<pre style='margin:0'>
Kurt Hindenburg (kurthindenburg) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/60ad662b8a9c1670e846e5740d97221a645d9632">https://github.com/macports/macports-ports/commit/60ad662b8a9c1670e846e5740d97221a645d9632</a></p>
<pre style="white-space: pre; background: #F8F8F8"><span style='display:block; white-space:pre;color:#808000;'>commit 60ad662b8a9c1670e846e5740d97221a645d9632
</span>Author: Kurt Hindenburg <khindenburg@macports.org>
AuthorDate: Sun Aug 6 10:55:48 2017 -0400
<span style='display:block; white-space:pre;color:#404040;'> unzip: add Debian's patches including several fixes for CVEs
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> closes https://trac.macports.org/ticket/54409
</span>---
archivers/unzip/Portfile | 27 +-
...1-manpages-in-section-1-not-in-section-1l.patch | 295 +++++++++++++++++++++
.../files/04-handle-pkware-verification-bit.patch | 21 ++
.../unzip/files/05-fix-uid-gid-handling.patch | 29 ++
.../files/06-initialize-the-symlink-flag.patch | 20 ++
.../files/07-increase-size-of-cfactorstr.patch | 16 ++
.../files/08-allow-greater-hostver-values.patch | 14 +
.../files/09-cve-2014-8139-crc-overflow.patch | 53 ++++
.../files/10-cve-2014-8140-test-compr-eb.patch | 27 ++
.../files/11-cve-2014-8141-getzip64data.patch | 137 ++++++++++
.../files/12-cve-2014-9636-test-compr-eb.patch | 40 +++
archivers/unzip/files/13-remove-build-date.patch | 17 ++
archivers/unzip/files/14-cve-2015-7696.patch | 33 +++
archivers/unzip/files/15-cve-2015-7697.patch | 26 ++
.../16-fix-integer-underflow-csiz-decrypted.patch | 32 +++
.../17-restore-unix-timestamps-accurately.patch | 41 +++
.../18-cve-2014-9913-unzip-buffer-overflow.patch | 29 ++
.../19-cve-2016-9844-zipinfo-buffer-overflow.patch | 28 ++
18 files changed, 882 insertions(+), 3 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/Portfile b/archivers/unzip/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index b78bcf3..af5d790 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/archivers/unzip/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4,6 +4,7 @@ PortSystem 1.0
</span>
name unzip
version 6.0
<span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 1
</span> maintainers nomaintainer
categories archivers sysutils
platforms darwin freebsd
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -22,9 +23,29 @@ homepage http://www.info-zip.org/pub/infozip/UnZip.html
</span> master_sites sourceforge:infozip
distname ${name}[strsed $version g/\\.//]
<span style='display:block; white-space:pre;background:#ffe0e0;'>-checksums md5 62b490407489521db863b523a7f86375 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- sha1 abf7de8a4018a983590ed6f5cbd990d4740f8a22 \
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rmd160 48af66606e9472e45fbb94bc4e285da23d1b89ba
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+checksums rmd160 48af66606e9472e45fbb94bc4e285da23d1b89ba \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sha256 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Add Debian patches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patch.pre_args -p1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+patchfiles \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 01-manpages-in-section-1-not-in-section-1l.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 04-handle-pkware-verification-bit.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 05-fix-uid-gid-handling.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 06-initialize-the-symlink-flag.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 07-increase-size-of-cfactorstr.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 08-allow-greater-hostver-values.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 09-cve-2014-8139-crc-overflow.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 10-cve-2014-8140-test-compr-eb.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 11-cve-2014-8141-getzip64data.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 12-cve-2014-9636-test-compr-eb.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 13-remove-build-date.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 14-cve-2015-7696.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 15-cve-2015-7697.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 16-fix-integer-underflow-csiz-decrypted.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 17-restore-unix-timestamps-accurately.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 18-cve-2014-9913-unzip-buffer-overflow.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 19-cve-2016-9844-zipinfo-buffer-overflow.patch
</span>
post-patch {
reinplace -E "/-O3/s|(LF2=\")|\\1[get_canonical_archflags ld]|" \
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/01-manpages-in-section-1-not-in-section-1l.patch b/archivers/unzip/files/01-manpages-in-section-1-not-in-section-1l.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..2499ed9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/01-manpages-in-section-1-not-in-section-1l.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,295 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Santiago Vila <sanvila@debian.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: In Debian, manpages are in section 1, not in section 1L
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 5.52-3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/man/funzip.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/man/funzip.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -20,7 +20,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .in -4n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ..
