SECURITY:

fix a buffer overflow; bump PKGNAME; When zip performs recursive folder compression, it does not check for the length of resulting path. If the path is too long, a buffer overflow occurs leading to stack corruption and segmentation fault; CAN-2004-1010
2004-12-04 15:36:36 +00:00 · 2004-12-04 15:36:36 +00:00 · acdf132e4d
commit acdf132e4d
parent 5cf43988ff
2 changed files with 30 additions and 2 deletions
--- a/archivers/zip/Makefile
+++ b/archivers/zip/Makefile
@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.31 2004/11/21 12:50:33 espie Exp $
+# $OpenBSD: Makefile,v 1.32 2004/12/04 15:36:36 robert Exp $
 # $FreeBSD: Makefile,v 1.11 1997/11/25 20:45:45 ache Exp $

 COMMENT=	"create/update ZIP files compatible with PKZip(tm)"

 DISTNAME=	zip23
-PKGNAME=	zip-2.3
+PKGNAME=	zip-2.3p0
 CATEGORIES=	archivers
 MASTER_SITES=	ftp://ftp.uu.net/pub/archiving/zip/src/ \
 		ftp://ftp.icce.rug.nl/infozip/src/
--- a/archivers/zip/patches/patch-unix_unix_c
+++ b/archivers/zip/patches/patch-unix_unix_c
@ -0,0 +1,28 @@
+$OpenBSD: patch-unix_unix_c,v 1.1 2004/12/04 15:36:36 robert Exp $
+--- unix/unix.c.orig	Sat Dec  4 16:25:31 2004
+++ unix/unix.c	Sat Dec  4 16:26:56 2004
+@@ -319,9 +319,9 @@
+    a file size of -1 */
+ {
+   struct stat s;        /* results of stat() */
+-  char name[FNMAX];
+-  int len = strlen(f);
+-
+  char *name;
+  size_t len = strlen(f);
+  
+   if (f == label) {
+     if (a != NULL)
+       *a = label_mode;
+@@ -331,6 +331,11 @@
+       t->atime = t->mtime = t->ctime = label_utim;
+     return label_time;
+   }
+  
+  name = malloc(len + 1);
+  if (!name)
+    return 0;
+    
+   strcpy(name, f);
+   if (name[len - 1] == '/')
+     name[len - 1] = '\0';