Security fixes adopted/reimplemented from Debian:

CVE-2008-0888, CVE-2005-4667, CAN-2005-2475
Enable ACORN_FTYPE_NFS and WILD_STOP_AT_DIR options

PR:             122367
Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
This commit is contained in:
Andrey A. Chernov 2008-04-02 15:04:46 +00:00
parent fe3afaa421
commit d775f2b68c
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=210384
7 changed files with 242 additions and 25 deletions

View file

@ -7,7 +7,7 @@
PORTNAME= unzip
PORTVERSION= 5.52
PORTREVISION= 3
PORTREVISION= 4
CATEGORIES?= archivers
MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ ${MASTER_SITE_TEX_CTAN}
MASTER_SITE_SUBDIR= tools/zip/info-zip/src
@ -27,7 +27,8 @@ CFLAGS+= -D_FILE_OFFSET_BITS=64
.if defined(WITH_UNZIP_UNREDUCE)
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} unreduce_full.zip
EXTRACT_ONLY= ${PORTNAME}552.tar.gz
MAKE_ENV= LOCAL_UNZIP="${CFLAGS} -DUSE_UNSHRINK -DUSE_SMITH_CODE"
MAKE_ENV= LOCAL_UNZIP="${CFLAGS} \
-DUSE_UNSHRINK -DUSE_SMITH_CODE -DACORN_FTYPE_NFS -DWILD_STOP_AT_DIR"
.endif
.ifdef USE_UNZIP

View file

@ -0,0 +1,14 @@
--- unzip-5.52.orig/consts.h
+++ consts.h
@@ -34,9 +34,9 @@
"error: expected central file header signature not found (file #%lu).\n";
ZCONST char Far SeekMsg[] =
"error [%s]: attempt to seek before beginning of zipfile\n%s";
-ZCONST char Far FilenameNotMatched[] = "caution: filename not matched: %s\n";
+ZCONST char Far FilenameNotMatched[] = "caution: filename not matched: %.512s\n";
ZCONST char Far ExclFilenameNotMatched[] =
- "caution: excluded filename not matched: %s\n";
+ "caution: excluded filename not matched: %.512s\n";
#ifdef VMS
ZCONST char Far ReportMsg[] = "\

View file

@ -0,0 +1,14 @@
--- unzip-5.52.orig/fileio.c
+++ fileio.c
@@ -413,7 +413,11 @@
#endif /* NOVELL_BUG_FAILSAFE */
Trace((stderr, "open_outfile: doing fopen(%s) for writing\n",
FnFilter1(G.filename)));
+#if defined(SYMLINKS) || defined(QLZIP)
+ if ((G.outfile = fopen(G.filename, FOPWR)) == (FILE *)NULL) {
+#else
if ((G.outfile = fopen(G.filename, FOPW)) == (FILE *)NULL) {
+#endif
Info(slide, 0x401, ((char *)slide, LoadFarString(CannotCreateFile),
FnFilter1(G.filename)));
return 1;

View file

@ -0,0 +1,50 @@
--- unzip-5.52.orig/inflate.c
+++ inflate.c
@@ -983,6 +983,7 @@
unsigned l; /* last length */
unsigned m; /* mask for bit lengths table */
unsigned n; /* number of lengths to get */
+ struct huft *tlp;
struct huft *tl; /* literal/length code table */
struct huft *td; /* distance code table */
unsigned bl; /* lookup bits for tl */
@@ -996,6 +997,8 @@
int retval = 0; /* error code returned: initialized to "no error" */
+ td = tlp = tl = (struct huft *)NULL;
+
/* make local bit buffer */
Trace((stderr, "\ndynamic block"));
b = G.bb;
@@ -1047,9 +1050,9 @@
while (i < n)
{
NEEDBITS(bl)
- j = (td = tl + ((unsigned)b & m))->b;
+ j = (tlp = tl + ((unsigned)b & m))->b;
DUMPBITS(j)
- j = td->v.n;
+ j = tlp->v.n;
if (j < 16) /* length of code in bits (0..15) */
ll[i++] = l = j; /* save last length in l */
else if (j == 16) /* repeat last length 3 to 6 times */
@@ -1141,6 +1144,7 @@
huft_free(td);
}
huft_free(tl);
+
return retval;
}
@@ -1149,8 +1153,8 @@
cleanup_and_exit:
/* free the decoding tables, return */
- huft_free(tl);
- huft_free(td);
+ if (tl) huft_free(tl);
+ if (td) huft_free(td);
return retval;
}

