Tuesday, December 11, 2018

[UPDATE] CVE-2018-10860 archivers/p5-Archive-Zip 1.59 -> 1.64

Hi ports,

Here is an update for Archive::Zip; it also fixes CVE-2018-10860 [1]
(directory traversal).

What's new upstream (full changelog [2]):

- Partial fix for tainted mode (more on this later)
- Year 2030 bug fixed
- Prevents traversing symlinks and parent directories when
extracting (the CVE)

What's new in the port:

- Changed dependencies, some were useless, and added archivers/unzip to
allow full testing.
- Dropped all patches. They don't work with 1.59, and the same can be
said about 1.64. Upstream recognizes [3] that tainted path handling
is bad, the manpage mentions it, so even as an acknowledgment of the
issue, they're no longer useful.

Testing:

- 'make test' passes
- There are consumers: all builds were fine; only net/p5-Net-FTPServer
fails 'make test', because of an OOM error, but that is already the
case currently.

Comments/feedback are welcome :)

Charlène.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10860
[2] https://metacpan.org/changes/distribution/Archive-Zip
[3] https://metacpan.org/pod/release/PHRED/Archive-Zip-1.64/lib/Archive/Zip.pm#TO-DO


Index: Makefile
===================================================================
RCS file: /cvs/ports/archivers/p5-Archive-Zip/Makefile,v
retrieving revision 1.31
diff -u -p -u -p -r1.31 Makefile
--- Makefile 2 Nov 2016 22:28:52 -0000 1.31
+++ Makefile 11 Dec 2018 20:02:06 -0000
@@ -5,16 +5,16 @@ COMMENT = perl interface to ZIP files
MODULES = cpan
PKG_ARCH = *

-DISTNAME = Archive-Zip-1.59
+DISTNAME = Archive-Zip-1.64

CATEGORIES = archivers

# Perl
PERMIT_PACKAGE_CDROM = Yes

-TEST_DEPENDS = archivers/zip \
- devel/p5-Test-MockModule \
- devel/p5-Test-Pod
+TEST_DEPENDS = archivers/unzip \
+ archivers/zip \
+ devel/p5-Test-MockModule

pre-configure:
find ${WRKSRC} -type f -name \*.orig -exec rm {} \;
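Review bot: devel/p5-Test-Pod is dropped from TEST_DEPENDS, but the cover mail only says "some were useless" without naming which; if upstream now skips its pod tests unless an author/release variable is set, a sentence in the log saying so would make the removal self-explanatory. Also, since this diff removes every file under patches/, the pre-configure target kept as context at the end of the hunk (`find ${WRKSRC} -type f -name \*.orig -exec rm {} \;`) only still matters if the 1.64 distfile itself ships *.orig files; check and drop the target if it does not.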
Index: distinfo
===================================================================
RCS file: /cvs/ports/archivers/p5-Archive-Zip/distinfo,v
retrieving revision 1.17
diff -u -p -u -p -r1.17 distinfo
--- distinfo 2 Nov 2016 22:28:52 -0000 1.17
+++ distinfo 11 Dec 2018 20:02:06 -0000
@@ -1,2 +1,2 @@
-SHA256 (Archive-Zip-1.59.tar.gz) = eksbCqQ65yMbsyEuhqtrU4clYl3wboJ3LD2iTIsm510=
-SIZE (Archive-Zip-1.59.tar.gz) = 192151
+SHA256 (Archive-Zip-1.64.tar.gz) = 3l+E8hSAODY9VXsfoz9Y7cIIER94n3KZ/j2PbhG00X0=
+SIZE (Archive-Zip-1.64.tar.gz) = 192005
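Review bot: fine as a checksum bump, but these two lines are the only thing tying the tested 1.64 tarball to what the port will fetch; confirm distinfo was regenerated with `make makesum` against the distfile pulled from the cpan MASTER_SITES rather than edited by hand.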
Index: patches/patch-lib_Archive_Zip_Member_pm
===================================================================
RCS file: patches/patch-lib_Archive_Zip_Member_pm
diff -N patches/patch-lib_Archive_Zip_Member_pm
--- patches/patch-lib_Archive_Zip_Member_pm 2 Nov 2016 22:28:52 -0000 1.3
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,43 +0,0 @@
-$OpenBSD: patch-lib_Archive_Zip_Member_pm,v 1.3 2016/11/02 22:28:52 jasper Exp $
-
-http://rt.cpan.org/Public/Bug/Display.html?id=61930
-
---- lib/Archive/Zip/Member.pm.orig Thu Aug 11 22:06:33 2016
-+++ lib/Archive/Zip/Member.pm Wed Nov 2 20:27:03 2016
-@@ -304,7 +304,7 @@ sub _mapPermissionsToUnix {
- if ($format == FA_AMIGA) {
- $attribs = $attribs >> 17 & 7; # Amiga RWE bits
- $mode = $attribs << 6 | $attribs << 3 | $attribs;
-- return $mode;
-+ return sprintf("%d", $mode);
- }
-
- if ($format == FA_THEOS) {
-@@ -324,7 +324,10 @@ sub _mapPermissionsToUnix {
- || $format == FA_QDOS
- || $format == FA_TANDEM) {
- $mode = $attribs >> 16;
-- return $mode if $mode != 0 or not $self->localExtraField;
-+ if( $mode != 0 or not $self->localExtraField) {
-+ $mode = sprintf("%d", $mode);
-+ return sprintf("%d", $mode);
-+ }
-
- # warn("local extra field is: ", $self->localExtraField, "\n");
-
-@@ -360,9 +363,13 @@ sub _mapPermissionsToUnix {
-
- # keep previous $mode setting when its "owner"
- # part appears to be consistent with DOS attribute flags!
-- return $mode if ($mode & 0700) == (0400 | $attribs << 6);
-+ if( ( $mode & 0700 ) == ( 0400 | $attribs << 6 )) {
-+ $mode = sprintf("%d", $mode);
-+ return sprintf("%d", $mode);
-+ }
- $mode = 0444 | $attribs << 6 | $attribs << 3 | $attribs;
-- return $mode;
-+ $mode = sprintf("%d", $mode);
-+ return sprintf("%d", $mode);
- }
-
- sub unixFileAttributes {
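Review bot: deleting this patch removes the local sprintf("%d") workaround for RT#61930 (the taint-mode problem in _mapPermissionsToUnix, the header URL of the removed patch) without any replacement, and the cover mail itself says the upstream taint fix in 1.64 is only partial and that the TO-DO still lists tainted path handling. The commit message should state plainly that consumers running under -T lose this behaviour, and keep the RT reference so the change can be revisited if upstream finishes the fix.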
Index: patches/patch-t_10_chmod_t
===================================================================
RCS file: patches/patch-t_10_chmod_t
diff -N patches/patch-t_10_chmod_t
--- patches/patch-t_10_chmod_t 20 Nov 2015 15:15:21 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-t_10_chmod_t,v 1.2 2015/11/20 15:15:21 ajacoutot Exp $
-
-http://rt.cpan.org/Public/Bug/Display.html?id=61930
-
---- t/10_chmod.t.orig Wed Jun 17 20:42:51 2015
-+++ t/10_chmod.t Fri Nov 20 16:04:14 2015
-@@ -1,4 +1,4 @@
--#!/usr/bin/perl
-+#!/usr/bin/perl -T
-
- use strict;
-
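Review bot: removing the `-T` that this patch added to the t/10_chmod.t shebang means the chmod test no longer runs under taint mode, so the "'make test' passes" result in the mail no longer exercises the case this patch and the Member.pm one were written for. That is consistent with dropping the Member.pm workaround, but it deserves a line in the log so nobody reads the passing test suite as taint coverage.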

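The traversal the 1.64 update closes is the classic archive-extraction problem: a member whose name carries `..` components or an absolute path, or a member that is a symbolic link, makes a naive extractor write outside the destination directory. The following is an added example for this thread, not code from the port, from Charlène's diff or from Archive::Zip itself. It shows the consumer-side check an application could run before calling `extractMember`, so that an archive of the kind the CVE describes is refused rather than unpacked. It assumes Archive::Zip (the module being updated) is installed; the helper names `unsafe_reasons`, `sample_archive` and `extract_checked` and the member names in the sample archive are the example's own, and the symlink test relies on the file-type bits that Unix-created archives keep in the external attributes.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from the port or from
# Archive::Zip: vet archive members before extracting them, the
# consumer-side counterpart of the traversal fix in Archive::Zip 1.64.
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );
use Fcntl qw( S_ISLNK );

# Reasons a member must not be extracted under the destination tree.
# Returns an empty list when the member looks safe.
sub unsafe_reasons {
    my ($member) = @_;
    my $name = $member->fileName;
    my @why;

    # An absolute name (Unix or Windows style) ignores the destination.
    push @why, 'absolute path' if $name =~ m{^(?:[/\\]|[A-Za-z]:)};

    # A ".." component can climb out of the destination directory.
    push @why, 'parent-directory component'
        if grep { $_ eq '..' } split m{[/\\]}, $name;

    # A symlink member can redirect later writes outside the tree;
    # for Unix-created archives the type bits survive in the
    # external attributes, which unixFileAttributes() exposes.
    push @why, 'symbolic link' if S_ISLNK( $member->unixFileAttributes );

    return @why;
}

# Constructed sample archive, built in memory (not a real distfile):
# one ordinary member and two that a naive extractor would misplace.
sub sample_archive {
    my $zip = Archive::Zip->new();
    $zip->addString( 'hello', 'docs/readme.txt' );
    $zip->addString( 'x',     '../../escape.txt' );
    $zip->addString( 'x',     '/tmp/absolute.txt' );
    return $zip;
}

# Extract the members that pass the check under $dest; return a hash
# of rejected member name => reason so the caller can log them.
sub extract_checked {
    my ( $zip, $dest ) = @_;
    my %rejected;
    for my $m ( $zip->members ) {
        my @why = unsafe_reasons($m);
        if (@why) {
            $rejected{ $m->fileName } = join ', ', @why;
            next;
        }
        $zip->extractMember( $m, "$dest/" . $m->fileName ) == AZ_OK
            or die 'extraction of ' . $m->fileName . " failed\n";
    }
    return \%rejected;
}

# Usage: report what the check rejects; with a directory argument,
# also extract the safe members into that directory.
if (@ARGV) {
    my $rejected = extract_checked( sample_archive(), $ARGV[0] );
    print "rejected $_: $rejected->{$_}\n" for sort keys %$rejected;
}
else {
    for my $m ( sample_archive()->members ) {
        my @why = unsafe_reasons($m);
        printf "%-20s %s\n", $m->fileName, @why ? "REJECT (@why)" : 'ok';
    }
}
```

The check deliberately works on the member name's components rather than on a canonicalised path, because File::Spec's canonpath does not resolve `..`, and the symlink test is applied to every member rather than only to the last one written, since a link extracted early can redirect a later, innocent-looking member. With 1.64, `extractMember` applies its own version of these rules as well; keeping the check in the consumer still helps, because it lets the application refuse the whole archive and log why instead of silently skipping entries.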