[packages/unzip] - rel 5; SECURITY fixes from FC
arekm
arekm at pld-linux.org
Thu Mar 26 20:15:18 CET 2020
commit b47192ccaa3f2fadf1cd0bc6ee398c0ed4501a98
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Thu Mar 26 20:15:08 2020 +0100
- rel 5; SECURITY fixes from FC
0001-Fix-CVE-2016-9844-rhbz-1404283.patch | 39 +++
unzip-6.0-COVSCAN-fix-unterminated-string.patch | 131 +++++++
unzip-6.0-alt-iconv-utf8-print.patch | 381 +++++++++++++++++++++
unzip-6.0-configure.patch | 12 +
...-6.0-cve-2018-1000035-heap-based-overflow.patch | 34 ++
unzip-6.0-cve-2018-18384.patch | 35 ++
unzip-6.0-heap-overflow-infloop.patch | 2 +-
unzip-6.0-timestamp.patch | 41 +++
unzip-zipbomb-manpage.patch | 25 ++
unzip-zipbomb-part1.patch | 25 ++
unzip-zipbomb-part2.patch | 349 +++++++++++++++++++
unzip-zipbomb-part3.patch | 112 ++++++
unzip.spec | 94 +++--
13 files changed, 1245 insertions(+), 35 deletions(-)
---
diff --git a/unzip.spec b/unzip.spec
index c6411cf..e12f409 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -13,7 +13,7 @@ Summary(tr.UTF-8): pkzip ve benzeri programların ürettiği zip arşivlerini a
Summary(uk.UTF-8): Розпаковувач файлів .zip
Name: unzip
Version: 6.00
-Release: 4
+Release: 5
License: distributable
Group: Applications/Archiving
Source0: ftp://ftp.info-zip.org/pub/infozip/src/%{name}60.tgz
@@ -21,9 +21,7 @@ Source0: ftp://ftp.info-zip.org/pub/infozip/src/%{name}60.tgz
#Source0: ftp://sunsite.icm.edu.pl/pub/unix/archiving/info-zip/src/%{name}552.tar.gz
Source1: http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
# Source1-md5: d7f8b0b09f6e8d89591b4dc25e335764
-Patch100: %{name}-opt.patch
-Patch101: %{name}-cve-2005-4667.patch
-Patch102: %{name}-method99_hint.patch
+Patch100: unzip-opt.patch
# Not sent to upstream.
Patch1: unzip-6.0-bzip2-configure.patch
# Upstream plans to do this in zip (hopefully also in unzip).
@@ -34,8 +32,9 @@ Patch3: unzip-6.0-close.patch
# Reported to upstream: http://www.info-zip.org/board/board.pl?m-1259575993/
Patch4: unzip-6.0-attribs-overflow.patch
# Not sent to upstream, as it's Fedora/RHEL specific.
-# Modify the configure script not to request the strip of binaries.
-Patch5: unzip-6.0-nostrip.patch
+# Modify the configure script to accept var LFLAGS2 so linking can be configurable
+# from the spec file. In addition '-s' is still removed as before
+Patch5: unzip-6.0-configure.patch
Patch6: unzip-6.0-manpage-fix.patch
# Update match.c with recmatch() from zip 3.0's util.c
# This also resolves the license issue in that old function.
@@ -48,6 +47,7 @@ Patch9: unzip-6.0-caseinsensitive.patch
# downstream fix for "-Werror=format-security"
# upstream doesn't want hear about this option again
Patch10: unzip-6.0-format-secure.patch
+
Patch11: unzip-6.0-valgrind.patch
Patch12: unzip-6.0-x-option.patch
Patch13: unzip-6.0-overflow.patch
@@ -55,10 +55,30 @@ Patch14: unzip-6.0-cve-2014-8139.patch
Patch15: unzip-6.0-cve-2014-8140.patch
Patch16: unzip-6.0-cve-2014-8141.patch
Patch17: unzip-6.0-overflow-long-fsize.patch
+
# Fix heap overflow and infinite loop when invalid input is given (#1260947)
Patch18: unzip-6.0-heap-overflow-infloop.patch
+
# support non-{latin,unicode} encoding
Patch19: unzip-6.0-alt-iconv-utf8.patch
+Patch20: unzip-6.0-alt-iconv-utf8-print.patch
+Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch
+
+# restore unix timestamp accurately
+Patch22: unzip-6.0-timestamp.patch
+
+# fix possible heap based stack overflow in passwd protected files
+Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+
+Patch24: unzip-6.0-cve-2018-18384.patch
+
+# covscan issues
+Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch
+
+Patch26: unzip-zipbomb-part1.patch
+Patch27: unzip-zipbomb-part2.patch
+Patch28: unzip-zipbomb-part3.patch
+Patch29: unzip-zipbomb-manpage.patch
URL: http://www.info-zip.org/
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
@@ -133,30 +153,36 @@ PKZIP та PKUNZIP від PKWARE для MS-DOS, але в багатьох ви
%prep
%setup -q -n %{name}60
%patch100 -p1
-%patch101 -p1
-%patch102 -p1
-
-%patch1 -p1 -b .bzip2-configure
-%patch2 -p1 -b .exec-shield
-%patch3 -p1 -b .close
-%patch4 -p1 -b .attribs-overflow
-%patch5 -p1 -b .nostrip
-%patch6 -p1 -b .manpage-fix
-%patch7 -p1 -b .recmatch
-%patch8 -p1 -b .symlink
-%patch9 -p1 -b .caseinsensitive
-%patch10 -p1 -b .format-secure
-%patch11 -p1 -b .valgrind
-%patch12 -p1 -b .x-option
-%patch13 -p1 -b .overflow
-%patch14 -p1 -b .cve-2014-8139
-%patch15 -p1 -b .cve-2014-8140
-%patch16 -p1 -b .cve-2014-8141
-%patch17 -p1 -b .overflow-long-fsize
-%patch18 -p1 -b .heap-overflow-infloop
-%patch19 -p1 -b .iconv
-
-ln -sf unix/Makefile Makefile
