app-arch/unzip: update to 6.0_p25-r1

Update unzip to 6.0_p25-r1 to address the following issues: [CVE-2018-1000035](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035) [CVE-2019-13232](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13232)
2025-08-17 18:06:59 +02:00 · 2020-03-31 09:42:50 +02:00 · 2020-03-31 09:42:50 +02:00 · be7881cc9f
commit be7881cc9f
parent 9df1c78642
7 changed files with 178 additions and 43 deletions
--- a/sdk_container/src/third_party/portage-stable/app-arch/unzip/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-arch/unzip/Manifest
@ -1,8 +1,2 @@
-AUX unzip-6.0-natspec.patch 14304 SHA256 cf7b6146b034e5687e77c328a9e55efc68ddb75636fdcce84853995ab60082dd SHA512 189ce2045430d2d04e27049672a3cfb205319edab1ac1522700a7f89344e5718235d8a15238390f6b4317af493796a65cac6a83f7dceb402bc736628d7a89cda WHIRLPOOL db49d3f17313f37b87dc0a597ff703474c7607ceae0b0fe456b3407bf915806557d3bcfa1de8df37a6d3f1d9c74a516f88ef1f05606fbe97b085f07c17d79337
-AUX unzip-6.0-no-exec-stack.patch 381 SHA256 ae62249dcf8bbc3c30468b07944df6c8777b565927d9ed6d1fdf7395899ea7c7 SHA512 a00ba3c805aa64bebeb3194cd75093c1e7c951366d40bba4852837dcb355eedf1ca6a6e648ea007fcb71124e778e54b5168a7b38a7b7268bc3983d87594633a5 WHIRLPOOL e838b3835e9cdcbbe5f47bb1ab92b2ce0fffff1ce77e69ee460a9ff9d5ed4a3c16311d65b0a16f14a3b4e22b2c09db1f3d88b35fa978d40e67ad5307e5a29a39
-DIST unzip60.tar.gz 1376845 SHA256 036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37 SHA512 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d WHIRLPOOL eab32d6d0ab100d302b608658a3ae290d3dad4beddccebaf6cb6527102bb238f751ec6482dea68ae62474005de89f11f9e0cf1b1e12bee2ca5a2336a3c0c9808
-DIST unzip_6.0-20.debian.tar.xz 16680 SHA256 7ddfafb1a771ae8d6b4e25c5e31f22c717e0fe606b1bafadcdd574c01f671490 SHA512 7212cb110291581c2e465dc8ea5130eabffc4e0369d6245e8c26fa9d350bed904847d6e1191afaaa2d3fc23bd05fda7da80439d0c06b88f5331b01c9eff97fbe WHIRLPOOL ea5ebd5d95638ff8cd2e91eb77f5be544e33ac6fd478aa00c04da193cd3fad980c5ac1975dfedb2c242192cee6c4eee8bbaf3581299f6c3fa45faa639f0169fd
-EBUILD unzip-6.0_p20.ebuild 2557 SHA256 28da56bf99abfba333e7df31e9c0288123aeb09d5ea1630f19fedd505fb5adf5 SHA512 72014935da1e7acec784f189568fbec2756968811d348594d98e5a4f440579471b9e6348aa57877a18e0e34b6434aa144cd7015a88c5b999805428d4192dd212 WHIRLPOOL 16d6d5c7612bb25877162d572ac88731d313f1d632eadb1f72063063e544d08bde57fd5e87b792adc77adbaf58ada2e3aece28770c583243e7efa2e068f69ce4
-MISC ChangeLog 5049 SHA256 b0c10cf3ce667fc7eb0921a97209fe4337d83375f69510c99a95d4f3f32accbc SHA512 e42d5c5b1e5ccf47f1a1b1a13296d68bf2563f7ec90d67bd0dba798215f1313b14f1671d61f70a4ca77cdde1023b404f72b981655e9f776e2cd3bf2f3fe62aa2 WHIRLPOOL f020fc753e8f5f9def179c888699b879bfd130b73d1768b45c24c30e908a08f870aed8ef851efd8482fb9af1126bf8f436e32002a8ea676391ec7986f7b96680
-MISC ChangeLog-2015 10492 SHA256 d02b2f95413294e2ac375d98127e9465a60c9132166c0d62918d48474992f966 SHA512 06717ced072fc605e067c9018e74e811c3c47c07ae7ec39a7260955b0ba3168ab710a5c76ace3e365c5a90e9ed9976172e2e77a8e985cd4e1154e398244ff200 WHIRLPOOL 3fb404c5672c5977c242380415b7e505eb76af9b7f0028ead8d52f988399fa03f5f3d023aca7e4be95e39133fd49b8a587f3fa6674bc5e97cae8534ab5fbca37
-MISC metadata.xml 476 SHA256 91ce6b527006713ac4c8b533935adac492ace0235b21f7ab4678d75052d78ff3 SHA512 0b82799f21ec8d57451ce8f231d24eabb02f637ee6fd2c32af12f9806f104ea53dc4d848b29950c1d5e848ea81f04a58422fa37f39287937dfb54e186f30b653 WHIRLPOOL 039f215da0822c5bf526b0c1a4483af67c0423326b7a149b39f8a216dc18d1c0ff205dee0e872f5ab8a1ae78e0346eddfdbc42922c7f70d9030fde66746cbc96
+DIST unzip60.tar.gz 1376845 BLAKE2B 5016d300b4452018a391f4ebc03c6960c068df400a0407c0c60bd7bb5ec5012031f916d8b204a6149ba291c2c35beba40d9b43c76fc093026e79471329ab0e47 SHA512 0694e403ebc57b37218e00ec1a406cae5cc9c5b52b6798e0d4590840b6cdbf9ddc0d9471f67af783e960f8fa2e620394d51384257dca23d06bcd90224a80ce5d