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.TH FUNZIP 1L "20 April 2009 (v3.95)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.TH FUNZIP 1 "20 April 2009 (v3.95)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH NAME
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ funzip \- filter for extracting from a ZIP archive in a pipe
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -78,7 +78,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .EE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ To use \fIzip\fP and \fIfunzip\fP in place of \fIcompress\fP(1) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzcat\fP(1) (or \fIgzip\fP(1L) and \fIgzcat\fP(1L)) for tape backups:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzcat\fP(1) (or \fIgzip\fP(1) and \fIgzcat\fP(1)) for tape backups:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .EX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ tar cf \- . | zip \-7 | dd of=/dev/nrst0 obs=8k
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -108,8 +108,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH "SEE ALSO"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIgzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L), \fIzip\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIgzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1), \fIzip\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/man/unzip.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/man/unzip.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -20,7 +20,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .in -4n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ..
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.TH UNZIP 1L "20 April 2009 (v6.0)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.TH UNZIP 1 "20 April 2009 (v6.0)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH NAME
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unzip \- list, test and extract compressed files in a ZIP archive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -34,7 +34,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \fIunzip\fP will list, test, or extract files from a ZIP archive, commonly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ found on MS-DOS systems. The default behavior (with no options) is to extract
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ into the current directory (and subdirectories below it) all files from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-specified ZIP archive. A companion program, \fIzip\fP(1L), creates ZIP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++specified ZIP archive. A companion program, \fIzip\fP(1), creates ZIP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ archives; both programs are compatible with archives created by PKWARE's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \fIPKZIP\fP and \fIPKUNZIP\fP for MS-DOS, but in many cases the program
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ options or default behaviors differ.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -105,8 +105,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ list of all possible flags. The exhaustive list follows:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .TP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .B \-Z
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzipinfo\fP(1L) mode. If the first option on the command line is \fB\-Z\fP,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-the remaining options are taken to be \fIzipinfo\fP(1L) options. See the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzipinfo\fP(1) mode. If the first option on the command line is \fB\-Z\fP,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++the remaining options are taken to be \fIzipinfo\fP(1) options. See the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ appropriate manual page for a description of these options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .TP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .B \-A
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -178,7 +178,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compressed size and compression ratio figures are independent of the entry's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ encryption status and show the correct compression performance. (The complete
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ size of the encrypted compressed data stream for zipfile entries is reported
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-by the more verbose \fIzipinfo\fP(1L) reports, see the separate manual.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++by the more verbose \fIzipinfo\fP(1) reports, see the separate manual.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ When no zipfile is specified (that is, the complete command is simply
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ``\fCunzip \-v\fR''), a diagnostic screen is printed. In addition to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the normal header with release date and version, \fIunzip\fP lists the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -379,8 +379,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .TP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .B \-N
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ [Amiga] extract file comments as Amiga filenotes. File comments are created
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-with the \-c option of \fIzip\fP(1L), or with the \-N option of the Amiga port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-of \fIzip\fP(1L), which stores filenotes as comments.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++with the \-c option of \fIzip\fP(1), or with the \-N option of the Amiga port
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++of \fIzip\fP(1), which stores filenotes as comments.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .TP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .B \-o
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ overwrite existing files without prompting. This is a dangerous option, so
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -598,7 +598,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ As suggested by the examples above, the default variable names are UNZIP_OPTS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for VMS (where the symbol used to install \fIunzip\fP as a foreign command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ would otherwise be confused with the environment variable), and UNZIP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-for all other operating systems. For compatibility with \fIzip\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++for all other operating systems. For compatibility with \fIzip\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ UNZIPOPT is also accepted (don't ask). If both UNZIP and UNZIPOPT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ are defined, however, UNZIP takes precedence. \fIunzip\fP's diagnostic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ option (\fB\-v\fP with no zipfile name) can be used to check the values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -648,8 +648,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ a password is not known, entering a null password (that is, just a carriage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return or ``Enter'') is taken as a signal to skip all further prompting.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Only unencrypted files in the archive(s) will thereafter be extracted. (In
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-fact, that's not quite true; older versions of \fIzip\fP(1L) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzipcloak\fP(1L) allowed null passwords, so \fIunzip\fP checks each encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++fact, that's not quite true; older versions of \fIzip\fP(1) and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzipcloak\fP(1) allowed null passwords, so \fIunzip\fP checks each encrypted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ file to see if the null password works. This may result in ``false positives''
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and extraction errors, as noted above.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -943,8 +943,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH "SEE ALSO"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIfunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipgrep\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIfunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1), \fIzipgrep\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/man/unzipsfx.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/man/unzipsfx.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -20,7 +20,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .in -4n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ..
