OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 23-May-2004 09:05:16
Branch: HEAD Handle: 2004052308051600
Modified files:
openpkg-src/infozip infozip.patch infozip.spec
Log:
upgrading package: infozip 2.3.5.50 -> 2.3.5.51
Summary:
Revision Changes Path
1.5 +0 -81 openpkg-src/infozip/infozip.patch
1.36 +3 -3 openpkg-src/infozip/infozip.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/infozip/infozip.patch
============================================================================
$ cvs diff -u -r1.4 -r1.5 infozip.patch
--- openpkg-src/infozip/infozip.patch 30 Oct 2003 13:40:53 -0000 1.4
+++ openpkg-src/infozip/infozip.patch 23 May 2004 07:05:16 -0000 1.5
@@ -34,84 +34,3 @@
overwrite arbitrary files via invalid characters between two . (dot)
characters, which are filtered and result in a ".." sequence.
---- unzip-5.50/unix/unix.c.orig 2002-01-21 17:54:42.000000000 -0500
-+++ unzip-5.50/unix/unix.c 2003-06-11 18:35:38.000000000 -0400
-@@ -421,7 +421,8 @@
- */
- {
- char pathcomp[FILNAMSIZ]; /* path-component buffer */
-- char *pp, *cp=(char *)NULL; /* character pointers */
-+ char *pp, *cp=(char *)NULL, /* character pointers */
-+ *dp=(char *)NULL;
- char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
- #ifdef ACORN_FTYPE_NFS
- char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
-@@ -429,6 +430,7 @@
- #endif
- int quote = FALSE; /* flags */
- int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
-+ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
- int error = MPN_OK;
- register unsigned workch; /* hold the character being tested */
-
-@@ -467,6 +469,9 @@
- while ((workch = (uch)*cp++) != 0) {
-
- if (quote) { /* if character quoted, */
-+ if ((pp == pathcomp) && (workch == '.'))
-+ /* Oh no you don't... */
-+ goto ddot_hack;
- *pp++ = (char)workch; /* include it literally */
- quote = FALSE;
- } else
-@@ -481,15 +486,44 @@
- break;
-
- case '.':
-- if (pp == pathcomp) { /* nothing appended yet... */
-+ if (pp == pathcomp) {
-+ddot_hack:
-+ /* nothing appended yet... */
- if (*cp == '/') { /* don't bother appending "./" to */
- ++cp; /* the path: skip behind the '/' */
- break;
-- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
-- /* "../" dir traversal detected */
-- cp += 2; /* skip over behind the '/' */
-- killed_ddot = TRUE; /* set "show message" flag */
-- break;
-+ } else if (!uO.ddotflag) {
-+
-+ /*
-+ * SECURITY: Skip past control characters if the user
-+ * didn't OK use of absolute pathnames. lhh - this is
-+ * a very quick, ugly, inefficient fix.
-+ */
-+ dp = cp;
-+ do {
-+ workch = (uch)(*dp);
-+ if (workch == '/' && snarf_ddot) {
-+ /* "../" dir traversal detected */
-+ cp = dp + 1; /* skip past the '/' */
-+ killed_ddot = TRUE; /* set "show msg" flag */
-+ break;
-+ } else if (workch == '.' && !snarf_ddot) {
-+ snarf_ddot = TRUE;
-+ } else if (isprint(workch) ||
-+ ((workch > 127) && (workch <= 254))) {
-+ /*
-+ * Since we found a printable, non-ctrl char,
-+ * we can stop looking for '../', the amount
-+ * in ../!
-+ */
-+ break;
-+ }
-+
-+ dp++;
-+ } while (*dp != 0);
-+
-+ if (killed_ddot)
-+ break;
- }
- }
- *pp++ = '.';
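Review bot: Dropping the whole `unzip-5.50/unix/unix.c` hunk removes the packaged "../" traversal filter (the `ddot_hack` path that skips control characters sitting between two dots), and neither the log message nor the spec change records that unzip 5.51 carries an equivalent check. Since the remaining patch text still describes that overwrite-arbitrary-files problem, the log should state the reason for the removal once it has been confirmed against the 5.51 `unix/unix.c`, for example `upgrading package: infozip 2.3.5.50 -> 2.3.5.51 (".." traversal fix now upstream, local patch dropped)`. A packaging-time regression check would also help: extract a test archive into a scratch directory and assert that nothing is written outside it. That would stop a later upgrade from silently losing the protection. Only the tail of infozip.patch is visible here, so any hunks kept earlier in the file were not reviewed.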
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/infozip/infozip.spec
============================================================================
$ cvs diff -u -r1.35 -r1.36 infozip.spec
--- openpkg-src/infozip/infozip.spec 18 Feb 2004 11:11:26 -0000 1.35
+++ openpkg-src/infozip/infozip.spec 23 May 2004 07:05:16 -0000 1.36
@@ -26,8 +26,8 @@
# package versions
%define V_zip_here 2.3
%define V_zip_real 23
-%define V_unzip_here 5.50
-%define V_unzip_real 550
+%define V_unzip_here 5.51
+%define V_unzip_real 551
# package information
Name: infozip
@@ -40,7 +40,7 @@
Group: Archiver
License: BSD
Version: %{V_zip_here}.%{V_unzip_here}
-Release: 20040218
+Release: 20040523
# list of sources
Source0: ftp://ftp.info-zip.org/pub/infozip/src/zip%{V_zip_real}.tar.gz
@@ .