debian/postinst:

#!/bin/sh
set -e
if [ "$1" = "configure" ] && [ -x "`which update-mime 2> /dev/null`" ]; then
    update-mime
fi

debian/control:

Source: unzip
Section: utils
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Santiago Vila
Standards-Version: 3.9.2
Build-Depends: libbz2-dev
Homepage: http://www.info-zip.org/UnZip.html

Package: unzip
Architecture: any
Depends: ${shlibs:Depends}
Conflicts: unzip-crypt (<< 5.41)
Replaces: unzip-crypt (<< 5.41)
Suggests: zip
Multi-Arch: foreign
Description: De-archiver for .zip files
 InfoZIP's unzip program. With the exception of multi-volume archives
 (ie, .ZIP files that are split across several disks using PKZIP's /& option),
 this can handle any file produced either by PKZIP, or the corresponding
 InfoZIP zip program.
 .
 This version supports encryption.

debian/changelog:

unzip (6.0-9ubuntu1.5) trusty-security; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers  Mon, 09 Nov 2015 09:16:57 -0600

unzip (6.0-9ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow
    - debian/patches/14-cve-2015-7696: add check to crypt.c.
    - CVE-2015-7696
  * SECURITY UPDATE: infinite loop when extracting empty bzip2 data
    - debian/patches/15-cve-2015-7697: check for empty input in extract.c.
    - CVE-2015-7697
  * SECURITY UPDATE: unsigned overflow on invalid input
    - debian/patches/16-fix-integer-underflow-csiz-decrypted: make sure
      csiz_decrypted doesn't overflow in extract.c.
    - No CVE number

 -- Marc Deslauriers  Thu, 29 Oct 2015 10:33:05 -0400

unzip (6.0-9ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: heap overflow in charset_to_intern()
    - debian/patches/06-unzip60-alt-iconv-utf8: updated to fix buffer
      overflow in unix/unix.c.
    - CVE-2015-1315
  * SECURITY REGRESSION: regression with executable jar files
    - debian/patches/09-cve-2014-8139-crc-overflow: updated to fix
      regression.
  * SECURITY REGRESSION: regression with certain compressed data headers
    - debian/patches/12-cve-2014-9636-test-compr-eb: updated to fix
      regression.

 -- Marc Deslauriers  Tue, 17 Feb 2015 14:17:20 -0500

unzip (6.0-9ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: heap overflow via mismatched block sizes
    - debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
      uncompressed block sizes match when using STORED method in extract.c.
    - CVE-2014-9636

 -- Marc Deslauriers  Thu, 29 Jan 2015 11:37:34 -0500

unzip (6.0-9ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: CRC32 verification heap-based overflow
    - debian/patches/09-cve-2014-8139-crc-overflow: check extra block
      length in extract.c.
    - CVE-2014-8139
  * SECURITY UPDATE: out-of-bounds write issue in test_compr_eb()
    - debian/patches/10-cve-2014-8140-test-compr-eb: properly validate
      sizes in extract.c.
    - CVE-2014-8140
  * SECURITY UPDATE: out-of-bounds read issues in getZip64Data()
    - debian/patches/11-cve-2014-8141-getzip64data: validate extra fields
      in fileio.c, check sizes in process.c.
    - CVE-2014-8141

 -- Marc Deslauriers  Wed, 07 Jan 2015 16:14:02 -0500

unzip (6.0-9ubuntu1) saucy; urgency=low

  * Resynchronise with Debian.  Remaining changes:
    - Add patch from archlinux which adds the -O option, allowing a charset
      to be specified for the proper unzipping of non-Latin and
      non-Unicode filenames.

 -- Colin Watson  Mon, 13 May 2013 13:00:12 +0100

unzip (6.0-9) unstable; urgency=low

  * Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
    displayed correctly. Reported by Slavek Banko. Closes: #682682.
  * Use the right strip command when cross-building. Closes: #695141.

 -- Santiago Vila  Sun, 24 Feb 2013 17:12:00 +0100

unzip (6.0-8ubuntu1) raring; urgency=low

  * Resynchronise with Debian.  Remaining changes:
    - Add patch from archlinux which adds the -O option, allowing a charset
      to be specified for the proper unzipping of non-Latin and
      non-Unicode filenames.
    - Use correct strip program when cross-building.

 -- Colin Watson  Thu, 13 Dec 2012 16:08:03 +0000

unzip (6.0-8) unstable; urgency=low

  * Made unzip -X to actually restore uid/gid information. Closes: #689212.
    Thanks to Axel Scheepers for the report.
  * Disabled memcpy, as it is being used on overlapping buffers, leading
    to data corruption. Closes: #694601.
    Thanks to M Joonas Pihlaja for the report.

 -- Santiago Vila  Wed, 28 Nov 2012 12:41:34 +0100

unzip (6.0-7ubuntu2) raring; urgency=low

  * Use correct strip program when cross-building.

 -- Colin Watson  Tue, 04 Dec 2012 15:15:23 +0000

unzip (6.0-7ubuntu1) quantal; urgency=low

  * Merge from Debian unstable. Remaining change:
    - Added patch from archlinux which adds the -O option allowing a charset
      to be specified for the proper unzipping of non-latin and non-unicode
      filenames.
  * Merge adds Multi-Arch: foreign. (LP: #1010450)

 -- Logan Rosen  Sun, 05 Aug 2012 21:31:45 -0400

unzip (6.0-7) unstable; urgency=low

  * Added Multi-Arch: foreign. Closes: #678812.

 -- Santiago Vila  Sat, 30 Jun 2012 14:17:42 +0200

unzip (6.0-6) unstable; urgency=low

  * Added hardening flags. Closes: #656268.

 -- Santiago Vila  Sun, 01 Apr 2012 00:01:40 +0200

unzip (6.0-5) unstable; urgency=low

  * Handle the PKWare verification bit of internal attributes.
    Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.

 -- Santiago Vila  Fri, 01 Jul 2011 19:06:08 +0200

unzip (6.0-4ubuntu1) natty; urgency=low

  * Added patch from archlinux which adds the -O option allowing a charset
    to be specified for the proper unzipping of non-latin and non-unicode
    filenames. (LP: #580961)

 -- Brian Thomason  Wed, 12 Jan 2011 20:08:14 -0500

unzip (6.0-4) unstable; urgency=low

  * Added homepage field to control file.
  * Switch to 3.0 (quilt) source format.
  * Support cross-build.

 -- Santiago Vila  Sun, 21 Feb 2010 17:01:00 +0100

unzip (6.0-3) unstable; urgency=low

  * Added "set -e" to postinst and postrm.

 -- Santiago Vila  Tue, 09 Feb 2010 23:53:42 +0100

unzip (6.0-2) unstable; urgency=low

  * Do not ignore errors from make clean (lintian warning)
  * Remove .comment section from executables (lintian warning).
  * Added mime stuff so that mutt is able to see the contents of a zipfile
    using "unzip -l". Closes: #474538.

 -- Santiago Vila  Mon, 08 Feb 2010 18:44:00 +0100

unzip (6.0-1) unstable; urgency=low

  * New upstream release. Closes: #496989.
  * Enabled new Unicode support. Closes: #197427.
    This may or may not work for your already created zipfiles, but it's
    not a bug unless they were created using the Unicode feature present
    in zip 3.0.
  * Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO
    format, as that's the only available one which makes sense.
    Closes: #312886.
  * Enabled new bzip2 support. Closes: #426798.
  * Exit code for zipgrep should now be the right one. Closes: #441997.
  * The reason why a file may not be created is now shown. Closes: #478791.
  * Summary of changes in this version not being the debian/* files:
    - Manpages in section 1, not 1L.
    - Branding patch. UnZip by Debian. Original by Info-ZIP.
    - Always #include . Debian GNU/kFreeBSD needs it.

 -- Santiago Vila  Fri, 08 May 2009 20:02:40 +0200

unzip (5.52-12) unstable; urgency=medium

  * Fixed stack underflow in unshrink.c. Closes: #454037.
    Thanks to Christian Spieler for the patch.

 -- Santiago Vila  Sat, 26 Jul 2008 16:51:38 +0200

unzip (5.52-11) unstable; urgency=high

  * Apply patch from Tavis Ormandy to address invalid free() calls in the
    inflate_dynamic() function (CVE-2008-0888).

 -- Santiago Vila  Thu, 20 Mar 2008 17:53:00 +0100

unzip (5.52-10) unstable; urgency=low

  * Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479.

 -- Santiago Vila  Mon, 2 Jul 2007 18:08:44 +0200

unzip (5.52-9) unstable; urgency=low

  * Added appropriate compiler flags for Large File Support (Closes: #192253).
    This procedure is blessed by upstream in the FAQ, and as a result, some
    .zip archives may now be uncompressed using Debian unzip. For those
    which still may not, please test unzip 6.0 beta.

 -- Santiago Vila  Wed, 30 Aug 2006 10:34:24 +0200

unzip (5.52-8) unstable; urgency=low

  * Modified unix/unxcfg.h to always #include . This should now work on
    GNU/kFreeBSD (Closes: #340693).

 -- Santiago Vila  Tue, 25 Apr 2006 19:50:24 +0200

unzip (5.52-7) unstable; urgency=medium

  * Fixed buffer overflow when insanely long filenames are given on the
    command line. Patch from Johnny Lee. Changed some format strings so
    that they use 512 characters at most. The "right" fix will be in 5.53,
    but this should work well enough for now. Closes: #349794.
  * This is CVE-2005-4667.

 -- Santiago Vila  Thu, 16 Mar 2006 10:31:20 +0100

unzip (5.52-6) unstable; urgency=medium

  * Symlinks should work again (Closes: #343680). Fix provided by
    Christian Spieler. Thanks to Carl W. Hoffman for the report.

 -- Santiago Vila  Tue, 20 Dec 2005 19:18:32 +0100

unzip (5.52-5) unstable; urgency=low

  * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
    Patch extracted from a prerelease provided by upstream.
  * Changed unzip banner line to reflect the fact that this is a "modified"
    release. Debian-derived distributions should probably do the same if
    they deviate from the Debian version.

 -- Santiago Vila  Thu, 17 Nov 2005 16:34:24 +0100

unzip (5.52-4) unstable; urgency=medium

  * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c to
    use fchmod() and fchown() instead of chmod() and chown() to change
    permissions and ownerships on the files actually created by unzip.
    Patch from Dan Yefimov. CAN-2005-2475.

 -- Santiago Vila  Wed, 9 Nov 2005 18:05:02 +0100

unzip (5.52-3) unstable; urgency=low

  * Put manpages in section 1, not 1L.
  * Fixed more typos (Closes: #309885).

 -- Santiago Vila  Wed, 25 May 2005 16:09:02 +0200

unzip (5.52-2) unstable; urgency=low

  * Fixed typos in manpage (Closes: #301915).

 -- Santiago Vila  Sun, 24 Apr 2005 19:27:02 +0200

unzip (5.52-1) unstable; urgency=low

  * New upstream release.
  * Enabled new -W option via WILD_STOP_AT_DIR macro.
  * Macro USE_UNSHRINK is no longer defined, as it's now the default.

 -- Santiago Vila  Tue, 1 Mar 2005 15:33:54 +0100

unzip (5.51-2) unstable; urgency=low

  * Added unshrinking support (Closes: #252563).

 -- Santiago Vila  Sun, 6 Jun 2004 17:57:46 +0200

unzip (5.51-1) unstable; urgency=low

  * New upstream release, improves error message when a zipfile is not
    readable (Closes: #139331).
  * Added a newline character to the CannotOpenZipfile string for the
    previous fix to be really complete.

 -- Santiago Vila  Tue, 25 May 2004 14:38:26 +0200

unzip (5.50-4) unstable; urgency=low

  * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
    systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.

 -- Santiago Vila  Sun, 16 Nov 2003 14:45:28 +0100

unzip (5.50-3) unstable; urgency=high

  * Fixed "unzip directory traversal revisited" again (Bug #206439).
    There was still a missing case that the previous patch didn't catch.
    Patch borrowed from unzip-5.50-33.src.rpm.
  * For reference, this is (still) CAN-2003-0282.

 -- Santiago Vila  Wed, 20 Aug 2003 23:00:42 +0200

unzip (5.50-2) unstable; urgency=high

  * Fixed "unzip directory traversal revisited" problem (Bug #199648).
    A filename containing ".somenonprintablechar." will not unpack into ..
    anymore. Patch borrowed from unzip-5.50-11.src.rpm.
  * For reference, this is CAN-2003-0282.
  * No more doc symlinks.

 -- Santiago Vila  Mon, 7 Jul 2003 20:25:20 +0200

unzip (5.50-1) unstable; urgency=low

  * New upstream release.
  * Moved from non-US/main to main. Section: utils.

 -- Santiago Vila  Sun, 24 Mar 2002 15:54:12 +0100

unzip (5.42-3) unstable; urgency=low

  * Added support for DEB_BUILD_OPTIONS.

 -- Santiago Vila  Sun, 11 Nov 2001 16:25:00 +0100

unzip (5.42-2) unstable; urgency=low

  * Applied a patch from Marcus Brinkmann:
    - Closes: #99699: unzip does not build on the Hurd.
    - Modified debian/rules to support cross-compilation.

 -- Santiago Vila  Wed, 6 Jun 2001 16:40:14 +0200

unzip (5.42-1) unstable; urgency=low

  * New upstream release.
  * Changed to Section: non-US.
  * Removed "packaged for Debian" from extended description.

 -- Santiago Vila  Thu, 10 May 2001 16:47:41 +0200

unzip (5.41-1) unstable; urgency=low

  * New upstream release, featuring a new BSD-like license and built-in
    encryption support. Moved to non-US/main.
  * Copyright file now generated from LICENSE file.
  * Versioned Conflicts and Replaces.
  * Standards-Version: 3.1.1

 -- Santiago Vila  Fri, 18 Aug 2000 19:03:59 +0200

unzip (5.40-1) unstable; urgency=low

  * New upstream release.
  * Removed `email-from-greg'.
  * Fixed URL location in copyright file.
  * Enabled -F option, as suggested by James Aylett.

 -- Santiago Vila  Fri, 22 Oct 1999 10:30:49 +0200

unzip (5.32-1) unstable; urgency=low

  * New upstream release, using pristine source.

 -- Santiago Vila  Tue, 4 Nov 1997 14:19:20 +0100

unzip (5.31-2) unstable; urgency=low

  * Removed debstd dependency.

 -- Santiago Vila  Fri, 17 Oct 1997 17:22:22 +0200

unzip (5.31-1) unstable; urgency=low

  * `copyright' file is generated from COPYING automatically.
  * Distribution unstable, Section non-free.
  * Conflicts and Replaces "unzip-crypt".
  * New upstream release.
  * First libc6 release.
  * Added md5sums.

 -- Santiago Vila  Fri, 12 Sep 1997 19:16:59 +0200

unzip (5.20-3) unstable; urgency=low

  * Changed priority from `extra' to `optional'.
  * Changed section from `misc' to `utils'.
  * Simplified debian/rules a little bit. No debstd yet.
  * Copied `History.520' as is. Added the symlink changelog -> History.520.
  * Added ToDo and BUGS to /usr/doc/unzip.
  * New maintainer.

 -- Santiago Vila  Sun, 16 Feb 1997 19:29:13 +0100

unzip (5.20-2) unstable; urgency=low

  * zipgrep manpage is now installed through the unix/Makefile
  * permissions guaranteed to be set properly for the zipgrep script
    (did not work for those who compiled from the straight sources.)
  * removed several superfluous commands from debian/rules.
  * All changes this revision are courtesy of Santiago Vila.

 -- Stuart Lamble  Wed, 8 Jan 1997 18:48:00 +1100

unzip (5.20-1) unstable; urgency=low

  * new upstream version
  * modified the copyright to include 5.2's COPYING, just in case it's
    changed.
  * minor modifications to debian/rules
  * added zipgrep (from the zip package).

 -- Stuart Lamble  Wed, 13 Nov 1996 19:35:24 +1100

unzip (5.12-15) unstable; urgency=low

  * received email from the upstream maintainers: unzip can now go into
    the distribution proper. Yippee! :-)
  * added the email in question to the copyright file.

 -- Stuart Lamble  Sat, 19 Oct 1996 18:34:21 +1000

unzip (5.12-14) non-free; urgency=low

  * moved to the 2.1.1.0 source format
  * fixed a typo in the Maintainer field (missing the ">". Oops.)

 -- Stuart Lamble  Sun, 1 Sep 1996 07:36:16 +1000

unzip (5.12-13) non-free; urgency=low

  * new maintainer
  * mods to make the "binary" rule portable to different platforms
  * uses dpkg-name rather than manual moving

 -- Stuart Lamble  Tue, 30 Jul 1996 00:00:00 +0000

unzip (5.12-12) non-free; urgency=low

  * initial release (used 2 to avoid confusion with old unzip)

 -- Carl Streeter  Tue, 5 Sep 1995 00:00:00 +0000

debian/source/format:

3.0 (quilt)

debian/patches/01-manpages-in-section-1-not-in-section-1l:

From: Santiago Vila
Subject: In Debian, manpages are in section 1, not in section 1L
X-Debian-version: 5.52-3

--- a/man/funzip.1
+++ b/man/funzip.1
@@ -20,7 +20,7 @@ .in -4n .. .\" ========================================================================= -.TH FUNZIP 1L "20 April 2009 (v3.95)" "Info-ZIP" +.TH FUNZIP 1 "20 April 2009 (v3.95)" "Info-ZIP" .SH NAME funzip \- filter for extracting from a ZIP archive in a pipe .PD @@ -78,7 +78,7 @@ .EE .PP To use \fIzip\fP and \fIfunzip\fP in place of \fIcompress\fP(1) and -\fIzcat\fP(1) (or \fIgzip\fP(1L) and \fIgzcat\fP(1L)) for tape backups: +\fIzcat\fP(1) (or \fIgzip\fP(1) and \fIgzcat\fP(1)) for tape backups: .PP .EX tar cf \- . | zip \-7 | dd of=/dev/nrst0 obs=8k @@ -108,8 +108,8 @@ .PD .\" ========================================================================= .SH "SEE ALSO" -\fIgzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L), \fIzip\fP(1L), -\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) +\fIgzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1), \fIzip\fP(1), +\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) .PD .\" ========================================================================= .SH URL --- a/man/unzip.1 +++ b/man/unzip.1 @@ -20,7 +20,7 @@ .in -4n .. .\" ========================================================================= -.TH UNZIP 1L "20 April 2009 (v6.0)" "Info-ZIP" +.TH UNZIP 1 "20 April 2009 (v6.0)" "Info-ZIP" .SH NAME unzip \- list, test and extract compressed files in a ZIP archive .PD @@ -34,7 +34,7 @@ \fIunzip\fP will list, test, or extract files from a ZIP archive, commonly found on MS-DOS systems. The default behavior (with no options) is to extract into the current directory (and subdirectories below it) all files from the -specified ZIP archive. A companion program, \fIzip\fP(1L), creates ZIP +specified ZIP archive. A companion program, \fIzip\fP(1), creates ZIP archives; both programs are compatible with archives created by PKWARE's \fIPKZIP\fP and \fIPKUNZIP\fP for MS-DOS, but in many cases the program options or default behaviors differ. 
@@ -105,8 +105,8 @@ list of all possible flags. The exhaustive list follows: .TP .B \-Z -\fIzipinfo\fP(1L) mode. If the first option on the command line is \fB\-Z\fP, -the remaining options are taken to be \fIzipinfo\fP(1L) options. See the +\fIzipinfo\fP(1) mode. If the first option on the command line is \fB\-Z\fP, +the remaining options are taken to be \fIzipinfo\fP(1) options. See the appropriate manual page for a description of these options. .TP .B \-A @@ -178,7 +178,7 @@ compressed size and compression ratio figures are independent of the entry's encryption status and show the correct compression performance. (The complete size of the encrypted compressed data stream for zipfile entries is reported -by the more verbose \fIzipinfo\fP(1L) reports, see the separate manual.) +by the more verbose \fIzipinfo\fP(1) reports, see the separate manual.) When no zipfile is specified (that is, the complete command is simply ``\fCunzip \-v\fR''), a diagnostic screen is printed. In addition to the normal header with release date and version, \fIunzip\fP lists the @@ -379,8 +379,8 @@ .TP .B \-N [Amiga] extract file comments as Amiga filenotes. File comments are created -with the \-c option of \fIzip\fP(1L), or with the \-N option of the Amiga port -of \fIzip\fP(1L), which stores filenotes as comments. +with the \-c option of \fIzip\fP(1), or with the \-N option of the Amiga port +of \fIzip\fP(1), which stores filenotes as comments. .TP .B \-o overwrite existing files without prompting. This is a dangerous option, so 
@@ -598,7 +598,7 @@ As suggested by the examples above, the default variable names are UNZIP_OPTS for VMS (where the symbol used to install \fIunzip\fP as a foreign command would otherwise be confused with the environment variable), and UNZIP -for all other operating systems. For compatibility with \fIzip\fP(1L), +for all other operating systems. For compatibility with \fIzip\fP(1), UNZIPOPT is also accepted (don't ask). If both UNZIP and UNZIPOPT are defined, however, UNZIP takes precedence. \fIunzip\fP's diagnostic option (\fB\-v\fP with no zipfile name) can be used to check the values @@ -648,8 +648,8 @@ a password is not known, entering a null password (that is, just a carriage return or ``Enter'') is taken as a signal to skip all further prompting. Only unencrypted files in the archive(s) will thereafter be extracted. (In -fact, that's not quite true; older versions of \fIzip\fP(1L) and -\fIzipcloak\fP(1L) allowed null passwords, so \fIunzip\fP checks each encrypted +fact, that's not quite true; older versions of \fIzip\fP(1) and +\fIzipcloak\fP(1) allowed null passwords, so \fIunzip\fP checks each encrypted file to see if the null password works. This may result in ``false positives'' and extraction errors, as noted above.) .PP @@ -943,8 +943,8 @@ .PD .\" ========================================================================= .SH "SEE ALSO" -\fIfunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipgrep\fP(1L), -\fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) +\fIfunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1), \fIzipgrep\fP(1), +\fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) .PD .\" ========================================================================= .SH URL --- a/man/unzipsfx.1 +++ b/man/unzipsfx.1 
@@ -20,7 +20,7 @@ .in -4n .. .\" ========================================================================= -.TH UNZIPSFX 1L "20 April 2009 (v6.0)" "Info-ZIP" +.TH UNZIPSFX 1 "20 April 2009 (v6.0)" "Info-ZIP" .SH NAME unzipsfx \- self-extracting stub for prepending to ZIP archives .PD @@ -30,7 +30,7 @@ .PD .\" ========================================================================= .SH DESCRIPTION -\fIunzipsfx\fP is a modified version of \fIunzip\fP(1L) designed to be +\fIunzipsfx\fP is a modified version of \fIunzip\fP(1) designed to be prepended to existing ZIP archives in order to form self-extracting archives. Instead of taking its first non-flag argument to be the zipfile(s) to be extracted, \fIunzipsfx\fP seeks itself under the name by which it was invoked @@ -109,7 +109,7 @@ .PD .\" ========================================================================= .SH OPTIONS -\fIunzipsfx\fP supports the following \fIunzip\fP(1L) options: \fB\-c\fP +\fIunzipsfx\fP supports the following \fIunzip\fP(1) options: \fB\-c\fP and \fB\-p\fP (extract to standard output/screen), \fB\-f\fP and \fB\-u\fP (freshen and update existing files upon extraction), \fB\-t\fP (test archive) and \fB\-z\fP (print archive comment). All normal listing options @@ -118,11 +118,11 @@ those creating self-extracting archives may wish to include a short listing in the zipfile comment. .PP -See \fIunzip\fP(1L) for a more complete description of these options. +See \fIunzip\fP(1) for a more complete description of these options. .PD .\" ========================================================================= .SH MODIFIERS -\fIunzipsfx\fP currently supports all \fIunzip\fP(1L) modifiers: \fB\-a\fP +\fIunzipsfx\fP currently supports all \fIunzip\fP(1) modifiers: \fB\-a\fP (convert text files), \fB\-n\fP (never overwrite), \fB\-o\fP (overwrite without prompting), \fB\-q\fP (operate quietly), \fB\-C\fP (match names case-insensitively), \fB\-L\fP (convert uppercase-OS names to lowercase), 
@@ -137,18 +137,18 @@ of course continue to be supported since the zipfile format implies ASCII storage of text files.) .PP -See \fIunzip\fP(1L) for a more complete description of these modifiers. +See \fIunzip\fP(1) for a more complete description of these modifiers. .PD .\" ========================================================================= .SH "ENVIRONMENT OPTIONS" -\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1L) does, +\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1) does, although this is likely to be an issue only for the person creating and -testing the self-extracting archive. See \fIunzip\fP(1L) for details. +testing the self-extracting archive. See \fIunzip\fP(1) for details. .PD .\" ========================================================================= .SH DECRYPTION -Decryption is supported exactly as in \fIunzip\fP(1L); that is, interactively -with a non-echoing prompt for the password(s). See \fIunzip\fP(1L) for +Decryption is supported exactly as in \fIunzip\fP(1); that is, interactively +with a non-echoing prompt for the password(s). See \fIunzip\fP(1) for details. Once again, note that if the archive has no encrypted files there is no reason to use a version of \fIunzipsfx\fP with decryption support; that only adds to the size of the archive. @@ -286,7 +286,7 @@ from anywhere in the user's path. The situation is not known for AmigaDOS, Atari TOS, MacOS, etc. .PP -As noted above, a number of the normal \fIunzip\fP(1L) functions have +As noted above, a number of the normal \fIunzip\fP(1) functions have been removed in order to make \fIunzipsfx\fP smaller: usage and diagnostic info, listing functions and extraction to other directories. Also, only stored and deflated files are supported. The latter limitation is mainly 
@@ -303,17 +303,17 @@ defined as a ``debug hunk.'') There may be compatibility problems between the ROM levels of older Amigas and newer ones. .PP -All current bugs in \fIunzip\fP(1L) exist in \fIunzipsfx\fP as well. +All current bugs in \fIunzip\fP(1) exist in \fIunzipsfx\fP as well. .PD .\" ========================================================================= .SH DIAGNOSTICS \fIunzipsfx\fP's exit status (error level) is identical to that of -\fIunzip\fP(1L); see the corresponding man page. +\fIunzip\fP(1); see the corresponding man page. .PD .\" ========================================================================= .SH "SEE ALSO" -\fIfunzip\fP(1L), \fIunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L), -\fIzipgrep\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) +\fIfunzip\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1), +\fIzipgrep\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) .PD .PD .\" ========================================================================= @@ -330,7 +330,7 @@ .\" ========================================================================= .SH AUTHORS Greg Roelofs was responsible for the basic modifications to UnZip necessary -to create UnZipSFX. See \fIunzip\fP(1L) for the current list of Zip-Bugs +to create UnZipSFX. See \fIunzip\fP(1) for the current list of Zip-Bugs authors, or the file CONTRIBS in the UnZip source distribution for the full list of Info-ZIP contributors. .PD --- a/man/zipgrep.1 +++ b/man/zipgrep.1 @@ -8,7 +8,7 @@ .\" zipgrep.1 by Greg Roelofs. .\" .\" ========================================================================= -.TH ZIPGREP 1L "20 April 2009" "Info-ZIP" +.TH ZIPGREP 1 "20 April 2009" "Info-ZIP" .SH NAME zipgrep \- search files in a ZIP archive for lines matching a pattern .PD 
@@ -21,7 +21,7 @@ .SH DESCRIPTION \fIzipgrep\fP will search files within a ZIP archive for lines matching the given string or pattern. \fIzipgrep\fP is a shell script and requires -\fIegrep\fP(1) and \fIunzip\fP(1L) to function. Its output is identical to +\fIegrep\fP(1) and \fIunzip\fP(1) to function. Its output is identical to that of \fIegrep\fP(1). .PD .\" ========================================================================= @@ -69,8 +69,8 @@ .PD .\" ========================================================================= .SH "SEE ALSO" -\fIegrep\fP(1), \fIunzip\fP(1L), \fIzip\fP(1L), \fIfunzip\fP(1L), -\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) +\fIegrep\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIfunzip\fP(1), +\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) .PD .\" ========================================================================= .SH URL --- a/man/zipinfo.1 +++ b/man/zipinfo.1 @@ -34,7 +34,7 @@ .in -4n .. .\" ========================================================================= -.TH ZIPINFO 1L "20 April 2009 (v3.0)" "Info-ZIP" +.TH ZIPINFO 1 "20 April 2009 (v3.0)" "Info-ZIP" .SH NAME zipinfo \- list detailed information about a ZIP archive .PD @@ -272,7 +272,7 @@ Note that because of limitations in the MS-DOS format used to store file times, the seconds field is always rounded to the nearest even second. For Unix files this is expected to change in the next major releases of -\fIzip\fP(1L) and \fIunzip\fP. +\fIzip\fP(1) and \fIunzip\fP. .PP In addition to individual file information, a default zipfile listing also includes header and trailer lines: 
@@ -361,7 +361,7 @@ As suggested above, the default variable names are ZIPINFO_OPTS for VMS (where the symbol used to install \fIzipinfo\fP as a foreign command would otherwise be confused with the environment variable), and ZIPINFO -for all other operating systems. For compatibility with \fIzip\fP(1L), +for all other operating systems. For compatibility with \fIzip\fP(1), ZIPINFOOPT is also accepted (don't ask). If both ZIPINFO and ZIPINFOOPT are defined, however, ZIPINFO takes precedence. \fIunzip\fP's diagnostic option (\fB\-v\fP with no zipfile name) can be used to check the values @@ -496,8 +496,8 @@ .PP .\" ========================================================================= .SH "SEE ALSO" -\fIls\fP(1), \fIfunzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L), -\fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L) +\fIls\fP(1), \fIfunzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1), +\fIzip\fP(1), \fIzipcloak\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1) .PD .\" ========================================================================= .SH URL debian/patches/15-cve-2015-76970000664000000000000000000000171712614427030012546 0ustar From: Kamil Dudka Date: Mon, 14 Sep 2015 18:24:56 +0200 Subject: fix infinite loop when extracting empty bzip2 data Bug-Debian: https://bugs.debian.org/802160 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339 --- extract.c | 6 ++++++ 1 file changed, 6 insertions(+) Index: unzip-6.0/extract.c =================================================================== --- unzip-6.0.orig/extract.c 2015-10-29 10:32:54.575296433 -0400 +++ unzip-6.0/extract.c 2015-10-29 10:32:54.571296467 -0400 
@@ -2729,6 +2729,12 @@ int repeated_buf_err; bz_stream bstrm; + if (G.incnt <= 0 && G.csize <= 0L) { + /* avoid an infinite loop */ + Trace((stderr, "UZbunzip2() got empty input\n")); + return 2; + } + #if (defined(DLL) && !defined(NO_SLIDE_REDIR)) if (G.redirect_slide) wsize = G.redirect_size, redirSlide = G.redirect_buffer; debian/patches/11-cve-2014-8141-getzip64data0000664000000000000000000001226112453320622015022 0ustar From: sms Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() Bug-Debian: http://bugs.debian.org/773722 Index: unzip-6.0/fileio.c =================================================================== --- unzip-6.0.orig/fileio.c 2015-01-07 16:13:48.643786382 -0500 +++ unzip-6.0/fileio.c 2015-01-07 16:13:48.639786351 -0500 @@ -176,6 +176,8 @@ #endif static ZCONST char Far ExtraFieldTooLong[] = "warning: extra field too long (%d). Ignoring...\n"; +static ZCONST char Far ExtraFieldCorrupt[] = + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; #ifdef WINDLL static ZCONST char Far DiskFullQuery[] = @@ -2295,7 +2297,12 @@ if (readbuf(__G__ (char *)G.extra_field, length) == 0) return PK_EOF; /* Looks like here is where extra fields are read */ - getZip64Data(__G__ G.extra_field, length); + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { + Info(slide, 0x401, ((char *)slide, + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); + error = PK_WARN; + } #ifdef UNICODE_SUPPORT G.unipath_filename = NULL; if (G.UzO.U_flag < 2) { Index: unzip-6.0/process.c =================================================================== --- unzip-6.0.orig/process.c 2015-01-07 16:13:48.643786382 -0500 +++ unzip-6.0/process.c 2015-01-07 16:13:48.639786351 -0500 @@ -1,5 +1,5 @@ /* - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. See the accompanying file LICENSE, version 2009-Jan-02 or later (the contents of which are also included in unzip.h) for terms of use. 
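Review bot: the new early return in UZbunzip2() (hunk @@ -2729 of 15-cve-2015-7697) reports the empty-input condition with the bare literal `return 2;` while the surrounding code base uses named PK_* status codes (PK_OK, PK_ERR, PK_EOF, PK_WARN appear in the neighbouring patches), so either return the named code the caller interprets or comment what 2 means at this call site. The conjunction `G.incnt <= 0 && G.csize <= 0L` is the right test (a member with bytes still buffered or still to read is not empty), but Trace() is a debug-only diagnostic, so a release build skips the member without any user-visible message; if the caller does not already report the status, a warning via the normal Info() path would tell the user why the entry was not extracted.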
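Review bot: in the fileio.c hunk @@ -2295 of 11-cve-2014-8141-getzip64data, `error = PK_WARN;` overwrites whatever `error` already held, so a more severe status set earlier in the same function would be downgraded to a warning; raise it only if lower, e.g. `if (error < PK_WARN) error = PK_WARN;`. The new message also hard-codes EF_PKSZ64 as the block type, which is accurate because getZip64Data() only inspects that block, but the generic `%04x` parameter in ExtraFieldCorrupt means any future caller must take care to pass the id of the block it actually rejected.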
@@ -1895,48 +1895,82 @@ and a 4-byte version of disk start number. Sets both local header and central header fields. Not terribly clever, but it means that this procedure is only called in one place. + + 2014-12-05 SMS. + Added checks to ensure that enough data are available before calling + makeint64() or makelong(). Replaced various sizeof() values with + simple ("4" or "8") constants. (The Zip64 structures do not depend + on our variable sizes.) Error handling is crude, but we should now + stay within the buffer. ---------------------------------------------------------------------------*/ +#define Z64FLGS 0xffff +#define Z64FLGL 0xffffffff + if (ef_len == 0 || ef_buf == NULL) return PK_COOL; Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", ef_len)); - while (ef_len >= EB_HEADSIZE) { + while (ef_len >= EB_HEADSIZE) + { eb_id = makeword(EB_ID + ef_buf); eb_len = makeword(EB_LEN + ef_buf); - if (eb_len > (ef_len - EB_HEADSIZE)) { - /* discovered some extra field inconsistency! */ + if (eb_len > (ef_len - EB_HEADSIZE)) + { + /* Extra block length exceeds remaining extra field length. 
*/ Trace((stderr, "getZip64Data: block length %u > rest ef_size %u\n", eb_len, ef_len - EB_HEADSIZE)); break; } - if (eb_id == EF_PKSZ64) { - + if (eb_id == EF_PKSZ64) + { int offset = EB_HEADSIZE; - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); - offset += sizeof(G.crec.ucsize); + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) + { + if (offset+ 8 > ef_len) + return PK_ERR; + + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); + offset += 8; } - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); - offset += sizeof(G.crec.csize); + + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) + { + if (offset+ 8 > ef_len) + return PK_ERR; + + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); + offset += 8; } - if (G.crec.relative_offset_local_header == 0xffffffff){ + + if (G.crec.relative_offset_local_header == Z64FLGL) + { + if (offset+ 8 > ef_len) + return PK_ERR; + G.crec.relative_offset_local_header = makeint64(offset + ef_buf); - offset += sizeof(G.crec.relative_offset_local_header); + offset += 8; } - if (G.crec.disk_number_start == 0xffff){ + + if (G.crec.disk_number_start == Z64FLGS) + { + if (offset+ 4 > ef_len) + return PK_ERR; + G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); - offset += sizeof(G.crec.disk_number_start); + offset += 4; } +#if 0 + break; /* Expect only one EF_PKSZ64 block. */ +#endif /* 0 */ } - /* Skip this extra field block */ + /* Skip this extra field block. */ ef_buf += (eb_len + EB_HEADSIZE); ef_len -= (eb_len + EB_HEADSIZE); } debian/patches/05-fix-uid-gid-handling0000664000000000000000000000214212055373123014654 0ustar From: sms Subject: Restore uid and gid information when requested Bug-Debian: http://bugs.debian.org/689212 X-Debian-version: 6.0-8 --- a/process.c +++ b/process.c 
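Review bot: in the fileio.c @@ -2295 hunk the failure branch assigns `error = PK_WARN;` unconditionally; if `error` can already hold a more severe status at that point in the function, the assignment lowers it, so raise it only when the current value is below PK_WARN. Also worth stating in the header: processing continues with whatever Zip64 fields getZip64Data() had already stored before it returned PK_ERR (the process.c hunk overwrites G.crec.ucsize before it validates the csize field), so the warning is the only signal that the sizes may be partially updated.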
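Review bot: the four new bounds checks in the getZip64Data() hunk (`if (offset+ 8 > ef_len) return PK_ERR;` and the 4-byte variant for the disk number) test against ef_len, the total remaining extra-field length, rather than against this block's own extent `EB_HEADSIZE + eb_len`. That is enough to stay inside the buffer, which is the stated goal, but an EF_PKSZ64 block whose declared eb_len is shorter than the fields the 0xffffffff flags demand will silently be read from the bytes of the following block; checking against `EB_HEADSIZE + eb_len` (already known to be within ef_len from the `eb_len > (ef_len - EB_HEADSIZE)` test earlier in the loop) rejects such a block instead. The `#if 0` / `break; /* Expect only one EF_PKSZ64 block. */` / `#endif` is dead code: either enable it or drop it, and say in the comment whether a second EF_PKSZ64 block should be honoured.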
@@ -2904,7 +2904,7 @@ #ifdef IZ_HAVE_UXUIDGID if (eb_len >= EB_UX3_MINLEN && z_uidgid != NULL - && (*((EB_HEADSIZE + 0) + ef_buf) == 1) + && (*((EB_HEADSIZE + 0) + ef_buf) == 1)) /* only know about version 1 */ { uch uid_size; @@ -2916,10 +2916,10 @@ flags &= ~0x0ff; /* ignore any previous UNIX field */ if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf, - uid_size, z_uidgid[0]) + uid_size, &z_uidgid[0]) && read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf, - gid_size, z_uidgid[1]) ) + gid_size, &z_uidgid[1]) ) { flags |= EB_UX2_VALID; /* signal success */ } debian/patches/series0000664000000000000000000000061112614427033012034 0ustar 01-manpages-in-section-1-not-in-section-1l 02-branding-patch-this-is-debian-unzip 03-include-unistd-for-kfreebsd 04-handle-pkware-verification-bit 05-fix-uid-gid-handling 06-unzip60-alt-iconv-utf8 09-cve-2014-8139-crc-overflow 10-cve-2014-8140-test-compr-eb 11-cve-2014-8141-getzip64data 12-cve-2014-9636-test-compr-eb 14-cve-2015-7696 15-cve-2015-7697 16-fix-integer-underflow-csiz-decrypted debian/patches/12-cve-2014-9636-test-compr-eb0000664000000000000000000000234512470711727015223 0ustar Description: fix heap overflow via mismatched block sizes Origin: upstream, http://antinode.info/ftp/info-zip/unzip60/extract.c Index: unzip-6.0/extract.c =================================================================== --- unzip-6.0.orig/extract.c 2015-02-17 14:16:15.222079032 -0500 +++ unzip-6.0/extract.c 2015-02-17 14:16:15.218078999 -0500 @@ -2228,6 +2228,7 @@ ulg eb_ucsize; uch *eb_ucptr; int r; + ush eb_compr_method; if (compr_offset < 4) /* field is not compressed: */ return PK_OK; /* do nothing and signal OK */ 
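Review bot: the @@ -2916 hunk changes read_ux3_value()'s last argument from `z_uidgid[0]` / `z_uidgid[1]` to `&z_uidgid[0]` / `&z_uidgid[1]`, i.e. from passing the value to passing the address, and the @@ -2904 hunk supplies the closing parenthesis the `if` condition was missing, but the header only says uid/gid information is "restored". Add a sentence explaining why the values were lost (the callee writes its result through the pointer, and the condition as written could not have compiled with IZ_HAVE_UXUIDGID defined) so the next reader does not have to rediscover it from the one-character diffs.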
@@ -2244,6 +2245,15 @@ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) return IZ_EF_TRUNC; /* no/bad compressed data! */ + /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS. + * For STORE method, compressed and uncompressed sizes must agree. + * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 + */ + eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset)); + if ((eb_compr_method == STORED) && + (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)) + return PK_ERR; + if ( #ifdef INT_16BIT (((ulg)(extent)eb_ucsize) != eb_ucsize) || debian/patches/16-fix-integer-underflow-csiz-decrypted0000664000000000000000000000236612620134374020152 0ustar From: Kamil Dudka Date: Tue, 22 Sep 2015 18:52:23 +0200 Subject: [PATCH] extract: prevent unsigned overflow on invalid input Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 Updated: 2015-11-09 Suggested-by: Stefan Cornelius --- extract.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/extract.c +++ b/extract.c @@ -1257,8 +1257,17 @@ if (G.lrec.compression_method == STORED) { zusz_t csiz_decrypted = G.lrec.csize; - if (G.pInfo->encrypted) + if (G.pInfo->encrypted) { + if (csiz_decrypted < 12) { + /* handle the error now to prevent unsigned overflow */ + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall(ErrUnzipNoFile), + LoadFarString(InvalidComprData), + LoadFarStringSmall2(Inflate))); + return PK_ERR; + } csiz_decrypted -= 12; + } if (G.lrec.ucsize != csiz_decrypted) { Info(slide, 0x401, ((char *)slide, LoadFarStringSmall2(WrnStorUCSizCSizDiff), debian/patches/14-cve-2015-76960000664000000000000000000000211312614427020012532 0ustar 
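Review bot: in the @@ -2244 hunk the STORED consistency test `eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize` is evaluated in the width of eb_ucsize, an ulg read straight from the archive by makelong(); on a build where ulg is 32 bits an eb_ucsize close to 2^32 makes the sum wrap and the equality can hold even though eb_ucsize is far larger than eb_size. Compare in a form that cannot wrap: reject `eb_ucsize > eb_size` first, then test `eb_size - compr_offset - EB_CMPRHEADLEN == eb_ucsize` (the visible context already rejects `eb_size <= compr_offset + EB_CMPRHEADLEN`, so the subtraction cannot underflow).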
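Review bot: two points on the extract.c @@ -1257 hunk. First, the new diagnostic is assembled from LoadFarStringSmall2(Inflate) although the enclosing branch is `G.lrec.compression_method == STORED`, so the user is told inflate failed on a stored member; use the string for the stored method if one exists, or a method-neutral message. Second, the encryption-header length is now a bare 12 in both the test and the subtraction (`csiz_decrypted < 12`, `csiz_decrypted -= 12`), while the crypt.c hunk in this same package uses RAND_HEAD_LEN for that header; one named constant keeps the two in step.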
From: Petr Stodulka Date: Mon, 14 Sep 2015 18:23:17 +0200 Subject: Upstream fix for heap overflow Bug-Debian: https://bugs.debian.org/802162 Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944 Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002 Forwarded: yes --- crypt.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/crypt.c +++ b/crypt.c @@ -465,7 +465,17 @@ GLOBAL(pInfo->encrypted) = FALSE; defer_leftover_input(__G); for (n = 0; n < RAND_HEAD_LEN; n++) { - b = NEXTBYTE; + /* 2012-11-23 SMS. (OUSPG report.) + * Quit early if compressed size < HEAD_LEN. The resulting + * error message ("unable to get password") could be improved, + * but it's better than trying to read nonexistent data, and + * then continuing with a negative G.csize. (See + * fileio.c:readbyte()). + */ + if ((b = NEXTBYTE) == (ush)EOF) + { + return PK_ERR; + } h[n] = (uch)b; Trace((stdout, " (%02x)", h[n])); } debian/patches/10-cve-2014-8140-test-compr-eb0000664000000000000000000000253012470711742015177 0ustar From: sms Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() Bug-Debian: http://bugs.debian.org/773722 Index: unzip-6.0/extract.c =================================================================== --- unzip-6.0.orig/extract.c 2015-02-17 14:17:52.830884764 -0500 +++ unzip-6.0/extract.c 2015-02-17 14:17:52.826884730 -0500 
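Review bot: the early `return PK_ERR;` in the crypt.c @@ -465 hunk leaves the header-reading loop after `defer_leftover_input(__G);` has already run two lines above it, so whatever balancing step follows the loop in the enclosing function is skipped; either undo the deferral before returning or confirm in the header that every caller tolerates the deferred state on PK_ERR. The new comment refers to `HEAD_LEN` while the loop bound is `RAND_HEAD_LEN`; use the real name. The comment also concedes that the resulting message ("unable to get password") is misleading: a compressed size shorter than the encryption header is a data error, not a password problem, so a dedicated message would help users and anyone parsing unzip output in logs.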
@@ -2232,10 +2232,17 @@ if (compr_offset < 4) /* field is not compressed: */ return PK_OK; /* do nothing and signal OK */ + /* Return no/bad-data error status if any problem is found: + * 1. eb_size is too small to hold the uncompressed size + * (eb_ucsize). (Else extract eb_ucsize.) + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. + * 3. eb_ucsize is positive, but eb_size is too small to hold + * the compressed data header. + */ if ((eb_size < (EB_UCSIZE_P + 4)) || - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && - eb_size <= (compr_offset + EB_CMPRHEADLEN))) - return IZ_EF_TRUNC; /* no compressed data! */ + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) + return IZ_EF_TRUNC; /* no/bad compressed data! */ if ( #ifdef INT_16BIT debian/patches/03-include-unistd-for-kfreebsd0000664000000000000000000000055411340246766016275 0ustar From: Aurelien Jarno Subject: #include for kFreeBSD Bug-Debian: http://bugs.debian.org/340693 X-Debian-version: 5.52-8 --- a/unix/unxcfg.h +++ b/unix/unxcfg.h @@ -52,6 +52,7 @@ #include /* off_t, time_t, dev_t, ... */ #include +#include #ifdef NO_OFF_T typedef long zoff_t; debian/patches/02-branding-patch-this-is-debian-unzip0000664000000000000000000000105111340246757017611 0ustar From: Santiago Vila Subject: "Branding patch": UnZip by Debian. Original by Info-ZIP. X-Debian-version: 5.52-5 --- a/unzip.c +++ b/unzip.c @@ -570,8 +570,7 @@ #else /* !VMS */ # ifdef COPYRIGHT_CLEAN static ZCONST char Far UnzipUsageLine1[] = "\ -UnZip %d.%d%d%s of %s, by Info-ZIP. Maintained by C. Spieler. Send\n\ -bug reports using http://www.info-zip.org/zip-bug.html; see README for details.\ +UnZip %d.%d%d%s of %s, by Debian. Original by Info-ZIP.\ \n\n"; # else static ZCONST char Far UnzipUsageLine1[] = "\ debian/patches/09-cve-2014-8139-crc-overflow0000664000000000000000000000367212470711724015156 0ustar 
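Review bot: the @@ -2232 hunk folds three distinct faults into one `return IZ_EF_TRUNC;` (block too short to hold eb_ucsize, eb_ucsize equal to zero, block too short for the compressed-data header); the zero-size case is not a truncation, so any caller that reports IZ_EF_TRUNC as "truncated" will mislabel it. Either return a distinct status for the zero case or explain in the patch header why IZ_EF_TRUNC is reused. The date "2014-12-04 SMS." embedded in item 2 of the numbered comment belongs in the header, not in the list.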
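Review bot: the added `#include` line in the unix/unxcfg.h @@ -52 hunk has lost its header name in this rendering (the angle-bracketed name was evidently stripped, as it was from the Subject line and from the two context includes), so the hunk cannot be checked as shown; the patch header should spell out which header kFreeBSD needs and which symbol it provides, and the actual patch file should be compared before this copy is relied on.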
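Review bot: the replacement usage line in the unzip.c @@ -570 hunk drops "Send bug reports using http://www.info-zip.org/zip-bug.html; see README for details." without putting a Debian pointer in its place, so users of this build lose the only bug-reporting hint in the banner; since the purpose of the branding patch is to redirect reports away from Info-ZIP, the banner should say where Debian wants them instead.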
From: sms Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow Bug-Debian: http://bugs.debian.org/773722 --- a/extract.c +++ b/extract.c @@ -1,5 +1,5 @@ /* - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. See the accompanying file LICENSE, version 2009-Jan-02 or later (the contents of which are also included in unzip.h) for terms of use. @@ -298,6 +298,8 @@ #ifndef SFX static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ + EF block length (%u bytes) invalid (< %d)\n"; static ZCONST char Far InvalidComprDataEAs[] = " invalid compressed data for EAs\n"; # if (defined(WIN32) && defined(NTSD_EAS)) @@ -2023,7 +2025,8 @@ ebID = makeword(ef); ebLen = (unsigned)makeword(ef+EB_LEN); - if (ebLen > (ef_len - EB_HEADSIZE)) { + if (ebLen > (ef_len - EB_HEADSIZE)) + { /* Discovered some extra field inconsistency! */ if (uO.qflag) Info(slide, 1, ((char *)slide, "%-22s ", @@ -2158,11 +2161,19 @@ } break; case EF_PKVMS: - if (makelong(ef+EB_HEADSIZE) != + if (ebLen < 4) + { + Info(slide, 1, + ((char *)slide, LoadFarString(TooSmallEBlength), + ebLen, 4)); + } + else if (makelong(ef+EB_HEADSIZE) != crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), (extent)(ebLen-4))) + { Info(slide, 1, ((char *)slide, LoadFarString(BadCRC_EAs))); + } break; case EF_PKW32: case EF_PKUNIX: debian/patches/06-unzip60-alt-iconv-utf80000664000000000000000000003402412470711720015062 0ustar 
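Review bot: the EF_PKVMS branch in the @@ -2158 hunk now rejects `ebLen < 4` before the `(extent)(ebLen-4)` subtraction and the makelong() read, which closes the underflow; note that, exactly like the existing BadCRC_EAs path, the new TooSmallEBlength branch only prints through Info() and leaves the return status untouched, so a malformed VMS extra block is reported but the entry is still extracted. If that is intended, say so in the header; if not, set the error status here. The TooSmallEBlength format added in the @@ -298 hunk prints the minimum with %d and is passed the literal 4; if the minimum ever becomes a macro, pass the macro so the message cannot drift.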
From: Giovanni Scafora Subject: unzip files encoded with non-latin, non-unicode file names Last-Update: 2015-02-11 Updated 2015-02-11 by Marc Deslauriers to fix buffer overflow in charset_to_intern() Index: unzip-6.0/unix/unix.c =================================================================== --- unzip-6.0.orig/unix/unix.c 2015-02-11 08:46:43.675324290 -0500 +++ unzip-6.0/unix/unix.c 2015-02-11 09:18:04.902081319 -0500 @@ -30,6 +30,9 @@ #define UNZIP_INTERNAL #include "unzip.h" +#include +#include + #ifdef SCO_XENIX # define SYSNDIR #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */ 
@@ -1874,3 +1877,102 @@ } } #endif /* QLZIP */ + + +typedef struct { + char *local_charset; + char *archive_charset; +} CHARSET_MAP; + +/* A mapping of local <-> archive charsets used by default to convert filenames + * of DOS/Windows Zip archives. Currently very basic. */ +static CHARSET_MAP dos_charset_map[] = { + { "ANSI_X3.4-1968", "CP850" }, + { "ISO-8859-1", "CP850" }, + { "CP1252", "CP850" }, + { "UTF-8", "CP866" }, + { "KOI8-R", "CP866" }, + { "KOI8-U", "CP866" }, + { "ISO-8859-5", "CP866" } +}; + +char OEM_CP[MAX_CP_NAME] = ""; +char ISO_CP[MAX_CP_NAME] = ""; + +/* Try to guess the default value of OEM_CP based on the current locale. + * ISO_CP is left alone for now. */ +void init_conversion_charsets() +{ + const char *local_charset; + int i; + + /* Make a guess only if OEM_CP not already set. */ + if(*OEM_CP == '\0') { + local_charset = nl_langinfo(CODESET); + for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++) + if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) { + strncpy(OEM_CP, dos_charset_map[i].archive_charset, + sizeof(OEM_CP)); + break; + } + } +} + +/* Convert a string from one encoding to the current locale using iconv(). + * Be as non-intrusive as possible. If error is encountered during covertion + * just leave the string intact. 
*/ +static void charset_to_intern(char *string, char *from_charset) +{ + iconv_t cd; + char *s,*d, *buf; + size_t slen, dlen, buflen; + const char *local_charset; + + if(*from_charset == '\0') + return; + + buf = NULL; + local_charset = nl_langinfo(CODESET); + + if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1) + return; + + slen = strlen(string); + s = string; + + /* Make sure OUTBUFSIZ + 1 never ends up smaller than FILNAMSIZ + * as this function also gets called with G.outbuf in fileio.c + */ + buflen = FILNAMSIZ; + if (OUTBUFSIZ + 1 < FILNAMSIZ) + { + buflen = OUTBUFSIZ + 1; + } + + d = buf = malloc(buflen); + if(!d) + goto cleanup; + + bzero(buf,buflen); + dlen = buflen - 1; + + if(iconv(cd, &s, &slen, &d, &dlen) == (size_t)-1) + goto cleanup; + strncpy(string, buf, buflen); + + cleanup: + free(buf); + iconv_close(cd); +} + +/* Convert a string from OEM_CP to the current locale charset. */ +inline void oem_intern(char *string) +{ + charset_to_intern(string, OEM_CP); +} + +/* Convert a string from ISO_CP to the current locale charset. */ +inline void iso_intern(char *string) +{ + charset_to_intern(string, ISO_CP); +} Index: unzip-6.0/unix/unxcfg.h =================================================================== --- unzip-6.0.orig/unix/unxcfg.h 2015-02-11 08:46:43.675324290 -0500 +++ unzip-6.0/unix/unxcfg.h 2015-02-11 08:46:43.671324260 -0500 
@@ -228,4 +228,30 @@ /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */ /* and notfirstcall are used by do_wild(). */ + +#define MAX_CP_NAME 25 + +#ifdef SETLOCALE +# undef SETLOCALE +#endif +#define SETLOCALE(category, locale) setlocale(category, locale) +#include + +#ifdef _ISO_INTERN +# undef _ISO_INTERN +#endif +#define _ISO_INTERN(str1) iso_intern(str1) + +#ifdef _OEM_INTERN +# undef _OEM_INTERN +#endif +#ifndef IZ_OEM2ISO_ARRAY +# define IZ_OEM2ISO_ARRAY +#endif +#define _OEM_INTERN(str1) oem_intern(str1) + +void iso_intern(char *); +void oem_intern(char *); +void init_conversion_charsets(void); + #endif /* !__unxcfg_h */ Index: unzip-6.0/unzip.c =================================================================== --- unzip-6.0.orig/unzip.c 2015-02-11 08:46:43.675324290 -0500 +++ unzip-6.0/unzip.c 2015-02-11 08:46:43.675324290 -0500 @@ -327,11 +327,21 @@ -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\ -v verbose, multi-page format\n"; +#ifndef UNIX static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ -h print header line -t print totals for listed files or for all\n\ -z print zipfile comment -T print file times in sortable decimal format\ \n -C be case-insensitive %s\ -x exclude filenames that follow from listing\n"; +#else /* UNIX */ +static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\ + -h print header line -t print totals for listed files or for all\n\ + -z print zipfile comment %c-T%c print file times in sortable decimal format\ +\n %c-C%c be case-insensitive %s\ + -x exclude filenames that follow from listing\n\ + -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ + -I CHARSET specify a character encoding for UNIX and other archives\n"; +#endif /* !UNIX */ #ifdef MORE static ZCONST char Far ZipInfoUsageLine4[] = " -M page output through built-in \"more\"\n"; 
@@ -664,6 +674,17 @@ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ -C match filenames case-insensitively -L make (some) names \ lowercase\n %-42s -V retain VMS version numbers\n%s"; +#elif (defined UNIX) +static ZCONST char Far UnzipUsageLine4[] = "\ +modifiers:\n\ + -n never overwrite existing files -q quiet mode (-qq => quieter)\n\ + -o overwrite files WITHOUT prompting -a auto-convert any text files\n\ + -j junk paths (do not make directories) -aa treat ALL files as text\n\ + -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\ + -C match filenames case-insensitively -L make (some) names \ +lowercase\n %-42s -V retain VMS version numbers\n%s\ + -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\ + -I CHARSET specify a character encoding for UNIX and other archives\n\n"; #else /* !VMS */ static ZCONST char Far UnzipUsageLine4[] = "\ modifiers:\n\ @@ -802,6 +823,10 @@ #endif /* UNICODE_SUPPORT */ +#ifdef UNIX + init_conversion_charsets(); +#endif + #if (defined(__IBMC__) && defined(__DEBUG_ALLOC__)) extern void DebugMalloc(void); @@ -1335,6 +1360,11 @@ argc = *pargc; argv = *pargv; +#ifdef UNIX + extern char OEM_CP[MAX_CP_NAME]; + extern char ISO_CP[MAX_CP_NAME]; +#endif + while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) { s = *argv + 1; while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */ 
@@ -1516,6 +1546,35 @@ } break; #endif /* MACOS */ +#ifdef UNIX + case ('I'): + if (negative) { + Info(slide, 0x401, ((char *)slide, + "error: encodings can't be negated")); + return(PK_PARAM); + } else { + if(*s) { /* Handle the -Icharset case */ + /* Assume that charsets can't start with a dash to spot arguments misuse */ + if(*s == '-') { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } + strncpy(ISO_CP, s, sizeof(ISO_CP)); + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } + s = *argv; + strncpy(ISO_CP, s, sizeof(ISO_CP)); + } + while(*(++s)); /* No params straight after charset name */ + } + break; +#endif /* ?UNIX */ case ('j'): /* junk pathnames/directory structure */ if (negative) uO.jflag = FALSE, negative = 0; 
@@ -1591,6 +1650,35 @@ } else ++uO.overwrite_all; break; +#ifdef UNIX + case ('O'): + if (negative) { + Info(slide, 0x401, ((char *)slide, + "error: encodings can't be negated")); + return(PK_PARAM); + } else { + if(*s) { /* Handle the -Ocharset case */ + /* Assume that charsets can't start with a dash to spot arguments misuse */ + if(*s == '-') { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } + strncpy(OEM_CP, s, sizeof(OEM_CP)); + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -O argument")); + return(PK_PARAM); + } + s = *argv; + strncpy(OEM_CP, s, sizeof(OEM_CP)); + } + while(*(++s)); /* No params straight after charset name */ + } + break; +#endif /* ?UNIX */ case ('p'): /* pipes: extract to stdout, no messages */ if (negative) { uO.cflag = FALSE; Index: unzip-6.0/unzpriv.h =================================================================== --- unzip-6.0.orig/unzpriv.h 2015-02-11 08:46:43.675324290 -0500 +++ unzip-6.0/unzpriv.h 2015-02-11 08:46:43.675324290 -0500 @@ -3008,7 +3008,7 @@ !(((islochdr) || (isuxatt)) && \ ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \ (hostnum) == FS_HPFS_ || \ - ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \ + ((hostnum) == FS_NTFS_ /* && (hostver) == 50 */ )) { \ _OEM_INTERN((string)); \ } else { \ _ISO_INTERN((string)); \ Index: unzip-6.0/zipinfo.c =================================================================== --- unzip-6.0.orig/zipinfo.c 2015-02-11 08:46:43.675324290 -0500 +++ unzip-6.0/zipinfo.c 2015-02-11 08:46:43.675324290 -0500 @@ -457,6 +457,10 @@ int tflag_slm=TRUE, tflag_2v=FALSE; int explicit_h=FALSE, explicit_t=FALSE; +#ifdef UNIX + extern char OEM_CP[MAX_CP_NAME]; + extern char ISO_CP[MAX_CP_NAME]; +#endif #ifdef MACOS uO.lflag = LFLAG; /* reset default on each call */ 
@@ -501,6 +505,35 @@ uO.lflag = 0; } break; +#ifdef UNIX + case ('I'): + if (negative) { + Info(slide, 0x401, ((char *)slide, + "error: encodings can't be negated")); + return(PK_PARAM); + } else { + if(*s) { /* Handle the -Icharset case */ + /* Assume that charsets can't start with a dash to spot arguments misuse */ + if(*s == '-') { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } + strncpy(ISO_CP, s, sizeof(ISO_CP)); + } else { /* -I charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } + s = *argv; + strncpy(ISO_CP, s, sizeof(ISO_CP)); + } + while(*(++s)); /* No params straight after charset name */ + } + break; +#endif /* ?UNIX */ case 'l': /* longer form of "ls -l" type listing */ if (negative) uO.lflag = -2, negative = 0; 
@@ -521,6 +554,35 @@ G.M_flag = TRUE; break; #endif +#ifdef UNIX + case ('O'): + if (negative) { + Info(slide, 0x401, ((char *)slide, + "error: encodings can't be negated")); + return(PK_PARAM); + } else { + if(*s) { /* Handle the -Ocharset case */ + /* Assume that charsets can't start with a dash to spot arguments misuse */ + if(*s == '-') { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -I argument")); + return(PK_PARAM); + } + strncpy(OEM_CP, s, sizeof(OEM_CP)); + } else { /* -O charset */ + ++argv; + if(!(--argc > 0 && *argv != NULL && **argv != '-')) { + Info(slide, 0x401, ((char *)slide, + "error: a valid character encoding should follow the -O argument")); + return(PK_PARAM); + } + s = *argv; + strncpy(OEM_CP, s, sizeof(OEM_CP)); + } + while(*(++s)); /* No params straight after charset name */ + } + break; +#endif /* ?UNIX */ case 's': /* default: shorter "ls -l" type listing */ if (negative) uO.lflag = -2, negative = 0; debian/patches/04-handle-pkware-verification-bit0000664000000000000000000000161511603377142016750 0ustar From: Steven Schweda Subject: Handle the PKWare verification bit of internal attributes Bug-Debian: http://bugs.debian.org/630078 X-Debian-version: 6.0-5 --- a/process.c +++ b/process.c 
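Review bot: both `#include` lines added in the unix.c @@ -30 hunk have lost their header names in this rendering, as has the one in the unxcfg.h @@ -228 hunk, so the build dependencies of charset_to_intern() (iconv_open/iconv/iconv_close and nl_langinfo(CODESET) are used below) cannot be verified from this copy; name the headers in the patch header and check the actual patch file before applying.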
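Review bot: charset_to_intern() in the unix.c @@ -1874 hunk still writes `buflen` bytes into `string` with `strncpy(string, buf, buflen)` while knowing nothing about the capacity of `string`; the 2015-02-11 fix chooses buflen as the smaller of FILNAMSIZ and OUTBUFSIZ + 1 and relies on a comment that every caller's buffer is at least that large. Passing the destination size as a parameter, or asserting the relationship at each call site, would turn that convention into a checked bound. Smaller points in the same hunk: init_conversion_charsets() copies with `strncpy(OEM_CP, ..., sizeof(OEM_CP))`, which does not NUL-terminate when the source fills the buffer; the loop index `i` is an int compared against a sizeof() expression; and `bzero()` is the legacy spelling of memset().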
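Review bot: the unxcfg.h @@ -228 hunk adds prototypes for iso_intern(), oem_intern() and init_conversion_charsets() but no extern declarations for OEM_CP and ISO_CP, which is why the unzip.c @@ -1335 and zipinfo.c @@ -457 hunks each re-declare `extern char OEM_CP[MAX_CP_NAME];` and `extern char ISO_CP[MAX_CP_NAME];` inside function bodies; put the two externs here beside the prototypes so there is one declaration to keep in step with MAX_CP_NAME.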
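Review bot: in the unzip.c @@ -1335 hunk the two extern declarations are inserted after the statements `argc = *pargc;` and `argv = *pargv;`, which is a declaration after a statement; the rest of this code base is written to C89, where that is a compile error, so move the declarations to the top of the block (or, better, to the unxcfg.h header where the related prototypes live).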
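Review bot: in the unzip.c @@ -1516 hunk both branches store the option value with `strncpy(ISO_CP, s, sizeof(ISO_CP))`; a charset name of MAX_CP_NAME (25) characters or more leaves ISO_CP without a terminating NUL, and charset_to_intern() then hands that unterminated array to iconv_open(). Reject names of length >= sizeof(ISO_CP) with the existing "valid character encoding" error, or copy sizeof(ISO_CP) - 1 bytes and terminate explicitly. The same applies to every OEM_CP copy in the three sibling hunks.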
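Review bot: copy-paste slip in the unzip.c @@ -1591 hunk: the `-Ocharset` branch reports "a valid character encoding should follow the -I argument" while the `-O charset` branch a few lines below correctly says "-O argument"; fix the first message. The zipinfo.c @@ -521 hunk repeats the same slip.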
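Review bot: the unzpriv.h @@ -3008 hunk widens the OEM-charset branch from "NTFS and hostver == 50" to every FS_NTFS_ entry by commenting out `&& (hostver) == 50`, which changes how filenames from all NTFS-hosted archives are interpreted, not only when -O is given; nothing in the patch header (Subject: unzip files encoded with non-latin, non-unicode file names) explains why the version test was dropped. Either document which archives motivated it or keep the test and apply the wider rule only when OEM_CP was set explicitly on the command line.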
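Review bot: the zipinfo.c @@ -501 hunk is a verbatim copy of the unzip.c -I parser (and @@ -521 of the -O parser), so four near-identical blocks now have to be kept in step, and the "-I argument" message slip has already propagated to both -O copies. Factor the "option letter plus charset name, attached or as the next argv" logic into one helper in unix/unix.c next to init_conversion_charsets() and call it from both programs, which also gives a single place to enforce the MAX_CP_NAME length limit.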
@@ -1729,6 +1729,13 @@ else if (uO.L_flag > 1) /* let -LL force lower case for all names */ G.pInfo->lcflag = 1; + /* Handle the PKWare verification bit, bit 2 (0x0004) of internal + attributes. If this is set, then a verification checksum is in the + first 3 bytes of the external attributes. In this case all we can use + for setting file attributes is the last external attributes byte. */ + if (G.crec.internal_file_attributes & 0x0004) + G.crec.external_file_attributes &= (ulg)0xff; + /* do Amigas (AMIGA_) also have volume labels? */ if (IS_VOLID(G.crec.external_file_attributes) && (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ || debian/postrm0000664000000000000000000000011611334363414010437 0ustar #!/bin/sh set -e if which update-mime > /dev/null 2>&1; then update-mime fi debian/copyright.in0000664000000000000000000000072411200574412011527 0ustar This is the Debian prepackaged version of "unzip", Info-Zip's fast, portable, zipfile decompression utility. This package is currently maintained by Santiago Vila and built from sources obtained from: ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz The changes were fairly minimal, and consisted solely of adding various debian/* files to the distribution, plus several miscellaneous fixes as reflected in the Debian changelog. 
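Review bot: the comment and the mask in the process.c @@ -1729 hunk disagree on byte order: the comment says the checksum occupies the "first 3 bytes" of external_file_attributes and only the "last" byte is usable, while `&= (ulg)0xff` keeps the low-order byte, which is the first byte of the little-endian field as stored in the archive. If "first" is meant in archive byte order the mask should keep the top byte; if the low byte (the DOS attribute byte) is intended, reword the comment so the two agree. Either way, the header should say which archivers set bit 0x0004 so the change can be tested against a real archive rather than only the bug report.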
Copyright:

debian/mime
application/zip; unzip -l %s; nametemplate=%s.zip; copiousoutput

debian/rules
#!/usr/bin/make -f

package = unzip
docdir = debian/tmp/usr/share/doc/$(package)
history = History.600

CC = gcc

export DEB_BUILD_MAINT_OPTIONS=hardening=-format
CFLAGS := `dpkg-buildflags --get CFLAGS` -Wall
LDFLAGS := `dpkg-buildflags --get LDFLAGS`
CPPFLAGS := `dpkg-buildflags --get CPPFLAGS`

DEFINES = -DACORN_FTYPE_NFS -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT \
	-DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD \
	-DDATE_FORMAT=DF_YMD -DUSE_BZIP2 -DIZ_HAVE_UXUIDGID -DNOMEMCPY \
	-DNO_WORKING_ISPRINT

STRIP = true

DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
CC=$(DEB_HOST_GNU_TYPE)-gcc
STRIPCMD=$(DEB_HOST_GNU_TYPE)-strip
else
STRIPCMD=strip
endif

ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
STRIP = $(STRIPCMD) --remove-section=.comment --remove-section=.note
endif

build:
	$(MAKE) -f unix/Makefile D_USE_BZ2=-DUSE_BZIP2 L_BZ2=-lbz2 \
		CC="$(CC)" LF2="$(LDFLAGS)" \
		CF="$(CFLAGS) $(CPPFLAGS) -I. $(DEFINES)" unzips
	touch build

clean:
	rm -f build
	$(MAKE) -f unix/Makefile clean
	rm -rf *~ debian/tmp debian/*~ debian/files* debian/substvars

binary-indep: build

binary-arch: build
	rm -rf debian/tmp
	install -d debian/tmp/DEBIAN $(docdir)
	cd debian/tmp && install -d usr/bin usr/man/man1 usr/lib/mime/packages
	$(MAKE) -f unix/Makefile install prefix=`pwd`/debian/tmp/usr
	install -m 755 debian/postinst debian/postrm debian/tmp/DEBIAN
	install -m 644 debian/mime debian/tmp/usr/lib/mime/packages/$(package)
	cat debian/copyright.in LICENSE > $(docdir)/copyright
	cp debian/changelog $(docdir)/changelog.Debian
	cp -p History.* BUGS ToDo $(docdir)
	cd $(docdir) && gzip -9 changelog.Debian History.*
	ln -s $(history).gz $(docdir)/changelog.gz
	cd debian/tmp/usr/bin && $(STRIP) funzip unzip unzipsfx zipinfo
	gzip -r9 debian/tmp/usr/man
	cd debian/tmp && mv usr/man usr/share
	dpkg-shlibdeps debian/tmp/usr/bin/unzip
	dpkg-gencontrol
	cd debian/tmp && \
		md5sum `find * -type f ! -regex "DEBIAN/.*"` > DEBIAN/md5sums
	chown -R 0:0 debian/tmp
	chmod -R go=rX debian/tmp
	dpkg --build debian/tmp ..

binary: binary-indep binary-arch

.PHONY: binary binary-arch binary-indep clean