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.TH UNZIPSFX 1L "20 April 2009 (v6.0)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.TH UNZIPSFX 1 "20 April 2009 (v6.0)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH NAME
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unzipsfx \- self-extracting stub for prepending to ZIP archives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -30,7 +30,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIunzipsfx\fP is a modified version of \fIunzip\fP(1L) designed to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIunzipsfx\fP is a modified version of \fIunzip\fP(1) designed to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ prepended to existing ZIP archives in order to form self-extracting archives.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Instead of taking its first non-flag argument to be the zipfile(s) to be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extracted, \fIunzipsfx\fP seeks itself under the name by which it was invoked
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -109,7 +109,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH OPTIONS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIunzipsfx\fP supports the following \fIunzip\fP(1L) options: \fB\-c\fP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIunzipsfx\fP supports the following \fIunzip\fP(1) options: \fB\-c\fP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and \fB\-p\fP (extract to standard output/screen), \fB\-f\fP and \fB\-u\fP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (freshen and update existing files upon extraction), \fB\-t\fP (test
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ archive) and \fB\-z\fP (print archive comment). All normal listing options
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -118,11 +118,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ those creating self-extracting archives may wish to include a short listing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ in the zipfile comment.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-See \fIunzip\fP(1L) for a more complete description of these options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++See \fIunzip\fP(1) for a more complete description of these options.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH MODIFIERS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIunzipsfx\fP currently supports all \fIunzip\fP(1L) modifiers: \fB\-a\fP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIunzipsfx\fP currently supports all \fIunzip\fP(1) modifiers: \fB\-a\fP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (convert text files), \fB\-n\fP (never overwrite), \fB\-o\fP (overwrite
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ without prompting), \fB\-q\fP (operate quietly), \fB\-C\fP (match names
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case-insensitively), \fB\-L\fP (convert uppercase-OS names to lowercase),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -137,18 +137,18 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ of course continue to be supported since the zipfile format implies ASCII
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ storage of text files.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-See \fIunzip\fP(1L) for a more complete description of these modifiers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++See \fIunzip\fP(1) for a more complete description of these modifiers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH "ENVIRONMENT OPTIONS"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1L) does,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIunzipsfx\fP uses the same environment variables as \fIunzip\fP(1) does,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ although this is likely to be an issue only for the person creating and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-testing the self-extracting archive. See \fIunzip\fP(1L) for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++testing the self-extracting archive. See \fIunzip\fP(1) for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH DECRYPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-Decryption is supported exactly as in \fIunzip\fP(1L); that is, interactively
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-with a non-echoing prompt for the password(s). See \fIunzip\fP(1L) for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Decryption is supported exactly as in \fIunzip\fP(1); that is, interactively
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++with a non-echoing prompt for the password(s). See \fIunzip\fP(1) for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ details. Once again, note that if the archive has no encrypted files there
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is no reason to use a version of \fIunzipsfx\fP with decryption support;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ that only adds to the size of the archive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -286,7 +286,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ from anywhere in the user's path. The situation is not known for AmigaDOS,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Atari TOS, MacOS, etc.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-As noted above, a number of the normal \fIunzip\fP(1L) functions have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++As noted above, a number of the normal \fIunzip\fP(1) functions have
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ been removed in order to make \fIunzipsfx\fP smaller: usage and diagnostic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ info, listing functions and extraction to other directories. Also, only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ stored and deflated files are supported. The latter limitation is mainly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -303,17 +303,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ defined as a ``debug hunk.'') There may be compatibility problems between
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the ROM levels of older Amigas and newer ones.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-All current bugs in \fIunzip\fP(1L) exist in \fIunzipsfx\fP as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++All current bugs in \fIunzip\fP(1) exist in \fIunzipsfx\fP as well.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH DIAGNOSTICS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \fIunzipsfx\fP's exit status (error level) is identical to that of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIunzip\fP(1L); see the corresponding man page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIunzip\fP(1); see the corresponding man page.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH "SEE ALSO"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIfunzip\fP(1L), \fIunzip\fP(1L), \fIzip\fP(1L), \fIzipcloak\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzipgrep\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIfunzip\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIzipcloak\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzipgrep\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -330,7 +330,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH AUTHORS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Greg Roelofs was responsible for the basic modifications to UnZip necessary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-to create UnZipSFX. See \fIunzip\fP(1L) for the current list of Zip-Bugs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++to create UnZipSFX. See \fIunzip\fP(1) for the current list of Zip-Bugs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ authors, or the file CONTRIBS in the UnZip source distribution for the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ full list of Info-ZIP contributors.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/man/zipgrep.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/man/zipgrep.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8,7 +8,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" zipgrep.1 by Greg Roelofs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.TH ZIPGREP 1L "20 April 2009" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.TH ZIPGREP 1 "20 April 2009" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH NAME
