Pullup ticket #4855 - requested by he

archivers/unzip: security fix

Revisions pulled up:
- archivers/unzip/Makefile                                      1.91
- archivers/unzip/distinfo                                      1.29
- archivers/unzip/patches/patch-crypt.c                         1.1
- archivers/unzip/patches/patch-extract.c                       1.3

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Wed Nov 11 12:47:27 UTC 2015

   Modified Files:
   	pkgsrc/archivers/unzip: Makefile distinfo
   	pkgsrc/archivers/unzip/patches: patch-extract.c
   Added Files:
   	pkgsrc/archivers/unzip/patches: patch-crypt.c

   Log Message:
   Add patches to fix CVE-2015-7696, CVE-2015-7697, and an integer underflow.

   From Debian.

   Bump PKGREVISION.

4 files changed, 72 insertions, 9 deletions

diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 9764f92867e..be6b91991a4 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.90 2015/06/05 12:22:28 sevan Exp $
+# $NetBSD: Makefile,v 1.90.4.1 2015/11/20 21:05:34 bsiegert Exp $
 
 DISTNAME=	unzip60
 PKGNAME=	unzip-6.0
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	archivers
 MASTER_SITES=	ftp://ftp.info-zip.org/pub/infozip/src/
 EXTRACT_SUFX=	.tgz
diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo
index 3e2133585d7..a184e361df3 100644
--- a/archivers/unzip/distinfo
+++ b/archivers/unzip/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.27 2015/02/11 12:35:42 wiz Exp $
+$NetBSD: distinfo,v 1.27.6.1 2015/11/20 21:05:34 bsiegert Exp $
 
 SHA1 (unzip60.tgz) = abf7de8a4018a983590ed6f5cbd990d4740f8a22
 RMD160 (unzip60.tgz) = 48af66606e9472e45fbb94bc4e285da23d1b89ba
 Size (unzip60.tgz) = 1376845 bytes
 SHA1 (patch-ab) = 672635c469e0a53ac9808f8155ee38643a8acf69
 SHA1 (patch-ac) = 27b91401d4d5ecc3842c91dc49c08f42c8646154
-SHA1 (patch-extract.c) = bba436910084ec43ef8f8e76a1cd0392c566e4ac
+SHA1 (patch-crypt.c) = e44e14ba2c8e5651659c6756a5adbe88b4385ca4
+SHA1 (patch-extract.c) = 042fe7d233d0b3cb1e978902c901e8239f7a3732
 SHA1 (patch-fileio.c) = 910ddb3b847cae92326697a399234b2948555534
 SHA1 (patch-list.c) = 7aa261ecef5e5cc14ad387070560730ff419d635
 SHA1 (patch-process.c) = d6e6ed05ef7c2977353e848d9e9cba2877577812
diff --git a/archivers/unzip/patches/patch-crypt.c b/archivers/unzip/patches/patch-crypt.c
new file mode 100644
index 00000000000..e7e6d53e174
--- /dev/null
+++ b/archivers/unzip/patches/patch-crypt.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-crypt.c,v 1.1.2.2 2015/11/20 21:05:34 bsiegert Exp $
+
+Bug fix for heap overflow, from Debian.
+CVE-2015-7696
+
+--- crypt.c.orig	2007-01-05 15:47:36.000000000 +0000
++++ crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+     GLOBAL(pInfo->encrypted) = FALSE;
+     defer_leftover_input(__G);
+     for (n = 0; n < RAND_HEAD_LEN; n++) {
+-        b = NEXTBYTE;
++        /* 2012-11-23 SMS.  (OUSPG report.)
++         * Quit early if compressed size < HEAD_LEN.  The resulting
++         * error message ("unable to get password") could be improved,
++         * but it's better than trying to read nonexistent data, and
++         * then continuing with a negative G.csize.  (See
++         * fileio.c:readbyte()).
++         */
++        if ((b = NEXTBYTE) == (ush)EOF)
++        {
++            return PK_ERR;
++        }
+         h[n] = (uch)b;
+         Trace((stdout, " (%02x)", h[n]));
+     }
diff --git a/archivers/unzip/patches/patch-extract.c b/archivers/unzip/patches/patch-extract.c
index 28f43e55a20..7f6c62ff82a 100644
--- a/archivers/unzip/patches/patch-extract.c
+++ b/archivers/unzip/patches/patch-extract.c
@@ -1,4 +1,4 @@
-$NetBSD: patch-extract.c,v 1.2 2015/02/11 12:35:42 wiz Exp $
+$NetBSD: patch-extract.c,v 1.2.6.1 2015/11/20 21:05:34 bsiegert Exp $
 