View file

@ -0,0 +1,30 @@
--- unzip-5.52.orig/process.c
+++ process.c
@@ -74,20 +74,20 @@
/* do_seekable() strings */
# ifdef UNIX
static ZCONST char Far CannotFindZipfileDirMsg[] =
- "%s: cannot find zipfile directory in one of %s or\n\
- %s%s.zip, and cannot find %s, period.\n";
+ "%s: cannot find zipfile directory in one of %.512s or\n\
+ %s%.512s.zip, and cannot find %.512s, period.\n";
static ZCONST char Far CannotFindEitherZipfile[] =
- "%s: cannot find or open %s, %s.zip or %s.\n";
+ "%s: cannot find or open %.512s, %.512s.zip or %.512s.\n";
# else /* !UNIX */
# ifndef AMIGA
static ZCONST char Far CannotFindWildcardMatch[] =
- "%s: cannot find any matches for wildcard specification \"%s\".\n";
+ "%s: cannot find any matches for wildcard specification \"%.512s\".\n";
# endif /* !AMIGA */
static ZCONST char Far CannotFindZipfileDirMsg[] =
- "%s: cannot find zipfile directory in %s,\n\
- %sand cannot find %s, period.\n";
+ "%s: cannot find zipfile directory in %.512s,\n\
+ %sand cannot find %.512s, period.\n";
static ZCONST char Far CannotFindEitherZipfile[] =
- "%s: cannot find either %s or %s.\n";
+ "%s: cannot find either %.512s or %.512s.\n";
# endif /* ?UNIX */
extern ZCONST char Far Zipnfo[]; /* in unzip.c */
#ifndef WINDLL

