SOURCES/unzip-6.0-COVSCAN-strcpy-with-overlapping-strings.patch

@@ -1,34 +0,0 @@
-From 8f6be666289211661906922cdfe6ea5a08c5b458 Mon Sep 17 00:00:00 2001
-From: Jakub Martisko <jamartis@redhat.com>
-Date: Tue, 13 Nov 2018 09:57:43 +0100
-Subject: [PATCH] envargs.c: strcpy with overlapping strings
-
----
- envargs.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/envargs.c b/envargs.c
-index f0a230d..daa3e47 100644
---- a/envargs.c
-+++ b/envargs.c
-@@ -31,6 +31,7 @@
- #define __ENVARGS_C     /* identifies this source module */
- #define UNZIP_INTERNAL
- #include "unzip.h"
-+#include <string.h>
- 
- #ifdef __EMX__          /* emx isspace() returns TRUE on extended ASCII !! */
- #  define ISspace(c) ((c) & 0x80 ? 0 : isspace((unsigned)c))
-@@ -118,7 +119,8 @@ int envargs(Pargc, Pargv, envstr, envstr2)
- 
-             /* remove escape characters */
-             while ((argstart = MBSCHR(argstart, '\\')) != (char *)NULL) {
--                strcpy(argstart, argstart + 1);
-+                //strcpy(argstart, argstart + 1);
-+		memmove(argstart, argstart + 1,strlen(argstart + 1) + 1);
-                 if (*argstart)
-                     ++argstart;
-             }
--- 
-2.14.5
-

SOURCES/unzip-6.0-alt-iconv-utf8.patch

@@ -174,8 +174,8 @@ Index: unzip-6.0/unzip.c
 +#else /* UNIX */
 +static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
 +  -h  print header line       -t  print totals for listed files or for all\n\
-+  -z  print zipfile comment  %c-T%c print file times in sortable decimal format\
++  -z  print zipfile comment   -T  print file times in sortable decimal format\n\
-+\n %c-C%c be case-insensitive   %s\
++  -C  be case-insensitive   %s\
 +  -x  exclude filenames that follow from listing\n\
 +  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\
 +  -I CHARSET  specify a character encoding for UNIX and other archives\n";

SOURCES/unzip-zipbomb-switch.patch

@@ -140,29 +140,14 @@ index 878817d..3e58071 100644
          /* skip over data descriptor (harder than it sounds, due to signature
           * ambiguity)
           */
-@@ -2189,16 +2196,16 @@ static int extract_or_test_member(__G)    /* return PK-type error code */
+@@ -2189,6 +2196,7 @@ static int extract_or_test_member(__G)    /* return PK-type error code */
-               ((G.lrec.csize & LOW) != SIG ||   /* if not SIG, have signature */
+             shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
-                (ulen == SIG &&                  /* if not SIG, no signature */
-                 (G.pInfo->zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
--                                                /* if not SIG, have signature */
-+                /* if not SIG, have signature */
-                 )))))
--                   /* skip four more bytes to account for signature */
--                   shy += 4 - readbuf((char *)buf, 4);
-+          /* skip four more bytes to account for signature */
-+          shy += 4 - readbuf((char *)buf, 4);
-         if (G.pInfo->zip64)
--            shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
-+          shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
          if (shy)
--            error = PK_ERR;
+             error = PK_ERR;
-+          error = PK_ERR;
 +      }
      }
--
-     return error;
  
- } /* end function extract_or_test_member() */
+     return error;
 diff --git a/unzip.c b/unzip.c
 index 8dbfc95..abb3644 100644
 --- a/unzip.c

SPECS/unzip.spec

@@ -7,9 +7,8 @@
 Summary: A utility for unpacking zip files
 Name: unzip
 Version: 6.0
-Release: 47%{?dist}
+Release: 58%{?dist}
 License: BSD
-Group: Applications/Archiving
 Source: http://downloads.sourceforge.net/infozip/unzip60.tar.gz
 
 # Not sent to upstream.
@@ -59,27 +58,26 @@ Patch22: unzip-6.0-timestamp.patch
 
 # fix possible heap based stack overflow in passwd protected files
 Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+
 Patch24: unzip-6.0-cve-2018-18384.patch
+
+# covscan issues
 Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch
 