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ zipgrep \- search files in a ZIP archive for lines matching a pattern
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -21,7 +21,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH DESCRIPTION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ \fIzipgrep\fP will search files within a ZIP archive for lines matching
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ the given string or pattern. \fIzipgrep\fP is a shell script and requires
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIegrep\fP(1) and \fIunzip\fP(1L) to function. Its output is identical to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIegrep\fP(1) and \fIunzip\fP(1) to function. Its output is identical to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ that of \fIegrep\fP(1).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -69,8 +69,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH "SEE ALSO"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIegrep\fP(1), \fIunzip\fP(1L), \fIzip\fP(1L), \fIfunzip\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzipcloak\fP(1L), \fIzipinfo\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIegrep\fP(1), \fIunzip\fP(1), \fIzip\fP(1), \fIfunzip\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzipcloak\fP(1), \fIzipinfo\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH URL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/man/zipinfo.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/man/zipinfo.1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -34,7 +34,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .in -4n
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ..
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-.TH ZIPINFO 1L "20 April 2009 (v3.0)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++.TH ZIPINFO 1 "20 April 2009 (v3.0)" "Info-ZIP"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH NAME
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ zipinfo \- list detailed information about a ZIP archive
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -272,7 +272,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Note that because of limitations in the MS-DOS format used to store file
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ times, the seconds field is always rounded to the nearest even second.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ For Unix files this is expected to change in the next major releases of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzip\fP(1L) and \fIunzip\fP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzip\fP(1) and \fIunzip\fP.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ In addition to individual file information, a default zipfile listing
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ also includes header and trailer lines:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -361,7 +361,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ As suggested above, the default variable names are ZIPINFO_OPTS for VMS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (where the symbol used to install \fIzipinfo\fP as a foreign command
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ would otherwise be confused with the environment variable), and ZIPINFO
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-for all other operating systems. For compatibility with \fIzip\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++for all other operating systems. For compatibility with \fIzip\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ZIPINFOOPT is also accepted (don't ask). If both ZIPINFO and ZIPINFOOPT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ are defined, however, ZIPINFO takes precedence. \fIunzip\fP's diagnostic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ option (\fB\-v\fP with no zipfile name) can be used to check the values
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -496,8 +496,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH "SEE ALSO"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIls\fP(1), \fIfunzip\fP(1L), \fIunzip\fP(1L), \fIunzipsfx\fP(1L),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-\fIzip\fP(1L), \fIzipcloak\fP(1L), \fIzipnote\fP(1L), \fIzipsplit\fP(1L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIls\fP(1), \fIfunzip\fP(1), \fIunzip\fP(1), \fIunzipsfx\fP(1),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++\fIzip\fP(1), \fIzipcloak\fP(1), \fIzipnote\fP(1), \fIzipsplit\fP(1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .PD
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .\" =========================================================================
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ .SH URL
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/04-handle-pkware-verification-bit.patch b/archivers/unzip/files/04-handle-pkware-verification-bit.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..6bda15a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/04-handle-pkware-verification-bit.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,21 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Handle the PKWare verification bit of internal attributes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/630078
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1729,6 +1729,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (uO.L_flag > 1) /* let -LL force lower case for all names */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.pInfo->lcflag = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Handle the PKWare verification bit, bit 2 (0x0004) of internal
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ attributes. If this is set, then a verification checksum is in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ first 3 bytes of the external attributes. In this case all we can use
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ for setting file attributes is the last external attributes byte. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.crec.internal_file_attributes & 0x0004)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.crec.external_file_attributes &= (ulg)0xff;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* do Amigas (AMIGA_) also have volume labels? */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (IS_VOLID(G.crec.external_file_attributes) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (G.pInfo->hostnum == FS_FAT_ || G.pInfo->hostnum == FS_HPFS_ ||
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/05-fix-uid-gid-handling.patch b/archivers/unzip/files/05-fix-uid-gid-handling.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ee9b3dd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/05-fix-uid-gid-handling.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,29 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Restore uid and gid information when requested
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/689212
