head 1.4; access; symbols pkgsrc-2026Q1:1.4.0.6 pkgsrc-2026Q1-base:1.4 pkgsrc-2025Q4:1.4.0.4 pkgsrc-2025Q4-base:1.4 pkgsrc-2025Q3:1.4.0.2 pkgsrc-2025Q3-base:1.4 pkgsrc-2025Q2:1.3.0.104 pkgsrc-2025Q2-base:1.3 pkgsrc-2025Q1:1.3.0.102 pkgsrc-2025Q1-base:1.3 pkgsrc-2024Q4:1.3.0.100 pkgsrc-2024Q4-base:1.3 pkgsrc-2024Q3:1.3.0.98 pkgsrc-2024Q3-base:1.3 pkgsrc-2024Q2:1.3.0.96 pkgsrc-2024Q2-base:1.3 pkgsrc-2024Q1:1.3.0.94 pkgsrc-2024Q1-base:1.3 pkgsrc-2023Q4:1.3.0.92 pkgsrc-2023Q4-base:1.3 pkgsrc-2023Q3:1.3.0.90 pkgsrc-2023Q3-base:1.3 pkgsrc-2023Q2:1.3.0.88 pkgsrc-2023Q2-base:1.3 pkgsrc-2023Q1:1.3.0.86 pkgsrc-2023Q1-base:1.3 pkgsrc-2022Q4:1.3.0.84 pkgsrc-2022Q4-base:1.3 pkgsrc-2022Q3:1.3.0.82 pkgsrc-2022Q3-base:1.3 pkgsrc-2022Q2:1.3.0.80 pkgsrc-2022Q2-base:1.3 pkgsrc-2022Q1:1.3.0.78 pkgsrc-2022Q1-base:1.3 pkgsrc-2021Q4:1.3.0.76 pkgsrc-2021Q4-base:1.3 pkgsrc-2021Q3:1.3.0.74 pkgsrc-2021Q3-base:1.3 pkgsrc-2021Q2:1.3.0.72 pkgsrc-2021Q2-base:1.3 pkgsrc-2021Q1:1.3.0.70 pkgsrc-2021Q1-base:1.3 pkgsrc-2020Q4:1.3.0.68 pkgsrc-2020Q4-base:1.3 pkgsrc-2020Q3:1.3.0.66 pkgsrc-2020Q3-base:1.3 pkgsrc-2020Q2:1.3.0.62 pkgsrc-2020Q2-base:1.3 pkgsrc-2020Q1:1.3.0.42 pkgsrc-2020Q1-base:1.3 pkgsrc-2019Q4:1.3.0.64 pkgsrc-2019Q4-base:1.3 pkgsrc-2019Q3:1.3.0.60 pkgsrc-2019Q3-base:1.3 pkgsrc-2019Q2:1.3.0.58 pkgsrc-2019Q2-base:1.3 pkgsrc-2019Q1:1.3.0.56 pkgsrc-2019Q1-base:1.3 pkgsrc-2018Q4:1.3.0.54 pkgsrc-2018Q4-base:1.3 pkgsrc-2018Q3:1.3.0.52 pkgsrc-2018Q3-base:1.3 pkgsrc-2018Q2:1.3.0.50 pkgsrc-2018Q2-base:1.3 pkgsrc-2018Q1:1.3.0.48 pkgsrc-2018Q1-base:1.3 pkgsrc-2017Q4:1.3.0.46 pkgsrc-2017Q4-base:1.3 pkgsrc-2017Q3:1.3.0.44 pkgsrc-2017Q3-base:1.3 pkgsrc-2017Q2:1.3.0.40 pkgsrc-2017Q2-base:1.3 pkgsrc-2017Q1:1.3.0.38 pkgsrc-2017Q1-base:1.3 pkgsrc-2016Q4:1.3.0.36 pkgsrc-2016Q4-base:1.3 pkgsrc-2016Q3:1.3.0.34 pkgsrc-2016Q3-base:1.3 pkgsrc-2016Q2:1.3.0.32 pkgsrc-2016Q2-base:1.3 pkgsrc-2016Q1:1.3.0.30 pkgsrc-2016Q1-base:1.3 pkgsrc-2015Q4:1.3.0.28 pkgsrc-2015Q4-base:1.3 pkgsrc-2015Q3:1.3.0.26 pkgsrc-2015Q3-base:1.3 pkgsrc-2015Q2:1.3.0.24 pkgsrc-2015Q2-base:1.3 pkgsrc-2015Q1:1.3.0.22 pkgsrc-2015Q1-base:1.3 pkgsrc-2014Q4:1.3.0.20 pkgsrc-2014Q4-base:1.3 pkgsrc-2014Q3:1.3.0.18 pkgsrc-2014Q3-base:1.3 pkgsrc-2014Q2:1.3.0.16 pkgsrc-2014Q2-base:1.3 pkgsrc-2014Q1:1.3.0.14 pkgsrc-2014Q1-base:1.3 pkgsrc-2013Q4:1.3.0.12 pkgsrc-2013Q4-base:1.3 pkgsrc-2013Q3:1.3.0.10 pkgsrc-2013Q3-base:1.3 pkgsrc-2013Q2:1.3.0.8 pkgsrc-2013Q2-base:1.3 pkgsrc-2013Q1:1.3.0.6 pkgsrc-2013Q1-base:1.3 pkgsrc-2012Q4:1.3.0.4 pkgsrc-2012Q4-base:1.3 pkgsrc-2012Q3:1.3.0.2 pkgsrc-2012Q3-base:1.3 pkgsrc-2012Q2:1.2.0.20 pkgsrc-2012Q2-base:1.2 pkgsrc-2012Q1:1.2.0.18 pkgsrc-2012Q1-base:1.2 pkgsrc-2011Q4:1.2.0.16 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q3:1.2.0.14 pkgsrc-2011Q3-base:1.2 pkgsrc-2011Q2:1.2.0.12 pkgsrc-2011Q2-base:1.2 pkgsrc-2011Q1:1.2.0.10 pkgsrc-2011Q1-base:1.2 pkgsrc-2010Q4:1.2.0.8 pkgsrc-2010Q4-base:1.2 pkgsrc-2010Q3:1.2.0.6 pkgsrc-2010Q3-base:1.2 pkgsrc-2010Q2:1.2.0.4 pkgsrc-2010Q2-base:1.2 pkgsrc-2010Q1:1.2.0.2 pkgsrc-2010Q1-base:1.2 pkgsrc-2009Q4:1.1.0.42 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.40 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.38 pkgsrc-2009Q2-base:1.1 pkgsrc-2009Q1:1.1.0.36 pkgsrc-2009Q1-base:1.1 pkgsrc-2008Q4:1.1.0.34 pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.32 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.30 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.28 pkgsrc-2008Q2-base:1.1 cwrapper:1.1.0.26 