+Patch26: unzip-zipbomb-part1.patch
+Patch27: unzip-zipbomb-part2.patch
+Patch28: unzip-zipbomb-part3.patch
+Patch29: unzip-zipbomb-manpage.patch
+Patch30: unzip-zipbomb-part4.patch
+Patch31: unzip-zipbomb-part5.patch
+Patch32: unzip-zipbomb-part6.patch
+Patch33: unzip-zipbomb-switch.patch
 
-Patch26: unzip-6.0-COVSCAN-strcpy-with-overlapping-strings.patch
+Patch34: unzip-6.0-fix-warning-messages-on-big-files.patch
 
-#zipbomb related patches (CVE-2019-13232)
-Patch27: unzip-zipbomb-part1.patch
-Patch28: unzip-zipbomb-part2.patch
-Patch29: unzip-zipbomb-part3.patch
-Patch30: unzip-zipbomb-manpage.patch
-
-Patch31: unzip-zipbomb-part4.patch
-Patch32: unzip-zipbomb-part5.patch
-Patch33: unzip-zipbomb-part6.patch
-
-Patch34: unzip-zipbomb-switch.patch
-
-Patch35: unzip-6.0-fix-warning-messages-on-big-files.patch
 URL: http://www.info-zip.org/UnZip.html
-BuildRequires:  bzip2-devel
+BuildRequires: make
+BuildRequires:  bzip2-devel, gcc
 
 %description
 The unzip utility is used to list, test, or extract files from a zip
@@ -94,104 +92,138 @@ a zip archive.
 
 %prep
 %setup -q -n unzip60
-%patch1 -p1 -b .bzip2-configure
+%patch1 -p1
-%patch2 -p1 -b .exec-shield
+%patch2 -p1
-%patch3 -p1 -b .close
+%patch3 -p1
-%patch4 -p1 -b .attribs-overflow
+%patch4 -p1
-%patch5 -p1 -b .configure
+%patch5 -p1
-%patch6 -p1 -b .manpage-fix
+%patch6 -p1
-%patch7 -p1 -b .recmatch
+%patch7 -p1
-%patch8 -p1 -b .symlink
+%patch8 -p1
-%patch9 -p1 -b .caseinsensitive
+%patch9 -p1
-%patch10 -p1 -b .format-secure
+%patch10 -p1
-%patch11 -p1 -b .valgrind
+%patch11 -p1
-%patch12 -p1 -b .x-option
+%patch12 -p1
-%patch13 -p1 -b .overflow
+%patch13 -p1
-%patch14 -p1 -b .cve-2014-8139
+%patch14 -p1
-%patch15 -p1 -b .cve-2014-8140
+%patch15 -p1
-%patch16 -p1 -b .cve-2014-8141
+%patch16 -p1
-%patch17 -p1 -b .overflow-long-fsize
+%patch17 -p1
-%patch18 -p1 -b .heap-overflow-infloop
+%patch18 -p1
-%patch19 -p1 -b .utf
+%patch19 -p1
-%patch20 -p1 -b .utf-print
+%patch20 -p1
-%patch21 -p1 -b .cve-2016-9844
+%patch21 -p1
-%patch22 -p1 -b .timestamp
+%patch22 -p1
-%patch23 -p1 -b .cve-2018-1000035
+%patch23 -p1
-%patch24 -p1 -b .cve-2018-18384
+%patch24 -p1
+%patch25 -p1
 
-%patch25 -p1 -b .covscan1 
+%patch26 -p1
-%patch26 -p1 -b .covscan2
+%patch27 -p1
-
+%patch28 -p1
-%patch27 -p1 -b .zipbomb1
+%patch29 -p1
-%patch28 -p1 -b .zipbomb2
-%patch29 -p1 -b .zipbomb3
 %patch30 -p1
-
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
-%patch35 -p1
 
 %build
+# Use the C implementation of CRC instead of assembly (only on i386, other architectures use C by default)
+sed -i -e 's:-DASM_CRC::g' unix/configure
+sed -i -e 's:CRC32OA="crc_gcc.o":CRC32OA="":g' unix/configure
+
 # IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
 # NOMEMCPY solve problem with memory overlapping - decomression is slowly,
 # but successfull.
-make -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS -DNOMEMCPY -DIZ_HAVE_UXUIDGID -DNO_LCHMOD" \
+%make_build -f unix/Makefile CF_NOOPT="-I. -DUNIX $RPM_OPT_FLAGS -DNOMEMCPY -DIZ_HAVE_UXUIDGID -DNO_LCHMOD" \
-                      LFLAGS2="%{?__global_ldflags}" generic_gcc %{?_smp_mflags}
+                      LFLAGS2="%{?__global_ldflags}" generic_gcc
 
