Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package unrar for openSUSE:Factory:NonFree checked in at 2022-05-09 18:43:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory:NonFree/unrar (Old) and /work/SRC/openSUSE:Factory:NonFree/.unrar.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unrar"
Mon May 9 18:43:06 2022 rev:101 rq:975713 version:6.1.7
Changes:
--------
--- /work/SRC/openSUSE:Factory:NonFree/unrar/unrar.changes 2022-03-25 21:53:58.134237973 +0100
+++ /work/SRC/openSUSE:Factory:NonFree/.unrar.new.1538/unrar.changes 2022-05-09 18:43:07.340138428 +0200
@@ -1,0 +2,6 @@
+Sat May 7 16:21:18 UTC 2022 - Andreas Stieger <[email protected]>
+
+- update to 6.1.7:
+ * Based on final RAR 6.12
+
+-------------------------------------------------------------------
Old:
----
unrarsrc-6.1.6.tar.gz
New:
----
unrarsrc-6.1.7.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ unrar.spec ++++++
--- /var/tmp/diff_new_pack.9bwWW2/_old 2022-05-09 18:43:08.008139211 +0200
+++ /var/tmp/diff_new_pack.9bwWW2/_new 2022-05-09 18:43:08.012139216 +0200
@@ -18,9 +18,9 @@
# majorversion should match the major version number.
%define majorversion 6
-%define libsuffix 6_1_6
+%define libsuffix 6_1_7
Name: unrar
-Version: 6.1.6
+Version: 6.1.7
Release: 0
Summary: A program to extract, test, and view RAR archives
License: NonFree
++++++ unrarsrc-6.1.6.tar.gz -> unrarsrc-6.1.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/dll.rc new/unrar/dll.rc
--- old/unrar/dll.rc 2022-03-03 14:11:57.000000000 +0100
+++ new/unrar/dll.rc 2022-05-04 19:11:37.000000000 +0200
@@ -2,8 +2,8 @@
#include <commctrl.h>
VS_VERSION_INFO VERSIONINFO
-FILEVERSION 6, 11, 100, 427
-PRODUCTVERSION 6, 11, 100, 427
+FILEVERSION 6, 12, 100, 489
+PRODUCTVERSION 6, 12, 100, 489
FILEOS VOS__WINDOWS32
FILETYPE VFT_APP
{
@@ -14,8 +14,8 @@
VALUE "CompanyName", "Alexander Roshal\0"
VALUE "ProductName", "RAR decompression library\0"
VALUE "FileDescription", "RAR decompression library\0"
- VALUE "FileVersion", "6.11.0\0"
- VALUE "ProductVersion", "6.11.0\0"
+ VALUE "FileVersion", "6.12.0\0"
+ VALUE "ProductVersion", "6.12.0\0"
VALUE "LegalCopyright", "Copyright ? Alexander Roshal 1993-2022\0"
VALUE "OriginalFilename", "Unrar.dll\0"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/ulinks.cpp new/unrar/ulinks.cpp
--- old/unrar/ulinks.cpp 2022-03-03 14:18:32.000000000 +0100
+++ new/unrar/ulinks.cpp 2022-05-04 20:23:41.000000000 +0200
@@ -50,6 +50,26 @@
}
+// For security purpose we prefer to be sure that CharToWide completed
+// successfully and even if it truncated a string for some reason,
+// it didn't affect the number of path related characters we analyze
+// in IsRelativeSymlinkSafe later.
+// This check is likely to be excessive, but let's keep it anyway.
+static bool SafeCharToWide(const char *Src,wchar *Dest,size_t DestSize)
+{
+ if (!CharToWide(Src,Dest,DestSize) || *Dest==0)
+ return false;
+ uint SrcChars=0,DestChars=0;
+ for (uint I=0;Src[I]!=0;I++)
+ if (Src[I]=='/' || Src[I]=='.')
+ SrcChars++;
+ for (uint I=0;Dest[I]!=0;I++)
+ if (Dest[I]=='/' || Dest[I]=='.')
+ DestChars++;
+ return SrcChars==DestChars;
+}
+
+
bool ExtractUnixLink30(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName)
{
char Target[NM];
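Review bot: The second loop in SafeCharToWide scans Dest until a NUL and never consults DestSize, so it depends on CharToWide leaving Dest terminated even in the truncation case the comment anticipates; bounding it, `for (uint I=0;I<DestSize && Dest[I]!=0;I++)`, makes the helper safe regardless of that contract. Whether CharToWide guarantees termination is not visible in this hunk, so treat this as belt-and-braces rather than a known overread. The helper counts only '/' and '.' as path-relevant characters, which is sound only once callers have mapped any '\\' separators to '/'; ExtractUnixLink50 does so with DosSlashToUnix in a later hunk, while ExtractUnixLink30's handling is outside the visible lines. A one-line precondition above the loops, `// Expects Src to use '/' as separator; backslashes are not counted here.`, would make that dependency explicit.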
@@ -72,12 +92,12 @@
return true;
wchar TargetW[NM];
- CharToWide(Target,TargetW,ASIZE(TargetW));
- // Check for *TargetW==0 to catch CharToWide failure.
+ if (!SafeCharToWide(Target,TargetW,ASIZE(TargetW)))
+ return false;
// Use Arc.FileHead.FileName instead of LinkName, since LinkName
// can include the destination path as a prefix, which can
// confuse IsRelativeSymlinkSafe algorithm.
- if (!Cmd->AbsoluteLinks && (*TargetW==0 || IsFullPath(TargetW) ||
+ if (!Cmd->AbsoluteLinks && (IsFullPath(TargetW) ||
!IsRelativeSymlinkSafe(Cmd,Arc.FileHead.FileName,LinkName,TargetW)))
return false;
return UnixSymlink(Cmd,Target,LinkName,&Arc.FileHead.mtime,&Arc.FileHead.atime);
@@ -100,11 +120,17 @@
return false;
DosSlashToUnix(Target,Target,ASIZE(Target));
}
+
+ wchar TargetW[NM];
+ if (!SafeCharToWide(Target,TargetW,ASIZE(TargetW)))
+ return false;
// Use hd->FileName instead of LinkName, since LinkName can include
// the destination path as a prefix, which can confuse
// IsRelativeSymlinkSafe algorithm.
- if (!Cmd->AbsoluteLinks && (IsFullPath(Target) ||
- !IsRelativeSymlinkSafe(Cmd,hd->FileName,Name,hd->RedirName)))
+ // 2022.05.04: Use TargetW instead of previously used hd->RedirName
+ // for security reason.
+ if (!Cmd->AbsoluteLinks && (IsFullPath(TargetW) ||
+ !IsRelativeSymlinkSafe(Cmd,hd->FileName,Name,TargetW)))
return false;
return UnixSymlink(Cmd,Target,Name,&hd->mtime,&hd->atime);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/version.hpp new/unrar/version.hpp
--- old/unrar/version.hpp 2022-03-03 14:18:32.000000000 +0100
+++ new/unrar/version.hpp 2022-05-04 20:23:41.000000000 +0200
@@ -1,6 +1,6 @@
#define RARVER_MAJOR 6
-#define RARVER_MINOR 11
+#define RARVER_MINOR 12
#define RARVER_BETA 0
-#define RARVER_DAY 3
-#define RARVER_MONTH 3
+#define RARVER_DAY 4
+#define RARVER_MONTH 5
#define RARVER_YEAR 2022
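Review bot: The new `return false;` after SafeCharToWide in ExtractUnixLink30 skips the link without any diagnostic, and unlike the removed `*TargetW==0` test it fires even when Cmd->AbsoluteLinks is set, so a target that fails wide-char conversion now disappears silently under every option. Unless the caller reports a false return (the function begins outside this hunk, so I cannot see), consider surfacing the skipped link as a warning before returning, so an archive whose link targets cannot be converted is noticed at extraction time rather than discovered later as a missing file. The same silent return is introduced in ExtractUnixLink50 in the next hunk.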
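Review bot: The added comment `// 2022.05.04: Use TargetW instead of previously used hd->RedirName for security reason.` in ExtractUnixLink50 records a date but not the reason, and the reason is the point of the hunk: UnixSymlink is created from Target (after DosSlashToUnix), so the IsFullPath and IsRelativeSymlinkSafe checks must look at the converted Target rather than the archive-supplied hd->RedirName, which could presumably differ from what is actually created. Suggest replacing the two comment lines with `// Validate the same string we hand to UnixSymlink: TargetW is converted from Target after DosSlashToUnix, hd->RedirName is not.`. How Target was derived from hd->RedirName earlier in the function lies outside the hunk, so that part is inferred.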
