Add patch to fix the security problem described in SA16309.

3 files changed, 71 insertions, 6 deletions

diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 012d5e90d5a..f80d6694198 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.55 2005/05/22 20:07:37 jlam Exp $
+# $NetBSD: Makefile,v 1.56 2005/08/04 14:20:35 tron Exp $
 
 DISTNAME=	unzip552
 PKGNAME=	unzip-5.52
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	archivers
 MASTER_SITES=	ftp://ftp.info-zip.org/pub/infozip/src/
 
diff --git a/archivers/unzip/distinfo b/archivers/unzip/distinfo
index 8411b95ea03..57ae30fbe7b 100644
--- a/archivers/unzip/distinfo
+++ b/archivers/unzip/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.13 2005/03/01 07:45:28 salo Exp $
+$NetBSD: distinfo,v 1.14 2005/08/04 14:20:35 tron Exp $
 
-SHA1 (unzip-5.52nb1/unzip552.tar.gz) = 1831bd59b9e607a69052f83b263384895e2d4a19
-RMD160 (unzip-5.52nb1/unzip552.tar.gz) = b749b0923bc4cceaa6f937aef688e9713a84328c
-Size (unzip-5.52nb1/unzip552.tar.gz) = 1140291 bytes
+SHA1 (unzip-5.52nb2/unzip552.tar.gz) = 1831bd59b9e607a69052f83b263384895e2d4a19
+RMD160 (unzip-5.52nb2/unzip552.tar.gz) = b749b0923bc4cceaa6f937aef688e9713a84328c
+Size (unzip-5.52nb2/unzip552.tar.gz) = 1140291 bytes
 SHA1 (patch-aa) = de66b7b5c45904167e8596ce5235d957c2df4d2a
 SHA1 (patch-ab) = dd426fdf4b774bd73f4ee46da470ffa3c2cf6513
+SHA1 (patch-ac) = ada9059d9b3384396bbf6437f55fa40f2f6c0c73
diff --git a/archivers/unzip/patches/patch-ac b/archivers/unzip/patches/patch-ac
new file mode 100644
index 00000000000..062be0cbd3e
--- /dev/null
+++ b/archivers/unzip/patches/patch-ac
@@ -0,0 +1,64 @@
+$NetBSD: patch-ac,v 1.1 2005/08/04 14:20:35 tron Exp $
+
+--- unix/unix.c.orig	2005-02-26 19:43:42.000000000 +0000
++++ unix/unix.c	2005-08-04 15:15:17.000000000 +0100
+@@ -1042,8 +1042,6 @@
+     ush z_uidgid[2];
+     int have_uidgid_flg;
+ 
+-    fclose(G.outfile);
+-
+ /*---------------------------------------------------------------------------
+     If symbolic links are supported, allocate storage for a symlink control
+     structure, put the uncompressed "data" and other required info in it, and
+@@ -1059,6 +1057,8 @@
+                                 strlen(G.filename);
+         slinkentry *slnk_entry;
+ 
++        fclose(G.outfile);
++
+         if ((unsigned)slnk_entrysize < ucsize) {
+             Info(slide, 0x201, ((char *)slide,
+               "warning:  symbolic link (%s) failed: mem alloc overflow\n",
+@@ -1107,6 +1107,11 @@
+     }
+ #endif /* SYMLINKS */
+ 
++#ifndef NO_CHMOD
++    if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr)))
++        perror("chmod (file attributes) error");
++#endif
++
+ #ifdef QLZIP
+     if (G.extra_field) {
+         static void qlfix OF((__GPRO__ uch *ef_ptr, unsigned ef_len));
+@@ -1120,7 +1125,7 @@
+     /* if -X option was specified and we have UID/GID info, restore it */
+     if (have_uidgid_flg) {
+         TTrace((stderr, "close_outfile:  restoring Unix UID/GID info\n"));
+-        if (chown(G.filename, (uid_t)z_uidgid[0], (gid_t)z_uidgid[1]))
++        if (fchown(fileno(G.outfile), (uid_t)z_uidgid[0], (gid_t)z_uidgid[1]))
+         {
+             if (uO.qflag)
+                 Info(slide, 0x201, ((char *)slide,
+@@ -1133,6 +1138,8 @@
+         }
+     }
+ 
++    fclose(G.outfile);
++
+     /* set the file's access and modification times */
+     if (utime(G.filename, &(zt.t2))) {
+ #ifdef AOS_VS
+@@ -1156,11 +1163,6 @@
+     zipfile.
+   ---------------------------------------------------------------------------*/
+ 
+-#ifndef NO_CHMOD
+-    if (chmod(G.filename, filtattr(__G__ G.pInfo->file_attr)))
+-        perror("chmod (file attributes) error");
+-#endif
+-
+ } /* end function close_outfile() */
+ 
+ #endif /* !MTS */