+DIST unzip_6.0-25.debian.tar.xz 23096 BLAKE2B 09cd89165c0354431fa0eb946bb8f8355fa09ef81cd3e3ea03e53ca7f465b323364204ffe11d8e58eeb5b46e40be598d4f709b621d163bfde09070b6847db2a6 SHA512 13c16db420fa4a34be3090a9acdd79b01320da40ac5aa89a9dfca03e64b914b28eb72aff3882d02a8197457bcb8eeb9473c998cf6920e511883c9289a949fb21
--- a/sdk_container/src/third_party/portage-stable/app-arch/unzip/files/unzip-6.0-fix-false-overlap-detection-on-32bit-systems.patch
+++ b/sdk_container/src/third_party/portage-stable/app-arch/unzip/files/unzip-6.0-fix-false-overlap-detection-on-32bit-systems.patch
@ -0,0 +1,50 @@
+From 13f0260beae851f7d5dd96e9ef757d8d6d7daac1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Sun, 9 Feb 2020 07:20:13 -0800
+Subject: [PATCH] Fix false overlapped components detection on 32-bit systems.
+
+32-bit systems with ZIP64_SUPPORT enabled could have different
+size types for zoff_t and zusz_t. That resulted in bad parameter
+passing to the bound tracking functions, itself due to the lack of
+use of C function prototypes in unzip. This commit assures that
+parameters are cast properly for those calls.
+
+This problem occurred only for ill-chosen make options, which give
+a 32-bit zoff_t. A proper build will result in a zoff_t of 64 bits,
+even on 32-bit systems.
+---
+ extract.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 1b73cb0..d9866f9 100644
+--- a/extract.c
+++ b/extract.c
+@@ -329,7 +329,7 @@ static ZCONST char Far OverlappedComponents[] =
+ 
+ 
+ /* A growable list of spans. */
+-typedef zoff_t bound_t;
+typedef zusz_t bound_t;
+ typedef struct {
+     bound_t beg;        /* start of the span */
+     bound_t end;        /* one past the end of the span */
+@@ -518,7 +518,8 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+         return PK_MEM;
+     }
+     if ((G.extra_bytes != 0 &&
+-         cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+         cover_add((cover_t *)G.cover,
+                   (bound_t)0, (bound_t)G.extra_bytes) != 0) ||
+         (G.ecrec.have_ecr64 &&
+          cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
+                    G.ecrec.ec64_end) != 0) ||
+@@ -1216,7 +1217,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
+ 
+         /* seek_zipf(__G__ pInfo->offset);  */
+         request = G.pInfo->offset + G.extra_bytes;
+-        if (cover_within((cover_t *)G.cover, request)) {
+        if (cover_within((cover_t *)G.cover, (bound_t)request)) {
+             Info(slide, 0x401, ((char *)slide,
+               LoadFarString(OverlappedComponents)));
+             return PK_BOMB;
--- a/sdk_container/src/third_party/portage-stable/app-arch/unzip/files/unzip-6.0-format-security.patch
+++ b/sdk_container/src/third_party/portage-stable/app-arch/unzip/files/unzip-6.0-format-security.patch
@ -0,0 +1,91 @@
+Fix build with -Werror=format-security
+
+Origin: http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=master-next&id=f7d80257afcfefdc85b6745328f2d12b957a848b
+Author: Edwin Plauchu <edwin.plauchu.camacho@intel.com>
+
+diff --git a/extract.c b/extract.c
+index 7cd9123..25c5a62 100644
+--- a/extract.c
+++ b/extract.c
+@@ -475,7 +475,7 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+                     Info(slide, 0x401, ((char *)slide,
+                       LoadFarString(CentSigMsg), j + blknum*DIR_BLKSIZ + 1));
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(ReportMsg)));
+                      "%s",LoadFarString(ReportMsg)));
+                     error_in_archive = PK_BADERR;
+                 }
+                 reached_end = TRUE;     /* ...so no more left to do */
+@@ -754,8 +754,8 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+
+ #ifndef SFX
+     if (no_endsig_found) {                      /* just to make sure */
+-        Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
+-        Info(slide, 0x401, ((char *)slide, LoadFarString(ReportMsg)));
+        Info(slide, 0x401, ((char *)slide, "%s", LoadFarString(EndSigMsg)));