pkgsrc-2008Q1:1.1.0.24 pkgsrc-2008Q1-base:1.1 pkgsrc-2007Q4:1.1.0.22 pkgsrc-2007Q4-base:1.1 pkgsrc-2007Q3:1.1.0.20 pkgsrc-2007Q3-base:1.1 pkgsrc-2007Q2:1.1.0.18 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.16 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.14 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.12 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.10 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.8 pkgsrc-2006Q1-base:1.1 pkgsrc-2005Q4:1.1.0.6 pkgsrc-2005Q4-base:1.1 pkgsrc-2005Q3:1.1.0.4 pkgsrc-2005Q3-base:1.1 pkgsrc-2005Q2:1.1.0.2; locks; strict; comment @# @; 1.4 date 2025.08.24.16.58.07; author kikadf; state Exp; branches; next 1.3; commitid gExYMQ2vYp5hl08G; 1.3 date 2012.09.14.13.10.48; author wiz; state Exp; branches; next 1.2; 1.2 date 2010.03.03.16.27.57; author wiz; state Exp; branches; next 1.1; 1.1 date 2005.08.04.14.20.35; author tron; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2005.08.04.14.20.35; author salo; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2005.08.04.15.22.02; author salo; state Exp; branches; next ; desc @@ 1.4 log @ archivers/unzip: fix some CVEs Fix CVE-2018-1000035 https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch Fix CVE-2019-13232 https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch https://www.bamsoftware.com/hacks/zipbomb/ With patches: $ /usr/pkg/bin/unzip zbsm.zip Archive: zbsm.zip inflating: 0 error: invalid zip file with overlapped components (possible zip bomb) To unzip the file anyway, rerun the command with UNZIP_DISABLE_ZIPBOMB_DETECTION=TRUE environmnent variable Fix CVE-2021-4217 https://gitlab.archlinux.org/archlinux/packaging/packages/unzip/-/raw/main/unzip-6.0_CVE-2021-4217.patch @ text @$NetBSD: patch-ac,v 1.3 2012/09/14 13:10:48 wiz Exp $ Fix build with -DFUNZIP. Fix CVE-2019-13232 https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part1.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part2.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part3.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-manpage.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part4.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part5.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-part6.patch https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-zipbomb-switch.patch --- inflate.c.orig 2008-07-30 03:31:08.000000000 +0200 +++ inflate.c @@@@ -473,7 +473,11 @@@@ int UZinflate(__G__ is_defl64) retval = 2; } else { /* output write failure */ +#ifdef FUNZIP + retval = PK_DISK; +#else retval = (G.disk_full != 0 ? PK_DISK : IZ_CTRLC); +#endif } } else { Trace((stderr, "oops! (inflateBack9() err = %d)\n", err)); @@@@ -538,7 +542,11 @@@@ int UZinflate(__G__ is_defl64) retval = 2; } else { /* output write failure */ +#ifdef FUNZIP + retval = PK_DISK; +#else retval = (G.disk_full != 0 ? PK_DISK : IZ_CTRLC); +#endif } } else { Trace((stderr, "oops! (inflateBack() err = %d)\n", err)); @@@@ -700,7 +708,7 @@@@ int UZinflate(__G__ is_defl64) G.dstrm.total_out)); G.inptr = (uch *)G.dstrm.next_in; - G.incnt = (G.inbuf + INBUFSIZ) - G.inptr; /* reset for other routines */ + G.incnt -= G.inptr - G.inbuf; /* reset for other routines */ uzinflate_cleanup_exit: err = inflateReset(&G.dstrm); @ 1.3 log @Add comment to patch. @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.2 2010/03/03 16:27:57 wiz Exp $ d4 9 d14 1 a14 1 --- inflate.c.orig 2008-07-30 01:31:08.000000000 +0000 d40 9 @ 1.2 