update to unzip 5.51

This commit is contained in:
sturm 2004-06-24 21:35:14 +00:00
parent d58c0e4dd1
commit 3c67f35287
5 changed files with 29 additions and 146 deletions


@ -1,10 +1,9 @@
# $OpenBSD: Makefile,v 1.32 2003/08/17 23:48:40 brad Exp $
# $OpenBSD: Makefile,v 1.33 2004/06/24 21:35:14 sturm Exp $
COMMENT= "extract, list & test files in a ZIP archive"
VERSION= 5.50
VERSION= 5.51
DISTNAME= unzip${VERSION:S/.//}
PKGNAME= unzip-${VERSION}p2
CATEGORIES= archivers
MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ \
ftp://ftp.uu.net/pub/archiving/zip/src/ \


@ -1,3 +1,3 @@
MD5 (unzip550.tar.gz) = 798592d62e37f92571184236947122ed
RMD160 (unzip550.tar.gz) = 4eb8e5b4130b523681dd5ccf9c2f1434f9695c98
SHA1 (unzip550.tar.gz) = 51034a8098eddc8facb4db9ea1a935e813dbdb73
MD5 (unzip551.tar.gz) = 8a25712aac642430d87d21491f7c6bd1
RMD160 (unzip551.tar.gz) = c38cf2c4c1341afcc75282caf088b3001bd99553
SHA1 (unzip551.tar.gz) = 4643ca31419cfb34c9de8a182aabebd79662ba04


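--- a/patch-man_unzip_1
+++ b/patch-man_unzip_1
@@ -1,18 +0,0 @@
-$OpenBSD: patch-man_unzip_1,v 1.1 2003/08/17 23:48:40 brad Exp $
---- man/unzip.1.orig 2002-02-10 17:09:20.000000000 -0500
-+++ man/unzip.1 2003-08-17 19:25:19.000000000 -0400
-@@ -396,7 +396,13 @@ version 5.50) prevents \fIunzip\fP from
-\fB\-:\fP option lets \fIunzip\fP switch back to its previous, more liberal
-behaviour, to allow exact extraction of (older) archives that used ``../''
-components to create multiple directory trees at the level of the current
--extraction folder.
-+extraction folder. Use of this will not enable writing explicitly to the
-+root directory (``/''). To do this, it is necessary to unzip the file from
-+within the root directory itself. However, when the \fB\-:\fP option is
-+specified, it is still possible to write to implicitly write to the root
-+directory by specifiying enough ``../'' path components within the zip file.
-+Use this option with extreme caution.
-+
-.PD
-.\" =========================================================================
-.SH "ENVIRONMENT OPTIONS"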


@ -1,6 +1,17 @@
$OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
--- unix/Makefile.orig Sat Feb 16 12:00:38 2002
+++ unix/Makefile Thu Jul 4 21:00:37 2002
$OpenBSD: patch-unix_Makefile,v 1.3 2004/06/24 21:35:15 sturm Exp $
--- unix/Makefile.orig Mon Mar 1 10:37:24 2004
+++ unix/Makefile Thu Jun 24 15:28:24 2004
@@ -42,8 +42,8 @@
# such as -DDOSWILD).
# UnZip flags
-CC = cc# try using "gcc" target rather than changing this (CC and LD
-LD = $(CC)# must match, else "unresolved symbol: ___main" is possible)
+#CC = cc# try using "gcc" target rather than changing this (CC and LD
+#LD = $(CC)# must match, else "unresolved symbol: ___main" is possible)
AS = as
LOC = $(LOCAL_UNZIP)
AF = $(LOC)
@@ -61,8 +61,8 @@ FL2 = $(LF2)
# general-purpose stuff
@ -8,22 +19,23 @@ $OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
-CP = ln
-LN = ln
+CP = ln -s
+LN = ln -fs
+LN = ln -sf
RM = rm -f
CHMOD = chmod
BINPERMS = 755
@@ -450,18 +450,16 @@ svr4package: unzips
@@ -449,19 +449,17 @@ svr4package: unzips
@echo " "
install: $(MANS)
-$(INSTALL_D) $(BINDIR)
- -$(INSTALL_D) $(BINDIR)
- $(INSTALL_PROGRAM) $(UNZIPS) $(BINDIR)
- $(INSTALL) unix/zipgrep $(BINDIR)
+ -$(BSD_INSTALL_PROGRAM_DIR) $(BINDIR)
+ $(BSD_INSTALL_PROGRAM) $(UNZIPS) $(BINDIR)
+ $(BSD_INSTALL_SCRIPT) unix/zipgrep $(BINDIR)
$(RM) $(BINDIR)/zipinfo$E
- $(LN) $(BINDIR)/unzip$E $(BINDIR)/zipinfo$E
+ cd $(BINDIR); $(LN) unzip$E zipinfo$E
-$(INSTALL_D) $(MANDIR)
- -$(INSTALL_D) $(MANDIR)
- $(INSTALL) man/funzip.1 $(MANDIR)/funzip.$(manext)
- $(INSTALL) man/unzip.1 $(MANDIR)/unzip.$(manext)
- $(INSTALL) man/unzipsfx.1 $(MANDIR)/unzipsfx.$(manext)
@ -31,6 +43,8 @@ $OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
- $(INSTALL) man/zipinfo.1 $(MANDIR)/zipinfo.$(manext)
- $(CHMOD) $(BINPERMS) $(INSTALLEDBIN)
- $(CHMOD) $(MANPERMS) $(INSTALLEDMAN)
+ $(LN) $(TRUEPREFIX)/bin/unzip$E $(BINDIR)/zipinfo$E
+ -$(BSD_INSTALL_MAN_DIR) $(MANDIR)
+ $(BSD_INSTALL_MAN) man/funzip.1 $(MANDIR)/funzip.$(manext)
+ $(BSD_INSTALL_MAN) man/unzip.1 $(MANDIR)/unzip.$(manext)
+ $(BSD_INSTALL_MAN) man/unzipsfx.1 $(MANDIR)/unzipsfx.$(manext)
@ -39,14 +53,12 @@ $OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
uninstall:
$(RM) $(INSTALLEDBIN) $(INSTALLEDMAN)
@@ -569,8 +567,8 @@ generic_shlib: unix_make
$(MAKE) objsdll CC=gcc CF="-O3 -Wall -I. -fPIC -DDLL $(LOC)"
@@ -569,8 +567,6 @@ generic_shlib: unix_make
$(MAKE) objsdll CC=gcc CF="-O3 -Wall -I. -fPIC -DDLL -DUNIX $(LOC)"
gcc -shared -Wl,-soname,libunzip.so.0 -o libunzip.so.0.4 $(OBJSDLL)
$(RM) libunzip.so.0 libunzip.so
- $(LN) -s libunzip.so.0.4 libunzip.so.0
- $(LN) -s libunzip.so.0 libunzip.so
+ $(LN) libunzip.so.0.4 libunzip.so.0
+ $(LN) libunzip.so.0 libunzip.so
gcc -c -O unzipstb.c
gcc -o unzip_shlib unzipstb.o -L. -lunzip
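Review bot: The zipinfo link created by `$(LN) $(TRUEPREFIX)/bin/unzip$E $(BINDIR)/zipinfo$E` bakes an absolute path into the installed symlink, and nothing in the patch says why the relative form of the removed `cd $(BINDIR); $(LN) unzip$E zipinfo$E` line was given up; presumably the absolute target is needed so the link resolves correctly once the fake/DESTDIR tree is packaged, but that is a guess from the use of `$(TRUEPREFIX)`. A relative link without the `cd` — `$(LN) unzip$E $(BINDIR)/zipinfo$E` — keeps the old behaviour (ln stores the target string verbatim, so the link resolves beside itself) and does not depend on the package being installed under the PREFIX it was built for; if the absolute target is deliberate, a comment such as `# absolute target: BINDIR is the fake tree, the link must resolve after pkg_add` above the line would save the next reader the same guess. The `$(RM) $(BINDIR)/zipinfo$E` kept as context above it is still worth keeping even though `$(LN)` is now `ln -sf`, since `-f` replaces an existing link but does not protect against a stale zipinfo that points at a directory. The install target these lines belong to continues past the hunk, and `$E`, `$(TRUEPREFIX)` and the `BSD_INSTALL_*` macros are defined outside it.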


@ -1,110 +0,0 @@
$OpenBSD: patch-unix_unix_c,v 1.2 2003/08/17 23:48:40 brad Exp $
--- unix/unix.c.orig 2002-01-21 17:54:42.000000000 -0500
+++ unix/unix.c 2003-08-17 19:25:19.000000000 -0400
@@ -421,7 +421,8 @@ int mapname(__G__ renamed)
*/
{
char pathcomp[FILNAMSIZ]; /* path-component buffer */
- char *pp, *cp=(char *)NULL; /* character pointers */
+ char *pp, *cp=(char *)NULL, /* character pointers */
+ *dp=(char *)NULL;
char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
#ifdef ACORN_FTYPE_NFS
char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
@@ -429,6 +430,8 @@ int mapname(__G__ renamed)
#endif
int quote = FALSE; /* flags */
int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
+ int killed_qslash = FALSE; /* is set when skipping "^V/" pathcomp */
+ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
int error = MPN_OK;
register unsigned workch; /* hold the character being tested */
@@ -467,6 +470,18 @@ int mapname(__G__ renamed)
while ((workch = (uch)*cp++) != 0) {
if (quote) { /* if character quoted, */
+ if (pp == pathcomp) {
+ quote = FALSE;
+ if (workch == '.')
+ /* Oh no you don't... */
+ goto ddot_hack;
+ if (workch == '/') {
+ /* We *never* allow quote-slash at the beginning */
+ killed_qslash = TRUE;
+ continue;
+ }
+ }
+
*pp++ = (char)workch; /* include it literally */
quote = FALSE;
} else
@@ -481,15 +496,45 @@ int mapname(__G__ renamed)
break;
case '.':
- if (pp == pathcomp) { /* nothing appended yet... */
+ if (pp == pathcomp) {
+ddot_hack:
+ /* nothing appended yet... */
if (*cp == '/') { /* don't bother appending "./" to */
++cp; /* the path: skip behind the '/' */
break;
- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
- /* "../" dir traversal detected */
- cp += 2; /* skip over behind the '/' */
- killed_ddot = TRUE; /* set "show message" flag */
- break;
+ } else if (!uO.ddotflag) {
+
+ /*
+ * SECURITY: Skip past control characters if the user
+ * didn't OK use of absolute pathnames. lhh - this is
+ * a very quick, ugly, inefficient fix; it traverses
+ * the WHOLE path, eating up these as it comes to it.
+ */
+ dp = cp;
+ do {
+ workch = (uch)(*dp);
+ if (workch == '/' && snarf_ddot) {
+ /* "../" dir traversal detected */
+ cp = dp + 1; /* skip past the '/' */
+ killed_ddot = TRUE; /* set "show msg" flag */
+ break;
+ } else if (workch == '.' && !snarf_ddot) {
+ snarf_ddot = TRUE;
+ } else if (isprint(workch) ||
+ ((workch > 127) && (workch <= 254))) {
+ /*
+ * Since we found a printable, non-ctrl char,
+ * we can stop looking for '../', the amount
+ * in ../!
+ */
+ break;
+ }
+
+ dp++;
+ } while (*dp != 0);
+
+ if (killed_ddot)
+ break;
}
}
*pp++ = '.';
@@ -534,6 +579,16 @@ int mapname(__G__ renamed)
error = (error & MPN_MASK) | PK_WARN;
}
+ /* Show warning when stripping insecure quoted-slash at beginning of
+ path components */
+ if (killed_qslash && QCOND2) {
+ Info(slide, 0, ((char *)slide,
+ "warning: skipped root directory component(s) in %s\n",
+ FnFilter1(G.filename)));
+ if (!(error & ~MPN_MASK))
+ error = (error & MPN_MASK) | PK_WARN;
+ }
+
/*---------------------------------------------------------------------------
Report if directory was created (and no file to create: filename ended
in '/'), check name to be sure it exists, and combine path and name be-