From 874f1688f1662bb3baf76021969277cafeea6ea8 Mon Sep 17 00:00:00 2001 From: Petr Stodulka Date: Wed, 4 Jun 2014 17:04:55 +0200 Subject: [PATCH] - fix bug with caseinsensitive matching - #1104018 - fix false positives for build option "-Werror=format-security" --- unzip-6.0-caseinsensitive.patch | 28 ++++++++++ unzip-6.0-format-secure.patch | 90 +++++++++++++++++++++++++++++++++ unzip.spec | 16 +++++- 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 unzip-6.0-caseinsensitive.patch create mode 100644 unzip-6.0-format-secure.patch diff --git a/unzip-6.0-caseinsensitive.patch b/unzip-6.0-caseinsensitive.patch new file mode 100644 index 0000000..8be33a8 --- /dev/null +++ b/unzip-6.0-caseinsensitive.patch @@ -0,0 +1,28 @@ +diff --git a/match.c b/match.c +index 6cd656f..bf92d62 100644 +--- a/match.c ++++ b/match.c +@@ -353,12 +353,12 @@ int cs; /* flag: force case-sensitive matching */ + c = *(p-1); + else + { +- uch cc = (cs ? (uch)*s : case_map((uch)*s)); ++ uch cc = (cs ? (uch)*s : to_up((uch)*s)); + uch uc = (uch) c; + if (*(p+1) != '-') + for (uc = uc ? uc : (uch)*p; uc <= (uch)*p; uc++) + /* compare range */ +- if ((cs ? uc : case_map(uc)) == cc) ++ if ((cs ? uc : to_up(uc)) == cc) + return r ? 0 : recmatch(q + CLEN(q), s + CLEN(s), cs); + c = e = 0; /* clear range, escape flags */ + } +@@ -402,7 +402,7 @@ int cs; /* flag: force case-sensitive matching */ + #endif /* def VMS */ + + /* Just a character--compare it */ +- return (cs ? c == *s : case_map((uch)c) == case_map((uch)*s)) ? ++ return (cs ? c == *s : to_up((uch)c) == to_up((uch)*s)) ? + recmatch(p, s + CLEN(s), cs) : 0; + } + diff --git a/unzip-6.0-format-secure.patch b/unzip-6.0-format-secure.patch new file mode 100644 index 0000000..81cf860 --- /dev/null +++ b/unzip-6.0-format-secure.patch @@ -0,0 +1,90 @@ +diff --git a/extract.c b/extract.c +index eeb2f57..a0a4929 100644 +--- a/extract.c ++++ b/extract.c +@@ -472,8 +472,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + */ + Info(slide, 0x401, ((char *)slide, + LoadFarString(CentSigMsg), j + blknum*DIR_BLKSIZ + 1)); +- Info(slide, 0x401, ((char *)slide, +- LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; + } + reached_end = TRUE; /* ...so no more left to do */ +@@ -752,8 +752,8 @@ int extract_or_test_files(__G) /* return PK-type error code */ + + #ifndef SFX + if (no_endsig_found) { /* just to make sure */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); +- Info(slide, 0x401, ((char *)slide, LoadFarString(ReportMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(ReportMsg))); + if (!error_in_archive) /* don't overwrite stronger error */ + error_in_archive = PK_WARN; + } +diff --git a/list.c b/list.c +index 15e0011..f7359c3 100644 +--- a/list.c ++++ b/list.c +@@ -181,7 +181,7 @@ int list_files(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -507,7 +507,8 @@ int list_files(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + +@@ -591,7 +592,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + return PK_BADERR; /* sig not found */ + } + } +@@ -674,7 +675,7 @@ int get_time_stamp(__G__ last_modtime, nmember) /* return PK-type error code */ + ---------------------------------------------------------------------------*/ + + if (memcmp(G.sig, end_central_sig, 4)) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; + } + if (*nmember == 0L && error_in_archive <= PK_WARN) +diff --git a/zipinfo.c b/zipinfo.c +index 6e22cc8..ac5c61b 100644 +--- a/zipinfo.c ++++ b/zipinfo.c +@@ -771,7 +771,7 @@ int zipinfo(__G) /* return PK-type error code */ + Info(slide, 0x401, + ((char *)slide, LoadFarString(CentSigMsg), j)); + Info(slide, 0x401, +- ((char *)slide, LoadFarString(ReportMsg))); ++ ((char *)slide,"%s", LoadFarString(ReportMsg))); + error_in_archive = PK_BADERR; /* sig not found */ + break; + } +@@ -960,7 +960,8 @@ int zipinfo(__G) /* return PK-type error code */ + && (!G.ecrec.is_zip64_archive) + && (memcmp(G.sig, end_central_sig, 4) != 0) + ) { /* just to make sure again */ +- Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg))); ++ Info(slide, 0x401, ++ ((char *)slide,"%s", LoadFarString(EndSigMsg))); + error_in_archive = PK_WARN; /* didn't find sig */ + } + diff --git a/unzip.spec b/unzip.spec index 8890285..394ddbf 100644 --- a/unzip.spec +++ b/unzip.spec @@ -1,7 +1,7 @@ Summary: A utility for unpacking zip files Name: unzip Version: 6.0 -Release: 12%{?dist} +Release: 13%{?dist} License: BSD Group: Applications/Archiving Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -24,6 +24,11 @@ Patch6: unzip-6.0-manpage-fix.patch Patch7: unzip-6.0-fix-recmatch.patch # Update process.c Patch8: unzip-6.0-symlink.patch +# change using of macro "case_map" by "to_up" +Patch9: unzip-6.0-caseinsensitive.patch +# downstream fix for "-Werror=format-security" +# upstream doesn't want hear about this option again +Patch10: unzip-6.0-format-secure.patch URL: http://www.info-zip.org/UnZip.html BuildRequires: bzip2-devel @@ -48,6 +53,8 @@ a zip archive. %patch6 -p1 -b .manpage-fix %patch7 -p1 -b .recmatch %patch8 -p1 -b .symlink +%patch9 -p1 -b .caseinsensitive +%patch10 -p1 -b .format-secure %build make -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS" generic_gcc %{?_smp_mflags} @@ -63,6 +70,13 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{ %{_mandir}/*/* %changelog +* Wed Jun 04 2014 Petr Stodulka - 6.0-13 +- Solve problem with non-functional case-insensitive matching + (#1104018) +- Added patch for build option "-Werror=format-security" + However solve only false positives - here is not really + vulnerable print. + * Mon Oct 21 2013 Petr Stodulka - 6.0.-12 - Solve problem with symlink errors in archive with many files (#740012,#972427)