--- /dev/null
+From 170eddb01887e61a581ed1ac78aff05a476bbe59 Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:37:54 +0100
+Subject: [PATCH] fix: heap-based buffer overflow in the CRC32
+ verification
+
+https://nvd.nist.gov/vuln/detail/CVE-2014-8139
+
+CVE: CVE-2014-8139
+---
+ extract.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 1acd769..df0fa1c 100644
+--- a/extract.c
++++ b/extract.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len)
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@ static int TestExtraField(__G__ ef, ef_len)
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
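Review bot: The new `ebLen < 4` branch in the EF_PKVMS case only prints TooSmallEBlength and then breaks, so as far as this hunk shows, a too-short block is reported without changing the status TestExtraField() returns. The existing BadCRC_EAs branch behaves the same way. If callers act on the return value rather than on the message, this branch should also record an error status. The literal `4` appears three times for the CRC field size; a named constant would keep the guard and the `ebLen-4` length in step. The function begins and ends outside the hunk, so the return handling is inferred.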
+--
+
--- /dev/null
+From 03e6da41ba5d588fe072465589a64def3dc4d82b Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:44:08 +0100
+Subject: [PATCH] fix: heap-based buffer overflow in the test_compr_eb
+ function
+
+https://nvd.nist.gov/vuln/detail/CVE-2014-8140
+
+CVE: CVE-2014-8140
+---
+ extract.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index df0fa1c..ec31e60 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2232,10 +2232,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
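Review bot: The `(eb_ucsize > 0L)` test in the third clause is redundant once the `== 0L` clause has been evaluated, assuming eb_ucsize is the unsigned `ulg` declared at the top of test_compr_eb() (outside this hunk). The assignment buried in the second operand also makes the bounds check depend on short-circuit order. Splitting the statement keeps the behaviour and is easier to audit: test `eb_size < (EB_UCSIZE_P + 4)` and return, then `eb_ucsize = makelong(eb + (EB_HEADSIZE + EB_UCSIZE_P));`, then `if (eb_ucsize == 0L || eb_size <= (compr_offset + EB_CMPRHEADLEN)) return IZ_EF_TRUNC;`. Whether eb_size counts the EB_HEADSIZE header is not visible here and is worth stating in the comment.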
+--
+
--- /dev/null
+From 80614f70ca3a8ea0d1163a52ad670b631ac938cd Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:45:21 +0100
+Subject: [PATCH] fix: heap-based buffer overflow in the getZip64Data
+ function
+
+https://nvd.nist.gov/vuln/detail/CVE-2014-8141
+
+CVE: CVE-2014-8141
+---
+ fileio.c | 9 +++++++-
+ process.c | 68 +++++++++++++++++++++++++++++++++++++++++--------------
+ 2 files changed, 59 insertions(+), 18 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index ba0a1d0..36bfea3 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /* return PK-type error code */
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
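Review bot: Processing continues with only `error = PK_WARN` after getZip64Data() fails, but the process.c hunk of this same commit assigns the G.crec/G.lrec size fields one at a time and can return PK_ERR after some of them have already been overwritten. The entry is then handled with a mix of 64-bit values and 0xffffffff placeholders. Consider treating the entry as corrupt rather than warning, or having getZip64Data() commit the fields only after every length check has passed. The assignment also replaces whatever `error` held before; whether a more severe code can be pending at this point is not visible, because do_string() starts and ends outside the hunk.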
+diff --git a/process.c b/process.c
+index 1e9a1e1..e3a3f8c 100644
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
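Review bot: The new guards compare `offset + 8` and `offset + 4` with ef_len, the length of the whole remaining extra field, rather than with the length of the EF_PKSZ64 block being parsed. That keeps the reads inside the buffer, but a block whose eb_len is shorter than the fields it is expected to carry will have the following blocks' bytes read as sizes and offsets. Bounding by the block is stricter and still in-buffer, because eb_len was already checked against ef_len: `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;` (and likewise with 4). Z64FLGS and Z64FLGL are defined inside the function body with no `#undef` in this hunk, so they stay defined for whatever follows in process.c. The function's header and tail are outside the hunk.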
+--
+
--- /dev/null
+From eca24c7ddd296fe8dd112fd89fb288411e407379 Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:46:57 +0100
+Subject: [PATCH] fix: out-of-bounds read or write and crash
+
+https://nvd.nist.gov/vuln/detail/CVE-2014-9636
+
+CVE: CVE-2014-9636
+---
+ extract.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index ec31e60..d816603 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2228,6 +2228,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ /* 2014-11-03 Michal Zalewski, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR;
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
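Review bot: The STORED check compares `eb_size - compr_offset` with eb_ucsize, which appears to count the compression header as payload: the guard just above treats `compr_offset + EB_CMPRHEADLEN` as the point where the compressed-data header ends. If the stored bytes start after that header, a well-formed block is rejected, while a block whose eb_ucsize is EB_CMPRHEADLEN bytes larger than the real payload is accepted, which would leave a short over-read possible. The comparison would then be `if ((eb_compr_method == STORED) && (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))`, which also avoids the unsigned subtraction. This is inferred from the constants visible in the hunk; the block layout is defined outside it.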
+--
+
--- /dev/null
+From adc07e8e4ef9ff263c89d6e8f32ab5222e1a45a0 Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:48:38 +0100
+Subject: [PATCH] fix: heap-based buffer over-read and application crash
+
+https://nvd.nist.gov/vuln/detail/CVE-2015-7696
+
+CVE: CVE-2015-7696
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypt.c b/crypt.c
+index 784e411..a8975f2 100644
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
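Review bot: The end-of-input test `(b = NEXTBYTE) == (ush)EOF` only works if `b` is a 16-bit unsigned variable, and its declaration is outside the hunk. With an `int` b the value -1 would never equal 65535, and the loop would go back to storing `(uch)b` from nonexistent data. A one-line comment such as `/* b is ush: EOF (-1) is stored as 0xFFFF, which no data byte can equal */` would pin that dependency. The comment block also says HEAD_LEN while the loop bound is RAND_HEAD_LEN.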
+--
+
--- /dev/null
+From d354ffc9e0d1920dfc54cf13f1fc5d89405ee3f1 Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:49:12 +0100
+Subject: [PATCH] fix: infinite loop because of an empty bzip2 data
+
+https://nvd.nist.gov/vuln/detail/CVE-2015-7697
+
+CVE: CVE-2015-7697
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index d816603..ad8b3f7 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2728,6 +2728,12 @@ __GDEF
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
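Review bot: The early exit returns a bare `2` and reports the condition only through Trace(), which presumably produces output in debug builds only, so nothing in the hunk tells a reader what `2` means to the caller. Extend the comment to say which failure the caller maps this value to, or use the named PK_ constant if one applies. The comment `/* avoid an infinite loop */` could also name the loop it protects, since the decompression loop itself is outside the hunk.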
+--
+
--- /dev/null
+From 673c5b95e5ead5b83cb81b208fe13a5352ccdafc Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:51:36 +0100
+Subject: [PATCH] fix: error to prevent unsigned overflow
+
+---
+ extract.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index ad8b3f7..17b201f 100644
+--- a/extract.c
++++ b/extract.c
+@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
+ if (G.lrec.compression_method == STORED) {
+ zusz_t csiz_decrypted = G.lrec.csize;
+
+- if (G.pInfo->encrypted)
++ if (G.pInfo->encrypted) {
++ if (csiz_decrypted <= 12) {
++ /* handle the error now to prevent unsigned overflow */
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarStringSmall(ErrUnzipNoFile),
++ LoadFarString(InvalidComprData),
++ LoadFarStringSmall2(Inflate)));
++ return PK_ERR;
++ }
+ csiz_decrypted -= 12;
++ }
+ if (G.lrec.ucsize != csiz_decrypted) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarStringSmall2(WrnStorUCSizCSizDiff),
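Review bot: The guard `csiz_decrypted <= 12` also rejects a compressed size of exactly 12, where `csiz_decrypted -= 12` yields 0 and cannot wrap. An encrypted STORED entry with an empty payload would presumably have exactly that size, so it would now fail with PK_ERR instead of reaching the size comparison below. `if (csiz_decrypted < 12) {` is enough to prevent the wrap. The literal 12 looks like the encryption header length that crypt.c calls RAND_HEAD_LEN; using that constant, if it is visible in extract.c, would document the intent. The error message also passes `Inflate` as the method name although this branch handles STORED entries.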
+--
+
--- /dev/null
+From 2e856c62e68c9f53c232a9d74a210385ab6a3702 Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:52:11 +0100
+Subject: [PATCH] fix: buffer overflow in the list_files function
+
+https://nvd.nist.gov/vuln/detail/CVE-2014-9913
+
+CVE: CVE-2014-9913
+---
+ list.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/list.c b/list.c
+index 15e0011..3a3d1cd 100644
+--- a/list.c
++++ b/list.c
+@@ -339,7 +339,18 @@ int list_files(__G) /* return PK-type error code */
+ G.crec.compression_method == ENHDEFLATED) {
+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
+ } else if (methnum >= NUM_METHODS) {
+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
++ /* 2013-02-26 SMS.
++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the
++ * colon, and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
++ }
+ }
+
+ #if 0 /* GRR/Euro: add this? */
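Review bot: Both sprintf() calls stay within methbuf only if G.crec.compression_method is at most 16 bits wide, because `%04X` sets a minimum field width, not a maximum. The declarations of methbuf and of that field are outside the hunk. Either state the assumption in the comment or make the bound explicit with `sprintf(&methbuf[3], "%04X", (unsigned)(G.crec.compression_method & 0xFFFF));`. The same pattern and the same dependency appear in the zi_short() hunk of the zipinfo.c patch, which writes `%04X` at `&methbuf[0]`.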
+--
+
--- /dev/null
+From 39aef60cc5c9fd870dd4fc26cec4ff5a49e8c559 Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:53:08 +0100
+Subject: [PATCH] fix: buffer overflow in the zi_short function
+
+https://nvd.nist.gov/vuln/detail/CVE-2016-9844
+
+CVE: CVE-2016-9844
+---
+ zipinfo.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/zipinfo.c b/zipinfo.c
+index a92bca9..0148255 100644
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -1921,7 +1921,18 @@ static int zi_short(__G) /* return PK-type error code */
+ ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+ methbuf[3] = dtype[dnum];
+ } else if (methnum >= NUM_METHODS) { /* unknown */
+- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++ /* 2016-12-05 SMS.
++ * https://launchpad.net/bugs/1643750
++ * Unexpectedly large compression methods overflow
++ * &methbuf[]. Use the old, three-digit decimal format
++ * for values which fit. Otherwise, sacrifice the "u",
++ * and use four-digit hexadecimal.
++ */
++ if (G.crec.compression_method <= 999) {
++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++ } else {
++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++ }
+ }
+
+ for (k = 0; k < 15; ++k)
+--
+
+++ /dev/null
---- a/extract.c
-+++ b/extract.c
-@@ -1,5 +1,5 @@
- /*
-- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
-+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
-
- See the accompanying file LICENSE, version 2009-Jan-02 or later
- (the contents of which are also included in unzip.h) for terms of use.
-@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
- #ifndef SFX
- static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
- EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
-+ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
-+ EF block length (%u bytes) invalid (< %d)\n";
- static ZCONST char Far InvalidComprDataEAs[] =
- " invalid compressed data for EAs\n";
- # if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l
- ebID = makeword(ef);
- ebLen = (unsigned)makeword(ef+EB_LEN);
-
-- if (ebLen > (ef_len - EB_HEADSIZE)) {
-+ if (ebLen > (ef_len - EB_HEADSIZE))
-+ {
- /* Discovered some extra field inconsistency! */
- if (uO.qflag)
- Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2158,11 +2161,19 @@ static int TestExtraField(__G__ ef, ef_l
- }
- break;
- case EF_PKVMS:
-- if (makelong(ef+EB_HEADSIZE) !=
-+ if (ebLen < 4)
-+ {
-+ Info(slide, 1,
-+ ((char *)slide, LoadFarString(TooSmallEBlength),
-+ ebLen, 4));
-+ }
-+ else if (makelong(ef+EB_HEADSIZE) !=
- crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
- (extent)(ebLen-4)))
-+ {
- Info(slide, 1, ((char *)slide,
- LoadFarString(BadCRC_EAs)));
-+ }
- break;
- case EF_PKW32:
- case EF_PKUNIX:
--- /dev/null
+From 634103b6311206b8206ef15b076b21fd32fd495f Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:54:43 +0100
+Subject: [PATCH] unix.c: Remove build date
+
+In order to make unzip build reproducibly, we remove the (already optional)
+build date from the binary.
+
+Bug-Debian: https://bugs.debian.org/782851
+---
+ unix/unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/unix.c b/unix/unix.c
+index efa97fc..816e3da 100644
+--- a/unix/unix.c
++++ b/unix/unix.c
+@@ -1705,7 +1705,7 @@ void version(__G)
+ #endif /* Sun */
+ #endif /* SGI */
+
+-#ifdef __DATE__
++#if 0
+ " on ", __DATE__
+ #else
+ "", ""
+--
+
--- /dev/null
+From 3c252bd75cab0e4b6a0983f3353cc4df2c6d2d5c Mon Sep 17 00:00:00 2001
+Date: Mon, 30 Oct 2023 14:55:12 +0100
+Subject: [PATCH] fix: heap-based buffer overflow in the
+ password-protected processing
+
+https://nvd.nist.gov/vuln/detail/CVE-2018-1000035
+
+CVE: CVE-2018-1000035
+---
+ fileio.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index 36bfea3..cb05903 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2017 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1582,6 +1582,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *ep;
++ char *zp;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,9 +1592,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+- sprintf(prompt, LoadFarString(PasswPrompt),
+- FnFilter1(zfn), FnFilter2(efn));
++ zp = FnFilter1( zfn);
++ ep = FnFilter2( efn);
++ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */
++ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
++ if (prompt != (char *)NULL) {
++ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
+ m = prompt;
+ } else
+ m = (char *)LoadFarString(PasswPrompt2);
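Review bot: The allocation size uses `sizeof(PasswPrompt)`, which equals the format string's length only while PasswPrompt is an array visible in fileio.c. If some configuration declares it as a pointer, sizeof yields the pointer size and the sprintf() that follows would overrun the buffer. The declaration is outside the hunk, so a comment recording that assumption would help. The inline comment "Slightly too long" is ambiguous; `/* format + both names; the two "%s" leave 4 spare bytes */` says what is meant. sprintf() itself stays unbounded, so any later change to the prompt's arguments has to keep the size expression in step.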
+--
+
+++ /dev/null
---- a/extract.c
-+++ b/extract.c
-@@ -2232,10 +2232,17 @@ static int test_compr_eb(__G__ eb, eb_si
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-
-+ /* Return no/bad-data error status if any problem is found:
-+ * 1. eb_size is too small to hold the uncompressed size
-+ * (eb_ucsize). (Else extract eb_ucsize.)
-+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
-+ * 3. eb_ucsize is positive, but eb_size is too small to hold
-+ * the compressed data header.
-+ */
- if ((eb_size < (EB_UCSIZE_P + 4)) ||
-- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
-- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
-- return IZ_EF_TRUNC; /* no compressed data! */
-+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
-+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
-+ return IZ_EF_TRUNC; /* no/bad compressed data! */
-
- if (
- #ifdef INT_16BIT
+++ /dev/null
---- a/fileio.c
-+++ b/fileio.c
-@@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
- #endif
- static ZCONST char Far ExtraFieldTooLong[] =
- "warning: extra field too long (%d). Ignoring...\n";
-+static ZCONST char Far ExtraFieldCorrupt[] =
-+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
-
- #ifdef WINDLL
- static ZCONST char Far DiskFullQuery[] =
-@@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
- if (readbuf(__G__ (char *)G.extra_field, length) == 0)
- return PK_EOF;
- /* Looks like here is where extra fields are read */
-- getZip64Data(__G__ G.extra_field, length);
-+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
-+ {
-+ Info(slide, 0x401, ((char *)slide,
-+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
-+ error = PK_WARN;
-+ }
- #ifdef UNICODE_SUPPORT
- G.unipath_filename = NULL;
- if (G.UzO.U_flag < 2) {
---- a/process.c
-+++ b/process.c
-@@ -1,5 +1,5 @@
- /*
-- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
-+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
-
- See the accompanying file LICENSE, version 2009-Jan-02 or later
- (the contents of which are also included in unzip.h) for terms of use.
-@@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
- and a 4-byte version of disk start number.
- Sets both local header and central header fields. Not terribly clever,
- but it means that this procedure is only called in one place.
-+
-+ 2014-12-05 SMS.
-+ Added checks to ensure that enough data are available before calling
-+ makeint64() or makelong(). Replaced various sizeof() values with
-+ simple ("4" or "8") constants. (The Zip64 structures do not depend
-+ on our variable sizes.) Error handling is crude, but we should now
-+ stay within the buffer.
- ---------------------------------------------------------------------------*/
-
-+#define Z64FLGS 0xffff
-+#define Z64FLGL 0xffffffff
-+
- if (ef_len == 0 || ef_buf == NULL)
- return PK_COOL;
-
- Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
- ef_len));
-
-- while (ef_len >= EB_HEADSIZE) {
-+ while (ef_len >= EB_HEADSIZE)
-+ {
- eb_id = makeword(EB_ID + ef_buf);
- eb_len = makeword(EB_LEN + ef_buf);
-
-- if (eb_len > (ef_len - EB_HEADSIZE)) {
-- /* discovered some extra field inconsistency! */
-+ if (eb_len > (ef_len - EB_HEADSIZE))
-+ {
-+ /* Extra block length exceeds remaining extra field length. */
- Trace((stderr,
- "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
- ef_len - EB_HEADSIZE));
- break;
- }
-- if (eb_id == EF_PKSZ64) {
--
-+ if (eb_id == EF_PKSZ64)
-+ {
- int offset = EB_HEADSIZE;
-
-- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
-- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
-- offset += sizeof(G.crec.ucsize);
-+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
-+
-+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
-+ offset += 8;
- }
-- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
-- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
-- offset += sizeof(G.crec.csize);
-+
-+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
-+
-+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
-+ offset += 8;
- }
-- if (G.crec.relative_offset_local_header == 0xffffffff){
-+
-+ if (G.crec.relative_offset_local_header == Z64FLGL)
-+ {
-+ if (offset+ 8 > ef_len)
-+ return PK_ERR;
-+
- G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
-- offset += sizeof(G.crec.relative_offset_local_header);
-+ offset += 8;
- }
-- if (G.crec.disk_number_start == 0xffff){
-+
-+ if (G.crec.disk_number_start == Z64FLGS)
-+ {
-+ if (offset+ 4 > ef_len)
-+ return PK_ERR;
-+
- G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
-- offset += sizeof(G.crec.disk_number_start);
-+ offset += 4;
- }
-+#if 0
-+ break; /* Expect only one EF_PKSZ64 block. */
-+#endif /* 0 */
- }
-
-- /* Skip this extra field block */
-+ /* Skip this extra field block. */
- ef_buf += (eb_len + EB_HEADSIZE);
- ef_len -= (eb_len + EB_HEADSIZE);
- }
+++ /dev/null
---- a/extract.c
-+++ b/extract.c
-@@ -2228,6 +2228,7 @@ static int test_compr_eb(__G__ eb, eb_si
- ulg eb_ucsize;
- uch *eb_ucptr;
- int r;
-+ ush eb_compr_method;
-
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-@@ -2244,6 +2245,14 @@ static int test_compr_eb(__G__ eb, eb_si
- ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
- return IZ_EF_TRUNC; /* no/bad compressed data! */
-
-+ /* 2014-11-03 Michal Zalewski, SMS.
-+ * For STORE method, compressed and uncompressed sizes must agree.
-+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
-+ */
-+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
-+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
-+ return PK_ERR;
-+
- if (
- #ifdef INT_16BIT
- (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
+++ /dev/null
---- a/crypt.c
-+++ b/crypt.c
-@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
- GLOBAL(pInfo->encrypted) = FALSE;
- defer_leftover_input(__G);
- for (n = 0; n < RAND_HEAD_LEN; n++) {
-- b = NEXTBYTE;
-+ /* 2012-11-23 SMS. (OUSPG report.)
-+ * Quit early if compressed size < HEAD_LEN. The resulting
-+ * error message ("unable to get password") could be improved,
-+ * but it's better than trying to read nonexistent data, and
-+ * then continuing with a negative G.csize. (See
-+ * fileio.c:readbyte()).
-+ */
-+ if ((b = NEXTBYTE) == (ush)EOF)
-+ {
-+ return PK_ERR;
-+ }
- h[n] = (uch)b;
- Trace((stdout, " (%02x)", h[n]));
- }
+++ /dev/null
---- a/extract.c
-+++ b/extract.c
-@@ -2728,6 +2728,12 @@ __GDEF
- int repeated_buf_err;
- bz_stream bstrm;
-
-+ if (G.incnt <= 0 && G.csize <= 0L) {
-+ /* avoid an infinite loop */
-+ Trace((stderr, "UZbunzip2() got empty input\n"));
-+ return 2;
-+ }
-+
- #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
- if (G.redirect_slide)
- wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+++ /dev/null
---- a/extract.c
-+++ b/extract.c
-@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G
- if (G.lrec.compression_method == STORED) {
- zusz_t csiz_decrypted = G.lrec.csize;
-
-- if (G.pInfo->encrypted)
-+ if (G.pInfo->encrypted) {
-+ if (csiz_decrypted <= 12) {
-+ /* handle the error now to prevent unsigned overflow */
-+ Info(slide, 0x401, ((char *)slide,
-+ LoadFarStringSmall(ErrUnzipNoFile),
-+ LoadFarString(InvalidComprData),
-+ LoadFarStringSmall2(Inflate)));
-+ return PK_ERR;
-+ }
- csiz_decrypted -= 12;
-+ }
- if (G.lrec.ucsize != csiz_decrypted) {
- Info(slide, 0x401, ((char *)slide,
- LoadFarStringSmall2(WrnStorUCSizCSizDiff),
+++ /dev/null
-Subject: Fix CVE-2014-9913, buffer overflow in unzip
-Bug: https://sourceforge.net/p/infozip/bugs/27/
-Bug-Debian: https://bugs.debian.org/847485
-Bug-Ubuntu: https://launchpad.net/bugs/387350
-X-Debian-version: 6.0-21
-
---- a/list.c
-+++ b/list.c
-@@ -339,7 +339,18 @@ int list_files(__G) /* return PK-type
- G.crec.compression_method == ENHDEFLATED) {
- methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
- } else if (methnum >= NUM_METHODS) {
-- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
-+ /* 2013-02-26 SMS.
-+ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
-+ * Unexpectedly large compression methods overflow
-+ * &methbuf[]. Use the old, three-digit decimal format
-+ * for values which fit. Otherwise, sacrifice the
-+ * colon, and use four-digit hexadecimal.
-+ */
-+ if (G.crec.compression_method <= 999) {
-+ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
-+ } else {
-+ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
-+ }
- }
-
- #if 0 /* GRR/Euro: add this? */
+++ /dev/null
-Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
-Bug-Debian: https://bugs.debian.org/847486
-Bug-Ubuntu: https://launchpad.net/bugs/1643750
-X-Debian-version: 6.0-21
-
---- a/zipinfo.c
-+++ b/zipinfo.c
-@@ -1921,7 +1921,18 @@ static int zi_short(__G) /* return PK-
- ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
- methbuf[3] = dtype[dnum];
- } else if (methnum >= NUM_METHODS) { /* unknown */
-- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
-+ /* 2016-12-05 SMS.
-+ * https://launchpad.net/bugs/1643750
-+ * Unexpectedly large compression methods overflow
-+ * &methbuf[]. Use the old, three-digit decimal format
-+ * for values which fit. Otherwise, sacrifice the "u",
-+ * and use four-digit hexadecimal.
-+ */
-+ if (G.crec.compression_method <= 999) {
-+ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
-+ } else {
-+ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
-+ }
- }
-
- for (k = 0; k < 15; ++k)
+++ /dev/null
-Subject: Remove build date
-Bug-Debian: https://bugs.debian.org/782851
- In order to make unzip build reproducibly, we remove the
- (already optional) build date from the binary.
-
---- a/unix/unix.c
-+++ b/unix/unix.c
-@@ -1705,7 +1705,7 @@ void version(__G)
- #endif /* Sun */
- #endif /* SGI */
-
--#ifdef __DATE__
-+#if 0
- " on ", __DATE__
- #else
- "", ""
+++ /dev/null
---- a/fileio.c
-+++ b/fileio.c
-@@ -1,5 +1,5 @@
- /*
-- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
-+ Copyright (c) 1990-2017 Info-ZIP. All rights reserved.
-
- See the accompanying file LICENSE, version 2009-Jan-02 or later
- (the contents of which are also included in unzip.h) for terms of use.
-@@ -1582,6 +1582,8 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf,
- int r = IZ_PW_ENTERED;
- char *m;
- char *prompt;
-+ char *ep;
-+ char *zp;
-
- #ifndef REENTRANT
- /* tell picky compilers to shut up about "unused variable" warnings */
-@@ -1590,9 +1592,12 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf,
-
- if (*rcnt == 0) { /* First call for current entry */
- *rcnt = 2;
-- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
-- sprintf(prompt, LoadFarString(PasswPrompt),
-- FnFilter1(zfn), FnFilter2(efn));
-+ zp = FnFilter1( zfn);
-+ ep = FnFilter2( efn);
-+ prompt = (char *)malloc( /* Slightly too long (2* "%s"). */
-+ sizeof( PasswPrompt)+ strlen( zp)+ strlen( ep));
-+ if (prompt != (char *)NULL) {
-+ sprintf(prompt, LoadFarString(PasswPrompt), zp, ep);
- m = prompt;
- } else
- m = (char *)LoadFarString(PasswPrompt2);