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
%build
# IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
@@ -171,20 +197,20 @@ X86_OPT1="-Di386"
X86_OPT2="-DASM_CRC"
%endif
-%{__make} unzips \
+%{__make} -f unix/Makefile generic \
CC="%{__cc}" \
AS="%{__cc}" \
- CF="%{rpmcppflags} %{rpmcflags} -I. -Wall ${X86_OPT2} -DLARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUNICODE_SUPPORT -DUTF8_MAYBE_NATIVE -DNO_LCHMOD -DHAVE_DIRENT_H -DHAVE_TERMIOS_H -D_MBCS -DNOMEMCPY -DIZ_HAVE_UXUIDGID" \
+ CF_NOOPT="%{rpmcppflags} %{rpmcflags} -I. -Wall ${X86_OPT2} -DLARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUNICODE_SUPPORT -DUTF8_MAYBE_NATIVE -DNO_LCHMOD -DHAVE_DIRENT_H -DHAVE_TERMIOS_H -D_MBCS -DNOMEMCPY -DIZ_HAVE_UXUIDGID" \
AF="${X86_OPT} %{rpmldflags}" \
%ifarch %{ix86}
CRCA_O="crc_gcc.o" \
%endif
- LD="%{__cc} %{rpmldflags}"
+ LFLAGS2="%{rpmldflags}"
%install
rm -rf $RPM_BUILD_ROOT
-%{__make} install \
+%{__make} -f unix/Makefile install \
prefix=$RPM_BUILD_ROOT%{_prefix} \
MANDIR=$RPM_BUILD_ROOT%{_mandir}/man1
diff --git a/0001-Fix-CVE-2016-9844-rhbz-1404283.patch b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch
new file mode 100644
index 0000000..0e4a173
--- /dev/null
+++ b/0001-Fix-CVE-2016-9844-rhbz-1404283.patch
@@ -0,0 +1,39 @@
+From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk at redhat.com>
+Date: Wed, 14 Dec 2016 16:30:36 +0100
+Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283)
+
+Fixes buffer overflow in zipinfo in similar way like fix for
+CVE-2014-9913 provided by upstream.
+---
+ zipinfo.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/zipinfo.c b/zipinfo.c
+index c03620e..accca2a 100644
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -1984,7 +1984,19 @@ static int zi_short(__G) /* return PK-type error code */
+ ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+ methbuf[3] = dtype[dnum];
+ } else if (methnum >= NUM_METHODS) { /* unknown */
+- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++ /* 2016-12-05 SMS.
++ * https://launchpad.net/bugs/1643750
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the "u",
++ * and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++ }
++
+ }
+
+ for (k = 0; k < 15; ++k)
+--
+2.5.5
+
diff --git a/unzip-6.0-COVSCAN-fix-unterminated-string.patch b/unzip-6.0-COVSCAN-fix-unterminated-string.patch
new file mode 100644
index 0000000..7173771
--- /dev/null
+++ b/unzip-6.0-COVSCAN-fix-unterminated-string.patch
@@ -0,0 +1,131 @@
+From 06d1b08aef94984256cad3c5a54cedb10295681f Mon Sep 17 00:00:00 2001
+From: Jakub Martisko <jamartis at redhat.com>
+Date: Thu, 8 Nov 2018 09:31:18 +0100
+Subject: [PATCH] Possible unterminated string fix
+
+---
+ unix/unix.c | 4 +++-
+ unix/unxcfg.h | 2 +-
+ unzip.c | 12 ++++++++----
+ zipinfo.c | 12 ++++++++----
+ 4 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/unix/unix.c b/unix/unix.c
+index 59b622d..cd57f80 100644
+--- a/unix/unix.c
++++ b/unix/unix.c
+@@ -1945,7 +1945,9 @@ void init_conversion_charsets()
+ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
+ if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
+ strncpy(OEM_CP, dos_charset_map[i].archive_charset,
+- sizeof(OEM_CP));
++ MAX_CP_NAME - 1);
++
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+ break;
+ }
+ }
+diff --git a/unix/unxcfg.h b/unix/unxcfg.h
+index 8729de2..9ee8cfe 100644
+--- a/unix/unxcfg.h
++++ b/unix/unxcfg.h
+@@ -228,7 +228,7 @@ typedef struct stat z_stat;
+ /* and notfirstcall are used by do_wild(). */
+
+
+-#define MAX_CP_NAME 25
++#define MAX_CP_NAME 25 + 1
+
+ #ifdef SETLOCALE
+ # undef SETLOCALE
+diff --git a/unzip.c b/unzip.c
+index 2d94a38..a485f2b 100644
+--- a/unzip.c
++++ b/unzip.c
+@@ -1561,7 +1561,8 @@ int uz_opts(__G__ pargc, pargv)
+ "error: a valid character encoding should follow the -I argument"));
+ return(PK_PARAM);
+ }
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+ } else { /* -I charset */
+ ++argv;
+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -1570,7 +1571,8 @@ int uz_opts(__G__ pargc, pargv)
+ return(PK_PARAM);
+ }
+ s = *argv;
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+ }
+ while(*(++s)); /* No params straight after charset name */
+ }
+@@ -1665,7 +1667,8 @@ int uz_opts(__G__ pargc, pargv)
+ "error: a valid character encoding should follow the -I argument"));
+ return(PK_PARAM);
+ }
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+ } else { /* -O charset */
+ ++argv;
+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -1674,7 +1677,8 @@ int uz_opts(__G__ pargc, pargv)
+ return(PK_PARAM);
+ }
+ s = *argv;