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-8
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2904,7 +2904,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef IZ_HAVE_UXUIDGID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (eb_len >= EB_UX3_MINLEN
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ && z_uidgid != NULL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- && (*((EB_HEADSIZE + 0) + ef_buf) == 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ && (*((EB_HEADSIZE + 0) + ef_buf) == 1))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* only know about version 1 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uch uid_size;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2916,10 +2916,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ flags &= ~0x0ff; /* ignore any previous UNIX field */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- uid_size, z_uidgid[0])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uid_size, &z_uidgid[0])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ read_ux3_value((EB_HEADSIZE + uid_size + 3) + ef_buf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- gid_size, z_uidgid[1]) )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ gid_size, &z_uidgid[1]) )
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ flags |= EB_UX2_VALID; /* signal success */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/06-initialize-the-symlink-flag.patch b/archivers/unzip/files/06-initialize-the-symlink-flag.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..11fa0d9
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/06-initialize-the-symlink-flag.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,20 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Andreas Schwab <schwab@linux-m68k.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Initialize the symlink flag
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/717029
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1758,6 +1758,12 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#ifdef SYMLINKS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Initialize the symlink flag, may be set by the platform-specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ mapattr function. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.pInfo->symlink = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_COOL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } /* end function process_cdir_file_hdr() */
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/07-increase-size-of-cfactorstr.patch b/archivers/unzip/files/07-increase-size-of-cfactorstr.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e2d8926
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/07-increase-size-of-cfactorstr.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Increase size of cfactorstr array to avoid buffer overflow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/741384
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-11
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/list.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/list.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -97,7 +97,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef WINDLL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- char sgn, cfactorstr[10];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char sgn, cfactorstr[12];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int longhdr=(uO.vflag>1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int date_format;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/08-allow-greater-hostver-values.patch b/archivers/unzip/files/08-allow-greater-hostver-values.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3460787
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/08-allow-greater-hostver-values.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,14 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Santiago Vila <sanvila@debian.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: zipinfo.c: Do not crash when hostver byte is >= 100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/zipinfo.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/zipinfo.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2114,7 +2114,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ attribs[9] = (xattr & UNX_ISVTX)? 'T' : '-'; /* T==undefined */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sprintf(&attribs[12], "%u.%u", hostver/10, hostver%10);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } /* end switch (hostnum: external attributes format) */
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/09-cve-2014-8139-crc-overflow.patch b/archivers/unzip/files/09-cve-2014-8139-crc-overflow.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..3b49472
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/09-cve-2014-8139-crc-overflow.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,53 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/773722
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,5 +1,5 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ See the accompanying file LICENSE, version 2009-Jan-02 or later
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (the contents of which are also included in unzip.h) for terms of use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -298,6 +298,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef SFX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EF block length (%u bytes) invalid (< %d)\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static ZCONST char Far InvalidComprDataEAs[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ " invalid compressed data for EAs\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # if (defined(WIN32) && defined(NTSD_EAS))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2023,7 +2025,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ebID = makeword(ef);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ebLen = (unsigned)makeword(ef+EB_LEN);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ebLen > (ef_len - EB_HEADSIZE)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ebLen > (ef_len - EB_HEADSIZE))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Discovered some extra field inconsistency! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (uO.qflag)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Info(slide, 1, ((char *)slide, "%-22s ",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2158,11 +2161,19 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case EF_PKVMS:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (makelong(ef+EB_HEADSIZE) !=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (ebLen < 4)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((char *)slide, LoadFarString(TooSmallEBlength),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ebLen, 4));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (makelong(ef+EB_HEADSIZE) !=
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (extent)(ebLen-4)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Info(slide, 1, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LoadFarString(BadCRC_EAs)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case EF_PKW32:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case EF_PKUNIX:
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/10-cve-2014-8140-test-compr-eb.patch b/archivers/unzip/files/10-cve-2014-8140-test-compr-eb.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ad74239
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/10-cve-2014-8140-test-compr-eb.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,27 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/773722
