Hello community, here is the log from the commit of package unrar for openSUSE:Factory:NonFree checked in at 2017-07-04 09:12:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory:NonFree/unrar (Old) and /work/SRC/openSUSE:Factory:NonFree/.unrar.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "unrar" Tue Jul 4 09:12:29 2017 rev:66 rq:507803 version:5.5.6 Changes: -------- --- /work/SRC/openSUSE:Factory:NonFree/unrar/unrar.changes 2017-06-28 10:38:05.192096936 +0200 +++ /work/SRC/openSUSE:Factory:NonFree/.unrar.new/unrar.changes 2017-07-04 09:12:36.879874950 +0200 @@ -1,0 +2,6 @@ +Mon Jul 3 12:09:04 UTC 2017 - idon...@suse.com + +- Update to version 5.5.6 + * No changelog upstream + +------------------------------------------------------------------- Old: ---- unrarsrc-5.5.5.tar.gz New: ---- unrarsrc-5.5.6.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ unrar.spec ++++++ --- /var/tmp/diff_new_pack.33bn1a/_old 2017-07-04 09:12:41.239261887 +0200 +++ /var/tmp/diff_new_pack.33bn1a/_new 2017-07-04 09:12:41.243261324 +0200 @@ -18,10 +18,10 @@ # majorversion should match the major version number. %define majorversion 5 -%define libsuffix 5_5_5 +%define libsuffix 5_5_6 Name: unrar -Version: 5.5.5 +Version: 5.5.6 Release: 0 Summary: A program to extract, test, and view RAR archives License: SUSE-NonFree ++++++ unrarsrc-5.5.5.tar.gz -> unrarsrc-5.5.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/crypt5.cpp new/unrar/crypt5.cpp --- old/unrar/crypt5.cpp 2017-06-16 09:02:22.000000000 +0200 +++ new/unrar/crypt5.cpp 2017-07-02 09:52:35.000000000 +0200 @@ -67,10 +67,10 @@ sha256_process(&RCtx, KeyBuf, Sha256BlockSize); // Hash padded key. } - if (ICtxOpt!=NULL && !*SetROpt) // Store constant context for further reuse. + if (RCtxOpt!=NULL && !*SetROpt) // Store constant context for further reuse. { *RCtxOpt=RCtx; - *SetIOpt=true; + *SetROpt=true; } sha256_process(&RCtx, IDig, SHA256_DIGEST_SIZE); // Hash internal digest. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/dll.rc new/unrar/dll.rc --- old/unrar/dll.rc 2017-06-16 08:56:20.000000000 +0200 +++ new/unrar/dll.rc 2017-07-02 09:48:59.000000000 +0200 @@ -2,8 +2,8 @@ #include <commctrl.h> VS_VERSION_INFO VERSIONINFO -FILEVERSION 5, 50, 4, 2362 -PRODUCTVERSION 5, 50, 4, 2362 +FILEVERSION 5, 50, 5, 2378 +PRODUCTVERSION 5, 50, 5, 2378 FILEOS VOS__WINDOWS32 FILETYPE VFT_APP { @@ -14,8 +14,8 @@ VALUE "CompanyName", "Alexander Roshal\0" VALUE "ProductName", "RAR decompression library\0" VALUE "FileDescription", "RAR decompression library\0" - VALUE "FileVersion", "5.50.4\0" - VALUE "ProductVersion", "5.50.4\0" + VALUE "FileVersion", "5.50.5\0" + VALUE "ProductVersion", "5.50.5\0" VALUE "LegalCopyright", "Copyright � Alexander Roshal 1993-2017\0" VALUE "OriginalFilename", "Unrar.dll\0" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/extinfo.cpp new/unrar/extinfo.cpp --- old/unrar/extinfo.cpp 2017-06-16 09:02:22.000000000 +0200 +++ new/unrar/extinfo.cpp 2017-07-02 09:52:35.000000000 +0200 @@ -74,34 +74,63 @@ -bool IsRelativeSymlinkSafe(const wchar *SrcName,const wchar *TargetName) +// Calculate a number of path components except \. and \.. +static int CalcAllowedDepth(const wchar *Name) { - if (IsFullRootPath(SrcName)) - return false; int AllowedDepth=0; - while (*SrcName!=0) + while (*Name!=0) { - if (IsPathDiv(SrcName[0]) && SrcName[1]!=0 && !IsPathDiv(SrcName[1])) + if (IsPathDiv(Name[0]) && Name[1]!