View file

@ -1,36 +1,114 @@
--- unix/unix.c.orig Sat Feb 26 16:43:42 2005
+++ unix/unix.c Fri Sep 9 14:36:35 2005
@@ -1042,6 +1042,16 @@
--- unzip-5.52.orig/unix/unix.c
+++ unix/unix.c
@@ -1042,8 +1042,6 @@
ush z_uidgid[2];
int have_uidgid_flg;
- fclose(G.outfile);
-
/*---------------------------------------------------------------------------
If symbolic links are supported, allocate storage for a symlink control
structure, put the uncompressed "data" and other required info in it, and
@@ -1063,6 +1061,7 @@
Info(slide, 0x201, ((char *)slide,
"warning: symbolic link (%s) failed: mem alloc overflow\n",
FnFilter1(G.filename)));
+ fclose(G.outfile);
return;
}
@@ -1070,6 +1069,7 @@
Info(slide, 0x201, ((char *)slide,
"warning: symbolic link (%s) failed: no mem\n",
FnFilter1(G.filename)));
+ fclose(G.outfile);
return;
}
slnk_entry->next = NULL;
@@ -1079,11 +1079,10 @@
slnk_entry->fname = slnk_entry->target + ucsize + 1;
strcpy(slnk_entry->fname, G.filename);
- /* reopen the "link data" file for reading */
- G.outfile = fopen(G.filename, FOPR);
+ /* move back to the start of the file to re-read the "link data" */
+ rewind(G.outfile);
- if (!G.outfile ||
- fread(slnk_entry->target, 1, ucsize, G.outfile) != (int)ucsize)
+ if (fread(slnk_entry->target, 1, ucsize, G.outfile) != (int)ucsize)
{
Info(slide, 0x201, ((char *)slide,
"warning: symbolic link (%s) failed\n",
@@ -1115,12 +1114,20 @@
}
#endif
+#if (defined(NO_FCHOWN) || defined(NO_FCHMOD))
+ fclose(G.outfile);
+#endif
+
have_uidgid_flg = get_extattribs(__G__ &(zt.t3), z_uidgid);
/* if -X option was specified and we have UID/GID info, restore it */
if (have_uidgid_flg) {
TTrace((stderr, "close_outfile: restoring Unix UID/GID info\n"));
+#if (defined(NO_FCHOWN) || defined(NO_FCHMOD))
if (chown(G.filename, (uid_t)z_uidgid[0], (gid_t)z_uidgid[1]))
+#else
+ if (fchown(fileno(G.outfile), (uid_t)z_uidgid[0], (gid_t)z_uidgid[1]))
+#endif
{
if (uO.qflag)
Info(slide, 0x201, ((char *)slide,
@@ -1133,6 +1140,18 @@
}
}
+#if (!defined(NO_FCHOWN) && !defined(NO_FCHMOD))
+/*---------------------------------------------------------------------------
+ Change the file permissions from default ones to those stored in the
+ zipfile.
+ ---------------------------------------------------------------------------*/
+
+#ifndef NO_CHMOD
+ if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr)))
+ perror("fchmod (file attributes) error");
+#endif
+ perror("chmod (file attributes) error");
+
fclose(G.outfile);
/*---------------------------------------------------------------------------
@@ -1150,16 +1160,6 @@
" (warning) cannot set times"));
+ fclose(G.outfile);
+#endif /* !NO_FCHOWN && !NO_FCHMOD */
+
/* set the file's access and modification times */
if (utime(G.filename, &(zt.t2))) {
#ifdef AOS_VS
@@ -1151,6 +1170,7 @@
#endif /* ?AOS_VS */
}
-
-/*---------------------------------------------------------------------------
- Change the file permissions from default ones to those stored in the
- zipfile.
- ---------------------------------------------------------------------------*/
-
-#ifndef NO_CHMOD
- if (chmod(G.filename, filtattr(__G__ G.pInfo->file_attr)))
- perror("chmod (file attributes) error");
-#endif
+#if (defined(NO_FCHOWN) || defined(NO_FCHMOD))
/*---------------------------------------------------------------------------
Change the file permissions from default ones to those stored in the
zipfile.
@@ -1160,6 +1180,7 @@
if (chmod(G.filename, filtattr(__G__ G.pInfo->file_attr)))
perror("chmod (file attributes) error");
#endif
+#endif /* NO_FCHOWN || NO_FCHMOD */
} /* end function close_outfile() */
@@ -1640,7 +1661,6 @@
if ((long)LG(dlen) > 0)
{
- G.outfile = fopen(G.filename,"r+");
fseek(G.outfile, -8, SEEK_END);
fread(&ntc, 8, 1, G.outfile);
if(ntc.id != *(long *)"XTcc")
@@ -1650,7 +1670,6 @@
fwrite (&ntc, 8, 1, G.outfile);
}
Info(slide, 0x201, ((char *)slide, "QData = %d", LG(dlen)));
- fclose(G.outfile);
}
return; /* finished, cancel further extra field scanning */
}

View file

@ -0,0 +1,30 @@
--- unzip-5.52.orig/unzpriv.h
+++ unzpriv.h
@@ -1081,6 +1081,7 @@
# define FOPR "r","ctx=stm"
# define FOPM "r+","ctx=stm","rfm=fix","mrs=512"
# define FOPW "w","ctx=stm","rfm=fix","mrs=512"
+# define FOPWR "w+","ctx=stm","rfm=fix","mrs=512"
#endif /* VMS */
#ifdef CMS_MVS
@@ -1117,6 +1118,9 @@
# ifndef FOPWT
# define FOPWT "wt"
# endif
+# ifndef FOPWR
+# define FOPWR "w+b"
+# endif
#else /* !MODERN */
# ifndef FOPR
# define FOPR "r"
@@ -1130,6 +1134,9 @@
# ifndef FOPWT
# define FOPWT "w"
# endif
+# ifndef FOPWR
+# define FOPWR "w+b"
+# endif
#endif /* ?MODERN */
/*