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2232,10 +2232,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (compr_offset < 4) /* field is not compressed: */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_OK; /* do nothing and signal OK */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Return no/bad-data error status if any problem is found:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 1. eb_size is too small to hold the uncompressed size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (eb_ucsize). (Else extract eb_ucsize.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * 3. eb_ucsize is positive, but eb_size is too small to hold
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the compressed data header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return IZ_EF_TRUNC; /* no compressed data! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return IZ_EF_TRUNC; /* no/bad compressed data! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef INT_16BIT
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/11-cve-2014-8141-getzip64data.patch b/archivers/unzip/files/11-cve-2014-8141-getzip64data.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..6097966
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/11-cve-2014-8141-getzip64data.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,137 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/773722
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -176,6 +176,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static ZCONST char Far ExtraFieldTooLong[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "warning: extra field too long (%d). Ignoring...\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static ZCONST char Far ExtraFieldCorrupt[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef WINDLL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static ZCONST char Far DiskFullQuery[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2295,7 +2297,12 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_EOF;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Looks like here is where extra fields are read */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- getZip64Data(__G__ G.extra_field, length);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error = PK_WARN;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef UNICODE_SUPPORT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.unipath_filename = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (G.UzO.U_flag < 2) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1,5 +1,5 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ See the accompanying file LICENSE, version 2009-Jan-02 or later
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (the contents of which are also included in unzip.h) for terms of use.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1901,48 +1901,82 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ and a 4-byte version of disk start number.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Sets both local header and central header fields. Not terribly clever,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ but it means that this procedure is only called in one place.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 2014-12-05 SMS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Added checks to ensure that enough data are available before calling
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ makeint64() or makelong(). Replaced various sizeof() values with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ simple ("4" or "8") constants. (The Zip64 structures do not depend
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ on our variable sizes.) Error handling is crude, but we should now
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ stay within the buffer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ---------------------------------------------------------------------------*/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define Z64FLGS 0xffff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define Z64FLGL 0xffffffff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ef_len == 0 || ef_buf == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_COOL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ef_len));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- while (ef_len >= EB_HEADSIZE) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (ef_len >= EB_HEADSIZE)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ eb_id = makeword(EB_ID + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ eb_len = makeword(EB_LEN + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (eb_len > (ef_len - EB_HEADSIZE)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* discovered some extra field inconsistency! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (eb_len > (ef_len - EB_HEADSIZE))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Extra block length exceeds remaining extra field length. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Trace((stderr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ef_len - EB_HEADSIZE));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (eb_id == EF_PKSZ64) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (eb_id == EF_PKSZ64)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int offset = EB_HEADSIZE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += sizeof(G.crec.ucsize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (offset+ 8 > ef_len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset += 8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += sizeof(G.crec.csize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (offset+ 8 > ef_len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset += 8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (G.crec.relative_offset_local_header == 0xffffffff){
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.crec.relative_offset_local_header == Z64FLGL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (offset+ 8 > ef_len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += sizeof(G.crec.relative_offset_local_header);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset += 8;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (G.crec.disk_number_start == 0xffff){
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.crec.disk_number_start == Z64FLGS)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (offset+ 4 > ef_len)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- offset += sizeof(G.crec.disk_number_start);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ offset += 4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ break; /* Expect only one EF_PKSZ64 block. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#endif /* 0 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* Skip this extra field block */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Skip this extra field block. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ef_buf += (eb_len + EB_HEADSIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ef_len -= (eb_len + EB_HEADSIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/12-cve-2014-9636-test-compr-eb.patch b/archivers/unzip/files/12-cve-2014-9636-test-compr-eb.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..1f38384
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/12-cve-2014-9636-test-compr-eb.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,40 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: mancha <mancha1 AT zoho DOT com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Wed, 11 Feb 2015