 Fixes for
 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
@@ -17,6 +17,10 @@ possibly have other unspecified impact.
 
 This patch ensures that when extra fields use STORED mode, the
 "compressed" and uncompressed block sizes match.
+* CVE-2015-7697 (from Debian)
+  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
+* integer underflow
+  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802160
 
 --- extract.c.orig	2009-03-14 01:32:52.000000000 +0000
 +++ extract.c
@@ -36,7 +40,26 @@ This patch ensures that when extra fields use STORED mode, the
     static ZCONST char Far InvalidComprDataEAs[] =
       " invalid compressed data for EAs\n";
  #  if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -1255,8 +1257,17 @@ static int extract_or_test_entrylist(__G
+         if (G.lrec.compression_method == STORED) {
+             zusz_t csiz_decrypted = G.lrec.csize;
+ 
+-            if (G.pInfo->encrypted)
++            if (G.pInfo->encrypted) {
++                if (csiz_decrypted <= 12) {
++                    /* handle the error now to prevent unsigned overflow */
++                    Info(slide, 0x401, ((char *)slide,
++                      LoadFarStringSmall(ErrUnzipNoFile),
++                      LoadFarString(InvalidComprData),
++                      LoadFarStringSmall2(Inflate)));
++                    return PK_ERR;
++                }
+                 csiz_decrypted -= 12;
++            }
+             if (G.lrec.ucsize != csiz_decrypted) {
+                 Info(slide, 0x401, ((char *)slide,
+                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),
+@@ -2023,7 +2034,8 @@ static int TestExtraField(__G__ ef, ef_l
          ebID = makeword(ef);
          ebLen = (unsigned)makeword(ef+EB_LEN);
  
@@ -46,7 +69,7 @@ This patch ensures that when extra fields use STORED mode, the
             /* Discovered some extra field inconsistency! */
              if (uO.qflag)
                  Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -2032,6 +2044,16 @@ static int TestExtraField(__G__ ef, ef_l
                ebLen, (ef_len - EB_HEADSIZE)));
              return PK_ERR;
          }
@@ -63,7 +86,7 @@ This patch ensures that when extra fields use STORED mode, the
  
          switch (ebID) {
              case EF_OS2:
-@@ -2217,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2217,6 +2239,7 @@ static int test_compr_eb(__G__ eb, eb_si
      ulg eb_ucsize;
      uch *eb_ucptr;
      int r;
@@ -71,7 +94,7 @@ This patch ensures that when extra fields use STORED mode, the
  
      if (compr_offset < 4)                /* field is not compressed: */
          return PK_OK;                    /* do nothing and signal OK */
-@@ -2226,6 +2240,13 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2226,6 +2249,13 @@ static int test_compr_eb(__G__ eb, eb_si
           eb_size <= (compr_offset + EB_CMPRHEADLEN)))
          return IZ_EF_TRUNC;               /* no compressed data! */
  
@@ -85,3 +108,16 @@ This patch ensures that when extra fields use STORED mode, the
      if (
  #ifdef INT_16BIT
          (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
+@@ -2701,6 +2731,12 @@ __GDEF
+     int repeated_buf_err;
+     bz_stream bstrm;
+ 
++    if (G.incnt <= 0 && G.csize <= 0L) {
++        /* avoid an infinite loop */
++        Trace((stderr, "UZbunzip2() got empty input\n"));
++        return 2;
++    }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+     if (G.redirect_slide)
+         wsize = G.redirect_size, redirSlide = G.redirect_buffer;