-orig/unzpriv.h unzip60/unzpriv.h
---- unzip60-orig/unzpriv.h	2009-04-20 01:59:26.000000000 +0200
-+++ unzip60/unzpriv.h	2011-02-25 11:57:38.275212165 +0100
[email protected]@ -3003,6 +3003,18 @@
-  * All other ports are assumed to code zip entry filenames in ISO 8859-1.
-  */
- #ifndef Ext_ASCII_TO_Native
-+#ifdef UNIX
-+#  define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr, ssize) \
-+    if (((hostnum) == FS_FAT_ && \
-+         !(((islochdr) || (isuxatt)) && \
-+           ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
-+        (hostnum) == FS_HPFS_ || \
-+        ((hostnum) == FS_NTFS_/* && (hostver) == 50*/)) { \
-+        _OEM_INTERN((string), (ssize)); \
-+    } else { \
-+        _ISO_INTERN((string), (ssize)); \
-+    }
-+#else /* !UNIX */
- #  define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \
-     if (((hostnum) == FS_FAT_ && \
-          !(((islochdr) || (isuxatt)) && \
[email protected]@ -3013,10 +3025,10 @@
-     } else { \
-         _ISO_INTERN((string)); \
-     }
-+#endif /* UNIX */
- #endif
- 
- 
--
- /**********************/
- /*  Global constants  */
- /**********************/
-Only in unzip60: unzpriv.h.orig
-diff -ur unzip60-orig/zipinfo.c unzip60/zipinfo.c
---- unzip60-orig/zipinfo.c	2009-02-08 18:04:30.000000000 +0100
-+++ unzip60/zipinfo.c	2011-02-25 11:57:38.281586457 +0100
[email protected]@ -457,6 +457,10 @@
-     int    tflag_slm=TRUE, tflag_2v=FALSE;
-     int    explicit_h=FALSE, explicit_t=FALSE;
- 
-+#ifdef UNIX
-+    extern char OEM_CP[MAX_CP_NAME];
-+    extern char ISO_CP[MAX_CP_NAME];
-+#endif
- 
- #ifdef MACOS
-     uO.lflag = LFLAG;         /* reset default on each call */
[email protected]@ -501,6 +505,37 @@
-                             uO.lflag = 0;
-                     }
-                     break;
-+#ifdef UNIX
-+                case ('I'):
-+                    if (negative) {
-+                        Info(slide, 0x401, ((char *)slide,
-+                          "error:  encodings can't be negated"));
-+                        return(PK_PARAM);
-+                    } else {
-+                        if(*s) { /* Handle the -Icharset case */
-+                            /* Assume that charsets can't start with a dash to spot arguments misuse */
-+                            if(*s == '-') { 
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -I argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+                        } else { /* -I charset */
-+                            ++argv;
-+                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -I argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            s = *argv;
-+                            strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+                            ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+                        }
-+                        while(*(++s)); /* No params straight after charset name */
-+                    }
-+                    break;
-+#endif /* ?UNIX */
-                 case 'l':      /* longer form of "ls -l" type listing */
-                     if (negative)
-                         uO.lflag = -2, negative = 0;
[email protected]@ -521,6 +556,37 @@
-                         G.M_flag = TRUE;
-                     break;
- #endif
-+#ifdef UNIX
-+                case ('O'):
-+                    if (negative) {
-+                        Info(slide, 0x401, ((char *)slide,
-+                          "error:  encodings can't be negated"));
-+                        return(PK_PARAM);
-+                    } else {
-+                        if(*s) { /* Handle the -Ocharset case */
-+                            /* Assume that charsets can't start with a dash to spot arguments misuse */
-+                            if(*s == '-') { 
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -I argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+                        } else { /* -O charset */
-+                            ++argv;
-+                            if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+                                Info(slide, 0x401, ((char *)slide,
-+                                  "error:  a valid character encoding should follow the -O argument"));
-+                                return(PK_PARAM); 
-+                            }
-+                            s = *argv;
-+                            strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+                            OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+                        }
-+                        while(*(++s)); /* No params straight after charset name */
-+                    }
-+                    break;
-+#endif /* ?UNIX */
-                 case 's':      /* default:  shorter "ls -l" type listing */
-                     if (negative)
-                         uO.lflag = -2, negative = 0;
-Only in unzip60: zipinfo.c.orig
--- a/components/unzip/patches/CVE-2014-8139.patch	Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174844
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- unzip60/extract.c	2010-04-03 14:41:55 -0500
-+++ unzip60/extract.c	2014-12-03 15:33:35 -0600
[email protected]@ -1,5 +1,5 @@
- /*
--  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
-+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
- 
-   See the accompanying file LICENSE, version 2009-Jan-02 or later
-   (the contents of which are also included in unzip.h) for terms of use.