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+ }
+ while(*(++s)); /* No params straight after charset name */
+ }
+diff --git a/zipinfo.c b/zipinfo.c
+index accca2a..cb7e08d 100644
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -519,7 +519,8 @@ int zi_opts(__G__ pargc, pargv)
+ "error: a valid character encoding should follow the -I argument"));
+ return(PK_PARAM);
+ }
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+ } else { /* -I charset */
+ ++argv;
+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -528,7 +529,8 @@ int zi_opts(__G__ pargc, pargv)
+ return(PK_PARAM);
+ }
+ s = *argv;
+- strncpy(ISO_CP, s, sizeof(ISO_CP));
++ strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++ ISO_CP[MAX_CP_NAME - 1] = '\0';
+ }
+ while(*(++s)); /* No params straight after charset name */
+ }
+@@ -568,7 +570,8 @@ int zi_opts(__G__ pargc, pargv)
+ "error: a valid character encoding should follow the -I argument"));
+ return(PK_PARAM);
+ }
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+ } else { /* -O charset */
+ ++argv;
+ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -577,7 +580,8 @@ int zi_opts(__G__ pargc, pargv)
+ return(PK_PARAM);
+ }
+ s = *argv;
+- strncpy(OEM_CP, s, sizeof(OEM_CP));
++ strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++ OEM_CP[MAX_CP_NAME - 1] = '\0';
+ }
+ while(*(++s)); /* No params straight after charset name */
+ }
+--
+2.14.5
+
diff --git a/unzip-6.0-alt-iconv-utf8-print.patch b/unzip-6.0-alt-iconv-utf8-print.patch
new file mode 100644
index 0000000..0b0153b
--- /dev/null
+++ b/unzip-6.0-alt-iconv-utf8-print.patch
@@ -0,0 +1,381 @@
+From ca0212ba19b64488b9e8459a762c11ecd6e7d0bd Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk at redhat.com>
+Date: Tue, 24 Nov 2015 17:56:11 +0100
+Subject: [PATCH] print correctly non-ascii filenames
+
+---
+ extract.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++--------------
+ unzpriv.h | 7 ++
+ 2 files changed, 233 insertions(+), 63 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 0ee4e93..741b7e0 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2648,8 +2648,21 @@ static void set_deferred_symlink(__G__ slnk_entry)
+ } /* end function set_deferred_symlink() */
+ #endif /* SYMLINKS */
+
++/*
++ * If Unicode is supported, assume we have what we need to do this
++ * check using wide characters, avoiding MBCS issues.
++ */
+
+-
++#ifndef UZ_FNFILTER_REPLACECHAR
++ /* A convenient choice for the replacement of unprintable char codes is
++ * the "single char wildcard", as this character is quite unlikely to
++ * appear in filenames by itself. The following default definition
++ * sets the replacement char to a question mark as the most common
++ * "single char wildcard"; this setting should be overridden in the
++ * appropiate system-specific configuration header when needed.
++ */
++# define UZ_FNFILTER_REPLACECHAR '?'
++#endif
+
+ /*************************/
+ /* Function fnfilter() */ /* here instead of in list.c for SFX */
+@@ -2661,48 +2674,168 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */
+ extent size;
+ {
+ #ifndef NATIVE /* ASCII: filter ANSI escape codes, etc. */
+- ZCONST uch *r=(ZCONST uch *)raw;
++ ZCONST uch *r; // =(ZCONST uch *)raw;
+ uch *s=space;
+ uch *slim=NULL;
+ uch *se=NULL;
+ int have_overflow = FALSE;
+
+- if (size > 0) {
+- slim = space + size
+-#ifdef _MBCS
+- - (MB_CUR_MAX - 1)
+-#endif
+- - 4;
++# if defined( UNICODE_SUPPORT) && defined( _MBCS)
++/* If Unicode support is enabled, and we have multi-byte characters,
++ * then do the isprint() checks by first converting to wide characters
++ * and checking those. This avoids our having to parse multi-byte
++ * characters for ourselves. After the wide-char replacements have been
++ * made, the wide string is converted back to the local character set.
++ */
++ wchar_t *wstring; /* wchar_t version of raw */
++ size_t wslen; /* length of wstring */
++ wchar_t *wostring; /* wchar_t version of output string */
++ size_t woslen; /* length of wostring */
++ char *newraw; /* new raw */
++
++ /* 2012-11-06 SMS.
++ * Changed to check the value returned by mbstowcs(), and bypass the
++ * Unicode processing if it fails. This seems to fix a problem
++ * reported in the SourceForge forum, but it's not clear that we
++ * should be doing any Unicode processing without some evidence that
++ * the name actually is Unicode. (Check bit 11 in the flags before
++ * coming here?)
++ * http://sourceforge.net/p/infozip/bugs/40/
++ */
++
++ if (MB_CUR_MAX <= 1)
++ {
++ /* There's no point to converting multi-byte chars if there are
++ * no multi-byte chars.
