From e5d8e0389449ccf21bf3a0c6febd95b09b8bb9b1 Mon Sep 17 00:00:00 2001 From: Jakub Martisko Date: Tue, 26 Nov 2024 13:49:53 +0100 Subject: [PATCH] Fix a sast issue (overlapping strcopy) Resolves: RHEL-44659 --- unzip-6.0-sast.patch | 11 +++++++++++ unzip.spec | 9 ++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 unzip-6.0-sast.patch diff --git a/unzip-6.0-sast.patch b/unzip-6.0-sast.patch new file mode 100644 index 0000000..71b7cb9 --- /dev/null +++ b/unzip-6.0-sast.patch @@ -0,0 +1,11 @@ +--- a/envargs.c 2005-03-04 03:23:38.000000000 +0100 ++++ b/envargs.c 2024-11-26 13:17:22.289650230 +0100 +@@ -118,7 +118,7 @@ + + /* remove escape characters */ + while ((argstart = MBSCHR(argstart, '\\')) != (char *)NULL) { +- strcpy(argstart, argstart + 1); ++ memmove(argstart, argstart + 1, strlen(argstart + 1) + 1); + if (*argstart) + ++argstart; + } diff --git a/unzip.spec b/unzip.spec index c1a1da5..da8dd22 100644 --- a/unzip.spec +++ b/unzip.spec @@ -6,7 +6,7 @@ Summary: A utility for unpacking zip files Name: unzip Version: 6.0 -Release: 67%{?dist} +Release: 68%{?dist} License: Info-ZIP Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -78,6 +78,8 @@ Patch35: unzip-6.0-wcstombs-fortify.patch Patch36: unzip-6.0-fix-warning-messages-on-big-files.patch Patch37: unzip-zipbomb-part7.patch +Patch38: unzip-6.0-sast.patch + URL: http://infozip.sourceforge.net BuildRequires: make BuildRequires: bzip2-devel, gcc @@ -133,6 +135,7 @@ a zip archive. %patch35 -p1 %patch36 -p1 %patch37 -p1 +%patch38 -p1 %build # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X @@ -151,6 +154,10 @@ make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_ %{_mandir}/*/* %changelog +* Tue Nov 26 2024 Jakub Martisko - 6.0-68 +- Fix a sast issue (overlapping strcopy) +Resolves: RHEL-44659 + * Mon Nov 25 2024 Jakub Martisko - 6.0-67 - zipinfo: remove the extra %c that caused invalid reads - zipinfo: fix the whitespaces in the output