[email protected]@ -298,6 +298,8 @@
- #ifndef SFX
-    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
-      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+   static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
-+     EF block length (%u bytes) invalid (< %d)\n";
-    static ZCONST char Far InvalidComprDataEAs[] =
-      " invalid compressed data for EAs\n";
- #  if (defined(WIN32) && defined(NTSD_EAS))
[email protected]@ -2023,7 +2025,8 @@
-         ebID = makeword(ef);
-         ebLen = (unsigned)makeword(ef+EB_LEN);
- 
--        if (ebLen > (ef_len - EB_HEADSIZE)) {
-+        if (ebLen > (ef_len - EB_HEADSIZE))
-+        {
-            /* Discovered some extra field inconsistency! */
-             if (uO.qflag)
-                 Info(slide, 1, ((char *)slide, "%-22s ",
[email protected]@ -2032,6 +2035,16 @@
-               ebLen, (ef_len - EB_HEADSIZE)));
-             return PK_ERR;
-         }
-+        else if (ebLen < EB_HEADSIZE)
-+        {
-+            /* Extra block length smaller than header length. */
-+            if (uO.qflag)
-+                Info(slide, 1, ((char *)slide, "%-22s ",
-+                  FnFilter1(G.filename)));
-+            Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
-+              ebLen, EB_HEADSIZE));
-+            return PK_ERR;
-+        }
- 
-         switch (ebID) {
-             case EF_OS2:
-
--- a/components/unzip/patches/CVE-2014-8140.patch	Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174851
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- a/extract.c	2009-03-14 02:32:52.000000000 +0100
-+++ b/extract.c	2014-12-05 22:43:13.000000000 +0100
[email protected]@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
-     if (compr_offset < 4)                /* field is not compressed: */
-         return PK_OK;                    /* do nothing and signal OK */
- 
-+    /* Return no/bad-data error status if any problem is found:
-+     *    1. eb_size is too small to hold the uncompressed size
-+     *       (eb_ucsize).  (Else extract eb_ucsize.)
-+     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
-+     *    3. eb_ucsize is positive, but eb_size is too small to hold
-+     *       the compressed data header.
-+     */
-     if ((eb_size < (EB_UCSIZE_P + 4)) ||
--        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
--         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
--        return IZ_EF_TRUNC;               /* no compressed data! */
-+     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
-+     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
-+        return IZ_EF_TRUNC;             /* no/bad compressed data! */
- 
-     if (
- #ifdef INT_16BIT
--- a/components/unzip/patches/CVE-2014-8141.patch	Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,138 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174856
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- a/process.c	2009-03-06 02:25:10.000000000 +0100
-+++ b/process.c	2014-12-05 22:42:39.000000000 +0100
[email protected]@ -1,5 +1,5 @@
- /*
--  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
-+  Copyright (c) 1990-2014 Info-ZIP.  All rights reserved.
- 
-   See the accompanying file LICENSE, version 2009-Jan-02 or later
-   (the contents of which are also included in unzip.h) for terms of use.
[email protected]@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
-     and a 4-byte version of disk start number.
-     Sets both local header and central header fields.  Not terribly clever,
-     but it means that this procedure is only called in one place.
-+
-+    2014-12-05 SMS.
-+    Added checks to ensure that enough data are available before calling
-+    makeint64() or makelong().  Replaced various sizeof() values with
-+    simple ("4" or "8") constants.  (The Zip64 structures do not depend
-+    on our variable sizes.)  Error handling is crude, but we should now
-+    stay within the buffer.
