unzip: Fixes building with gcc 15.

unzip/0001-Fix-CVE-2016-9844-rhbz-1404283.patch

@@ -0,0 +1,39 @@
+From 754137e70cf58a64ad524b704a86b651ba0cde07 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 14 Dec 2016 16:30:36 +0100
+Subject: [PATCH] Fix CVE-2016-9844 (rhbz#1404283)
+
+Fixes buffer overflow in zipinfo in similar way like fix for
+CVE-2014-9913 provided by upstream.
+---
+ zipinfo.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/zipinfo.c b/zipinfo.c
+index c03620e..accca2a 100644
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -1984,7 +1984,19 @@ static int zi_short(__G)   /* return PK-type error code */
+         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
+         methbuf[3] = dtype[dnum];
+     } else if (methnum >= NUM_METHODS) {   /* unknown */
+-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);
++        /* 2016-12-05 SMS.
++         * https://launchpad.net/bugs/1643750
++         * Unexpectedly large compression methods overflow
++         * &methbuf[].  Use the old, three-digit decimal format
++         * for values which fit.  Otherwise, sacrifice the "u",
++         * and use four-digit hexadecimal.
++         */
++        if (G.crec.compression_method <= 999) {
++              sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
++        } else {
++              sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
++        }
++
+     }
+
+     for (k = 0;  k < 15;  ++k)
+-- 
+2.5.5
+

