Date: Wed, 21 Jan 2026 23:56:03 +0000 From: Robert Clausecker <fuz@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: git: f3c12d4f0f25 - 2026Q1 - archivers/zip: apply Debian patches Message-ID: <69716793.3b85d.1860a2f7@gitrepo.freebsd.org>
The branch 2026Q1 has been updated by fuz: URL: https://cgit.FreeBSD.org/ports/commit/?id=f3c12d4f0f258b39a9509c416b19a3873e17c0d8 commit f3c12d4f0f258b39a9509c416b19a3873e17c0d8 Author: Robert Clausecker <fuz@FreeBSD.org> AuthorDate: 2026-01-19 15:02:11 +0000 Commit: Robert Clausecker <fuz@FreeBSD.org> CommitDate: 2026-01-21 23:55:19 +0000 archivers/zip: apply Debian patches These patches fix some security and other issues: - ( 7) zipnote.c: Close in_file instead of undefined file x - ( 8) Use format specifier %s to print strings, not the string itself - (14) Fix buffer overflow when filename contains unicode characters - (15) Fix buffer overflow when using '-T -TT' - (16) Fix symlink update detection Obtained from: https://salsa.debian.org/sanvila/zip Reported by: diizzy Reviewed by: diizzy Security: CVE-2018-13410 MFH: 2026Q1 (cherry picked from commit e0e704bfeaaf5b2f0ac6c66a7a331eab62443d9a)
---
 archivers/zip/Makefile | 2 +-
 archivers/zip/files/patch-fileio.c | 19 ++++++++++++++++
 archivers/zip/files/patch-unix_unix.c | 15 ++++++++++++
 archivers/zip/files/patch-zip.c | 43 +++++++++++++++++++++++++++++++++++
 archivers/zip/files/patch-zipnote.c | 16 +++++++++++++
 5 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/archivers/zip/Makefile b/archivers/zip/Makefile
index 0826bd37bce8..eb392156abf8 100644
--- a/archivers/zip/Makefile
+++ b/archivers/zip/Makefile
@@ -1,6 +1,6 @@
 PORTNAME= zip
 PORTVERSION= 3.0
-PORTREVISION= 4
+PORTREVISION= 5
 CATEGORIES= archivers
 MASTER_SITES= SF/info${PORTNAME}/Zip%203.x%20%28latest%29/${PORTVERSION}
 DISTNAME= ${PORTNAME}${PORTVERSION:S/.//g}
diff --git a/archivers/zip/files/patch-fileio.c b/archivers/zip/files/patch-fileio.c
new file mode 100644
index 000000000000..8cd84ef1b5f9
--- /dev/null
+++ b/archivers/zip/files/patch-fileio.c
@@ -0,0 +1,19 @@
+From: Shengjing Zhu <shengjing.zhu@canonical.com>
+Subject: Fix buffer overflow when filename contains unicode characters
+Bug-Debian: https://bugs.debian.org/1077054
+Bug-Debian: https://bugs.debian.org/1093629
+Bug-Ubuntu: https://launchpad.net/bugs/2062535
+Forwarded: https://sourceforge.net/p/infozip/bugs/81/
+Origin: https://src.fedoraproject.org/rpms/zip/raw/f41/f/buffer_overflow.patch
+
+--- fileio.c.orig 2008-05-29 00:13:24 UTC
++++ fileio.c
+@@ -3502,7 +3502,7 @@ zwchar *local_to_wide_string(local_string)
+ if ((wc_string = (wchar_t *)malloc((wsize + 1) * sizeof(wchar_t))) == NULL) {
+ ZIPERR(ZE_MEM, "local_to_wide_string");
+ }
+- wsize = mbstowcs(wc_string, local_string, strlen(local_string) + 1);
++ wsize = mbstowcs(wc_string, local_string, wsize + 1);
+ wc_string[wsize] = (wchar_t) 0;
+
+ /* in case wchar_t is not zwchar */
diff --git a/archivers/zip/files/patch-unix_unix.c b/archivers/zip/files/patch-unix_unix.c
new file mode 100644
index 000000000000..22a92db74d40
--- /dev/null
+++ b/archivers/zip/files/patch-unix_unix.c
@@ -0,0 +1,15 @@
+From: Marcin Owsiany <marcin@owsiany.pl>
+Subject: Fix symlink update detection
+Bug-Debian: https://bugs.debian.org/1005943
+
+--- unix/unix.c.orig 2008-06-19 04:26:18 UTC
++++ unix/unix.c
+@@ -423,7 +423,7 @@ ulg filetime(f, a, n, t)
+ }
+ }
+ if (n != NULL)
+- *n = (s.st_mode & S_IFMT) == S_IFREG ? s.st_size : -1L;
++ *n = ((s.st_mode & S_IFMT) == S_IFREG || (s.st_mode & S_IFMT) == S_IFLNK) ? s.st_size : -1L;
+ if (t != NULL) {
+ t->atime = s.st_atime;
+ t->mtime = s.st_mtime;
diff --git a/archivers/zip/files/patch-zip.c b/archivers/zip/files/patch-zip.c
new file mode 100644
index 000000000000..d81182e3baf1
--- /dev/null
+++ b/archivers/zip/files/patch-zip.c
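Review bot: In patch-fileio.c the result of the second `mbstowcs` call is still used as an index on the following line without a failure check; `mbstowcs` returns `(size_t)-1` on an invalid multibyte sequence, and `wc_string[wsize]` would then write outside the allocation. The sizing call that sets `wsize` before the `malloc` lies outside the hunk and may already reject such input, but a guard such as `if (wsize == (size_t)-1) { free(wc_string); return NULL; }` before the terminator store would make this line safe on its own (the NULL return is an assumption about the function's failure convention). A short comment that the third argument is the capacity of `wc_string` in wide characters, not the byte length of the input, would also record why the `strlen` bound was replaced.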
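Review bot: The new condition in patch-unix_unix.c carries no comment saying why symbolic links now report a size, and the doubled `(s.st_mode & S_IFMT) ==` test makes the line hard to scan. `S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)` states the same check more compactly, with a comment like `/* links: report the size of the link itself so update detection can compare it */`. That `st_size` is the link's own length assumes `s` was filled by `lstat()`, which happens outside the hunk; with a plain `stat()` the `S_IFLNK` case would not be reached.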
@@ -0,0 +1,43 @@
+From: Santiago Vila <sanvila@debian.org>
+Subject: Use format specifier %s to print strings, not the string itself
+Bug-Debian: https://bugs.debian.org/673476
+X-Debian-version: 3.0-5
+
+From: Florent 'Skia' Jacquet <florent.jacquet@canonical.com>
+Subject: Fix buffer overflow when using '-T -TT'
+Bug-Debian: https://bugs.debian.org/1093629
+Bug-Ubuntu: https://launchpad.net/bugs/2093024
+Forwarded: https://sourceforge.net/p/infozip/bugs/81/
+
+strlen(unzip_path) + strlen(zipname) + " " + "'" + "'" + '\0'
+The additional space required in the `cmd` buffer is 4, not 3.
+
+--- zip.c.orig 2008-07-05 16:34:06 UTC
++++ zip.c
+@@ -1028,7 +1028,7 @@ local void help_extended()
+
+ for (i = 0; i < sizeof(text)/sizeof(char *); i++)
+ {
+- printf(text[i]);
++ printf("%s", text[i]);
+ putchar('\n');
+ }
+ #ifdef DOS
+@@ -1225,7 +1225,7 @@ local void version_info()
+ CR_MAJORVER, CR_MINORVER, CR_BETA_VER, CR_VERSION_DATE);
+ for (i = 0; i < sizeof(cryptnote)/sizeof(char *); i++)
+ {
+- printf(cryptnote[i]);
++ printf("%s", cryptnote[i]);
+ putchar('\n');
+ }
+ ++i; /* crypt support means there IS at least one compilation option */
+@@ -1437,7 +1437,7 @@ local void check_zipfile(zipname, zippath)
+ /* Replace first {} with archive name. If no {} append name to string. */
+ here = strstr(unzip_path, "{}");
+
+- if ((cmd = malloc(strlen(unzip_path) + strlen(zipname) + 3)) == NULL) {
++ if ((cmd = malloc(strlen(unzip_path) + strlen(zipname) + 4)) == NULL) {
+ ziperr(ZE_MEM, "building command string for testing archive");
+ }
+
diff --git a/archivers/zip/files/patch-zipnote.c b/archivers/zip/files/patch-zipnote.c
new file mode 100644
index 000000000000..01b1d97f91f2
--- /dev/null
+++ b/archivers/zip/files/patch-zipnote.c
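Review bot: The `+ 4` in the `check_zipfile` hunk of patch-zip.c is still a hand-counted constant whose justification lives only in the patch header, not in zip.c itself. A comment at the allocation such as `/* +4: separating space, two single quotes, terminating NUL */` would keep a later edit to the command assembly from reintroducing the off-by-one. The code that writes into `cmd` lies outside the hunk, so whether every branch (with and without `{}`) stays within this size cannot be confirmed from here. If `cmd` is later handed to a shell, the single-quote wrapping also only holds for a `zipname` that contains no quote character, which this change does not address.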
@@ -0,0 +1,16 @@
+From: Christian Spieler
+Subject: zipnote.c: Close in_file instead of undefined file x
+Bug-Debian: https://bugs.debian.org/628594
+X-Debian-version: 3.0-4
+
+--- zipnote.c.orig 2008-05-08 08:17:08 UTC
++++ zipnote.c
+@@ -661,7 +661,7 @@ char **argv; /* command line tokens */
+ if ((r = zipcopy(z)) != ZE_OK)
+ ziperr(r, "was copying an entry");
+ }
+- fclose(x);
++ fclose(in_file);
+
+ /* Write central directory and end of central directory with new comments */
+ if ((c = zftello(y)) == (zoff_t)-1) /* get start of central */
home | help
