--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/00_6719511-i18.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,512 @@
+diff -ur unzip60-orig/fileio.c unzip60/fileio.c
+--- unzip60-orig/fileio.c 2009-04-20 02:03:44.000000000 +0200
++++ unzip60/fileio.c 2011-02-25 11:57:38.242056429 +0100
+@@ -2126,9 +2126,16 @@
+ /* translate the text coded in the entry's host-dependent
+ "extended ASCII" charset into the compiler's (system's)
+ internal text code page */
++#ifdef UNIX
++ Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
++ G.pInfo->hostver, G.pInfo->HasUxAtt,
++ FALSE, OUTBUFSIZ);
++#else /* !UNIX */
+ Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
+ G.pInfo->hostver, G.pInfo->HasUxAtt,
+ FALSE);
++#endif /* UNIX */
++
+ #ifdef WINDLL
+ /* translate to ANSI (RTL internal codepage may be OEM) */
+ INTERN_TO_ISO((char *)G.outbuf, (char *)G.outbuf);
+@@ -2240,8 +2247,13 @@
+
+ /* translate the Zip entry filename coded in host-dependent "extended
+ ASCII" into the compiler's (system's) internal text code page */
++#ifdef UNIX
++ Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
++ G.pInfo->HasUxAtt, (option == DS_FN_L), FILNAMSIZ);
++#else /* !UNIX */
+ Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
+ G.pInfo->HasUxAtt, (option == DS_FN_L));
++#endif /* UNIX */
+
+ if (G.pInfo->lcflag) /* replace with lowercase filename */
+ STRLOWER(G.filename, G.filename);
+Only in unzip60: fileio.c.orig
+diff -ur unzip60-orig/unix/unix.c unzip60/unix/unix.c
+--- unzip60-orig/unix/unix.c 2009-01-24 00:31:26.000000000 +0100
++++ unzip60/unix/unix.c 2011-02-25 11:57:38.259028876 +0100
+@@ -30,6 +30,10 @@
+ #define UNZIP_INTERNAL
+ #include "unzip.h"
+
++#include <iconv.h>
++#include <langinfo.h>
++#include <strings.h>
++
+ #ifdef SCO_XENIX
+ # define SYSNDIR
+ #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
+@@ -1874,3 +1878,128 @@
+ }
+ }
+ #endif /* QLZIP */
++
++
++typedef struct {
++ char *local_charset;
++ char *archive_charset;
++} CHARSET_MAP;
++
++/* A mapping of local <-> archive charsets used by default to convert filenames
++ * of DOS/Windows Zip archives. Currently very basic. */
++const static CHARSET_MAP dos_charset_map[] = {
++ { "ANSI_X3.4-1968", "CP850" },
++ { "ISO-8859-1", "CP850" },
++ { "CP1252", "CP850" },
++ { "KOI8-R", "CP866" },
++ { "KOI8-U", "CP866" },
++ { "ISO-8859-5", "CP866" }
++};
++
++typedef struct {
++ char *locale;
++ char *archive_charset;
++} UTF8_CHARSET_MAP;
++
++/* In case local charset is UTF-8, lookup archive_charset
++ by locale. Currently very basic. */
++#define UTF8_CHARSET_MAP_DEFAULT "CP866"
++const static UTF8_CHARSET_MAP utf8_charset_map[] = {
++ { "ja_JP", "CP932" },
++ { "zh_CN", "GBK" },
++ { "zh_TW", "BIG5" },
++ { "ko_KR", "CP949" },
++};
++
++char OEM_CP[MAX_CP_NAME] = "";
++char ISO_CP[MAX_CP_NAME] = "";
++
++/* Try to guess the default value of OEM_CP based on the current locale.
++ * ISO_CP is left alone for now. */
++void init_conversion_charsets(const char *loc)
++{
++ const char *local_charset;
++ int i;
++
++ /* Make a guess only if OEM_CP not already set. */
++ if(*OEM_CP == '\0')
++ {
++ local_charset = nl_langinfo(CODESET);
++ if (!strcasecmp(local_charset, "UTF-8") || !strcasecmp(local_charset,
++"UTF8") )
++ {
++ strcpy(OEM_CP, UTF8_CHARSET_MAP_DEFAULT);
++ for(i = 0; i < sizeof(utf8_charset_map)/sizeof(UTF8_CHARSET_MAP);
++ i++)
++ {
++ if (!strncmp(loc, utf8_charset_map[i].locale, 5))
++ {
++ strncpy(OEM_CP, utf8_charset_map[i].archive_charset,
++ sizeof(OEM_CP) - 1);
++ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++ break;
++ }
++ }
++ }
++ else
++ {
++ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
++ {
++ if (!strcasecmp(local_charset,
++ dos_charset_map[i].local_charset))
++ {
++ strncpy(OEM_CP, dos_charset_map[i].archive_charset,
++ sizeof(OEM_CP) - 1);
++ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++ break;
++ }
++ }
++ }
++ }
++}
++
++/* Convert a string from one encoding to the current locale using iconv().
++ * Be as non-intrusive as possible. If error is encountered during covertion
++ * just leave the string intact. */
++static void charset_to_intern(char *string, size_t sbuflen, char *from_charset)
++{
++ iconv_t cd;
++ char *s,*d, *buf;
++ size_t slen, dlen;
++ const char *local_charset;
++
++ if(*from_charset == '\0')
++ return;
++
++ local_charset = nl_langinfo(CODESET);
++
++ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
++ return;
++
++ slen = strlen(string);
++ s = string;
++ dlen = sbuflen - 1;
++ d = buf = malloc(sbuflen);
++ if(!d)
++ goto cleanup;
++ if(iconv(cd, (const char **)&s, &slen, &d, &dlen) != (size_t)-1) {
++ *d = '\0';
++ strcpy(string, buf);
++ }
++
++ free(buf);
++ cleanup:
++ iconv_close(cd);
++}
++
++/* Convert a string from OEM_CP to the current locale charset. */
++void oem_intern(char *string, size_t sbuflen)
++{
++ charset_to_intern(string, sbuflen, OEM_CP);
++}
++
++/* Convert a string from ISO_CP to the current locale charset. */
++void iso_intern(char *string, size_t sbuflen)
++{
++ charset_to_intern(string, sbuflen, ISO_CP);
++}
+Only in unzip60/unix: unix.c.orig
+diff -ur unzip60-orig/unix/unxcfg.h unzip60/unix/unxcfg.h
+--- unzip60-orig/unix/unxcfg.h 2009-04-16 20:36:12.000000000 +0200
++++ unzip60/unix/unxcfg.h 2011-02-25 11:57:38.262941301 +0100
+@@ -52,6 +52,7 @@
+
+ #include <sys/types.h> /* off_t, time_t, dev_t, ... */
+ #include <sys/stat.h>
++#include <unistd.h>
+
+ #ifdef NO_OFF_T
+ typedef long zoff_t;
+@@ -227,4 +228,30 @@
+ /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
+ /* and notfirstcall are used by do_wild(). */
+
++
++#define MAX_CP_NAME 25
++
++#ifdef SETLOCALE
++# undef SETLOCALE
++#endif
++#define SETLOCALE(category, locale) setlocale(category, locale)
++#include <locale.h>
++
++#ifdef _ISO_INTERN
++# undef _ISO_INTERN
++#endif
++#define _ISO_INTERN(str1, ssize) iso_intern(str1, ssize)
++
++#ifdef _OEM_INTERN
++# undef _OEM_INTERN
++#endif
++#ifndef IZ_OEM2ISO_ARRAY
++# define IZ_OEM2ISO_ARRAY
++#endif
++#define _OEM_INTERN(str1, ssize) oem_intern(str1, ssize)
++
++void iso_intern(char *, size_t);
++void oem_intern(char *, size_t);
++void init_conversion_charsets(const char *);
++
+ #endif /* !__unxcfg_h */
+Only in unzip60/unix: unxcfg.h.orig
+diff -ur unzip60-orig/unzip.c unzip60/unzip.c
+--- unzip60-orig/unzip.c 2009-04-16 20:26:52.000000000 +0200
++++ unzip60/unzip.c 2011-02-26 00:03:41.011389301 +0100
+@@ -327,11 +327,21 @@
+ -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\
+ -v verbose, multi-page format\n";
+
++#ifdef UNIX
++static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
++ -h print header line -t print totals for listed files or for all\n\
++ -z print zipfile comment -T print file times in sortable decimal format\
++\n -C be case-insensitive %s\
++ -x exclude filenames that follow from listing\n\
++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
++ -I CHARSET specify a character encoding for UNIX and other archives\n";
++#else /* !UNIX */
+ static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+ -h print header line -t print totals for listed files or for all\n\
+ -z print zipfile comment -T print file times in sortable decimal format\
+ \n -C be case-insensitive %s\
+ -x exclude filenames that follow from listing\n";
++#endif /* UNIX */
+ #ifdef MORE
+ static ZCONST char Far ZipInfoUsageLine4[] =
+ " -M page output through built-in \"more\"\n";
+@@ -666,6 +676,18 @@
+ -C match filenames case-insensitively -L make (some) names \
+ lowercase\n %-42s -V retain VMS version numbers\n%s";
+ #else /* !VMS */
++#ifdef UNIX
++static ZCONST char Far UnzipUsageLine4[] = "\
++modifiers:\n\
++ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
++ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\
++ -j junk paths (do not make directories) -aa treat ALL files as text\n\
++ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
++ -C match filenames case-insensitively -L make (some) names \
++lowercase\n %-42s -V retain VMS version numbers\n%s\n\
++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
++ -I CHARSET specify a character encoding for UNIX and other archives\n\n";
++#else /* !UNIX */
+ static ZCONST char Far UnzipUsageLine4[] = "\
+ modifiers:\n\
+ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
+@@ -674,6 +696,7 @@
+ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
+ -C match filenames case-insensitively -L make (some) names \
+ lowercase\n %-42s -V retain VMS version numbers\n%s";
++#endif /* UNIX */
+ #endif /* ?VMS */
+ #else /* !UNICODE_SUPPORT */
+ #ifdef VMS
+@@ -742,6 +765,9 @@
+ int i;
+ #endif
+ int retcode, error=FALSE;
++#ifdef UNIX
++ const char *loc;
++#endif
+ #ifndef NO_EXCEPT_SIGNALS
+ #ifdef REENTRANT
+ savsigs_info *oldsighandlers = NULL;
+@@ -756,7 +782,12 @@
+ #endif /* NO_EXCEPT_SIGNALS */
+
+ /* initialize international char support to the current environment */
++#ifdef UNIX
++ loc = SETLOCALE(LC_CTYPE,"");
++ init_conversion_charsets(loc);
++#else /* !UNIX */
+ SETLOCALE(LC_CTYPE, "");
++#endif /* UNIX */
+
+ #ifdef UNICODE_SUPPORT
+ /* see if can use UTF-8 Unicode locale */
+@@ -1336,6 +1367,11 @@
+ argc = *pargc;
+ argv = *pargv;
+
++#ifdef UNIX
++ extern char OEM_CP[MAX_CP_NAME];
++ extern char ISO_CP[MAX_CP_NAME];
++#endif
++
+ while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
+ s = *argv + 1;
+ while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */
+@@ -1517,6 +1553,37 @@
+ }
+ break;
+ #endif /* MACOS */
++#ifdef UNIX
++ case ('I'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Icharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++ } else { /* -I charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case ('j'): /* junk pathnames/directory structure */
+ if (negative)
+ uO.jflag = FALSE, negative = 0;
+@@ -1592,6 +1659,37 @@
+ } else
+ ++uO.overwrite_all;
+ break;
++#ifdef UNIX
++ case ('O'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Ocharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++ } else { /* -O charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -O argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case ('p'): /* pipes: extract to stdout, no messages */
+ if (negative) {
+ uO.cflag = FALSE;
+Only in unzip60: unzip.c.orig
+diff -ur unzip60-orig/unzpriv.h unzip60/unzpriv.h
+--- unzip60-orig/unzpriv.h 2009-04-20 01:59:26.000000000 +0200
++++ unzip60/unzpriv.h 2011-02-25 11:57:38.275212165 +0100
+@@ -3003,6 +3003,18 @@
+ * All other ports are assumed to code zip entry filenames in ISO 8859-1.
+ */
+ #ifndef Ext_ASCII_TO_Native
++#ifdef UNIX
++# define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr, ssize) \
++ if (((hostnum) == FS_FAT_ && \
++ !(((islochdr) || (isuxatt)) && \
++ ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
++ (hostnum) == FS_HPFS_ || \
++ ((hostnum) == FS_NTFS_/* && (hostver) == 50*/)) { \
++ _OEM_INTERN((string), (ssize)); \
++ } else { \
++ _ISO_INTERN((string), (ssize)); \
++ }
++#else /* !UNIX */
+ # define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \
+ if (((hostnum) == FS_FAT_ && \
+ !(((islochdr) || (isuxatt)) && \
+@@ -3013,10 +3025,10 @@
+ } else { \
+ _ISO_INTERN((string)); \
+ }
++#endif /* UNIX */
+ #endif
+
+
+-
+ /**********************/
+ /* Global constants */
+ /**********************/
+Only in unzip60: unzpriv.h.orig
+diff -ur unzip60-orig/zipinfo.c unzip60/zipinfo.c
+--- unzip60-orig/zipinfo.c 2009-02-08 18:04:30.000000000 +0100
++++ unzip60/zipinfo.c 2011-02-25 11:57:38.281586457 +0100
+@@ -457,6 +457,10 @@
+ int tflag_slm=TRUE, tflag_2v=FALSE;
+ int explicit_h=FALSE, explicit_t=FALSE;
+
++#ifdef UNIX
++ extern char OEM_CP[MAX_CP_NAME];
++ extern char ISO_CP[MAX_CP_NAME];
++#endif
+
+ #ifdef MACOS
+ uO.lflag = LFLAG; /* reset default on each call */
+@@ -501,6 +505,37 @@
+ uO.lflag = 0;
+ }
+ break;
++#ifdef UNIX
++ case ('I'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Icharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++ } else { /* -I charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
++ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case 'l': /* longer form of "ls -l" type listing */
+ if (negative)
+ uO.lflag = -2, negative = 0;
+@@ -521,6 +556,37 @@
+ G.M_flag = TRUE;
+ break;
+ #endif
++#ifdef UNIX
++ case ('O'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Ocharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++ } else { /* -O charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -O argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
++ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case 's': /* default: shorter "ls -l" type listing */
+ if (negative)
+ uO.lflag = -2, negative = 0;
+Only in unzip60: zipinfo.c.orig
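Review bot: `init_conversion_charsets()` in the unix/unix.c part passes `loc` straight to `strncmp(loc, utf8_charset_map[i].locale, 5)`, and the unzip.c part feeds it the unchecked return of `SETLOCALE(LC_CTYPE,"")`, which is NULL when the requested locale cannot be set; a guard such as `if (loc != NULL && !strncmp(loc, utf8_charset_map[i].locale, 5))` keeps the default code page in that case. In the `-I`/`-O` parsing (unzip.c and zipinfo.c) an empty separate argument such as `-O ""` passes the `**argv != '-'` test, after which `while(*(++s));` steps past the string's terminator before reading; `s += strlen(s);` leaves `s` on the terminator for empty and non-empty names alike. The first error message under `case ('O')` in both files names `-I` where it should say `-O`. `charset_to_intern()` bounds the iconv output to `sbuflen - 1`, so it is only as safe as the `OUTBUFSIZ` and `FILNAMSIZ` values passed at the two fileio.c call sites; those buffer declarations are outside this patch and worth confirming.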
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/01_CVE-2014-8139.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,51 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174844
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- unzip60/extract.c 2010-04-03 14:41:55 -0500
++++ unzip60/extract.c 2014-12-03 15:33:35 -0600
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2032,6 +2035,16 @@
+ ebLen, (ef_len - EB_HEADSIZE)));
+ return PK_ERR;
+ }
++ else if (ebLen < EB_HEADSIZE)
++ {
++ /* Extra block length smaller than header length. */
++ if (uO.qflag)
++ Info(slide, 1, ((char *)slide, "%-22s ",
++ FnFilter1(G.filename)));
++ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
++ ebLen, EB_HEADSIZE));
++ return PK_ERR;
++ }
+
+ switch (ebID) {
+ case EF_OS2:
+
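Review bot: The added `else if (ebLen < EB_HEADSIZE)` branch in extract.c returns `PK_ERR` for any extra block whose length field is under four, yet `ebLen` is compared with `ef_len - EB_HEADSIZE` just above, which suggests it counts the block's data only, so short but well-formed blocks would presumably be rejected. 06_CVE-2014-8139.2.patch in this same change removes the branch again and checks `ebLen < 4` only under `case EF_PKVMS`. Since the series is correct only when 01 and 06 are applied together, a line in this patch's header such as `Partly superseded by 06_CVE-2014-8139.2.patch; do not apply alone` (or folding the two patches) would keep a partial backport from shipping the over-strict check.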
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/02_CVE-2014-8140.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,28 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174851
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- a/extract.c 2009-03-14 02:32:52.000000000 +0100
++++ b/extract.c 2014-12-05 22:43:13.000000000 +0100
+@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
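Review bot: The rewritten condition in `test_compr_eb()` assigns `eb_ucsize` in the middle of an `||` chain and then tests `(eb_ucsize > 0L)`, which is redundant once the `== 0L` test has failed (assuming `ulg` is unsigned); the bounds logic would be easier to audit as separate guards. For example `if (eb_size < (EB_UCSIZE_P + 4)) return IZ_EF_TRUNC;`, then the `makelong()` assignment on its own line, then `if (eb_ucsize == 0L || eb_size <= (compr_offset + EB_CMPRHEADLEN)) return IZ_EF_TRUNC;`. That keeps the read of the size field visibly after the check that makes it safe. The function body starts and ends outside this hunk.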
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/03_CVE-2014-8141.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,138 @@
+Source:
+https://bugzilla.redhat.com/show_bug.cgi?id=1174856
+Info:
+http://www.ocert.org/advisories/ocert-2014-011.html
+
+--- a/process.c 2009-03-06 02:25:10.000000000 +0100
++++ b/process.c 2014-12-05 22:42:39.000000000 +0100
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
+--- a/fileio.c 2009-04-20 02:03:44.000000000 +0200
++++ b/fileio.c 2014-12-05 22:44:16.000000000 +0100
+@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
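Review bot: The new `if (offset+ 8 > ef_len)` and `if (offset+ 4 > ef_len)` guards in `getZip64Data()` bound each read by the remaining extra-field length, not by the current block's own `eb_len`, so a Zip64 block that declares fewer bytes than the flagged fields need is still satisfied from whatever block follows it. Reads stay inside the buffer, as the added comment says, but sizes and offsets can then be taken from bytes that belong to another block; comparing against the block end, e.g. `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;` (and `+ 4` for the disk number), closes that. In the fileio.c part, processing continues after the new warning with whichever `G.crec`/`G.lrec` fields were overwritten before the error return, which deserves a comment at the call site. Both functions extend beyond the hunks shown.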
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/04_CVE-2014-9636.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,44 @@
+Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
+More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+
+From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+---
+ extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
+ eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+ return IZ_EF_TRUNC; /* no compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
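Review bot: The leading context of the second hunk (`eb_size <= (compr_offset + EB_CMPRHEADLEN)))` and `return IZ_EF_TRUNC; /* no compressed data! */`) is the text that 02_CVE-2014-8140.patch replaces, so when the patches are applied in their numbered order this hunk appears to apply only with fuzz. A build that applies patches strictly would stop here, and a security fix that lands through a fuzzy match is harder to audit; regenerating this patch against the tree as it stands after 01 and 02 would make the series apply cleanly. The comparison `eb_size - compr_offset != eb_ucsize` added here is also rewritten by 06_CVE-2014-8139.2.patch in the same change, so a header line saying this patch is not meant to be used without 06 would help anyone backporting it.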
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/05_unix-configure.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,11 @@
+--- unzip60/unix/configure.bkp 2011-07-28 07:07:08.691240200 -0700
++++ unzip60/unix/configure 2011-07-28 07:07:47.315977300 -0700
+@@ -646,7 +646,7 @@
+
+
+ echo CC=\"${CC}\" CF=\"${CFLAGSR} ${D_USE_BZ2}\" CRCA_O=\"${CRC32OA}\" \
+- AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1}\" LF2=\"${LFLAGS2}\" \
++ AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1} ${LD_OPTIONS}\" LF2=\"${LFLAGS2}\" \
+ CC_BZ=\"${CC_BZ}\" CFLAGS_BZ=\"${CFLAGS_BZ}\" \
+ IZ_BZIP2=\"${IZ_BZIP2}\" D_USE_BZ2=\"${D_USE_BZ2}\" \
+ L_BZ2=\"${L_BZ2}\" LIBBZ2=\"${LIBBZ2}\" > flags
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/unzip/patches/06_CVE-2014-8139.2.patch Wed Mar 02 10:35:32 2016 +0100
@@ -0,0 +1,160 @@
+The fix is taken from http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=454
+and should be available in next unzip release.
+
+--- unzip60/extract.c Fri Feb 26 07:14:44 2016
++++ /home/vmarek/extract.c Mon Feb 22 08:32:56 2016
+@@ -298,7 +298,7 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+- static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+@@ -2035,16 +2035,6 @@
+ ebLen, (ef_len - EB_HEADSIZE)));
+ return PK_ERR;
+ }
+- else if (ebLen < EB_HEADSIZE)
+- {
+- /* Extra block length smaller than header length. */
+- if (uO.qflag)
+- Info(slide, 1, ((char *)slide, "%-22s ",
+- FnFilter1(G.filename)));
+- Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+- ebLen, EB_HEADSIZE));
+- return PK_ERR;
+- }
+
+ switch (ebID) {
+ case EF_OS2:
+@@ -2171,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
+@@ -2230,7 +2228,7 @@
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
+- ush method;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2247,11 +2245,14 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+- method = makeword(eb + (EB_HEADSIZE + compr_offset));
+- if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
+- return PK_ERR; /* compressed & uncompressed
+- * should match in STORED
+- * method */
++ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) &&
++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
++ return PK_ERR;
+
+ if (
+ #ifdef INT_16BIT
+@@ -2523,10 +2524,28 @@
+ __GDEF
+ slinkentry *slnk_entry;
+ {
++ int sts;
+ extent ucsize = slnk_entry->targetlen;
+ char *linkfname = slnk_entry->fname;
+ char *linktarget = (char *)malloc(ucsize+1);
+
++#ifdef VMS
++ static int vms_symlink_works = -1;
++
++ if (vms_symlink_works < 0)
++ {
++ /* Test symlink() with an invalid file name. If errno comes
++ * back ENOSYS ("Function not implemented"), then don't try to
++ * use it below on the symlink placeholder text files.
++ */
++ vms_symlink_works = symlink( "", "?");
++ if (errno == ENOSYS)
++ vms_symlink_works = 0;
++ else
++ vms_symlink_works = 1;
++ }
++#endif /* def VMS */
++
+ if (!linktarget) {
+ Info(slide, 0x201, ((char *)slide,
+ LoadFarString(SymLnkWarnNoMem), FnFilter1(linkfname)));
+@@ -2554,11 +2573,29 @@
+ return;
+ }
+ fclose(G.outfile); /* close "data" file for good... */
++
++#ifdef VMS
++ if (vms_symlink_works == 0)
++ {
++ /* Should we be using some UnZip error message function instead
++ * of perror() (or equivalent) for these "symlink error"
++ * messages?
++ */
++ Info(slide, 0, ((char *)slide, LoadFarString(SymLnkFinish),
++ FnFilter1(linkfname), FnFilter2(linktarget)));
++
++ fprintf( stderr, "Symlink error: %s\n", strerror( ENOSYS));
++ free(linktarget);
++ return;
++ }
++#endif /* def VMS */
++
+ unlink(linkfname); /* ...and delete it */
+- if (QCOND2)
++ sts = symlink(linktarget, linkfname); /* create the real link */
++ if (QCOND2 || (sts != 0))
+ Info(slide, 0, ((char *)slide, LoadFarString(SymLnkFinish),
+ FnFilter1(linkfname), FnFilter2(linktarget)));
+- if (symlink(linktarget, linkfname)) /* create the real link */
++ if (sts != 0)
+ perror("symlink error");
+ free(linktarget);
+ #ifdef SET_SYMLINK_ATTRIBS
+@@ -2652,7 +2689,7 @@
+ #endif /* ?HAVE_WORKING_ISPRINT */
+ } else {
+ #ifdef _MBCS
+- unsigned i = CLEN(r);
++ extent i = CLEN(r);
+ if (se != NULL && (s > (space + (size-i-2)))) {
+ have_overflow = TRUE;
+ break;
+@@ -2835,7 +2872,7 @@
+ #endif
+
+ G.inptr = (uch *)bstrm.next_in;
+- G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */
++ G.incnt = (int)((G.inbuf + INBUFSIZ) - G.inptr); /* Reset for others. */
+
+ uzbunzip_cleanup_exit:
+ err = BZ2_bzDecompressEnd(&bstrm);
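Review bot: The VMS probe in the symlink hunk tests `errno == ENOSYS` without clearing `errno` first and without looking at the value `symlink( "", "?")` returned, so a stale `ENOSYS` left by an earlier call would disable symlink creation for the whole run. Something like `errno = 0; vms_symlink_works = (symlink("", "?") != 0 && errno == ENOSYS) ? 0 : 1;` makes the probe depend only on this call. Separately, the new `ebLen < 4` branch under `case EF_PKVMS` only prints `TooSmallEBlength` and reaches `break`, whereas the length check earlier in the function returns `PK_ERR`; if a malformed block should fail the test, the branch needs to record an error too. The rest of the function is outside the hunk, so confirm how errors are accumulated there.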
--- a/components/unzip/patches/6719511-i18.patch Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,512 +0,0 @@
-diff -ur unzip60-orig/fileio.c unzip60/fileio.c
---- unzip60-orig/fileio.c 2009-04-20 02:03:44.000000000 +0200
-+++ unzip60/fileio.c 2011-02-25 11:57:38.242056429 +0100
-@@ -2126,9 +2126,16 @@
- /* translate the text coded in the entry's host-dependent
- "extended ASCII" charset into the compiler's (system's)
- internal text code page */
-+#ifdef UNIX
-+ Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
-+ G.pInfo->hostver, G.pInfo->HasUxAtt,
-+ FALSE, OUTBUFSIZ);
-+#else /* !UNIX */
- Ext_ASCII_TO_Native((char *)G.outbuf, G.pInfo->hostnum,
- G.pInfo->hostver, G.pInfo->HasUxAtt,
- FALSE);
-+#endif /* UNIX */
-+
- #ifdef WINDLL
- /* translate to ANSI (RTL internal codepage may be OEM) */
- INTERN_TO_ISO((char *)G.outbuf, (char *)G.outbuf);
-@@ -2240,8 +2247,13 @@
-
- /* translate the Zip entry filename coded in host-dependent "extended
- ASCII" into the compiler's (system's) internal text code page */
-+#ifdef UNIX
-+ Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
-+ G.pInfo->HasUxAtt, (option == DS_FN_L), FILNAMSIZ);
-+#else /* !UNIX */
- Ext_ASCII_TO_Native(G.filename, G.pInfo->hostnum, G.pInfo->hostver,
- G.pInfo->HasUxAtt, (option == DS_FN_L));
-+#endif /* UNIX */
-
- if (G.pInfo->lcflag) /* replace with lowercase filename */
- STRLOWER(G.filename, G.filename);
-Only in unzip60: fileio.c.orig
-diff -ur unzip60-orig/unix/unix.c unzip60/unix/unix.c
---- unzip60-orig/unix/unix.c 2009-01-24 00:31:26.000000000 +0100
-+++ unzip60/unix/unix.c 2011-02-25 11:57:38.259028876 +0100
-@@ -30,6 +30,10 @@
- #define UNZIP_INTERNAL
- #include "unzip.h"
-
-+#include <iconv.h>
-+#include <langinfo.h>
-+#include <strings.h>
-+
- #ifdef SCO_XENIX
- # define SYSNDIR
- #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
-@@ -1874,3 +1878,128 @@
- }
- }
- #endif /* QLZIP */
-+
-+
-+typedef struct {
-+ char *local_charset;
-+ char *archive_charset;
-+} CHARSET_MAP;
-+
-+/* A mapping of local <-> archive charsets used by default to convert filenames
-+ * of DOS/Windows Zip archives. Currently very basic. */
-+const static CHARSET_MAP dos_charset_map[] = {
-+ { "ANSI_X3.4-1968", "CP850" },
-+ { "ISO-8859-1", "CP850" },
-+ { "CP1252", "CP850" },
-+ { "KOI8-R", "CP866" },
-+ { "KOI8-U", "CP866" },
-+ { "ISO-8859-5", "CP866" }
-+};
-+
-+typedef struct {
-+ char *locale;
-+ char *archive_charset;
-+} UTF8_CHARSET_MAP;
-+
-+/* In case local charset is UTF-8, lookup archive_charset
-+ by locale. Currently very basic. */
-+#define UTF8_CHARSET_MAP_DEFAULT "CP866"
-+const static UTF8_CHARSET_MAP utf8_charset_map[] = {
-+ { "ja_JP", "CP932" },
-+ { "zh_CN", "GBK" },
-+ { "zh_TW", "BIG5" },
-+ { "ko_KR", "CP949" },
-+};
-+
-+char OEM_CP[MAX_CP_NAME] = "";
-+char ISO_CP[MAX_CP_NAME] = "";
-+
-+/* Try to guess the default value of OEM_CP based on the current locale.
-+ * ISO_CP is left alone for now. */
-+void init_conversion_charsets(const char *loc)
-+{
-+ const char *local_charset;
-+ int i;
-+
-+ /* Make a guess only if OEM_CP not already set. */
-+ if(*OEM_CP == '\0')
-+ {
-+ local_charset = nl_langinfo(CODESET);
-+ if (!strcasecmp(local_charset, "UTF-8") || !strcasecmp(local_charset,
-+"UTF8") )
-+ {
-+ strcpy(OEM_CP, UTF8_CHARSET_MAP_DEFAULT);
-+ for(i = 0; i < sizeof(utf8_charset_map)/sizeof(UTF8_CHARSET_MAP);
-+ i++)
-+ {
-+ if (!strncmp(loc, utf8_charset_map[i].locale, 5))
-+ {
-+ strncpy(OEM_CP, utf8_charset_map[i].archive_charset,
-+ sizeof(OEM_CP) - 1);
-+ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+ break;
-+ }
-+ }
-+ }
-+ else
-+ {
-+ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
-+ {
-+ if (!strcasecmp(local_charset,
-+ dos_charset_map[i].local_charset))
-+ {
-+ strncpy(OEM_CP, dos_charset_map[i].archive_charset,
-+ sizeof(OEM_CP) - 1);
-+ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+ break;
-+ }
-+ }
-+ }
-+ }
-+}
-+
-+/* Convert a string from one encoding to the current locale using iconv().
-+ * Be as non-intrusive as possible. If error is encountered during covertion
-+ * just leave the string intact. */
-+static void charset_to_intern(char *string, size_t sbuflen, char *from_charset)
-+{
-+ iconv_t cd;
-+ char *s,*d, *buf;
-+ size_t slen, dlen;
-+ const char *local_charset;
-+
-+ if(*from_charset == '\0')
-+ return;
-+
-+ local_charset = nl_langinfo(CODESET);
-+
-+ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
-+ return;
-+
-+ slen = strlen(string);
-+ s = string;
-+ dlen = sbuflen - 1;
-+ d = buf = malloc(sbuflen);
-+ if(!d)
-+ goto cleanup;
-+ if(iconv(cd, (const char **)&s, &slen, &d, &dlen) != (size_t)-1) {
-+ *d = '\0';
-+ strcpy(string, buf);
-+ }
-+
-+ free(buf);
-+ cleanup:
-+ iconv_close(cd);
-+}
-+
-+/* Convert a string from OEM_CP to the current locale charset. */
-+void oem_intern(char *string, size_t sbuflen)
-+{
-+ charset_to_intern(string, sbuflen, OEM_CP);
-+}
-+
-+/* Convert a string from ISO_CP to the current locale charset. */
-+void iso_intern(char *string, size_t sbuflen)
-+{
-+ charset_to_intern(string, sbuflen, ISO_CP);
-+}
-Only in unzip60/unix: unix.c.orig
-diff -ur unzip60-orig/unix/unxcfg.h unzip60/unix/unxcfg.h
---- unzip60-orig/unix/unxcfg.h 2009-04-16 20:36:12.000000000 +0200
-+++ unzip60/unix/unxcfg.h 2011-02-25 11:57:38.262941301 +0100
-@@ -52,6 +52,7 @@
-
- #include <sys/types.h> /* off_t, time_t, dev_t, ... */
- #include <sys/stat.h>
-+#include <unistd.h>
-
- #ifdef NO_OFF_T
- typedef long zoff_t;
-@@ -227,4 +228,30 @@
- /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
- /* and notfirstcall are used by do_wild(). */
-
-+
-+#define MAX_CP_NAME 25
-+
-+#ifdef SETLOCALE
-+# undef SETLOCALE
-+#endif
-+#define SETLOCALE(category, locale) setlocale(category, locale)
-+#include <locale.h>
-+
-+#ifdef _ISO_INTERN
-+# undef _ISO_INTERN
-+#endif
-+#define _ISO_INTERN(str1, ssize) iso_intern(str1, ssize)
-+
-+#ifdef _OEM_INTERN
-+# undef _OEM_INTERN
-+#endif
-+#ifndef IZ_OEM2ISO_ARRAY
-+# define IZ_OEM2ISO_ARRAY
-+#endif
-+#define _OEM_INTERN(str1, ssize) oem_intern(str1, ssize)
-+
-+void iso_intern(char *, size_t);
-+void oem_intern(char *, size_t);
-+void init_conversion_charsets(const char *);
-+
- #endif /* !__unxcfg_h */
-Only in unzip60/unix: unxcfg.h.orig
-diff -ur unzip60-orig/unzip.c unzip60/unzip.c
---- unzip60-orig/unzip.c 2009-04-16 20:26:52.000000000 +0200
-+++ unzip60/unzip.c 2011-02-26 00:03:41.011389301 +0100
-@@ -327,11 +327,21 @@
- -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\
- -v verbose, multi-page format\n";
-
-+#ifdef UNIX
-+static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
-+ -h print header line -t print totals for listed files or for all\n\
-+ -z print zipfile comment -T print file times in sortable decimal format\
-+\n -C be case-insensitive %s\
-+ -x exclude filenames that follow from listing\n\
-+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
-+ -I CHARSET specify a character encoding for UNIX and other archives\n";
-+#else /* !UNIX */
- static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
- -h print header line -t print totals for listed files or for all\n\
- -z print zipfile comment -T print file times in sortable decimal format\
- \n -C be case-insensitive %s\
- -x exclude filenames that follow from listing\n";
-+#endif /* UNIX */
- #ifdef MORE
- static ZCONST char Far ZipInfoUsageLine4[] =
- " -M page output through built-in \"more\"\n";
-@@ -666,6 +676,18 @@
- -C match filenames case-insensitively -L make (some) names \
- lowercase\n %-42s -V retain VMS version numbers\n%s";
- #else /* !VMS */
-+#ifdef UNIX
-+static ZCONST char Far UnzipUsageLine4[] = "\
-+modifiers:\n\
-+ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
-+ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\
-+ -j junk paths (do not make directories) -aa treat ALL files as text\n\
-+ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
-+ -C match filenames case-insensitively -L make (some) names \
-+lowercase\n %-42s -V retain VMS version numbers\n%s\n\
-+ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
-+ -I CHARSET specify a character encoding for UNIX and other archives\n\n";
-+#else /* !UNIX */
- static ZCONST char Far UnzipUsageLine4[] = "\
- modifiers:\n\
- -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
-@@ -674,6 +696,7 @@
- -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
- -C match filenames case-insensitively -L make (some) names \
- lowercase\n %-42s -V retain VMS version numbers\n%s";
-+#endif /* UNIX */
- #endif /* ?VMS */
- #else /* !UNICODE_SUPPORT */
- #ifdef VMS
-@@ -742,6 +765,9 @@
- int i;
- #endif
- int retcode, error=FALSE;
-+#ifdef UNIX
-+ const char *loc;
-+#endif
- #ifndef NO_EXCEPT_SIGNALS
- #ifdef REENTRANT
- savsigs_info *oldsighandlers = NULL;
-@@ -756,7 +782,12 @@
- #endif /* NO_EXCEPT_SIGNALS */
-
- /* initialize international char support to the current environment */
-+#ifdef UNIX
-+ loc = SETLOCALE(LC_CTYPE,"");
-+ init_conversion_charsets(loc);
-+#else /* !UNIX */
- SETLOCALE(LC_CTYPE, "");
-+#endif /* UNIX */
-
- #ifdef UNICODE_SUPPORT
- /* see if can use UTF-8 Unicode locale */
-@@ -1336,6 +1367,11 @@
- argc = *pargc;
- argv = *pargv;
-
-+#ifdef UNIX
-+ extern char OEM_CP[MAX_CP_NAME];
-+ extern char ISO_CP[MAX_CP_NAME];
-+#endif
-+
- while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
- s = *argv + 1;
- while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */
-@@ -1517,6 +1553,37 @@
- }
- break;
- #endif /* MACOS */
-+#ifdef UNIX
-+ case ('I'):
-+ if (negative) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: encodings can't be negated"));
-+ return(PK_PARAM);
-+ } else {
-+ if(*s) { /* Handle the -Icharset case */
-+ /* Assume that charsets can't start with a dash to spot arguments misuse */
-+ if(*s == '-') {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -I argument"));
-+ return(PK_PARAM);
-+ }
-+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+ } else { /* -I charset */
-+ ++argv;
-+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -I argument"));
-+ return(PK_PARAM);
-+ }
-+ s = *argv;
-+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+ }
-+ while(*(++s)); /* No params straight after charset name */
-+ }
-+ break;
-+#endif /* ?UNIX */
- case ('j'): /* junk pathnames/directory structure */
- if (negative)
- uO.jflag = FALSE, negative = 0;
-@@ -1592,6 +1659,37 @@
- } else
- ++uO.overwrite_all;
- break;
-+#ifdef UNIX
-+ case ('O'):
-+ if (negative) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: encodings can't be negated"));
-+ return(PK_PARAM);
-+ } else {
-+ if(*s) { /* Handle the -Ocharset case */
-+ /* Assume that charsets can't start with a dash to spot arguments misuse */
-+ if(*s == '-') {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -I argument"));
-+ return(PK_PARAM);
-+ }
-+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+ } else { /* -O charset */
-+ ++argv;
-+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -O argument"));
-+ return(PK_PARAM);
-+ }
-+ s = *argv;
-+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+ }
-+ while(*(++s)); /* No params straight after charset name */
-+ }
-+ break;
-+#endif /* ?UNIX */
- case ('p'): /* pipes: extract to stdout, no messages */
- if (negative) {
- uO.cflag = FALSE;
-Only in unzip60: unzip.c.orig
-diff -ur unzip60-orig/unzpriv.h unzip60/unzpriv.h
---- unzip60-orig/unzpriv.h 2009-04-20 01:59:26.000000000 +0200
-+++ unzip60/unzpriv.h 2011-02-25 11:57:38.275212165 +0100
-@@ -3003,6 +3003,18 @@
- * All other ports are assumed to code zip entry filenames in ISO 8859-1.
- */
- #ifndef Ext_ASCII_TO_Native
-+#ifdef UNIX
-+# define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr, ssize) \
-+ if (((hostnum) == FS_FAT_ && \
-+ !(((islochdr) || (isuxatt)) && \
-+ ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
-+ (hostnum) == FS_HPFS_ || \
-+ ((hostnum) == FS_NTFS_/* && (hostver) == 50*/)) { \
-+ _OEM_INTERN((string), (ssize)); \
-+ } else { \
-+ _ISO_INTERN((string), (ssize)); \
-+ }
-+#else /* !UNIX */
- # define Ext_ASCII_TO_Native(string, hostnum, hostver, isuxatt, islochdr) \
- if (((hostnum) == FS_FAT_ && \
- !(((islochdr) || (isuxatt)) && \
-@@ -3013,10 +3025,10 @@
- } else { \
- _ISO_INTERN((string)); \
- }
-+#endif /* UNIX */
- #endif
-
-
--
- /**********************/
- /* Global constants */
- /**********************/
-Only in unzip60: unzpriv.h.orig
-diff -ur unzip60-orig/zipinfo.c unzip60/zipinfo.c
---- unzip60-orig/zipinfo.c 2009-02-08 18:04:30.000000000 +0100
-+++ unzip60/zipinfo.c 2011-02-25 11:57:38.281586457 +0100
-@@ -457,6 +457,10 @@
- int tflag_slm=TRUE, tflag_2v=FALSE;
- int explicit_h=FALSE, explicit_t=FALSE;
-
-+#ifdef UNIX
-+ extern char OEM_CP[MAX_CP_NAME];
-+ extern char ISO_CP[MAX_CP_NAME];
-+#endif
-
- #ifdef MACOS
- uO.lflag = LFLAG; /* reset default on each call */
-@@ -501,6 +505,37 @@
- uO.lflag = 0;
- }
- break;
-+#ifdef UNIX
-+ case ('I'):
-+ if (negative) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: encodings can't be negated"));
-+ return(PK_PARAM);
-+ } else {
-+ if(*s) { /* Handle the -Icharset case */
-+ /* Assume that charsets can't start with a dash to spot arguments misuse */
-+ if(*s == '-') {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -I argument"));
-+ return(PK_PARAM);
-+ }
-+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+ } else { /* -I charset */
-+ ++argv;
-+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -I argument"));
-+ return(PK_PARAM);
-+ }
-+ s = *argv;
-+ strncpy(ISO_CP, s, sizeof(ISO_CP) - 1);
-+ ISO_CP[sizeof(ISO_CP) - 1] = '\0';
-+ }
-+ while(*(++s)); /* No params straight after charset name */
-+ }
-+ break;
-+#endif /* ?UNIX */
- case 'l': /* longer form of "ls -l" type listing */
- if (negative)
- uO.lflag = -2, negative = 0;
-@@ -521,6 +556,37 @@
- G.M_flag = TRUE;
- break;
- #endif
-+#ifdef UNIX
-+ case ('O'):
-+ if (negative) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: encodings can't be negated"));
-+ return(PK_PARAM);
-+ } else {
-+ if(*s) { /* Handle the -Ocharset case */
-+ /* Assume that charsets can't start with a dash to spot arguments misuse */
-+ if(*s == '-') {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -I argument"));
-+ return(PK_PARAM);
-+ }
-+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+ } else { /* -O charset */
-+ ++argv;
-+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
-+ Info(slide, 0x401, ((char *)slide,
-+ "error: a valid character encoding should follow the -O argument"));
-+ return(PK_PARAM);
-+ }
-+ s = *argv;
-+ strncpy(OEM_CP, s, sizeof(OEM_CP) - 1);
-+ OEM_CP[sizeof(OEM_CP) - 1] = '\0';
-+ }
-+ while(*(++s)); /* No params straight after charset name */
-+ }
-+ break;
-+#endif /* ?UNIX */
- case 's': /* default: shorter "ls -l" type listing */
- if (negative)
- uO.lflag = -2, negative = 0;
-Only in unzip60: zipinfo.c.orig
--- a/components/unzip/patches/CVE-2014-8139.patch Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174844
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- unzip60/extract.c 2010-04-03 14:41:55 -0500
-+++ unzip60/extract.c 2014-12-03 15:33:35 -0600
-@@ -1,5 +1,5 @@
- /*
-- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
-+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
-
- See the accompanying file LICENSE, version 2009-Jan-02 or later
- (the contents of which are also included in unzip.h) for terms of use.
-@@ -298,6 +298,8 @@
- #ifndef SFX
- static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
- EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
-+ EF block length (%u bytes) invalid (< %d)\n";
- static ZCONST char Far InvalidComprDataEAs[] =
- " invalid compressed data for EAs\n";
- # if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@
- ebID = makeword(ef);
- ebLen = (unsigned)makeword(ef+EB_LEN);
-
-- if (ebLen > (ef_len - EB_HEADSIZE)) {
-+ if (ebLen > (ef_len - EB_HEADSIZE))
-+ {
- /* Discovered some extra field inconsistency! */
- if (uO.qflag)
- Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@
- ebLen, (ef_len - EB_HEADSIZE)));
- return PK_ERR;
- }
-+ else if (ebLen < EB_HEADSIZE)
-+ {
-+ /* Extra block length smaller than header length. */
-+ if (uO.qflag)
-+ Info(slide, 1, ((char *)slide, "%-22s ",
-+ FnFilter1(G.filename)));
-+ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
-+ ebLen, EB_HEADSIZE));
-+ return PK_ERR;
-+ }
-
- switch (ebID) {
- case EF_OS2:
-
--- a/components/unzip/patches/CVE-2014-8140.patch Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174851
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- a/extract.c 2009-03-14 02:32:52.000000000 +0100
-+++ b/extract.c 2014-12-05 22:43:13.000000000 +0100
-@@ -2221,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_si
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-
-+ /* Return no/bad-data error status if any problem is found:
-+ * 1. eb_size is too small to hold the uncompressed size
-+ * (eb_ucsize). (Else extract eb_ucsize.)
-+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
-+ * 3. eb_ucsize is positive, but eb_size is too small to hold
-+ * the compressed data header.
-+ */
- if ((eb_size < (EB_UCSIZE_P + 4)) ||
-- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
-- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
-- return IZ_EF_TRUNC; /* no compressed data! */
-+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
-+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
-+ return IZ_EF_TRUNC; /* no/bad compressed data! */
-
- if (
- #ifdef INT_16BIT
--- a/components/unzip/patches/CVE-2014-8141.patch Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,138 +0,0 @@
-Source:
-https://bugzilla.redhat.com/show_bug.cgi?id=1174856
-Info:
-http://www.ocert.org/advisories/ocert-2014-011.html
-
---- a/process.c 2009-03-06 02:25:10.000000000 +0100
-+++ b/process.c 2014-12-05 22:42:39.000000000 +0100
-@@ -1,5 +1,5 @@
- /*
-- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
-+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
-
- See the accompanying file LICENSE, version 2009-Jan-02 or later
- (the contents of which are also included in unzip.h) for terms of use.
-@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
- and a 4-byte version of disk start number.
- Sets both local header and central header fields. Not terribly clever,
- but it means that this procedure is only called in one place.
-+
-+ 2014-12-05 SMS.
-+ Added checks to ensure that enough data are available before calling
-+ makeint64() or makelong(). Replaced various sizeof() values with
-+ simple ("4" or "8") constants. (The Zip64 structures do not depend
-+ on our variable sizes.) Error handling is crude, but we should now
-+ stay within the buffer.
- ---------------------------------------------------------------------------*/
-
-+#define Z64FLGS 0xffff
-+#define Z64FLGL 0xffffffff
-+
- if (ef_len == 0 || ef_buf == NULL)
- return PK_COOL;
-
- Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
- ef_len));
-
-- while (ef_len >= EB_HEADSIZE) {
-+ while (ef_len >= EB_HEADSIZE)
-+ {
- eb_id = makeword(EB_ID + ef_buf);
- eb_len = makeword(EB_LEN + ef_buf);
-
-- if (eb_len > (ef_len - EB_HEADSIZE)) {
-- /* discovered some extra field inconsistency! */
-+ if (eb_len > (ef_len - EB_HEADSIZE))
-+ {
-+ /* Extra block length exceeds remaining extra field length. */
- Trace((stderr,
- "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
- ef_len - EB_HEADSIZE));
- break;
- }
-- if (eb_id == EF_PKSZ64) {
--
-+ if (eb_id == EF_PKSZ64)
-+ {
- int offset = EB_HEADSIZE;
-
-- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
-- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
-- offset += sizeof(G.crec.ucsize);
-+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
-+
-+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
-+ offset += 8;
- }
-- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
-- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
-- offset += sizeof(G.crec.csize);
-+
-+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
-+
-+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
-+ offset += 8;
- }
-- if (G.crec.relative_offset_local_header == 0xffffffff){
-+
-+ if (G.crec.relative_offset_local_header == Z64FLGL)
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
-+
- G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
-- offset += sizeof(G.crec.relative_offset_local_header);
-+ offset += 8;
- }
-- if (G.crec.disk_number_start == 0xffff){
-+
-+ if (G.crec.disk_number_start == Z64FLGS)
-+ {
-+ if (offset+ 4 > ef_len)
-+ return PK_ERR;
-+
- G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
-- offset += sizeof(G.crec.disk_number_start);
-+ offset += 4;
- }
-+#if 0
-+ break; /* Expect only one EF_PKSZ64 block. */
-+#endif /* 0 */
- }
-
-- /* Skip this extra field block */
-+ /* Skip this extra field block. */
- ef_buf += (eb_len + EB_HEADSIZE);
- ef_len -= (eb_len + EB_HEADSIZE);
- }
---- a/fileio.c 2009-04-20 02:03:44.000000000 +0200
-+++ b/fileio.c 2014-12-05 22:44:16.000000000 +0100
-@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
- #endif
- static ZCONST char Far ExtraFieldTooLong[] =
- "warning: extra field too long (%d). Ignoring...\n";
-+static ZCONST char Far ExtraFieldCorrupt[] =
-+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
-
- #ifdef WINDLL
- static ZCONST char Far DiskFullQuery[] =
-@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
- return PK_EOF;
- /* Looks like here is where extra fields are read */
-- getZip64Data(__G__ G.extra_field, length);
-+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
-+ {
-+ Info(slide, 0x401, ((char *)slide,
-+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
-+ error = PK_WARN;
-+ }
- #ifdef UNICODE_SUPPORT
- G.unipath_filename = NULL;
- if (G.UzO.U_flag < 2) {
--- a/components/unzip/patches/CVE-2014-9636.patch Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,44 +0,0 @@
-Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
-More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
-
-From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
-From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 3 Nov 2014
-Subject: Info-ZIP UnZip buffer overflow
-
-By carefully crafting a corrupt ZIP archive with "extra fields" that
-purport to have compressed blocks larger than the corresponding
-uncompressed blocks in STORED no-compression mode, an attacker can
-trigger a heap overflow that can result in application crash or
-possibly have other unspecified impact.
-
-This patch ensures that when extra fields use STORED mode, the
-"compressed" and uncompressed block sizes match.
-
----
- extract.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/extract.c
-+++ b/extract.c
-@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
- ulg eb_ucsize;
- uch *eb_ucptr;
- int r;
-+ ush method;
-
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
- return IZ_EF_TRUNC; /* no compressed data! */
-
-+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
-+ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
-+ return PK_ERR; /* compressed & uncompressed
-+ * should match in STORED
-+ * method */
-+
- if (
- #ifdef INT_16BIT
- (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
--- a/components/unzip/patches/unix-configure.patch Thu Mar 03 16:51:26 2016 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11 +0,0 @@
---- unzip60/unix/configure.bkp 2011-07-28 07:07:08.691240200 -0700
-+++ unzip60/unix/configure 2011-07-28 07:07:47.315977300 -0700
-@@ -646,7 +646,7 @@
-
-
- echo CC=\"${CC}\" CF=\"${CFLAGSR} ${D_USE_BZ2}\" CRCA_O=\"${CRC32OA}\" \
-- AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1}\" LF2=\"${LFLAGS2}\" \
-+ AS=\"${CC} -c\" LFLAGS1=\"${LFLAGS1} ${LD_OPTIONS}\" LF2=\"${LFLAGS2}\" \
- CC_BZ=\"${CC_BZ}\" CFLAGS_BZ=\"${CFLAGS_BZ}\" \
- IZ_BZIP2=\"${IZ_BZIP2}\" D_USE_BZ2=\"${D_USE_BZ2}\" \
- L_BZ2=\"${L_BZ2}\" LIBBZ2=\"${LIBBZ2}\" > flags