diff --git a/unzip-zipbomb-manpage.patch b/unzip-zipbomb-manpage.patch
new file mode 100644
index 0000000..cdeeea5
--- /dev/null
+++ b/unzip-zipbomb-manpage.patch
@@ -0,0 +1,25 @@
+From 6fe72291a5563cdbcd2bdd87e36528537b7cdcfb Mon Sep 17 00:00:00 2001
+From: Jakub Martisko
+Date: Mon, 18 Nov 2019 14:17:46 +0100
+Subject: [PATCH] update the man page
+
+---
+ man/unzip.1 | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/man/unzip.1 b/man/unzip.1
+index 21816d1..4d66073 100644
+--- a/man/unzip.1
++++ b/man/unzip.1
+@@ -850,6 +850,8 @@ the specified zipfiles were not found.
+ invalid options were specified on the command line.
+ .IP 11
+ no matching files were found.
++.IP 12
++invalid zip file with overlapped components (possible zip bomb).
+ .IP 50
+ the disk is (or was) full during extraction.
+ .IP 51
+--
+2.23.0
+
diff --git a/unzip.spec b/unzip.spec
index 3b99387..eef7d5e 100644
--- a/unzip.spec
+++ b/unzip.spec
@@ -7,7 +7,7 @@ Summary: A utility for unpacking zip files
 Name: unzip
 Version: 6.0
-Release: 45%{?dist}
+Release: 46%{?dist}
 License: BSD
 Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
@@ -67,6 +67,7 @@ Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch
 Patch26: unzip-zipbomb-part1.patch
 Patch27: unzip-zipbomb-part2.patch
 Patch28: unzip-zipbomb-part3.patch
+Patch29: unzip-zipbomb-manpage.patch
 URL: http://www.info-zip.org/UnZip.html
 BuildRequires: bzip2-devel, gcc
@@ -84,35 +85,36 @@ a zip archive.
 %prep
 %setup -q -n unzip60
-%patch1 -p1 -b .bzip2-configure
-%patch2 -p1 -b .exec-shield
-%patch3 -p1 -b .close
-%patch4 -p1 -b .attribs-overflow
-%patch5 -p1 -b .configure
-%patch6 -p1 -b .manpage-fix
-%patch7 -p1 -b .recmatch
-%patch8 -p1 -b .symlink
-%patch9 -p1 -b .caseinsensitive
-%patch10 -p1 -b .format-secure
-%patch11 -p1 -b .valgrind
-%patch12 -p1 -b .x-option
-%patch13 -p1 -b .overflow
-%patch14 -p1 -b .cve-2014-8139
-%patch15 -p1 -b .cve-2014-8140
-%patch16 -p1 -b .cve-2014-8141
-%patch17 -p1 -b .overflow-long-fsize
-%patch18 -p1 -b .heap-overflow-infloop
-%patch19 -p1 -b .utf
-%patch20 -p1 -b .utf-print
-%patch21 -p1 -b .cve-2016-9844
-%patch22 -p1 -b .timestamp
-%patch23 -p1 -b .cve-2018-1000035
-%patch24 -p1 -b .cve-2018-18384
-%patch25 -p1 -b .covscan-1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
 %build
 # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
@@ -132,6 +134,10 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{
 %{_mandir}/*/*
 %changelog
+* Mon Nov 18 2019 Jakub Martisko - 6.0-46
+- Mention the zipbomb exit code in the manpage
+ Related: CVE-2019-13232
+
 * Wed Oct 23 2019 Jakub Martisko - 6.0-45
 - Fix possible zipbomb in unzip
 Resolves: CVE-2019-13232
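Review bot: The `%prep` hunk (`@@ -84,35 +85,36 @@`) drops the `-b .<suffix>` option from `%patch1` through `%patch25`, a change unrelated to the man-page patch and not recorded in the new 6.0-46 changelog entry. Those suffixes (`.cve-2014-8139`, `.cve-2016-9844`, `.cve-2018-1000035`, `.cve-2018-18384`, …) were the only label on each `%patch` line naming the fix it applies, so an auditor now has to cross-reference the `PatchN:` tags, most of which lie outside the visible hunks. I would record the change with a changelog line such as `- Drop -b backup suffixes from %%patch lines` (the doubled `%` keeps rpm from expanding the macro inside `%changelog`). A short comment above the security-related entries would also help, e.g. `# %patch14-16, 21, 23, 24: CVE fixes; %patch26-29: zip bomb (CVE-2019-13232)`.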