++ */
++ wslen = (size_t)-1;
+ }
+- while (*r) {
+- if (size > 0 && s >= slim && se == NULL) {
+- se = s;
++ else
++ {
++ /* Get Unicode wide character count (for storage allocation). */
++ wslen = mbstowcs( NULL, raw, 0);
++ }
++
++ if (wslen != (size_t)-1)
++ {
++ /* Apparently valid Unicode. Allocate wide-char storage. */
++ wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t));
++ if (wstring == NULL) {
++ strcpy( (char *)space, raw);
++ return (char *)space;
+ }
+-#ifdef QDOS
+- if (qlflag & 2) {
+- if (*r == '/' || *r == '.') {
++ wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t));
++ if (wostring == NULL) {
++ free(wstring);
++ strcpy( (char *)space, raw);
++ return (char *)space;
++ }
++
++ /* Convert the multi-byte Unicode to wide chars. */
++ wslen = mbstowcs(wstring, raw, wslen + 1);
++
++ /* Filter the wide-character string. */
++ fnfilterw( wstring, wostring, (2 * (wslen + 1) * sizeof(wchar_t)));
++
++ /* Convert filtered wide chars back to multi-byte. */
++ woslen = wcstombs( NULL, wostring, 0);
++ if ((newraw = malloc(woslen + 1)) == NULL) {
++ free(wstring);
++ free(wostring);
++ strcpy( (char *)space, raw);
++ return (char *)space;
++ }
++ woslen = wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1);
++
++ if (size > 0) {
++ slim = space + size - 4;
++ }
++ r = (ZCONST uch *)newraw;
++ while (*r) {
++ if (size > 0 && s >= slim && se == NULL) {
++ se = s;
++ }
++# ifdef QDOS
++ if (qlflag & 2) {
++ if (*r == '/' || *r == '.') {
++ if (se != NULL && (s > (space + (size-3)))) {
++ have_overflow = TRUE;
++ break;
++ }
++ ++r;
++ *s++ = '_';
++ continue;
++ }
++ } else
++# endif
++ {
+ if (se != NULL && (s > (space + (size-3)))) {
+ have_overflow = TRUE;
+ break;
+ }
+- ++r;
+- *s++ = '_';
+- continue;
++ *s++ = *r++;
+ }
+- } else
++ }
++ if (have_overflow) {
++ strcpy((char *)se, "...");
++ } else {
++ *s = '\0';
++ }
++
++ free(wstring);
++ free(wostring);
++ free(newraw);
++ }
++ else
++# endif /* defined( UNICODE_SUPPORT) && defined( _MBCS) */
++ {
++ /* No Unicode support, or apparently invalid Unicode. */
++ r = (ZCONST uch *)raw;
++
++ if (size > 0) {
++ slim = space + size
++#ifdef _MBCS
++ - (MB_CUR_MAX - 1)
++#endif
++ - 4;
++ }
++ while (*r) {
++ if (size > 0 && s >= slim && se == NULL) {
++ se = s;
++ }
++#ifdef QDOS
++ if (qlflag & 2) {
++ if (*r == '/' || *r == '.') {
++ if (se != NULL && (s > (space + (size-3)))) {
++ have_overflow = TRUE;
++ break;
++ }
++ ++r;
++ *s++ = '_';
++ continue;
++ }
++ } else
+ #endif
+ #ifdef HAVE_WORKING_ISPRINT
+-# ifndef UZ_FNFILTER_REPLACECHAR
+- /* A convenient choice for the replacement of unprintable char codes is
+- * the "single char wildcard", as this character is quite unlikely to
+- * appear in filenames by itself. The following default definition
+- * sets the replacement char to a question mark as the most common
+- * "single char wildcard"; this setting should be overridden in the
+- * appropiate system-specific configuration header when needed.
+- */
+-# define UZ_FNFILTER_REPLACECHAR '?'
+-# endif
+- if (!isprint(*r)) {
++ if (!isprint(*r)) {
++ if (*r < 32) {
++ /* ASCII control codes are escaped as "^{letter}". */
++ if (se != NULL && (s > (space + (size-4)))) {
++ have_overflow = TRUE;
++ break;
++ }
++ *s++ = '^', *s++ = (uch)(64 + *r++);
++ } else {
++ /* Other unprintable codes are replaced by the
++ * placeholder character. */
++ if (se != NULL && (s > (space + (size-3)))) {
++ have_overflow = TRUE;
++ break;
++ }
++ *s++ = UZ_FNFILTER_REPLACECHAR;
++ INCSTR(r);
++ }
++#else /* !HAVE_WORKING_ISPRINT */
+ if (*r < 32) {
+ /* ASCII control codes are escaped as "^{letter}". */
+ if (se != NULL && (s > (space + (size-4)))) {
+@@ -2710,47 +2843,30 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */
+ break;
+ }
+ *s++ = '^', *s++ = (uch)(64 + *r++);
++#endif /* ?HAVE_WORKING_ISPRINT */
+ } else {
+- /* Other unprintable codes are replaced by the
+- * placeholder character. */
++#ifdef _MBCS
++ unsigned i = CLEN(r);
++ if (se != NULL && (s > (space + (size-i-2)))) {
++ have_overflow = TRUE;
++ break;
++ }
++ for (; i > 0; i--)
++ *s++ = *r++;
++#else
+ if (se != NULL && (s > (space + (size-3)))) {
+ have_overflow = TRUE;
+ break;
+ }
+- *s++ = UZ_FNFILTER_REPLACECHAR;
+- INCSTR(r);
+- }
+-#else /* !HAVE_WORKING_ISPRINT */
+- if (*r < 32) {
+- /* ASCII control codes are escaped as "^{letter}". */
+- if (se != NULL && (s > (space + (size-4)))) {
+- have_overflow = TRUE;
+- break;
+- }
+- *s++ = '^', *s++ = (uch)(64 + *r++);
+-#endif /* ?HAVE_WORKING_ISPRINT */
+- } else {
+-#ifdef _MBCS
+- unsigned i = CLEN(r);
+- if (se != NULL && (s > (space + (size-i-2)))) {
+- have_overflow = TRUE;
+- break;
+- }
+- for (; i > 0; i--)
+ *s++ = *r++;
+-#else
