kumquat-buildroot/package/unzip/unzip.mk

################################################################################
#
# unzip
#
################################################################################

UNZIP_VERSION = 60
UNZIP_SOURCE = unzip$(UNZIP_VERSION).tgz
UNZIP_SITE = ftp://ftp.info-zip.org/pub/infozip/src
UNZIP_LICENSE = Info-ZIP
UNZIP_LICENSE_FILES = LICENSE

UNZIP_PATCH = \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/07-increase-size-of-cfactorstr.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/08-allow-greater-hostver-values.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/09-cve-2014-8139-crc-overflow.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/10-cve-2014-8140-test-compr-eb.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/11-cve-2014-8141-getzip64data.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/12-cve-2014-9636-test-compr-eb.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/14-cve-2015-7696.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/15-cve-2015-7697.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/17-restore-unix-timestamps-accurately.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/21-fix-warning-messages-on-big-files.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \
	https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch

$(eval $(cmake-package))
unzip: new package Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net> Cc: Romain Naour <romain.naour@openwide.fr> Cc: Jan Pedersen <jp@jp-embedded.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-01 11:53:29 +01:00			`################################################################################`
			`#`
			`# unzip`
			`#`
			`################################################################################`

			`UNZIP_VERSION = 60`
			`UNZIP_SOURCE = unzip$(UNZIP_VERSION).tgz`
			`UNZIP_SITE = ftp://ftp.info-zip.org/pub/infozip/src`
			`UNZIP_LICENSE = Info-ZIP`
			`UNZIP_LICENSE_FILES = LICENSE`

package/unzip: add security and bug fix patches from Debian Debian bug #741384: Buffer overflow Debian bug #744212: Buffer overflow CVE-2014-8139: CRC32 verification heap-based overflow CVE-2014-8140: Out-of-bounds write issue in test_compr_eb() CVE-2014-8141: Out-of-bounds read issues in getZip64Data() CVE-2014-9636: Heap overflow CVE-2015-7696: Heap overflow when extracting password-protected archive CVE-2015-7697: Infinite loop when extracting password-protected archive Red Hat Bugzilla #1260944: Unsigned overflow on invalid input Debian bug #842993: Do not ignore Unix Timestamps CVE-2014-9913: Buffer overflow CVE-2016-9844: Buffer overflow in zipinfo CVE-2018-1000035: Buffer overflow in password protected ZIP archives Cc: Luca Ceresoli <luca@lucaceresoli.net> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-02-22 06:36:34 +01:00			`UNZIP_PATCH = \`
package/unzip: add security patch from Debian Fix the URL and add a new patch. Quoting changelog [1]: unzip (6.0-25) unstable; urgency=medium * Apply one more patch by Mark Adler: - Do not raise a zip bomb alert for a misplaced central directory. This should allow Firefox to build again. Closes: #932404. Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now. -- Santiago Vila <sanvila@debian.org> Sat, 27 Jul 2019 18:01:36 +0200 [1] https://sources.debian.org/data/main/u/unzip/6.0-25/debian/changelog Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-09-03 11:20:24 +02:00			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/07-increase-size-of-cfactorstr.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/08-allow-greater-hostver-values.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/09-cve-2014-8139-crc-overflow.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/10-cve-2014-8140-test-compr-eb.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/11-cve-2014-8141-getzip64data.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/12-cve-2014-9636-test-compr-eb.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/14-cve-2015-7696.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/15-cve-2015-7697.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/16-fix-integer-underflow-csiz-decrypted.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/17-restore-unix-timestamps-accurately.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/18-cve-2014-9913-unzip-buffer-overflow.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/19-cve-2016-9844-zipinfo-buffer-overflow.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/21-fix-warning-messages-on-big-files.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \`
			`https://sources.debian.org/data/main/u/unzip/6.0-25/debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch`
package/unzip: add security and bug fix patches from Debian Debian bug #741384: Buffer overflow Debian bug #744212: Buffer overflow CVE-2014-8139: CRC32 verification heap-based overflow CVE-2014-8140: Out-of-bounds write issue in test_compr_eb() CVE-2014-8141: Out-of-bounds read issues in getZip64Data() CVE-2014-9636: Heap overflow CVE-2015-7696: Heap overflow when extracting password-protected archive CVE-2015-7697: Infinite loop when extracting password-protected archive Red Hat Bugzilla #1260944: Unsigned overflow on invalid input Debian bug #842993: Do not ignore Unix Timestamps CVE-2014-9913: Buffer overflow CVE-2016-9844: Buffer overflow in zipinfo CVE-2018-1000035: Buffer overflow in password protected ZIP archives Cc: Luca Ceresoli <luca@lucaceresoli.net> Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2019-02-22 06:36:34 +01:00
unzip: new package Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net> Cc: Romain Naour <romain.naour@openwide.fr> Cc: Jan Pedersen <jp@jp-embedded.com> Cc: Arnout Vandecappelle <arnout@mind.be> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2015-12-01 11:53:29 +01:00			`$(eval $(cmake-package))`