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Info-ZIP UnZip buffer overflow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/776589
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+By carefully crafting a corrupt ZIP archive with "extra fields" that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+purport to have compressed blocks larger than the corresponding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+uncompressed blocks in STORED no-compression mode, an attacker can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+trigger a heap overflow that can result in application crash or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+possibly have other unspecified impact.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+This patch ensures that when extra fields use STORED mode, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+"compressed" and uncompressed block sizes match.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2228,6 +2228,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ulg eb_ucsize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uch *eb_ucptr;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ush eb_compr_method;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (compr_offset < 4) /* field is not compressed: */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_OK; /* do nothing and signal OK */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2244,6 +2245,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return IZ_EF_TRUNC; /* no/bad compressed data! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * For STORE method, compressed and uncompressed sizes must agree.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((eb_compr_method == STORED) &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef INT_16BIT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/13-remove-build-date.patch b/archivers/unzip/files/13-remove-build-date.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..bb60533
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/13-remove-build-date.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Jérémy Bobbio <lunar@debian.org>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Remove build date
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/782851
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ In order to make unzip build reproducibly, we remove the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (already optional) build date from the binary.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/unix/unix.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/unix/unix.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1705,7 +1705,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* Sun */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* SGI */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#ifdef __DATE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#if 0
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ " on ", __DATE__
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "", ""
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/14-cve-2015-7696.patch b/archivers/unzip/files/14-cve-2015-7696.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..91482dae
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/14-cve-2015-7696.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,33 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Petr Stodulka <pstodulk@redhat.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Mon, 14 Sep 2015 18:23:17 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Upstream fix for heap overflow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/802162
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1073002
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Forwarded: yes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crypt.c | 12 +++++++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 1 file changed, 11 insertions(+), 1 deletion(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/crypt.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/crypt.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -465,7 +465,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ GLOBAL(pInfo->encrypted) = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ defer_leftover_input(__G);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (n = 0; n < RAND_HEAD_LEN; n++) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- b = NEXTBYTE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 2012-11-23 SMS. (OUSPG report.)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Quit early if compressed size < HEAD_LEN. The resulting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * error message ("unable to get password") could be improved,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * but it's better than trying to read nonexistent data, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * then continuing with a negative G.csize. (See
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * fileio.c:readbyte()).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((b = NEXTBYTE) == (ush)EOF)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ h[n] = (uch)b;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Trace((stdout, " (%02x)", h[n]));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/15-cve-2015-7697.patch b/archivers/unzip/files/15-cve-2015-7697.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..7824310
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/15-cve-2015-7697.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,26 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Kamil Dudka <kdudka@redhat.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Mon, 14 Sep 2015 18:24:56 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: fix infinite loop when extracting empty bzip2 data
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/802160
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1073339
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extract.c | 6 ++++++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 1 file changed, 6 insertions(+)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2729,6 +2729,12 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int repeated_buf_err;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bz_stream bstrm;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.incnt <= 0 && G.csize <= 0L) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* avoid an infinite loop */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Trace((stderr, "UZbunzip2() got empty input\n"));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (G.redirect_slide)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/16-fix-integer-underflow-csiz-decrypted.patch b/archivers/unzip/files/16-fix-integer-underflow-csiz-decrypted.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..45afbdd
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/16-fix-integer-underflow-csiz-decrypted.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,32 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Kamil Dudka <kdudka@redhat.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Date: Tue, 22 Sep 2015 18:52:23 +0200
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: [PATCH] extract: prevent unsigned overflow on invalid input
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: other, https://bugzilla.redhat.com/attachment.cgi?id=1075942
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1260944
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Suggested-by: Stefan Cornelius
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+---