-   ---------------------------------------------------------------------------*/
- 
-+#define Z64FLGS 0xffff
-+#define Z64FLGL 0xffffffff
-+
-     if (ef_len == 0 || ef_buf == NULL)
-         return PK_COOL;
- 
-     Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
-       ef_len));
- 
--    while (ef_len >= EB_HEADSIZE) {
-+    while (ef_len >= EB_HEADSIZE)
-+    {
-         eb_id = makeword(EB_ID + ef_buf);
-         eb_len = makeword(EB_LEN + ef_buf);
- 
--        if (eb_len > (ef_len - EB_HEADSIZE)) {
--            /* discovered some extra field inconsistency! */
-+        if (eb_len > (ef_len - EB_HEADSIZE))
-+        {
-+            /* Extra block length exceeds remaining extra field length. */
-             Trace((stderr,
-               "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
-               ef_len - EB_HEADSIZE));
-             break;
-         }
--        if (eb_id == EF_PKSZ64) {
--
-+        if (eb_id == EF_PKSZ64)
-+        {
-           int offset = EB_HEADSIZE;
- 
--          if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
--            G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
--            offset += sizeof(G.crec.ucsize);
-+          if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
-+          {
-+            if (offset+ 8 > ef_len)
-+              return PK_ERR;
-+
-+            G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
-+            offset += 8;
-           }
--          if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
--            G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
--            offset += sizeof(G.crec.csize);
-+
-+          if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
-+          {
-+            if (offset+ 8 > ef_len)
-+              return PK_ERR;
-+
-+            G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
-+            offset += 8;
-           }
--          if (G.crec.relative_offset_local_header == 0xffffffff){
-+
-+          if (G.crec.relative_offset_local_header == Z64FLGL)
-+          {
-+            if (offset+ 8 > ef_len)
-+              return PK_ERR;
-+
-             G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
--            offset += sizeof(G.crec.relative_offset_local_header);
-+            offset += 8;
-           }
--          if (G.crec.disk_number_start == 0xffff){
-+
-+          if (G.crec.disk_number_start == Z64FLGS)
-+          {
-+            if (offset+ 4 > ef_len)
-+              return PK_ERR;
-+
-             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
--            offset += sizeof(G.crec.disk_number_start);
-+            offset += 4;
-           }
-+#if 0
-+          break;                /* Expect only one EF_PKSZ64 block. */
-+#endif /* 0 */
-         }
- 
--        /* Skip this extra field block */
-+        /* Skip this extra field block. */
-         ef_buf += (eb_len + EB_HEADSIZE);
-         ef_len -= (eb_len + EB_HEADSIZE);
-     }
---- a/fileio.c	2009-04-20 02:03:44.000000000 +0200
-+++ b/fileio.c	2014-12-05 22:44:16.000000000 +0100
[email protected]@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
- #endif
- static ZCONST char Far ExtraFieldTooLong[] =
-   "warning:  extra field too long (%d).  Ignoring...\n";
-+static ZCONST char Far ExtraFieldCorrupt[] =
-+  "warning:  extra field (type: 0x%04x) corrupt.  Continuing...\n";
- 
- #ifdef WINDLL
-    static ZCONST char Far DiskFullQuery[] =
[email protected]@ -2295,7 +2297,12 @@ int do_string(__G__ length, option)   /*
-             if (readbuf(__G__ (char *)G.extra_field, length) == 0)
-                 return PK_EOF;
-             /* Looks like here is where extra fields are read */
--            getZip64Data(__G__ G.extra_field, length);
-+            if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
-+            {
-+                Info(slide, 0x401, ((char *)slide,
-+                 LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
-+                error = PK_WARN;
-+            }
- #ifdef UNICODE_SUPPORT
-             G.unipath_filename = NULL;
-             if (G.UzO.U_flag < 2) {
--- a/components/unzip/patches/CVE-2014-9636.patch	Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@
-Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
-More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
-
-From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
-From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 3 Nov 2014
-Subject: Info-ZIP UnZip buffer overflow
-
-By carefully crafting a corrupt ZIP archive with "extra fields" that
-purport to have compressed blocks larger than the corresponding
-uncompressed blocks in STORED no-compression mode, an attacker can
-trigger a heap overflow that can result in application crash or
-possibly have other unspecified impact.
-
-This patch ensures that when extra fields use STORED mode, the
-"compressed" and uncompressed block sizes match.
-
----
- extract.c |    8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/extract.c
-+++ b/extract.c
[email protected]@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
-     ulg eb_ucsize;
-     uch *eb_ucptr;
-     int r;
-+    ush method;
- 
-     if (compr_offset < 4)                /* field is not compressed: */
-         return PK_OK;                    /* do nothing and signal OK */
[email protected]@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
-          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
-         return IZ_EF_TRUNC;               /* no compressed data! */
- 
-+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
-+    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
-+	return PK_ERR;			  /* compressed & uncompressed
-+					   * should match in STORED
-+					   * method */
-+
-     if (
- #ifdef INT_16BIT
-         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
--- a/components/unzip/patches/unix-configure.patch	Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- unzip60/unix/configure.bkp	2011-07-28 07:07:08.691240200 -0700
-+++ unzip60/unix/configure	2011-07-28 07:07:47.315977300 -0700
[email protected]@ -646,7 +646,7 @@
- 
- 
- echo CC=\"${CC}\" CF=\"${CFLAGSR} ${D_USE_BZ2}\" CRCA_O=\"${CRC32OA}\" \
--       AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1}\" LF2=\"${LFLAGS2}\" \
-+       AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1} ${LD_OPTIONS}\" LF2=\"${LFLAGS2}\" \
-        CC_BZ=\"${CC_BZ}\" CFLAGS_BZ=\"${CFLAGS_BZ}\" \
-        IZ_BZIP2=\"${IZ_BZIP2}\" D_USE_BZ2=\"${D_USE_BZ2}\" \
-        L_BZ2=\"${L_BZ2}\" LIBBZ2=\"${LIBBZ2}\"  > flags