ALT Linux repos
Group :: Archiving/Compression
RPM: unzip
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
Patch: deb-unzip-CVE-2008-0888.patch
Download
Download
diff -Nru unzip-5.52/consts.h unzip-5.52-fixed/consts.h
--- unzip-5.52/consts.h 2002-03-23 17:52:48 +0200
+++ unzip-5.52-fixed/consts.h 2008-03-18 09:26:13 +0200
@@ -34,9 +34,9 @@
"error: expected central file header signature not found (file #%lu).\n";
ZCONST char Far SeekMsg[] =
"error [%s]: attempt to seek before beginning of zipfile\n%s";
-ZCONST char Far FilenameNotMatched[] = "caution: filename not matched: %s\n";
+ZCONST char Far FilenameNotMatched[] = "caution: filename not matched: %.512s\n";
ZCONST char Far ExclFilenameNotMatched[] =
- "caution: excluded filename not matched: %s\n";
+ "caution: excluded filename not matched: %.512s\n";
#ifdef VMS
ZCONST char Far ReportMsg[] = "\
diff -Nru unzip-5.52/fileio.c unzip-5.52-fixed/fileio.c
--- unzip-5.52/fileio.c 2005-02-27 04:10:12 +0200
+++ unzip-5.52-fixed/fileio.c 2008-03-18 09:26:13 +0200
@@ -413,7 +413,11 @@
#endif /* NOVELL_BUG_FAILSAFE */
Trace((stderr, "open_outfile: doing fopen(%s) for writing\n",
FnFilter1(G.filename)));
+#if defined(SYMLINKS) || defined(QLZIP)
+ if ((G.outfile = fopen(G.filename, FOPWR)) == (FILE *)NULL) {
+#else
if ((G.outfile = fopen(G.filename, FOPW)) == (FILE *)NULL) {
+#endif
Info(slide, 0x401, ((char *)slide, LoadFarString(CannotCreateFile),
FnFilter1(G.filename)));
return 1;
diff -Nru unzip-5.52/inflate.c unzip-5.52-fixed/inflate.c
--- unzip-5.52/inflate.c 2005-02-27 08:08:46 +0200
+++ unzip-5.52-fixed/inflate.c 2008-03-18 09:26:13 +0200
@@ -983,6 +983,7 @@
unsigned l; /* last length */
unsigned m; /* mask for bit lengths table */
unsigned n; /* number of lengths to get */
+ struct huft *tlp;
struct huft *tl; /* literal/length code table */
struct huft *td; /* distance code table */
unsigned bl; /* lookup bits for tl */
@@ -996,6 +997,8 @@
int retval = 0; /* error code returned: initialized to "no error" */
+ td = tlp = tl = (struct huft *)NULL;
+
/* make local bit buffer */
Trace((stderr, "\ndynamic block"));
b = G.bb;
@@ -1047,9 +1050,9 @@
while (i < n)
{
NEEDBITS(bl)
- j = (td = tl + ((unsigned)b & m))->b;
+ j = (tlp = tl + ((unsigned)b & m))->b;
DUMPBITS(j)
- j = td->v.n;
+ j = tlp->v.n;
if (j < 16) /* length of code in bits (0..15) */
ll[i++] = l = j; /* save last length in l */
else if (j == 16) /* repeat last length 3 to 6 times */
@@ -1141,6 +1144,7 @@
huft_free(td);
}
huft_free(tl);
+
return retval;
}
@@ -1149,8 +1153,8 @@
cleanup_and_exit:
/* free the decoding tables, return */
- huft_free(tl);
- huft_free(td);
+ if (tl) huft_free(tl);
+ if (td) huft_free(td);
return retval;
}
diff -Nru unzip-5.52/process.c unzip-5.52-fixed/process.c
--- unzip-5.52/process.c 2004-11-22 02:42:54 +0200
+++ unzip-5.52-fixed/process.c 2008-03-18 09:26:13 +0200
@@ -74,20 +74,20 @@
/* do_seekable() strings */
# ifdef UNIX
static ZCONST char Far CannotFindZipfileDirMsg[] =
- "%s: cannot find zipfile directory in one of %s or\n\
- %s%s.zip, and cannot find %s, period.\n";
+ "%s: cannot find zipfile directory in one of %.512s or\n\
+ %s%.512s.zip, and cannot find %.512s, period.\n";
static ZCONST char Far CannotFindEitherZipfile[] =
- "%s: cannot find or open %s, %s.zip or %s.\n";
+ "%s: cannot find or open %.512s, %.512s.zip or %.512s.\n";
# else /* !UNIX */
# ifndef AMIGA
static ZCONST char Far CannotFindWildcardMatch[] =
- "%s: cannot find any matches for wildcard specification \"%s\".\n";
+ "%s: cannot find any matches for wildcard specification \"%.512s\".\n";
# endif /* !AMIGA */
static ZCONST char Far CannotFindZipfileDirMsg[] =
- "%s: cannot find zipfile directory in %s,\n\
- %sand cannot find %s, period.\n";
+ "%s: cannot find zipfile directory in %.512s,\n\
+ %sand cannot find %.512s, period.\n";
static ZCONST char Far CannotFindEitherZipfile[] =
- "%s: cannot find either %s or %s.\n";
+ "%s: cannot find either %.512s or %.512s.\n";
# endif /* ?UNIX */
extern ZCONST char Far Zipnfo[]; /* in unzip.c */
#ifndef WINDLL
diff -Nru unzip-5.52/unix/unix.c unzip-5.52-fixed/unix/unix.c