+- if (se != NULL && (s > (space + (size-3)))) {
+- have_overflow = TRUE;
+- break;
+- }
+- *s++ = *r++;
+ #endif
+- }
+- }
+- if (have_overflow) {
+- strcpy((char *)se, "...");
+- } else {
+- *s = '\0';
++ }
++ }
++ if (have_overflow) {
++ strcpy((char *)se, "...");
++ } else {
++ *s = '\0';
++ }
+ }
+
+ #ifdef WINDLL
+@@ -2772,6 +2888,53 @@ char *fnfilter(raw, space, size) /* convert name to safely printable form */
+ } /* end function fnfilter() */
+
+
++#if defined( UNICODE_SUPPORT) && defined( _MBCS)
++
++/****************************/
++/* Function fnfilter[w]() */ /* (Here instead of in list.c for SFX.) */
++/****************************/
++
++/* fnfilterw() - Convert wide name to safely printable form. */
++
++/* fnfilterw() - Convert wide-character name to safely printable form. */
++
++wchar_t *fnfilterw( src, dst, siz)
++ ZCONST wchar_t *src; /* Pointer to source char (string). */
++ wchar_t *dst; /* Pointer to destination char (string). */
++ extent siz; /* Not used (!). */
++{
++ wchar_t *dsx = dst;
++
++ /* Filter the wide chars. */
++ while (*src)
++ {
++ if (iswprint( *src))
++ {
++ /* Printable code. Copy it. */
++ *dst++ = *src;
++ }
++ else
++ {
++ /* Unprintable code. Substitute something printable for it. */
++ if (*src < 32)
++ {
++ /* Replace ASCII control code with "^{letter}". */
++ *dst++ = (wchar_t)'^';
++ *dst++ = (wchar_t)(64 + *src);
++ }
++ else
++ {
++ /* Replace other unprintable code with the placeholder. */
++ *dst++ = (wchar_t)UZ_FNFILTER_REPLACECHAR;
++ }
++ }
++ src++;
++ }
++ *dst = (wchar_t)0; /* NUL-terminate the destination string. */
++ return dsx;
++} /* fnfilterw(). */
++
++#endif /* defined( UNICODE_SUPPORT) && defined( _MBCS) */
+
+
+ #ifdef SET_DIR_ATTRIB
+diff --git a/unzpriv.h b/unzpriv.h
+index 22d3923..e48a652 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -1212,6 +1212,7 @@
+ # ifdef UNICODE_WCHAR
+ # if !(defined(_WIN32_WCE) || defined(POCKET_UNZIP))
+ # include <wchar.h>
++# include <wctype.h>
+ # endif
+ # endif
+ # ifndef _MBCS /* no need to include <locale.h> twice, see below */
+@@ -2410,6 +2411,12 @@ int memflush OF((__GPRO__ ZCONST uch *rawbuf, ulg size));
+ char *fnfilter OF((ZCONST char *raw, uch *space,
+ extent size));
+
++# if defined( UNICODE_SUPPORT) && defined( _MBCS)
++wchar_t *fnfilterw OF((ZCONST wchar_t *src, wchar_t *dst,
++ extent siz));
++#endif
++
++
+ /*---------------------------------------------------------------------------
+ Decompression functions:
+ ---------------------------------------------------------------------------*/
+--
+2.4.3
+
diff --git a/unzip-6.0-configure.patch b/unzip-6.0-configure.patch
new file mode 100644
index 0000000..9eead42
--- /dev/null
+++ b/unzip-6.0-configure.patch
@@ -0,0 +1,12 @@
+diff -up unzip60/unix/configure.nostrip unzip60/unix/configure
+--- unzip60/unix/configure.nostrip 2009-11-30 10:18:09.000000000 +0100
++++ unzip60/unix/configure 2009-11-30 10:21:08.354264213 +0100
+@@ -17,7 +17,7 @@ CFLAGSR=${CFLAGS}
+ IZ_BZIP2=${3}
+ CFLAGS="${CFLAGS} -I. -DUNIX"
+ LFLAGS1=""
+-LFLAGS2="-s"
++LFLAGS2="${LFLAGS2}"
+ LN="ln -s"
+
+ CFLAGS_OPT=''
diff --git a/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch b/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
new file mode 100644
index 0000000..8ca7138
--- /dev/null
+++ b/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
@@ -0,0 +1,34 @@
+--- a/fileio.c 2014-12-05 05:06:05 -0600
++++ b/fileio.c 2017-11-14 01:06:28 -0600
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2017 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1582,6 +1582,8 @@
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *ep;
++ char *zp;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,9 +1592,12 @@
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+- sprintf(prompt, LoadFarString(PasswPrompt),
+- FnFilter1(zfn), FnFilter2(efn));
++ zp = FnFilter1( zfn);
++ ep = FnFilter2( efn);
++ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */
++ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
++ if (prompt != (char *)NULL) {
++ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+ m = prompt;
+ } else
+ m = (char *)LoadFarString(PasswPrompt2);
diff --git a/unzip-6.0-cve-2018-18384.patch b/unzip-6.0-cve-2018-18384.patch
new file mode 100644
index 0000000..54d4b8c
--- /dev/null
+++ b/unzip-6.0-cve-2018-18384.patch
@@ -0,0 +1,35 @@
+--- unzip60/list.c
++++ unzip60/list.c
+@@ -97,7 +97,7 @@ int list_files(__G) /* return PK-type
+ {
+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+- char sgn, cfactorstr[13];
++ char sgn, cfactorstr[1+10+1+1]; /* <sgn><int>%NUL */
+ int longhdr=(uO.vflag>1);
+ #endif
+ int date_format;
+@@ -389,9 +389,9 @@ int list_files(__G) /* return PK-type
+ }
