Age | Commit message | Author | Files | Lines |
|
It fixes CVE-2015-2060, a directory traversal vulnerability.
A CAB file with overlong UTF-8 encodings for "/" can get its files extracted to
an absolute path instead of the current directory. [Debian bug #778753]
Under Cygwin, a CAB file using both "/" and "\" can evade checks for absolute
files and "../" directory traversals and can get its files extracted to any
path.
|
* A bug in the LZX decompressor was fixed.
* cabextract is now more tolerant when processing cabinet sets.
* cabextract is now compatible with even more compilers, and
now supports 64-bit file I/O on platforms where it's completely
native, like Mac OS X 10.6 and Fedora x86_64.
* cabextract will no longer print "library not compiled to support
large files" while reading small files.
* The Windows CE installation format document was improved.
|
* The "-t" archive integrity checking option has been added. This was
requested by several users. cabextract can unpack cabinet files and give
you MD5 checksums of the files inside, without writing the unpacked
files to disk.
* Large files (more than 2 gigabytes) are now correctly searched for
cabinet files.
* A security vulnerability has been fixed. Files compressed with the
Quantum method, using a window size less than 32768 bytes, could cause
cabextract to write beyond the end of the window and cause a
segmentation fault. This fix also permits cabextract to unpack this type
of cabinet file (of which only one has been found in the wild) correctly.
* The unnecessary GNU source mempcpy.c, which caused compilation
failures on several systems, was removed.
* An off-by-one error introduced in 1.1's UTF-8 decoder was fixed. Files
with UTF-8 filenames can now be extracted. The UTF-8 decoder was also
upgraded to support the latest Unicode character maps.
|
anywhere, yet configure.ac declared an AC_REPLACE_FUNCS() for it. Rip out
the offending code from configure until it is rebuilt at the source.
(Patch to remove the AC_REPLACE_FUNCS submitted to author.)
|
* A security vulnerability has been fixed. If the files within a
cabinet file include "../" in their filenames, this will be
changed to "xx/", so cabinets cannot access the parent directory
of where you want to extract them.
* cabextract should now compile cleanly on AIX and Cygwin.
|
have been converted to USE_BUILDLINK2.
|
changes since 0.5:
* pkgsrc fixes for 0.5 integrated
* support for the Quantum compression method reverse-engineered by
Matthew Russotto
* cabextract now exhaustively searches your files for cabinets.
If there's more than one cabinet in the same file, cabextract will
find those too.
* Spanning cabinet sets contain both a 'next' and 'previous' cabinet
name. cabextract now searches backwards through the cabinet chain
to find the start of a cabinet set, before searching in the forwards
direction as usual.
|
- Do not compute a pointer outside of an array.
The original code did this, and if the executable is mapped at a
low address in virtual space, the "runsrc" value becomes a ``negative''
address and causes a crash.
Package maintainers should use a.out to detect this sort of botch. :D
- Fix usage of mktime(3).
- Fix usage of tolower(3).
Changes:
- Honor umask for file mode.
- Add a hack to handle self-extracting cabinet (*.exe).
|