+        Info(slide, 0x401, ((char *)slide, "%s", LoadFarString(ReportMsg)));
+         if (!error_in_archive)       /* don't overwrite stronger error */
+             error_in_archive = PK_WARN;
+     }
+diff --git a/list.c b/list.c
+index 15e0011..0b484f6 100644
+--- a/list.c
+++ b/list.c
+@@ -181,7 +181,7 @@ int list_files(__G)    /* return PK-type error code */
+                 Info(slide, 0x401,
+                      ((char *)slide, LoadFarString(CentSigMsg), j));
+                 Info(slide, 0x401,
+-                     ((char *)slide, LoadFarString(ReportMsg)));
+                     ((char *)slide, "%s", LoadFarString(ReportMsg)));
+                 return PK_BADERR;   /* sig not found */
+             }
+         }
+@@ -507,7 +507,7 @@ int list_files(__G)    /* return PK-type error code */
+             && (!G.ecrec.is_zip64_archive)
+             && (memcmp(G.sig, end_central_sig, 4) != 0)
+            ) {          /* just to make sure again */
+-            Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
+            Info(slide, 0x401, ((char *)slide, "%s", LoadFarString(EndSigMsg)));
+             error_in_archive = PK_WARN;   /* didn't find sig */
+         }
+
+@@ -591,7 +591,7 @@ int get_time_stamp(__G__ last_modtime, nmember)  /* return PK-type error code */
+                 Info(slide, 0x401,
+                      ((char *)slide, LoadFarString(CentSigMsg), j));
+                 Info(slide, 0x401,
+-                     ((char *)slide, LoadFarString(ReportMsg)));
+                     ((char *)slide, "%s", LoadFarString(ReportMsg)));
+                 return PK_BADERR;   /* sig not found */
+             }
+         }
+@@ -674,7 +674,7 @@ int get_time_stamp(__G__ last_modtime, nmember)  /* return PK-type error code */
+   ---------------------------------------------------------------------------*/
+ 
+     if (memcmp(G.sig, end_central_sig, 4)) {    /* just to make sure again */
+-        Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
+        Info(slide, 0x401, ((char *)slide, "%s", LoadFarString(EndSigMsg)));
+         error_in_archive = PK_WARN;
+     }
+     if (*nmember == 0L && error_in_archive <= PK_WARN)
+diff --git a/zipinfo.c b/zipinfo.c
+index 0ac75b3..1e7fa82 100644
+--- a/zipinfo.c
+++ b/zipinfo.c
+@@ -833,7 +833,7 @@ int zipinfo(__G)   /* return PK-type error code */
+                 Info(slide, 0x401,
+                      ((char *)slide, LoadFarString(CentSigMsg), j));
+                 Info(slide, 0x401,
+-                     ((char *)slide, LoadFarString(ReportMsg)));
+                     ((char *)slide, "%s", LoadFarString(ReportMsg)));
+                 error_in_archive = PK_BADERR;   /* sig not found */
+                 break;
+             }
+@@ -1022,7 +1022,7 @@ int zipinfo(__G)   /* return PK-type error code */
+             && (!G.ecrec.is_zip64_archive)
+             && (memcmp(G.sig, end_central_sig, 4) != 0)
+            ) {          /* just to make sure again */
+-            Info(slide, 0x401, ((char *)slide, LoadFarString(EndSigMsg)));
+            Info(slide, 0x401, ((char *)slide, "%s", LoadFarString(EndSigMsg)));
+             error_in_archive = PK_WARN;   /* didn't find sig */
+         }
+ 
--- a/sdk_container/src/third_party/portage-stable/app-arch/unzip/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-arch/unzip/metadata.xml
@ -9,6 +9,7 @@
 		<flag name="natspec">Use <pkg>dev-libs/libnatspec</pkg> to correctly decode non-ascii file names archived in Windows.</flag>
 	</use>
 	<upstream>
+		<remote-id type="cpe">cpe:/a:info-zip:unzip</remote-id>
 		<remote-id type="sourceforge">infozip</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/app-arch/unzip/unzip-6.0_p25-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-arch/unzip/unzip-6.0_p25-r1.ebuild
@ -1,9 +1,9 @@
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2