+ #else /* !WINDLL */
+ if (cfactor == 100)
+- sprintf(cfactorstr, LoadFarString(CompFactor100));
++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+ else
+- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+ if (longhdr)
+ Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
+ FmZofft(G.crec.ucsize, "8", "u"), methbuf,
+@@ -471,9 +471,9 @@ int list_files(__G) /* return PK-type
+
+ #else /* !WINDLL */
+ if (cfactor == 100)
+- sprintf(cfactorstr, LoadFarString(CompFactor100));
++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+ else
+- sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++ snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+ if (longhdr) {
+ Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
+ FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),
diff --git a/unzip-6.0-heap-overflow-infloop.patch b/unzip-6.0-heap-overflow-infloop.patch
index 160c512..b517c40 100644
--- a/unzip-6.0-heap-overflow-infloop.patch
+++ b/unzip-6.0-heap-overflow-infloop.patch
@@ -86,7 +86,7 @@ index 29db027..b9ae667 100644
- if (G.pInfo->encrypted)
+ if (G.pInfo->encrypted) {
-+ if (csiz_decrypted <= 12) {
++ if (csiz_decrypted < 12) {
+ /* handle the error now to prevent unsigned overflow */
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall(ErrUnzipNoFile),
diff --git a/unzip-6.0-timestamp.patch b/unzip-6.0-timestamp.patch
new file mode 100644
index 0000000..2aa9424
--- /dev/null
+++ b/unzip-6.0-timestamp.patch
@@ -0,0 +1,41 @@
+From: "Steven M. Schweda" <sms at antinode.info>
+Subject: Do not ignore extra fields containing Unix Timestamps
+Bug-Debian: https://bugs.debian.org/842993
+X-Debian-version: 6.0-21
+
+--- a/process.c
++++ b/process.c
+@@ -2914,10 +2914,13 @@
+ break;
+
+ case EF_IZUNIX2:
+- if (have_new_type_eb == 0) {
+- flags &= ~0x0ff; /* ignore any previous IZUNIX field */
++ if (have_new_type_eb == 0) { /* (< 1) */
+ have_new_type_eb = 1;
+ }
++ if (have_new_type_eb <= 1) {
++ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */
++ flags &= 0x0ff;
++ }
+ #ifdef IZ_HAVE_UXUIDGID
+ if (have_new_type_eb > 1)
+ break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
+@@ -2933,6 +2936,8 @@
+ /* new 3rd generation Unix ef */
+ have_new_type_eb = 2;
+
++ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */
++ flags &= 0x0ff;
+ /*
+ Version 1 byte version of this extra field, currently 1
+ UIDSize 1 byte Size of UID field
+@@ -2953,8 +2958,6 @@
+ uid_size = *((EB_HEADSIZE + 1) + ef_buf);
+ gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
+
+- flags &= ~0x0ff; /* ignore any previous UNIX field */
+-
+ if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
+ uid_size, &z_uidgid[0])
+ &&
diff --git a/unzip-zipbomb-manpage.patch b/unzip-zipbomb-manpage.patch
new file mode 100644
index 0000000..cdeeea5
--- /dev/null
+++ b/unzip-zipbomb-manpage.patch
@@ -0,0 +1,25 @@
+From 6fe72291a5563cdbcd2bdd87e36528537b7cdcfb Mon Sep 17 00:00:00 2001
+From: Jakub Martisko <jamartis at redhat.com>
+Date: Mon, 18 Nov 2019 14:17:46 +0100
+Subject: [PATCH] update the man page
+
+---
+ man/unzip.1 | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/man/unzip.1 b/man/unzip.1
+index 21816d1..4d66073 100644
+--- a/man/unzip.1
++++ b/man/unzip.1
+@@ -850,6 +850,8 @@ the specified zipfiles were not found.
+ invalid options were specified on the command line.
+ .IP 11
+ no matching files were found.
++.IP 12
++invalid zip file with overlapped components (possible zip bomb).
+ .IP 50
+ the disk is (or was) full during extraction.
+ .IP 51
+--
+2.23.0
+
diff --git a/unzip-zipbomb-part1.patch b/unzip-zipbomb-part1.patch
new file mode 100644
index 0000000..35cf856
--- /dev/null
+++ b/unzip-zipbomb-part1.patch
@@ -0,0 +1,25 @@
+From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler at alumni.caltech.edu>
+Date: Mon, 27 May 2019 08:20:32 -0700
+Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.
+
+---
+ fileio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fileio.c b/fileio.c
+index c042987..bc00d74 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -530,8 +530,10 @@ void undefer_input(__G)
+ * This condition was checked when G.incnt_leftover was set > 0 in
+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
+ * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
+ */
++ if (G.csize < 0L)
++ G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
diff --git a/unzip-zipbomb-part2.patch b/unzip-zipbomb-part2.patch
new file mode 100644
index 0000000..903c845
--- /dev/null
+++ b/unzip-zipbomb-part2.patch
@@ -0,0 +1,349 @@
+From 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler at alumni.caltech.edu>
+Date: Tue, 11 Jun 2019 22:01:18 -0700
+Subject: [PATCH] Detect and reject a zip bomb using overlapped entries.
