Thursday, November 12, 2020

archivers/unzip: add another patch for CVE-2019-13232

As noted in the comments of the GitHub commit referenced in the
existing patches:

https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c

There is another commit needed that fixes erroneous "bomb" detection
on legitimate zip files, like one that I'm trying to work with for a
port distfile.

https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc


Index: Makefile
===================================================================
RCS file: /cvs/ports/archivers/unzip/Makefile,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 Makefile
--- Makefile 11 Mar 2020 21:57:31 -0000 1.65
+++ Makefile 12 Nov 2020 18:01:37 -0000
@@ -7,7 +7,7 @@ COMMENT = extract, list & test files in
VERSION = 6.0
DISTNAME = unzip${VERSION:S/.//}
PKGNAME = unzip-${VERSION}
-REVISION = 13
+REVISION = 14
CATEGORIES = archivers
MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=infozip/} \
ftp://ftp.info-zip.org/pub/infozip/src/
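Review bot: the REVISION bump from 13 to 14 is required here, since the change to patches/patch-extract_c alters extract.c in the built package and a new package version is what lets installed systems pick it up; nothing else in this hunk needs changing.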
Index: patches/patch-extract_c
===================================================================
RCS file: /cvs/ports/archivers/unzip/patches/patch-extract_c,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 patch-extract_c
--- patches/patch-extract_c 11 Mar 2020 21:57:32 -0000 1.3
+++ patches/patch-extract_c 12 Nov 2020 18:01:37 -0000
@@ -14,6 +14,7 @@ Fix CVE-2015-7697: infinite loop when ex
https://bugzilla.redhat.com/attachment.cgi?id=1073339
Fix CVE-2019-13232: a zip bomb using overlapped entries
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
+https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc

Index: extract.c
--- extract.c.orig
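Review bot: the new URL placed directly under the existing commit link carries no description, so a reader of the patch file cannot tell what the second commit changes or why it is listed next to the CVE-2019-13232 fix. The message above says it fixes erroneous bomb detection on legitimate archives, so add a one-line summary in the style of the surrounding header, e.g. `Follow-up: fix erroneous "bomb" detection on legitimate zip files` above the second URL.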
@@ -165,12 +166,15 @@ Index: extract.c
/**************************************/
/* Function extract_or_test_files() */
/**************************************/
-@@ -374,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type er
+@@ -374,6 +495,42 @@ int extract_or_test_files(__G) /* return PK-type er
}
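Review bot: the header rewrite from `@@ -374,6 +495,29 @@` to `@@ -374,6 +495,42 @@` advertises 13 added lines in the extract_or_test_files() hunk, but those lines do not appear in this diff (the outer hunk counts `-165,12 +166,15` also promise more than the few lines shown), so the body of the backported change cannot be reviewed here. Before committing, confirm that the regenerated patch-extract_c applies cleanly to unzip 6.0 (`make patch` followed by `make update-patches` in the port directory) and that the added lines correspond to upstream commit 6d351831 rather than a hand-edited copy.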
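For readers unfamiliar with what the CVE-2019-13232 fix guards against, the following is an added example (not unzip's code, and not from the original post or from the madler/unzip commits) of the overlapped-entry pattern named in the patch header: it builds a constructed zip whose central directory holds several entries that all point at the same local header, and a detector that walks the central directory and flags any two entries whose local-header-plus-data spans overlap. The helper names (`find_overlaps`, `entry_spans`, `legit_zip`, `overlapped_zip`) are assumptions for this example, and the check is deliberately simpler than unzip's own bookkeeping (it ignores data descriptors and the central directory's own position), so it illustrates the idea rather than reproducing the upstream logic or the false positive the second commit addresses.

```python
import io
import struct
import zipfile
import zlib

# Constructed example; not unzip's code. Record signatures are from the ZIP
# application note: local file header, central directory header, end of central
# directory (EOCD).
EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"


def central_directory(data):
    """Yield (name, local_header_offset, compressed_size) for each entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    fields = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    n_total, cd_offset = fields[4], fields[6]
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory header at {pos}")
        cd = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        csize, nlen, xlen, clen, local_off = cd[8], cd[10], cd[11], cd[12], cd[16]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield name, local_off, csize
        pos += 46 + nlen + xlen + clen


def entry_spans(data):
    """Return [(start, end, name)] covering each entry's local header and data."""
    spans = []
    for name, off, csize in central_directory(data):
        if data[off:off + 4] != LOCAL_SIG:
            raise ValueError(f"{name}: no local header at offset {off}")
        lh = struct.unpack("<4sHHHHHIIIHH", data[off:off + 30])
        nlen, xlen = lh[9], lh[10]
        # Compressed size comes from the central directory: the local header may
        # carry zeros when a data descriptor follows the data.
        spans.append((off, off + 30 + nlen + xlen + csize, name))
    return spans


def find_overlaps(data):
    """Return (name_a, name_b) pairs whose spans overlap; [] for a sane archive."""
    spans = sorted(entry_spans(data))
    return [(n1, n2) for (s1, e1, n1), (s2, _e2, n2) in zip(spans, spans[1:]) if s2 < e1]


def legit_zip():
    """Constructed ordinary archive: two entries written back to back by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
        zf.writestr("b.txt", b"world " * 100)
    return buf.getvalue()


def overlapped_zip(copies=5):
    """Constructed overlapped-entry archive: one stored local entry, `copies`
    central directory entries that all claim local header offset 0."""
    payload = b"A" * 4096
    crc = zlib.crc32(payload)
    local_name = b"shared.bin"
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc,
                                    len(payload), len(payload), len(local_name), 0)
    body = local + local_name + payload
    cdir = b""
    for i in range(copies):
        name = f"entry{i}.bin".encode()
        cdir += CDIR_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc,
                                       len(payload), len(payload), len(name),
                                       0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, copies, copies, len(cdir), len(body), 0)
    return body + cdir + eocd


if __name__ == "__main__":
    print("legit:", find_overlaps(legit_zip()))
    print("overlapped:", find_overlaps(overlapped_zip()))
```

Every central directory entry in the constructed bomb points at the same 4 KiB of stored data, so the archive claims five times the content it actually holds; a real bomb scales that to many thousands of entries. The detector only compares entry spans, which is why a legitimate archive with trailing data or an unusually placed central directory is not flagged by this simplified check, whereas the stricter accounting in unzip needed the follow-up commit referenced above.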