--- unzip-5.52/unix/unix.c 2008-03-18 09:43:34 +0200
+++ unzip-5.52-fixed/unix/unix.c 2008-03-18 09:42:35 +0200
@@ -1055,8 +1055,6 @@
perror("chmod (file attributes) error");
#endif
- fclose(G.outfile);
-
/*---------------------------------------------------------------------------
If symbolic links are supported, allocate storage for a symlink control
structure, put the uncompressed "data" and other required info in it, and
@@ -1076,6 +1074,7 @@
Info(slide, 0x201, ((char *)slide,
"warning: symbolic link (%s) failed: mem alloc overflow\n",
FnFilter1(G.filename)));
+ fclose(G.outfile);
return;
}
@@ -1083,6 +1082,7 @@
Info(slide, 0x201, ((char *)slide,
"warning: symbolic link (%s) failed: no mem\n",
FnFilter1(G.filename)));
+ fclose(G.outfile);
return;
}
slnk_entry->next = NULL;
@@ -1092,11 +1092,10 @@
slnk_entry->fname = slnk_entry->target + ucsize + 1;
strcpy(slnk_entry->fname, G.filename);
- /* reopen the "link data" file for reading */
- G.outfile = fopen(G.filename, FOPR);
+ /* move back to the start of the file to re-read the "link data" */
+ rewind(G.outfile);
- if (!G.outfile ||
- fread(slnk_entry->target, 1, ucsize, G.outfile) != (int)ucsize)
+ if (fread(slnk_entry->target, 1, ucsize, G.outfile) != (int)ucsize)
{
Info(slide, 0x201, ((char *)slide,
"warning: symbolic link (%s) failed\n",
@@ -1128,12 +1127,20 @@
}
#endif
+#if (defined(NO_FCHOWN) || defined(NO_FCHMOD))
+ fclose(G.outfile);
+#endif
+
have_uidgid_flg = get_extattribs(__G__ &(zt.t3), z_uidgid);
/* if -X option was specified and we have UID/GID info, restore it */
if (have_uidgid_flg) {
TTrace((stderr, "close_outfile: restoring Unix UID/GID info\n"));
+#if (defined(NO_FCHOWN) || defined(NO_FCHMOD))
if (chown(G.filename, (uid_t)z_uidgid[0], (gid_t)z_uidgid[1]))
+#else
+ if (fchown(fileno(G.outfile), (uid_t)z_uidgid[0], (gid_t)z_uidgid[1]))
+#endif
{
if (uO.qflag)
Info(slide, 0x201, ((char *)slide,
@@ -1146,6 +1153,18 @@
}
}
+#if (!defined(NO_FCHOWN) && !defined(NO_FCHMOD))
+/*---------------------------------------------------------------------------
+ Change the file permissions from default ones to those stored in the
+ zipfile.
+ ---------------------------------------------------------------------------*/
+
+ if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr)))
+ perror("chmod (file attributes) error");
+
+ fclose(G.outfile);
+#endif /* !NO_FCHOWN && !NO_FCHMOD */
+
/* set the file's access and modification times */
if (utime(G.filename, &(zt.t2))) {
#ifdef AOS_VS
@@ -1643,7 +1662,6 @@
if ((long)LG(dlen) > 0)
{
- G.outfile = fopen(G.filename,"r+");
fseek(G.outfile, -8, SEEK_END);
fread(&ntc, 8, 1, G.outfile);
if(ntc.id != *(long *)"XTcc")
@@ -1653,7 +1671,6 @@
fwrite (&ntc, 8, 1, G.outfile);
}
Info(slide, 0x201, ((char *)slide, "QData = %d", LG(dlen)));
- fclose(G.outfile);
}
return; /* finished, cancel further extra field scanning */
}
diff -Nru unzip-5.52/unzip.c unzip-5.52-fixed/unzip.c
--- unzip-5.52/unzip.c 2008-03-18 09:43:34 +0200
+++ unzip-5.52-fixed/unzip.c 2008-03-18 09:26:13 +0200
@@ -528,8 +528,7 @@
#else /* !VMS */
# ifdef COPYRIGHT_CLEAN
static ZCONST char Far UnzipUsageLine1[] = "\
-UnZip %d.%d%d%s of %s, by Info-ZIP. Maintained by C. Spieler. Send\n\
-bug reports using http://www.info-zip.org/zip-bug.html; see README for details.\
+UnZip %d.%d%d%s of %s, by Debian. Original by Info-ZIP.\
\n\n";
# else
static ZCONST char Far UnzipUsageLine1[] = "\
diff -Nru unzip-5.52/unzpriv.h unzip-5.52-fixed/unzpriv.h
--- unzip-5.52/unzpriv.h 2008-03-18 09:43:34 +0200
+++ unzip-5.52-fixed/unzpriv.h 2008-03-18 09:26:13 +0200
@@ -1081,6 +1081,7 @@
# define FOPR "r","ctx=stm"
# define FOPM "r+","ctx=stm","rfm=fix","mrs=512"
# define FOPW "w","ctx=stm","rfm=fix","mrs=512"
+# define FOPWR "w+","ctx=stm","rfm=fix","mrs=512"
#endif /* VMS */
#ifdef CMS_MVS
@@ -1117,6 +1118,9 @@
# ifndef FOPWT
# define FOPWT "wt"
# endif
+# ifndef FOPWR
+# define FOPWR "w+b"
+# endif
#else /* !MODERN */
# ifndef FOPR
# define FOPR "r"
@@ -1130,6 +1134,9 @@
# ifndef FOPWT
# define FOPWT "w"
# endif
+# ifndef FOPWR
+# define FOPWR "w+b"
+# endif
#endif /* ?MODERN */
/*