+
+This detects an invalid zip file that has at least one entry that
+overlaps with another entry or with the central directory to the
+end of the file. A Fifield zip bomb uses overlapped local entries
+to vastly increase the potential inflation ratio. Such an invalid
+zip file is rejected.
+
+See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+analysis, construction, and examples of such zip bombs.
+
+The detection maintains a list of covered spans of the zip files
+so far, where the central directory to the end of the file and any
+bytes preceding the first entry at zip file offset zero are
+considered covered initially. Then as each entry is decompressed
+or tested, it is considered covered. When a new entry is about to
+be processed, its initial offset is checked to see if it is
+contained by a covered span. If so, the zip file is rejected as
+invalid.
+
+This commit depends on a preceding commit: "Fix bug in
+undefer_input() that misplaced the input state."
+---
+ extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ globals.c | 1 +
+ globals.h | 3 +
+ process.c | 11 ++++
+ unzip.h | 1 +
+ 5 files changed, 205 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 1acd769..0973a33 100644
+--- a/extract.c
++++ b/extract.c
+@@ -319,6 +319,125 @@ static ZCONST char Far UnsupportedExtraField[] =
+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++ "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++ "error: invalid zip file with overlapped components (possible zip bomb)\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++ bound_t beg; /* start of the span */
++ bound_t end; /* one past the end of the span */
++} span_t;
++typedef struct {
++ span_t *span; /* allocated, distinct, and sorted list of spans */
++ size_t num; /* number of spans in the list */
++ size_t max; /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t lo = 0, hi = cover->num;
++ while (lo < hi) {
++ size_t mid = (lo + hi) >> 1;
++ if (val < cover->span[mid].beg)
++ hi = mid;
++ else
++ lo = mid + 1;
++ }
++ return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover. */
++static int cover_within(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t pos = cover_find(cover, val);
++ return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++ cover_t *cover;
++ bound_t beg;
++ bound_t end;
++{
++ size_t pos;
++ int prec, foll;
++
++ if (beg >= end)
++ /* The new span is invalid. */
++ return -1;
++
++ /* Find where the new span should go, and make sure that it does not
++ overlap with any existing spans. */
++ pos = cover_find(cover, beg);
++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++ (pos < cover->num && end > cover->span[pos].beg))
++ return 1;
++
++ /* Check for adjacencies. */
++ prec = pos > 0 && beg == cover->span[pos - 1].end;
++ foll = pos < cover->num && end == cover->span[pos].beg;
++ if (prec && foll) {
++ /* The new span connects the preceding and following spans. Merge the
++ following span into the preceding span, and delete the following
++ span. */
++ cover->span[pos - 1].end = cover->span[pos].end;
++ cover->num--;
++ memmove(cover->span + pos, cover->span + pos + 1,
++ (cover->num - pos) * sizeof(span_t));
++ }
++ else if (prec)
++ /* The new span is adjacent only to the preceding span. Extend the end
++ of the preceding span. */
++ cover->span[pos - 1].end = end;
++ else if (foll)
++ /* The new span is adjacent only to the following span. Extend the
++ beginning of the following span. */
++ cover->span[pos].beg = beg;
++ else {
++ /* The new span has gaps between both the preceding and the following
++ spans. Assure that there is room and insert the span. */
++ if (cover->num == cover->max) {
++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
++ span_t *span = realloc(cover->span, max * sizeof(span_t));
++ if (span == NULL)
++ return -2;
++ cover->span = span;
++ cover->max = max;
++ }
++ memmove(cover->span + pos + 1, cover->span + pos,
++ (cover->num - pos) * sizeof(span_t));
++ cover->num++;
++ cover->span[pos].beg = beg;
++ cover->span[pos].end = end;
++ }
++ return 0;
++}
+
+
+
+@@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
++ /* One more: initialize cover structure for bomb detection. Start with a
++ span that covers the central directory though the end of the file. */
++ if (G.cover == NULL) {
++ G.cover = malloc(sizeof(cover_t));
++ if (G.cover == NULL) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ ((cover_t *)G.cover)->span = NULL;
++ ((cover_t *)G.cover)->max = 0;
++ }
++ ((cover_t *)G.cover)->num = 0;
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ cover_add((cover_t *)G.cover,
++ G.extra_bytes + G.ecrec.offset_start_central_directory,
++ G.ziplen) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+ rectory lies at the end of the zipfile and the member files lie at the
+@@ -591,7 +733,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ if (error > error_in_archive)
+ error_in_archive = error;
+ /* ...and keep going (unless disk full or user break) */
+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++ error == PK_BOMB) {
+ /* clear reached_end to signal premature stop ... */
+ reached_end = FALSE;
+ /* ... and cancel scanning the central directory */
+@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
+
+ /* seek_zipf(__G__ pInfo->offset); */
+ request = G.pInfo->offset + G.extra_bytes;
++ if (cover_within((cover_t *)G.cover, request)) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ inbuf_offset = request % INBUFSIZ;
+ bufstart = request - inbuf_offset;
+
+@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk,
+ return IZ_CTRLC; /* cancel operation by user request */
+ }
+ #endif
++ error = cover_add((cover_t *)G.cover, request,
++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++ if (error < 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if (error != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