-EAPI="5"
+EAPI=7

-inherit eutils toolchain-funcs flag-o-matic
+inherit toolchain-funcs flag-o-matic

 MY_PV="${PV//.}"
 MY_PV="${MY_PV%_p*}"
@ -16,7 +16,7 @@ SRC_URI="mirror://sourceforge/infozip/${MY_P}.tar.gz

 LICENSE="Info-ZIP"
 SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux"
 IUSE="bzip2 natspec unicode"

 DEPEND="bzip2? ( app-arch/bzip2 )
@ -27,14 +27,13 @@ S="${WORKDIR}/${MY_P}"

 src_prepare() {
 	local deb="${WORKDIR}"/debian/patches
-	rm \
-		"${deb}"/series \
-		"${deb}"/02-branding-patch-this-is-debian-unzip \
-		|| die
-	epatch "${deb}"/*
+	rm "${deb}"/02-this-is-debian-unzip.patch || die
+	eapply "${deb}"/*.patch

-	epatch "${FILESDIR}"/${PN}-6.0-no-exec-stack.patch
-	use natspec && epatch "${FILESDIR}/${PN}-6.0-natspec.patch" #275244
+	eapply "${FILESDIR}"/${PN}-6.0-no-exec-stack.patch
+	eapply "${FILESDIR}"/${PN}-6.0-format-security.patch
+	eapply "${FILESDIR}"/${PN}-6.0-fix-false-overlap-detection-on-32bit-systems.patch
+	use natspec && eapply "${FILESDIR}/${PN}-6.0-natspec.patch" #275244
 	sed -i -r \
 		-e '/^CFLAGS/d' \
 		-e '/CFLAGS/s:-O[0-9]?:$(CFLAGS) $(CPPFLAGS):' \
@ -54,30 +53,30 @@ src_prepare() {
 	# Delete bundled code to make sure we don't use it.
 	rm -r bzip2 || die

-	epatch_user
+	eapply_user
 }

 src_configure() {
 	case ${CHOST} in
-	i?86*-*linux*)       TARGET="linux_asm" ;;
-	*linux*)             TARGET="linux_noasm" ;;
-	i?86*-*bsd* | \
-	i?86*-dragonfly*)    TARGET="freebsd" ;; # mislabelled bsd with x86 asm
-	*bsd* | *dragonfly*) TARGET="bsd" ;;
-	*-darwin*)           TARGET="macosx" ;;
-	*-cygwin*)           TARGET="cygwin" ;;
-	*) die "Unknown target; please update the ebuild to handle ${CHOST}	" ;;
+		i?86*-*linux*)       TARGET="linux_asm" ;;
+		*linux*)             TARGET="linux_noasm" ;;
+		i?86*-*bsd* | \
+		i?86*-dragonfly*)    TARGET="freebsd" ;; # mislabelled bsd with x86 asm
+		*bsd* | *dragonfly*) TARGET="bsd" ;;
+		*-darwin*)           TARGET="macosx" ;;
+		*-cygwin*)           TARGET="cygwin" ;;
+		*) die "Unknown target; please update the ebuild to handle ${CHOST}	" ;;
 	esac