=0 && !IsPathDiv(Name[1])) { - bool Dot=SrcName[1]=='.' && (IsPathDiv(SrcName[2]) || SrcName[2]==0); - bool Dot2=SrcName[1]=='.' && SrcName[2]=='.' && (IsPathDiv(SrcName[3]) || SrcName[3]==0); + bool Dot=Name[1]=='.' && (IsPathDiv(Name[2]) || Name[2]==0); + bool Dot2=Name[1]=='.' && Name[2]=='.' && (IsPathDiv(Name[3]) || Name[3]==0); if (!Dot && !Dot2) AllowedDepth++; } - SrcName++; + Name++; } - if (IsFullRootPath(TargetName)) // Catch root dir based /path/file paths. + return AllowedDepth; +} + + +bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName) +{ + // Catch root dir based /path/file paths also as stuff like \\?\. + // Do not check PrepSrcName here, it can be root based if destination path + // is a root based. + if (IsFullRootPath(SrcName) || IsFullRootPath(TargetName)) return false; + + // We could check just prepared src name, but for extra safety + // we check both original (as from archive header) and prepared + // (after applying the destination path and -ep switches) names. + + int AllowedDepth=CalcAllowedDepth(SrcName); // Original name depth. + + // Remove the destination path from prepared name if any. We should not + // count the destination path depth, because the link target must point + // inside of this path, not outside of it. + size_t ExtrPathLength=wcslen(Cmd->ExtrPath); + if (ExtrPathLength>0 && wcsncmp(PrepSrcName,Cmd->ExtrPath,ExtrPathLength)==0) + { + PrepSrcName+=ExtrPathLength; + while (IsPathDiv(*PrepSrcName)) + PrepSrcName++; + } + int PrepAllowedDepth=CalcAllowedDepth(PrepSrcName); + + // Number of ".." in link target. + int UpLevels=0; for (int Pos=0;*TargetName!=0;Pos++) { bool Dot2=TargetName[0]=='.' && TargetName[1]=='.' && (IsPathDiv(TargetName[2]) || TargetName[2]==0) && (Pos==0 || IsPathDiv(*(TargetName-1))); if (Dot2) - AllowedDepth--; + UpLevels++; TargetName++; } - return AllowedDepth>=0; + return AllowedDepth>=UpLevels && PrepAllowedDepth>=UpLevels; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/extinfo.hpp new/unrar/extinfo.hpp --- old/unrar/extinfo.hpp 2017-06-16 09:02:22.000000000 +0200 +++ new/unrar/extinfo.hpp 2017-07-02 09:52:35.000000000 +0200 @@ -1,7 +1,7 @@ #ifndef _RAR_EXTINFO_ #define _RAR_EXTINFO_ -bool IsRelativeSymlinkSafe(const wchar *SrcName,const wchar *TargetName); +bool IsRelativeSymlinkSafe(CommandData *Cmd,const wchar *SrcName,const wchar *PrepSrcName,const wchar *TargetName); bool ExtractSymlink(CommandData *Cmd,ComprDataIO &DataIO,Archive &Arc,const wchar *LinkName); #ifdef _UNIX void SetUnixOwner(Archive &Arc,const wchar *FileName); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/extract.cpp new/unrar/extract.cpp --- old/unrar/extract.cpp 2017-06-16 09:02:22.000000000 +0200 +++ new/unrar/extract.cpp 2017-07-02 09:52:35.000000000 +0200 @@ -525,6 +525,9 @@ return true; TotalFileCount++; ExtrCreateDir(Arc,ArcFileName); + // It is important to not increment MatchedArgs here, so we extract + // dir with its entire contents and not dir record only even if + // dir record precedes files. return true; } else @@ -757,6 +760,9 @@ } } } + // It is important to increment it for files, but not dirs. So we extract + // dir with its entire contents, not just dir record only even if dir + // record precedes files. if (MatchFound) MatchedArgs++; if (DataIO.NextVolumeMissing) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/ulinks.cpp new/unrar/ulinks.cpp --- old/unrar/ulinks.cpp 2017-06-16 09:02:23.000000000 +0200 +++ new/unrar/ulinks.cpp 2017-07-02 09:52:37.000000000 +0200 @@ -63,8 +63,14 @@ if (!DataIO.UnpHash.Cmp(&Arc.FileHead.FileHash,Arc.FileHead.UseHashKey ? Arc.FileHead.HashKey:NULL)) return true; - if (!Cmd->AbsoluteLinks && (IsFullPath(Target) || - !IsRelativeSymlinkSafe(Arc.FileHead.FileName,Arc.FileHead.RedirName))) + wchar TargetW[NM]; + CharToWide(Target,TargetW,ASIZE(TargetW)); + // Check for *TargetW==0 to catch CharToWide failure. + // Use Arc.FileHead.FileName instead of LinkName, since LinkName + // can include the destination path as a prefix, which can + // confuse IsRelativeSymlinkSafe algorithm. + if (!Cmd->AbsoluteLinks && (*TargetW==0 || IsFullPath(TargetW) || + !IsRelativeSymlinkSafe(Cmd,Arc.FileHead.FileName,LinkName,TargetW))) return false; return UnixSymlink(Target,LinkName,&Arc.FileHead.mtime,&Arc.FileHead.atime); } @@ -86,8 +92,11 @@ return false; DosSlashToUnix(Target,Target,ASIZE(Target)); } + // Use hd->FileName instead of LinkName, since LinkName can include + // the destination path as a prefix, which can confuse + // IsRelativeSymlinkSafe algorithm. if (!Cmd->AbsoluteLinks && (IsFullPath(Target) || - !IsRelativeSymlinkSafe(hd->FileName,hd->RedirName))) + !IsRelativeSymlinkSafe(Cmd,hd->FileName,Name,hd->RedirName))) return false; return UnixSymlink(Target,Name,&hd->mtime,&hd->atime); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/unpack.cpp new/unrar/unpack.cpp --- old/unrar/unpack.cpp 2017-06-16 09:02:23.000000000 +0200 +++ new/unrar/unpack.cpp 2017-07-02 09:52:37.000000000 +0200 @@ -259,7 +259,7 @@ // Prepare the copy of DecodePos. We'll modify this copy below, // so we cannot use the original DecodePos. - uint CopyDecodePos[16]; + uint CopyDecodePos[ASIZE(Dec->DecodePos)]; memcpy(CopyDecodePos,Dec->DecodePos,sizeof(CopyDecodePos)); // For every bit length in the bit length table and so for every item @@ -337,14 +337,17 @@ // Now we can calculate the position in the code list. It is the sum // of first position for current bit length and right aligned distance // between our bit field and start code for current bit length. - uint Pos=Dec->DecodePos[CurBitLength]+Dist; - - if (Pos<Size) // Safety check for damaged archives. + uint Pos; + if (CurBitLength<ASIZE(Dec->DecodePos) && + (Pos=Dec->DecodePos[CurBitLength]+Dist)<Size) { // Define the code to alphabet number translation. Dec->QuickNum[Code]=Dec->DecodeNum[Pos]; } else + { + // Can be here for length table filled with zeroes only (empty). Dec->QuickNum[Code]=0; + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/version.hpp new/unrar/version.hpp --- old/unrar/version.hpp 2017-06-16 09:02:24.000000000 +0200 +++ new/unrar/version.hpp 2017-07-02 09:52:37.000000000 +0200 @@ -1,6 +1,6 @@ #define RARVER_MAJOR 5 #define RARVER_MINOR 50 -#define RARVER_BETA 4 -#define RARVER_DAY 16 -#define RARVER_MONTH 6 +#define RARVER_BETA 5 +#define RARVER_DAY 2 +#define RARVER_MONTH 7 #define RARVER_YEAR 2017 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/unrar/win32lnk.cpp new/unrar/win32lnk.cpp --- old/unrar/win32lnk.cpp 2017-06-16 09:02:24.000000000 +0200 +++ new/unrar/win32lnk.cpp 2017-07-02 09:52:37.000000000 +0200 @@ -65,8 +65,10 @@ // IsFullPath is not really needed here, AbsPath check is enough. // We added it just for extra safety, in case some Windows version would // allow to create absolute targets with SYMLINK_FLAG_RELATIVE. + // Use hd->FileName instead of Name, since Name can include the destination + // path as a prefix, which can confuse IsRelativeSymlinkSafe algorithm. if (!Cmd->AbsoluteLinks && (AbsPath || IsFullPath(hd->RedirName) || - !IsRelativeSymlinkSafe(hd->FileName,hd->RedirName))) + !IsRelativeSymlinkSafe(Cmd,hd->FileName,Name,hd->RedirName))) return false; CreatePath(Name,true);