+ UserStop();
+ #endif
+@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */
+ }
+
+ undefer_input(__G);
++
++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++ /* skip over data descriptor (harder than it sounds, due to signature
++ * ambiguity)
++ */
++# define SIG 0x08074b50
++# define LOW 0xffffffff
++ uch buf[12];
++ unsigned shy = 12 - readbuf((char *)buf, 12);
++ ulg crc = shy ? 0 : makelong(buf);
++ ulg clen = shy ? 0 : makelong(buf + 4);
++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++ if (crc == SIG && /* if not SIG, no signature */
++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
++ (clen == SIG && /* if not SIG, no signature */
++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
++ (ulen == SIG && /* if not SIG, no signature */
++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++ /* if not SIG, have signature */
++ )))))
++ /* skip four more bytes to account for signature */
++ shy += 4 - readbuf((char *)buf, 4);
++ if (G.zip64)
++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++ if (shy)
++ error = PK_ERR;
++ }
++
+ return error;
+
+ } /* end function extract_or_test_member() */
+diff --git a/globals.c b/globals.c
+index fa8cca5..1e0f608 100644
+--- a/globals.c
++++ b/globals.c
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
+ # if (!defined(NO_TIMESTAMPS))
+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
+ # endif
++ G.cover = NULL; /* not allocated yet */
+ #endif
+
+ uO.lflag=(-1);
+diff --git a/globals.h b/globals.h
+index 11b7215..2bdcdeb 100644
+--- a/globals.h
++++ b/globals.h
+@@ -260,12 +260,15 @@ typedef struct Globals {
+ ecdir_rec ecrec; /* used in unzip.c, extract.c */
+ z_stat statbuf; /* used by main, mapname, check_for_newer */
+
++ int zip64; /* true if Zip64 info in extra field */
++
+ int mem_mode;
+ uch *outbufptr; /* extract.c static */
+ ulg outsize; /* extract.c static */
+ int reported_backslash; /* extract.c static */
+ int disk_full;
+ int newfile;
++ void **cover; /* used in extract.c for bomb detection */
+
+ int didCRlast; /* fileio static */
+ ulg numlines; /* fileio static: number of lines printed */
+diff --git a/process.c b/process.c
+index 1e9a1e1..d2e4dc3 100644
+--- a/process.c
++++ b/process.c
+@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */
+ }
+ #endif
+
++ /* Free the cover span list and the cover structure. */
++ if (G.cover != NULL) {
++ free(*(G.cover));
++ free(G.cover);
++ G.cover = NULL;
++ }
++
+ } /* end function free_G_buffers() */
+
+
+@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ #define Z64FLGS 0xffff
+ #define Z64FLGL 0xffffffff
+
++ G.zip64 = FALSE;
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ #if 0
+ break; /* Expect only one EF_PKSZ64 block. */
+ #endif /* 0 */
++
++ G.zip64 = TRUE;
+ }
+
+ /* Skip this extra field block. */
+diff --git a/unzip.h b/unzip.h
+index 5b2a326..ed24a5b 100644
+--- a/unzip.h
++++ b/unzip.h
+@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
+ #define PK_NOZIP 9 /* zipfile not found */
+ #define PK_PARAM 10 /* bad or illegal parameters specified */
+ #define PK_FIND 11 /* no files found */
++#define PK_BOMB 12 /* likely zip bomb */
+ #define PK_DISK 50 /* disk full */
+ #define PK_EOF 51 /* unexpected EOF */
+
diff --git a/unzip-zipbomb-part3.patch b/unzip-zipbomb-part3.patch
new file mode 100644
index 0000000..3b8d67b
--- /dev/null
+++ b/unzip-zipbomb-part3.patch
@@ -0,0 +1,112 @@
+From 6d351831be705cc26d897db44f878a978f4138fc Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler at alumni.caltech.edu>
+Date: Thu, 25 Jul 2019 20:43:17 -0700
+Subject: [PATCH] Do not raise a zip bomb alert for a misplaced central
+ directory.
+
+There is a zip-like file in the Firefox distribution, omni.ja,
+which is a zip container with the central directory placed at the
+start of the file instead of after the local entries as required
+by the zip standard. This commit marks the actual location of the
+central directory, as well as the end of central directory records,
+as disallowed locations. This now permits such containers to not
+raise a zip bomb alert, where in fact there are no overlaps.
+---
+ extract.c | 25 +++++++++++++++++++------
+ process.c | 6 ++++++
+ unzpriv.h | 10 ++++++++++
+ 3 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 0973a33..1b73cb0 100644
+--- a/extract.c
++++ b/extract.c
+@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
+- /* One more: initialize cover structure for bomb detection. Start with a
+- span that covers the central directory though the end of the file. */
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+@@ -506,15 +509,25 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+- if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+- cover_add((cover_t *)G.cover,
++ if (cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+- G.ziplen) != 0) {
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+diff --git a/process.c b/process.c
+index d2e4dc3..d75d405 100644
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
+
+ /* Now, we are (almost) sure that we have a Zip64 archive. */
+ G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+ /* Update the "end-of-central-dir offset" for later checks. */
+ G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+ G.ecrec.zipfile_comment_length =
+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+ /* Now, we have to read the archive comment, BEFORE the file pointer
+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
+diff --git a/unzpriv.h b/unzpriv.h
+index dc9eff5..297b3c7 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
+ int have_ecr64; /* valid Zip64 ecdir-record exists */
+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+ } ecdir_rec;
+
+
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/unzip.git/commitdiff/b47192ccaa3f2fadf1cd0bc6ee398c0ed4501a98
More information about the pld-cvs-commit
mailing list