diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 994c1ece9de..58a2075dcc5 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -1,10 +1,9 @@
-# $OpenBSD: Makefile,v 1.32 2003/08/17 23:48:40 brad Exp $
+# $OpenBSD: Makefile,v 1.33 2004/06/24 21:35:14 sturm Exp $
 COMMENT= "extract, list & test files in a ZIP archive"
-VERSION= 5.50
+VERSION= 5.51
 DISTNAME= unzip${VERSION:S/.//}
-PKGNAME= unzip-${VERSION}p2
 CATEGORIES= archivers
 MASTER_SITES= ftp://ftp.info-zip.org/pub/infozip/src/ \
 ftp://ftp.uu.net/pub/archiving/zip/src/ \
diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo
index 942c69712ce..483dfeeaa1d 100644
--- a/archivers/unzip/distinfo
+++ b/archivers/unzip/distinfo
@@ -1,3 +1,3 @@
-MD5 (unzip550.tar.gz) = 798592d62e37f92571184236947122ed
-RMD160 (unzip550.tar.gz) = 4eb8e5b4130b523681dd5ccf9c2f1434f9695c98
-SHA1 (unzip550.tar.gz) = 51034a8098eddc8facb4db9ea1a935e813dbdb73
+MD5 (unzip551.tar.gz) = 8a25712aac642430d87d21491f7c6bd1
+RMD160 (unzip551.tar.gz) = c38cf2c4c1341afcc75282caf088b3001bd99553
+SHA1 (unzip551.tar.gz) = 4643ca31419cfb34c9de8a182aabebd79662ba04
diff --git a/archivers/unzip/patches/patch-man_unzip_1 b/archivers/unzip/patches/patch-man_unzip_1
deleted file mode 100644
index 47938bce58a..00000000000
--- a/archivers/unzip/patches/patch-man_unzip_1
+++ /dev/null
@@ -1,18 +0,0 @@
-$OpenBSD: patch-man_unzip_1,v 1.1 2003/08/17 23:48:40 brad Exp $
---- man/unzip.1.orig 2002-02-10 17:09:20.000000000 -0500
-+++ man/unzip.1 2003-08-17 19:25:19.000000000 -0400
-@@ -396,7 +396,13 @@ version 5.50) prevents \fIunzip\fP from
- \fB\-:\fP option lets \fIunzip\fP switch back to its previous, more liberal
- behaviour, to allow exact extraction of (older) archives that used ``../''
- components to create multiple directory trees at the level of the current
--extraction folder.
-+extraction folder. Use of this will not enable writing explicitly to the
-+root directory (``/''). To do this, it is necessary to unzip the file from
-+within the root directory itself. However, when the \fB\-:\fP option is
-+specified, it is still possible to write to implicitly write to the root
-+directory by specifiying enough ``../'' path components within the zip file.
-+Use this option with extreme caution.
-+
- .PD
- .\" =========================================================================
- .SH "ENVIRONMENT OPTIONS"
diff --git a/archivers/unzip/patches/patch-unix_Makefile b/archivers/unzip/patches/patch-unix_Makefile
index c0806cd4110..cd470e6c1f4 100644
--- a/archivers/unzip/patches/patch-unix_Makefile
+++ b/archivers/unzip/patches/patch-unix_Makefile
@@ -1,6 +1,17 @@
-$OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
---- unix/Makefile.orig Sat Feb 16 12:00:38 2002
-+++ unix/Makefile Thu Jul 4 21:00:37 2002
+$OpenBSD: patch-unix_Makefile,v 1.3 2004/06/24 21:35:15 sturm Exp $
+--- unix/Makefile.orig Mon Mar 1 10:37:24 2004
++++ unix/Makefile Thu Jun 24 15:28:24 2004
+@@ -42,8 +42,8 @@
+ # such as -DDOSWILD).
+
+ # UnZip flags
+-CC = cc# try using "gcc" target rather than changing this (CC and LD
+-LD = $(CC)# must match, else "unresolved symbol: ___main" is possible)
++#CC = cc# try using "gcc" target rather than changing this (CC and LD
++#LD = $(CC)# must match, else "unresolved symbol: ___main" is possible)
+ AS = as
+ LOC = $(LOCAL_UNZIP)
+ AF = $(LOC)
 @@ -61,8 +61,8 @@ FL2 = $(LF2)
 # general-purpose stuff
@@ -8,22 +19,23 @@ $OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
 -CP = ln
 -LN = ln
 +CP = ln -s
-+LN = ln -fs
++LN = ln -sf
 RM = rm -f
 CHMOD = chmod
 BINPERMS = 755
-@@ -450,18 +450,16 @@ svr4package: unzips
+@@ -449,19 +449,17 @@ svr4package: unzips
+ @echo " "
 install: $(MANS)
- -$(INSTALL_D) $(BINDIR)
+- -$(INSTALL_D) $(BINDIR)
 - $(INSTALL_PROGRAM) $(UNZIPS) $(BINDIR)
 - $(INSTALL) unix/zipgrep $(BINDIR)
++ -$(BSD_INSTALL_PROGRAM_DIR) $(BINDIR)
 + $(BSD_INSTALL_PROGRAM) $(UNZIPS) $(BINDIR)
 + $(BSD_INSTALL_SCRIPT) unix/zipgrep $(BINDIR)
 $(RM) $(BINDIR)/zipinfo$E
 - $(LN) $(BINDIR)/unzip$E $(BINDIR)/zipinfo$E
-+ cd $(BINDIR); $(LN) unzip$E zipinfo$E
- -$(INSTALL_D) $(MANDIR)
+- -$(INSTALL_D) $(MANDIR)
 - $(INSTALL) man/funzip.1 $(MANDIR)/funzip.$(manext)
 - $(INSTALL) man/unzip.1 $(MANDIR)/unzip.$(manext)
 - $(INSTALL) man/unzipsfx.1 $(MANDIR)/unzipsfx.$(manext)
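Review bot: In the `@@ -42,8 +42,8 @@` part of this hunk both `CC = cc` and `LD = $(CC)` are commented out, although the comment carried on those two lines says CC and LD must match. With the assignment gone, `$(LD)` comes from the environment or from make's built-in default, which is normally the bare linker rather than the compiler driver, so the link step can diverge from the compiler the ports framework selects. Unless the port passes LD explicitly somewhere outside the visible lines, commenting out only CC and leaving `LD = $(CC)# must match, else "unresolved symbol: ___main" is possible)` active would keep the pairing. The variable block continues outside the hunk.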
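Review bot: The new `-$(BSD_INSTALL_PROGRAM_DIR) $(BINDIR)` line keeps the leading `-`, so make ignores a failure to create the directory and carries on with the install lines that follow; the same applies to `-$(BSD_INSTALL_MAN_DIR) $(MANDIR)` in the next hunk. A directory-creating install command normally succeeds when the directory already exists, so the prefix only hides real errors such as a permission problem. Dropping it, `$(BSD_INSTALL_PROGRAM_DIR) $(BINDIR)`, makes the recipe stop at the first failure. The install recipe continues past the end of this hunk.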
@@ -31,6 +43,8 @@ $OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
 - $(INSTALL) man/zipinfo.1 $(MANDIR)/zipinfo.$(manext)
 - $(CHMOD) $(BINPERMS) $(INSTALLEDBIN)
 - $(CHMOD) $(MANPERMS) $(INSTALLEDMAN)
++ $(LN) $(TRUEPREFIX)/bin/unzip$E $(BINDIR)/zipinfo$E
++ -$(BSD_INSTALL_MAN_DIR) $(MANDIR)
 + $(BSD_INSTALL_MAN) man/funzip.1 $(MANDIR)/funzip.$(manext)
 + $(BSD_INSTALL_MAN) man/unzip.1 $(MANDIR)/unzip.$(manext)
 + $(BSD_INSTALL_MAN) man/unzipsfx.1 $(MANDIR)/unzipsfx.$(manext)
@@ -39,14 +53,12 @@ $OpenBSD: patch-unix_Makefile,v 1.2 2002/07/05 01:07:26 brad Exp $
 uninstall:
 $(RM) $(INSTALLEDBIN) $(INSTALLEDMAN)
-@@ -569,8 +567,8 @@ generic_shlib: unix_make
- $(MAKE) objsdll CC=gcc CF="-O3 -Wall -I. -fPIC -DDLL $(LOC)"
+@@ -569,8 +567,6 @@ generic_shlib: unix_make
+ $(MAKE) objsdll CC=gcc CF="-O3 -Wall -I. -fPIC -DDLL -DUNIX $(LOC)"
 gcc -shared -Wl,-soname,libunzip.so.0 -o libunzip.so.0.4 $(OBJSDLL)
 $(RM) libunzip.so.0 libunzip.so
 - $(LN) -s libunzip.so.0.4 libunzip.so.0
 - $(LN) -s libunzip.so.0 libunzip.so
-+ $(LN) libunzip.so.0.4 libunzip.so.0
-+ $(LN) libunzip.so.0 libunzip.so
 gcc -c -O unzipstb.c
 gcc -o unzip_shlib unzipstb.o -L. -lunzip
diff --git a/archivers/unzip/patches/patch-unix_unix_c b/archivers/unzip/patches/patch-unix_unix_c
deleted file mode 100644
index 43a70fb44c3..00000000000
--- a/archivers/unzip/patches/patch-unix_unix_c
+++ /dev/null
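Review bot: The zipinfo link is now created with an absolute target, `$(LN) $(TRUEPREFIX)/bin/unzip$E $(BINDIR)/zipinfo$E`, so the link is tied to one prefix and dangles whenever `$(BINDIR)` is a staging directory rather than the final location. Both names live in the same directory, so a relative target is enough: `cd $(BINDIR) && $(LN) unzip$E zipinfo$E`, with `&&` so that a failed `cd` cannot place the link elsewhere. If the absolute form is deliberate, a comment in the port saying why would help. The install recipe starts before this hunk.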
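Review bot: The rewritten `@@ -569,8 +567,6 @@` hunk now deletes both `$(LN) -s` lines from the generic_shlib recipe instead of adjusting them, while the recipe still runs `$(RM) libunzip.so.0 libunzip.so` and then links with `-L. -lunzip`. Nothing in the patch says why the links are dropped; presumably the target's linker resolves `libunzip.so.0.4` by version, but that is not visible here. A short explanation in the commit message or the port Makefile, for example `# generic_shlib: .so symlinks not created, linker resolves libunzip.so.0.4 directly`, would make the intent reviewable. The generic_shlib recipe starts outside the hunk.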
@@ -1,110 +0,0 @@
-$OpenBSD: patch-unix_unix_c,v 1.2 2003/08/17 23:48:40 brad Exp $
---- unix/unix.c.orig 2002-01-21 17:54:42.000000000 -0500
-+++ unix/unix.c 2003-08-17 19:25:19.000000000 -0400
-@@ -421,7 +421,8 @@ int mapname(__G__ renamed)
- */
- {
- char pathcomp[FILNAMSIZ]; /* path-component buffer */
-- char *pp, *cp=(char *)NULL; /* character pointers */
-+ char *pp, *cp=(char *)NULL, /* character pointers */
-+ *dp=(char *)NULL;
- char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
- #ifdef ACORN_FTYPE_NFS
- char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
-@@ -429,6 +430,8 @@ int mapname(__G__ renamed)
- #endif
- int quote = FALSE; /* flags */
- int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
-+ int killed_qslash = FALSE; /* is set when skipping "^V/" pathcomp */
-+ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
- int error = MPN_OK;
- register unsigned workch; /* hold the character being tested */
-
-@@ -467,6 +470,18 @@ int mapname(__G__ renamed)
- while ((workch = (uch)*cp++) != 0) {
-
- if (quote) { /* if character quoted, */
-+ if (pp == pathcomp) {
-+ quote = FALSE;
-+ if (workch == '.')
-+ /* Oh no you don't... */
-+ goto ddot_hack;
-+ if (workch == '/') {
-+ /* We *never* allow quote-slash at the beginning */
-+ killed_qslash = TRUE;
-+ continue;
-+ }
-+ }
-+
- *pp++ = (char)workch; /* include it literally */
- quote = FALSE;
- } else
-@@ -481,15 +496,45 @@ int mapname(__G__ renamed)
- break;
-
- case '.':
-- if (pp == pathcomp) { /* nothing appended yet... */
-+ if (pp == pathcomp) {
-+ddot_hack:
-+ /* nothing appended yet... */
- if (*cp == '/') { /* don't bother appending "./" to */
- ++cp; /* the path: skip behind the '/' */
- break;
-- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
-- /* "../" dir traversal detected */
-- cp += 2; /* skip over behind the '/' */
-- killed_ddot = TRUE; /* set "show message" flag */
-- break;
-+ } else if (!uO.ddotflag) {
-+
-+ /*
-+ * SECURITY: Skip past control characters if the user
-+ * didn't OK use of absolute pathnames. lhh - this is
-+ * a very quick, ugly, inefficient fix; it traverses
-+ * the WHOLE path, eating up these as it comes to it.
-+ */
-+ dp = cp;
-+ do {
-+ workch = (uch)(*dp);
-+ if (workch == '/' && snarf_ddot) {
-+ /* "../" dir traversal detected */
-+ cp = dp + 1; /* skip past the '/' */
-+ killed_ddot = TRUE; /* set "show msg" flag */
-+ break;
-+ } else if (workch == '.' && !snarf_ddot) {
-+ snarf_ddot = TRUE;
-+ } else if (isprint(workch) ||
-+ ((workch > 127) && (workch <= 254))) {
-+ /*
-+ * Since we found a printable, non-ctrl char,
-+ * we can stop looking for '../', the amount
-+ * in ../!
-+ */
-+ break;
-+ }
-+
-+ dp++;
-+ } while (*dp != 0);
-+
-+ if (killed_ddot)
-+ break;
- }
- }
- *pp++ = '.';
-@@ -534,6 +579,16 @@ int mapname(__G__ renamed)
- error = (error & MPN_MASK) | PK_WARN;
- }
-
-+ /* Show warning when stripping insecure quoted-slash at beginning of
-+ path components */
-+ if (killed_qslash && QCOND2) {
-+ Info(slide, 0, ((char *)slide,
-+ "warning: skipped root directory component(s) in %s\n",
-+ FnFilter1(G.filename)));
-+ if (!(error & ~MPN_MASK))
-+ error = (error & MPN_MASK) | PK_WARN;
-+ }
-+
- /*---------------------------------------------------------------------------
- Report if directory was created (and no file to create: filename ended
- in '/'), check name to be sure it exists, and combine path and name be-