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ extract.c | 11 ++++++++++-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 1 file changed, 10 insertions(+), 1 deletion(-)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1257,8 +1257,17 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (G.lrec.compression_method == STORED) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ zusz_t csiz_decrypted = G.lrec.csize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (G.pInfo->encrypted)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.pInfo->encrypted) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (csiz_decrypted < 12) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* handle the error now to prevent unsigned overflow */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarStringSmall(ErrUnzipNoFile),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(InvalidComprData),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarStringSmall2(Inflate)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ csiz_decrypted -= 12;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (G.lrec.ucsize != csiz_decrypted) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LoadFarStringSmall2(WrnStorUCSizCSizDiff),
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/17-restore-unix-timestamps-accurately.patch b/archivers/unzip/files/17-restore-unix-timestamps-accurately.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..2aa9424
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/17-restore-unix-timestamps-accurately.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,41 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Do not ignore extra fields containing Unix Timestamps
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/842993
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-21
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2914,10 +2914,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case EF_IZUNIX2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (have_new_type_eb == 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- flags &= ~0x0ff; /* ignore any previous IZUNIX field */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (have_new_type_eb == 0) { /* (< 1) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ have_new_type_eb = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (have_new_type_eb <= 1) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Ignore any prior (EF_IZUNIX/EF_PKUNIX) UID/GID. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ flags &= 0x0ff;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef IZ_HAVE_UXUIDGID
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (have_new_type_eb > 1)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break; /* IZUNIX3 overrides IZUNIX2 e.f. block ! */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2933,6 +2936,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* new 3rd generation Unix ef */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ have_new_type_eb = 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Ignore any prior EF_IZUNIX/EF_PKUNIX/EF_IZUNIX2 UID/GID. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ flags &= 0x0ff;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Version 1 byte version of this extra field, currently 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ UIDSize 1 byte Size of UID field
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2953,8 +2958,6 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uid_size = *((EB_HEADSIZE + 1) + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ gid_size = *((EB_HEADSIZE + uid_size + 2) + ef_buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- flags &= ~0x0ff; /* ignore any previous UNIX field */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ( read_ux3_value((EB_HEADSIZE + 2) + ef_buf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uid_size, &z_uidgid[0])
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &&
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/18-cve-2014-9913-unzip-buffer-overflow.patch b/archivers/unzip/files/18-cve-2014-9913-unzip-buffer-overflow.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..a5675f4
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/18-cve-2014-9913-unzip-buffer-overflow.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,29 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix CVE-2014-9913, buffer overflow in unzip
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug: https://sourceforge.net/p/infozip/bugs/27/
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/847485
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Ubuntu: https://launchpad.net/bugs/387350
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-21
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/list.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/list.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -339,7 +339,18 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.crec.compression_method == ENHDEFLATED) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else if (methnum >= NUM_METHODS) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sprintf(&methbuf[4], "%03u", G.crec.compression_method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 2013-02-26 SMS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * http://sourceforge.net/p/infozip/bugs/27/ CVE-2014-9913.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Unexpectedly large compression methods overflow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * &methbuf[]. Use the old, three-digit decimal format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * for values which fit. Otherwise, sacrifice the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * colon, and use four-digit hexadecimal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.crec.compression_method <= 999) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if 0 /* GRR/Euro: add this? */
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/19-cve-2016-9844-zipinfo-buffer-overflow.patch b/archivers/unzip/files/19-cve-2016-9844-zipinfo-buffer-overflow.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..52d0798
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/19-cve-2016-9844-zipinfo-buffer-overflow.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,28 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix CVE-2016-9844, buffer overflow in zipinfo
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/847486
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Ubuntu: https://launchpad.net/bugs/1643750
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-21
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/zipinfo.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/zipinfo.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1921,7 +1921,18 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ methbuf[3] = dtype[dnum];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else if (methnum >= NUM_METHODS) { /* unknown */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* 2016-12-05 SMS.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * https://launchpad.net/bugs/1643750
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Unexpectedly large compression methods overflow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * &methbuf[]. Use the old, three-digit decimal format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * for values which fit. Otherwise, sacrifice the "u",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * and use four-digit hexadecimal.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.crec.compression_method <= 999) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (k = 0; k < 15; ++k)
</span></pre><pre style='margin:0'>
</pre>