OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   23-May-2004 09:05:16
  Branch: HEAD                             Handle: 2004052308051600

  Modified files:
    openpkg-src/infozip     infozip.patch infozip.spec

  Log:
    upgrading package: infozip 2.3.5.50 -> 2.3.5.51

  Summary:
    Revision    Changes     Path
    1.5         +0  -81     openpkg-src/infozip/infozip.patch
    1.36        +3  -3      openpkg-src/infozip/infozip.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/infozip/infozip.patch
  ============================================================================
  $ cvs diff -u -r1.4 -r1.5 infozip.patch
  --- openpkg-src/infozip/infozip.patch 30 Oct 2003 13:40:53 -0000      1.4
  +++ openpkg-src/infozip/infozip.patch 23 May 2004 07:05:16 -0000      1.5
  @@ -34,84 +34,3 @@
       overwrite arbitrary files via invalid characters between two . (dot)
       characters, which are filtered and result in a ".." sequence.
   
  ---- unzip-5.50/unix/unix.c.orig      2002-01-21 17:54:42.000000000 -0500
  -+++ unzip-5.50/unix/unix.c   2003-06-11 18:35:38.000000000 -0400
  -@@ -421,7 +421,8 @@
  -  */
  - {
  -     char pathcomp[FILNAMSIZ];      /* path-component buffer */
  --    char *pp, *cp=(char *)NULL;    /* character pointers */
  -+    char *pp, *cp=(char *)NULL,    /* character pointers */
  -+         *dp=(char *)NULL;
  -     char *lastsemi=(char *)NULL;   /* pointer to last semi-colon in pathcomp */
  - #ifdef ACORN_FTYPE_NFS
  -     char *lastcomma=(char *)NULL;  /* pointer to last comma in pathcomp */
  -@@ -429,6 +430,7 @@
  - #endif
  -     int quote = FALSE;             /* flags */
  -     int killed_ddot = FALSE;       /* is set when skipping "../" pathcomp */
  -+    int snarf_ddot = FALSE;    /* Is set while scanning for "../" */
  -     int error = MPN_OK;
  -     register unsigned workch;      /* hold the character being tested */
  - 
  -@@ -467,6 +469,9 @@
  -     while ((workch = (uch)*cp++) != 0) {
  - 
  -         if (quote) {                 /* if character quoted, */
  -+        if ((pp == pathcomp) && (workch == '.'))
  -+            /* Oh no you don't... */
  -+            goto ddot_hack;
  -             *pp++ = (char)workch;    /*  include it literally */
  -             quote = FALSE;
  -         } else
  -@@ -481,15 +486,44 @@
  -                 break;
  - 
  -             case '.':
  --                if (pp == pathcomp) {   /* nothing appended yet... */
  -+                if (pp == pathcomp) {
  -+ddot_hack:
  -+                /* nothing appended yet... */
  -                     if (*cp == '/') {   /* don't bother appending "./" to */
  -                         ++cp;           /*  the path: skip behind the '/' */
  -                         break;
  --                    } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
  --                        /* "../" dir traversal detected */
  --                        cp += 2;        /*  skip over behind the '/' */
  --                        killed_ddot = TRUE; /*  set "show message" flag */
  --                        break;
  -+                    } else if (!uO.ddotflag) {
  -+
  -+                    /*
  -+                     * SECURITY: Skip past control characters if the user
  -+                     * didn't OK use of absolute pathnames. lhh - this is
  -+                     * a very quick, ugly, inefficient fix.
  -+                     */
  -+                    dp = cp;
  -+                    do {
  -+                        workch = (uch)(*dp);
  -+                        if (workch == '/' && snarf_ddot) {
  -+                                /* "../" dir traversal detected */
  -+                                cp = dp + 1;      /* skip past the '/' */
  -+                                killed_ddot = TRUE; /* set "show msg" flag */
  -+                                break;
  -+                            } else if (workch == '.' && !snarf_ddot) {
  -+                            snarf_ddot = TRUE;
  -+                        } else if (isprint(workch) ||
  -+                                   ((workch > 127) && (workch <= 254))) {
  -+                            /*
  -+                             * Since we found a printable, non-ctrl char,
  -+                             * we can stop looking for '../', the amount
  -+                             * in ../!
  -+                             */
  -+                            break;
  -+                        }
  -+
  -+                        dp++;
  -+                        } while (*dp != 0);
  -+
  -+                    if (killed_ddot)
  -+                        break;
  -                     }
  -                 }
  -                 *pp++ = '.';
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/infozip/infozip.spec
  ============================================================================
  $ cvs diff -u -r1.35 -r1.36 infozip.spec
  --- openpkg-src/infozip/infozip.spec  18 Feb 2004 11:11:26 -0000      1.35
  +++ openpkg-src/infozip/infozip.spec  23 May 2004 07:05:16 -0000      1.36
  @@ -26,8 +26,8 @@
   #   package versions
   %define       V_zip_here   2.3
   %define       V_zip_real   23
  -%define       V_unzip_here 5.50
  -%define       V_unzip_real 550
  +%define       V_unzip_here 5.51
  +%define       V_unzip_real 551
   
   #   package information
   Name:         infozip
  @@ -40,7 +40,7 @@
   Group:        Archiver
   License:      BSD
   Version:      %{V_zip_here}.%{V_unzip_here}
  -Release:      20040218
  +Release:      20040523
   
   #   list of sources
   Source0:      ftp://ftp.info-zip.org/pub/infozip/src/zip%{V_zip_real}.tar.gz
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