 	[[ ${CHOST} == *linux* ]] && append-cppflags -DNO_LCHMOD
 	use bzip2 && append-cppflags -DUSE_BZIP2
-	use unicode && append-cppflags -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE
+	use unicode && append-cppflags -DUNICODE_SUPPORT -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DUSE_ICONV_MAPPING
 	append-cppflags -DLARGE_FILE_SUPPORT #281473
 }

 src_compile() {
 	ASFLAGS="${ASFLAGS} $(get_abi_var CFLAGS)" \
-	emake -f unix/Makefile ${TARGET}
+		emake -f unix/Makefile ${TARGET}
 }

 src_install() {
--- a/sdk_container/src/third_party/portage-stable/metadata/md5-cache/app-arch/unzip-6.0_p20
+++ b/sdk_container/src/third_party/portage-stable/metadata/md5-cache/app-arch/unzip-6.0_p20
@ -1,13 +0,0 @@
-DEFINED_PHASES=compile configure install prepare
-DEPEND=bzip2? ( app-arch/bzip2 ) natspec? ( dev-libs/libnatspec )
-DESCRIPTION=unzipper for pkzip-compressed files
-EAPI=5
-HOMEPAGE=http://www.info-zip.org/
-IUSE=bzip2 natspec unicode
-KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux
-LICENSE=Info-ZIP
-RDEPEND=bzip2? ( app-arch/bzip2 ) natspec? ( dev-libs/libnatspec )
-SLOT=0
-SRC_URI=mirror://sourceforge/infozip/unzip60.tar.gz mirror://debian/pool/main/u/unzip/unzip_6.0-20.debian.tar.xz
-_eclasses_=desktop	b1d22ac8bdd4679ab79c71aca235009d	epatch	a1bf4756dba418a7238f3be0cb010c54	estack	43ddf5aaffa7a8d0482df54d25a66a1f	eutils	6e6c2737b59a4b982de6fb3ecefd87f8	flag-o-matic	a09389deba2c0a7108b581e02c7cecbf	ltprune	2729691420b6deeda2a90b1f1183fb55	multilib	1d91b03d42ab6308b5f4f6b598ed110e	preserve-libs	ef207dc62baddfddfd39a164d9797648	toolchain-funcs	8c7f9d80beedd16f2e5a7f612c609529	vcs-clean	2a0f74a496fa2b1552c4f3398258b7bf
-_md5_=c4cb8e1105df8a892a2fdf16331040ed
--- a/sdk_container/src/third_party/portage-stable/metadata/md5-cache/app-arch/unzip-6.0_p25-r1
+++ b/sdk_container/src/third_party/portage-stable/metadata/md5-cache/app-arch/unzip-6.0_p25-r1
@ -0,0 +1,13 @@
+DEFINED_PHASES=compile configure install prepare
+DEPEND=bzip2? ( app-arch/bzip2 ) natspec? ( dev-libs/libnatspec )
+DESCRIPTION=unzipper for pkzip-compressed files
+EAPI=7
+HOMEPAGE=http://www.info-zip.org/
+IUSE=bzip2 natspec unicode
+KEYWORDS=~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~x86-linux
+LICENSE=Info-ZIP
+RDEPEND=bzip2? ( app-arch/bzip2 ) natspec? ( dev-libs/libnatspec )
+SLOT=0
+SRC_URI=mirror://sourceforge/infozip/unzip60.tar.gz mirror://debian/pool/main/u/unzip/unzip_6.0-25.debian.tar.xz
+_eclasses_=eutils	6e6c2737b59a4b982de6fb3ecefd87f8	flag-o-matic	a09389deba2c0a7108b581e02c7cecbf	multilib	1d91b03d42ab6308b5f4f6b598ed110e	toolchain-funcs	8c7f9d80beedd16f2e5a7f612c609529
+_md5_=5e8010bbeeed80d84f20d50c19c6e463