 %install
 rm -rf $RPM_BUILD_ROOT
 make -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT/%{_mandir}/man1 INSTALL="cp -p" install
 
 %files
-%defattr(-,root,root)
 %license LICENSE COPYING.OLD
 %doc README BUGS
 %{_bindir}/*
 %{_mandir}/*/*
 
 %changelog
-* Wed Jul 03 2024 Jakub Martisko <jamartis@redhat.com> - 6.0-47
+* Tue Sep 24 2024 Matteo Croce <teknoraver@meta.com> - 6.0-58
+- Fix obscure invalid memory access in zipinfo
+Resolves: RHEL-60054
+
+* Wed Jul 03 2024 Jakub Martisko <jamartis@redhat.com> - 6.0-57
 - Fix: Unzip Fails on Large Zip Files
 - Use the patch from Debian dealing with this
-Resolves: RHEL-45997
+Resolves: RHEL-45994
 
-* Thu Dec 16 2021 Jakub Martisko <jamartis@redhat.com> - 6.0-46
+* Wed Jan 26 2022 Jakub Martisko <jamartis@redhat.com> - 6.0-56
-- Add environment variable that disables the zipbomb detection
+- Use the C crc implementation instead of the asm (i686 only, other arches already use C)
-- Resolves: rhbz#2020320
+Related: rhbz#2045075
 
-* Tue Nov 24 2020 Jakub Martisko <jamartis@redhat.com> - 6.0-45
+* Wed Jan 05 2022 Jakub Martisko <jamartis@redhat.com> - 6.0-55
-Fix a false positive zipbomb detection
+- Rebuild with the gating tests enabled
-Related: 1954649
+Related: rhbz#2036946
-Related: 1953565
 
-* Tue Nov 24 2020 Jakub Martisko <jamartis@redhat.com> - 6.0-44
+* Mon Dec 20 2021 Jakub Martisko <jamartis@redhat.com> - 6.0-54
-* Fix out of memory errors while checking for zip-bombs
+- Add an environment variable that disables the zipbomb detection
-Resolves: #1900915
+  Resolves: rhbz#2031730
 
-* Mon Nov 18 2019 Jakub Martisko <jamartis@redhat.com> - 6.0-43
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 6.0-53
-- Update the man page with the new exit code introduced in 6.0-42
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-- Related: CVE-2019-13232
+  Related: rhbz#1991688
 
-* Thu Oct 17 2019 Jakub Martisko <jamartis@redhat.com> - 6.0-42
+* Fri Apr 30 2021 Jakub Martisko <jamartis@redhat.com> - 6.0-52
-- Fix CVE-2019-13232
+- Add several patches dealing with false positice zipbomb detection
-- Resolves: CVE-2019-13232
+Resolves: #1954651
 
-* Wed Nov 14 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-41
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 6.0-51
-- Fix strcpy call with possibly overlapping src/dest strings.
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- Related: #1602721
 
-* Mon Nov 12 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-40
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-50
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-49
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 6.0-48
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-47
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Nov 18 2019 Jakub Martisko <jamartis@redhat.com> - 6.0-46
+- Mention the zipbomb exit code in the manpage
+  Related: CVE-2019-13232
+
+* Wed Oct 23 2019 Jakub Martisko <jamartis@redhat.com> - 6.0-45
+- Fix possible zipbomb in unzip
+  Resolves: CVE-2019-13232
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-44
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-43
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Nov 08 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-42
 - fix several possibly unterminated strings
   When copying to OEM_CP and ISO_CP strings, the string could end unterminated
   (stncpy does not append '\0').
-- Related: #1602721
 
-* Mon Nov 05 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-39
+* Thu Nov 08 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-41
 - Fix CVE-2018-18384
   Resolves: CVE-2018-18384
 
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0-40
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Mar 01 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-39
+- Add gcc to buildrequires
+
 * Tue Feb 13 2018 Jakub Martisko <jamartis@redhat.com> - 6.0-38
 - Fix CVE-2018-1000035 - heap based buffer overflow when opening
   password protected files.