log @Update to 6.0: New features in UnZip 6.0, released 20 April 2009: * Support PKWARE ZIP64 extensions, allowing Zip archives and Zip archive entries larger than 4 GiBytes and more than 65536 entries within a single Zip archive. This support is currently only available for Unix, OpenVMS and Win32/Win64. * Support for bzip2 compression method. * Support for UTF-8 encoded entry names, both through PKWARE's "General Purpose Flags Bit 11" indicator and Info-ZIP's new "up" unicode path extra field. (Currently, on Windows the UTF-8 handling is limited to the character subset contained in the configured non-unicode "system code page".) * Added "wrong implementation used" warning to error messages of the MSDOS port when used under Win32, in an attempt to reduce false bug reports. * Fixed "Time of Creation/Time of Use" vulnerability when setting attributes of extracted files, for Unix and Unix-like ports. * Fixed memory leak when processing invalid deflated data. * Fixed long-standing bug in unshrink (partial_clear), added boundary checks against invalid compressed data. * On Unix, keep inherited SGID attribute bit for extracted directories unless restoration of owner/group id or SUID/SGID/Tacky attributes was requested. * On Unix, allow extracted filenames to contain embedded control characters when explicitly requested by specifying the new command line option "-^". * On Unix, support restoration of symbolic link attributes. * On Unix, support restoration of 32-bit UID/GID data using the new "ux" IZUNIX3 extra field introduced with Zip 3.0. * Support for ODS5 extended filename syntax on new OpenVMS systems. * Support symbolic links zipped up on VMS. * On VMS (only 8.x or better), support symbolic link creation. * On VMS, support option to create converted text files in Stream_LF format. * New -D option to suppress restoration of timestamps for extracted directory entries (on those ports that support setting of directory timestamps). By specifying "-DD", this new option also allows to suppress timestamp restoration for ALL extracted files on all UnZip ports which support restoration of timestamps. On VMS, the default behaviour is now to skip restoration of directory timestamps; here, "--D" restores ALL timestamps, "-D" restores none. * On OS/2, Win32, and Unix, the (previously optional) feature UNIXBACKUP to allow saving backup copies of overwritten files on extraction is now enabled by default. For the UnZip 6.0 release, we want to give special credit to Myles Bennet, who started the job of supporting ZIP64 extensions and Large-File (> 2GiB) and provided a first (alpha-state) port. @ text @d1 3 a3 1 $NetBSD$ @ 1.1 log @Add patch to fix the security problem described in SA16309. @ text @d3 10 a12 27 --- unix/unix.c.orig 2005-02-26 19:43:42.000000000 +0000 +++ unix/unix.c 2005-08-04 15:15:17.000000000 +0100 @@@@ -1042,8 +1042,6 @@@@ ush z_uidgid[2]; int have_uidgid_flg; - fclose(G.outfile); - /*--------------------------------------------------------------------------- If symbolic links are supported, allocate storage for a symlink control structure, put the uncompressed "data" and other required info in it, and @@@@ -1059,6 +1057,8 @@@@ strlen(G.filename); slinkentry *slnk_entry; + fclose(G.outfile); + if ((unsigned)slnk_entrysize < ucsize) { Info(slide, 0x201, ((char *)slide, "warning: symbolic link (%s) failed: mem alloc overflow\n", @@@@ -1107,6 +1107,11 @@@@ } #endif /* SYMLINKS */ +#ifndef NO_CHMOD + if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr))) + perror("chmod (file attributes) error"); d14 15 a28 34 + #ifdef QLZIP if (G.extra_field) { static void qlfix OF((__GPRO__ uch *ef_ptr, unsigned ef_len)); @@@@ -1120,7 +1125,7 @@@@ /* if -X option was specified and we have UID/GID info, restore it */ if (have_uidgid_flg) { TTrace((stderr, "close_outfile: restoring Unix UID/GID info\n")); - if (chown(G.filename, (uid_t)z_uidgid[0], (gid_t)z_uidgid[1])) + if (fchown(fileno(G.outfile), (uid_t)z_uidgid[0], (gid_t)z_uidgid[1])) { if (uO.qflag) Info(slide, 0x201, ((char *)slide, @@@@ -1133,6 +1138,8 @@@@ } } + fclose(G.outfile); + /* set the file's access and modification times */ if (utime(G.filename, &(zt.t2))) { #ifdef AOS_VS @@@@ -1156,11 +1163,6 @@@@ zipfile. ---------------------------------------------------------------------------*/ -#ifndef NO_CHMOD - if (chmod(G.filename, filtattr(__G__ G.pInfo->file_attr))) - perror("chmod (file attributes) error"); -#endif - } /* end function close_outfile() */ #endif /* !MTS */ @ 1.1.2.1 log @file patch-ac was added on branch pkgsrc-2005Q2 on 2005-08-04 14:20:35 +0000 @ text @d1 64 @ 1.1.2.2 log @Pullup ticket 654 - requested by Matthias Scheler security fix for unzip Revisions pulled up: - pkgsrc/archivers/unzip/Makefile 1.56 - pkgsrc/archivers/unzip/distinfo 1.14 - pkgsrc/archivers/unzip/patches/patch-ac 1.1 Module Name: pkgsrc Committed By: tron Date: Thu Aug 4 14:20:35 UTC 2005 Modified Files: pkgsrc/archivers/unzip: Makefile distinfo Added Files: pkgsrc/archivers/unzip/patches: patch-ac Log Message: Add patch to fix the security problem described in SA16309. @ text @a0 64 $NetBSD: patch-ac,v 1.1.2.1 2005/08/04 15:22:02 salo Exp $ --- unix/unix.c.orig 2005-02-26 19:43:42.000000000 +0000 +++ unix/unix.c 2005-08-04 15:15:17.000000000 +0100 @@@@ -1042,8 +1042,6 @@@@ ush z_uidgid[2]; int have_uidgid_flg; - fclose(G.outfile); - /*--------------------------------------------------------------------------- If symbolic links are supported, allocate storage for a symlink control structure, put the uncompressed "data" and other required info in it, and @@@@ -1059,6 +1057,8 @@@@ strlen(G.filename); slinkentry *slnk_entry; + fclose(G.outfile); + if ((unsigned)slnk_entrysize < ucsize) { Info(slide, 0x201, ((char *)slide, "warning: symbolic link (%s) failed: mem alloc overflow\n", @@@@ -1107,6 +1107,11 @@@@ } #endif /* SYMLINKS */ +#ifndef NO_CHMOD + if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr))) + perror("chmod (file attributes) error"); +#endif + #ifdef QLZIP if (G.extra_field) { static void qlfix OF((__GPRO__ uch *ef_ptr, unsigned ef_len)); @@@@ -1120,7 +1125,7 @@@@ /* if -X option was specified and we have UID/GID info, restore it */ if (have_uidgid_flg) { TTrace((stderr, "close_outfile: restoring Unix UID/GID info\n")); - if (chown(G.filename, (uid_t)z_uidgid[0], (gid_t)z_uidgid[1])) + if (fchown(fileno(G.outfile), (uid_t)z_uidgid[0], (gid_t)z_uidgid[1])) { if (uO.qflag) Info(slide, 0x201, ((char *)slide, @@@@ -1133,6 +1138,8 @@@@ } } + fclose(G.outfile); + /* set the file's access and modification times */ if (utime(G.filename, &(zt.t2))) { #ifdef AOS_VS @@@@ -1156,11 +1163,6 @@@@ zipfile. ---------------------------------------------------------------------------*/ -#ifndef NO_CHMOD - if (chmod(G.filename, filtattr(__G__ G.pInfo->file_attr))) - perror("chmod (file attributes) error"); -#endif - } /* end function close_outfile() */ #endif /* !MTS */ @