unzip/PKGBUILD

@@ -2,7 +2,7 @@
 
 pkgname=unzip
 pkgver=6.0
-pkgrel=3
+pkgrel=4
 pkgdesc="Unpacks .zip archives such as those made by PKZIP"
 arch=('i686' 'x86_64')
 url="http://www.info-zip.org/"
@@ -13,55 +13,138 @@ msys2_references=(
 )
 license=('custom')
 groups=('compression')
-depends=('libbz2' 'bash')
-makedepends=('libbz2-devel' 'gcc' 'make')
-source=('https://downloads.sourceforge.net/infozip/unzip60.tar.gz'
-        unzip-6.0-attribs-overflow.patch
-        unzip-6.0-bzip2-configure.patch
-        unzip-6.0-caseinsensitive.patch
-        unzip-6.0-close.patch
-        unzip-6.0-fix-recmatch.patch
-        unzip-6.0-format-secure.patch
-        unzip-6.0-nostrip.patch
-        unzip-6.0-symlink.patch)
+depends=('libbz2' 'libiconv' 'bash')
+makedepends=('libbz2-devel' 'libiconv-devel' 'gcc' 'make')
+
+_patches=(
+  # patches from https://src.fedoraproject.org/rpms/unzip/blob/rawhide/f/unzip.spec
+  # Use regexp 'Patch\d+: ' to replace prefixes
+  # Not sent to upstream.
+  unzip-6.0-bzip2-configure.patch
+  # Upstream plans to do this in zip (hopefully also in unzip).
+  unzip-6.0-exec-shield.patch
+  # Upstream plans to do similar thing.
+  unzip-6.0-close.patch
+  # Details in rhbz#532380.
+  # Reported to upstream: http://www.info-zip.org/board/board.pl?m-1259575993/
+  unzip-6.0-attribs-overflow.patch
+  # Not sent to upstream, as it's Fedora/RHEL specific.
+  # Modify the configure script to accept var LFLAGS2 so linking can be configurable
+  # from the spec file. In addition '-s' is still removed as before
+  unzip-6.0-configure.patch
+  unzip-6.0-manpage-fix.patch
+  # Update match.c with recmatch() from zip 3.0's util.c
+  # This also resolves the license issue in that old function.
+  # Original came from here: https://projects.parabolagnulinux.org/abslibre.git/plain/libre/unzip-libre/match.patch
+  unzip-6.0-fix-recmatch.patch
+  # Update process.c
+  unzip-6.0-symlink.patch
+  # change using of macro "case_map" by "to_up"
+  unzip-6.0-caseinsensitive.patch
+  # downstream fix for "-Werror=format-security"
+  # upstream doesn't want hear about this option again
+  unzip-6.0-format-secure.patch
+
+  unzip-6.0-valgrind.patch
+  unzip-6.0-x-option.patch
+  unzip-6.0-overflow.patch
+  unzip-6.0-cve-2014-8139.patch
+  unzip-6.0-cve-2014-8140.patch
+  unzip-6.0-cve-2014-8141.patch
+  unzip-6.0-overflow-long-fsize.patch
+
+  # Fix heap overflow and infinite loop when invalid input is given (#1260947)
+  unzip-6.0-heap-overflow-infloop.patch
+
+  # support non-{latin,unicode} encoding
+  unzip-6.0-alt-iconv-utf8.patch
+  unzip-6.0-alt-iconv-utf8-print.patch
+  0001-Fix-CVE-2016-9844-rhbz-1404283.patch
+
+  # restore unix timestamp accurately
+  unzip-6.0-timestamp.patch
+
+  # fix possible heap based stack overflow in passwd protected files
+  unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
+
+  unzip-6.0-cve-2018-18384.patch
+
+  # covscan issues
+  unzip-6.0-COVSCAN-fix-unterminated-string.patch
+
+  unzip-zipbomb-part1.patch
+  unzip-zipbomb-part2.patch
+  unzip-zipbomb-part3.patch
+  unzip-zipbomb-manpage.patch
+  unzip-zipbomb-part4.patch
+  unzip-zipbomb-part5.patch
+  unzip-zipbomb-part6.patch
+  unzip-zipbomb-part7.patch
+  unzip-zipbomb-switch.patch
+
+  unzip-gnu89-build.patch
+  unzip-6.0-wcstombs-fortify.patch
+)
+
+source=(
+  'https://downloads.sourceforge.net/infozip/unzip60.tar.gz'
+  ${_patches[@]}
+)
+
 sha256sums=('036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37'
-            '74bc961e8013a4058687a3730590a709b7889203beb74a4a8369ba0301bef0e2'
             '41aeebdb356cb6ffa7c0cd168aab63ece586dc03c533e1f720f98422951d79b2'
-            '357bc39af42a256084ba69a020c21ebc97429378c23bd5b8c7f22f02d0c68e63'
+            '2c55be12907c42a454b91f53de92470d4f5d52e9ba7b0eef79684bd58efd4a1e'
             '10754a10be46ee8e7b9f84935e7f2087a99abd0a00dff77f97181c8fd71e0eef'
+            '74bc961e8013a4058687a3730590a709b7889203beb74a4a8369ba0301bef0e2'
+            'a6920a9181d80c6c91a4a0ad57f811768b6f736464ebbf918862f65c7846b894'
+            '47ffa1f54813287c671db80be3e525d19b09c03ad2749ce1dfd6e6dd0557c370'
             '3fc23fa7d46846a7089810c2926b3c3e2b3115d623765331876707e5e9d78041'
+            'fde8f9d6dbc5e9dc59f4497de8e4e313fd74318eaf5f33421acd74442fd10706'
+            '357bc39af42a256084ba69a020c21ebc97429378c23bd5b8c7f22f02d0c68e63'
             '8d9426bdd98cbba00c2d2e36c1dae17da069e6c85bf35811a434a8cbe704e6f4'
-            '654608fe9c153a5d3e0ae2ee157a14ae8c959c868e5fa3c3e34a71081468d417'
-            'fde8f9d6dbc5e9dc59f4497de8e4e313fd74318eaf5f33421acd74442fd10706')
+            'da042334a1ae4a37ea0317ff27cee9eadd0af1529bd8391cde34467a377a4068'
+            '3007d6995eeec7fce12a41b4d37ef309ffe74cae86f952071e4653a1751f0190'
+            'c9a863e570bdaf2637c43bf1bba3d97808a1b0504d85418f6a8550ac286788f2'
+            '337131428f491b7030f96ee5b8ef3d8f5963730d1619b2754c624f4616d79adb'
+            '64f64985270e026c01d2c19c6b66c218cf5bcfc7cf3d4a44e601fad41975ec73'
+            'b7a14c33db93d1e5b4fc6ce113b4b99ff7a81ed56f46c87e001f22ec085e0273'
+            '251d5755ffb1e9701434c545fcda0fbfc2a16372f9d807fd07606b1364a1b55b'
+            'b6f64d7b57e74ceaa794dd13a6937f063ec915343f3d5d88b0f81c919e7bf171'
+            'ba67a8d6a751c9f4854e969da0470bdfff4f43aff8e9767b7e71a729b3b7d484'
+            'b990d8d8d8e02777999484a132170666ea736a865f9ad81da651dc63725475ff'
+            '7d8e5c77ad99f9bf56d4cbf224b5635367feb44f81745dec84b44365f8f5eb16'
+            'ea04cfc8b7ca3b3c03117da0d891870b8c542d26188ef5593fd7e479f4f29f4e'
+            'aced0f27191a67f9b8b3fdc5995938a64fd87cea64a0bbba2106e06137ef91c2'
+            '47e9deff12845e71de98cd19506a51c21d756a61bb67c0b17e77b84bdbe9fb84'
+            '866b8fc05731e4cf72f948c9540c3eb8b2372bf320442456b5b3ae9b74f0827c'
+            '24582ff3dcd926d1a46caf8506f76999d2525dd66e36f50b25dca50799695f12'
+            'f88b9d4119a1e256f3335a2d2c142dd95d13d7c5f9e5ecd4371e547249f3557c'
+            'ee9e26018190a515572b66a26118916843aa1002131a86b5c52769dc663b7acb'
+            'ec4a8e5745e37f3d2d57c594c610b71753b77c5fb4bd92edfb0fb25ef968d13e'
+            '179330daaf395b631025d23ec666c227707caa8859a872cc39d3ea0e2a645e97'
+            '44599c80ea507c1fcfb8fb58b4c9d8d18f3157de453c1e0469a703322deb042a'
+            '81ca46cfd3cf732de8cf78c57790ed7d5c73a5e8d41943b8f6313cede6004f3e'
+            '7e5daf3850e42c7606cce5121eeef0d330537aebd9fd452ded1e4aeda53e60b8'
+            'c8a5a413f7d7a2098b187a4136b96e18356a19d13e0fd11f7f823f5dc85e6030'
+            '92d1b39bd8b4d1af567145781d60f434735f82941b77fae63f7221fbdda422d5'
+            'd9abe3d0dd9f71c35aaee7646de9edeeae511615a655d8b2d536ec8158bf936f')
 
 prepare() {
   cd ${srcdir}/${pkgname}${pkgver/./}
-  patch -p1 -i ${srcdir}/unzip-6.0-bzip2-configure.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-close.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-attribs-overflow.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-nostrip.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-fix-recmatch.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-symlink.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-caseinsensitive.patch
-  patch -p1 -i ${srcdir}/unzip-6.0-format-secure.patch
 
+  for patch_filename in "${_patches[@]}"; do
+    echo "Applying patch: '${patch_filename}'"
+    patch --binary -Nbp1 -i "${srcdir}/${patch_filename}"
+  done
 }
 
 build() {
   cd ${srcdir}/${pkgname}${pkgver/./}
 
-  # set CFLAGS -- from Debian
-  export CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -DACORN_FTYPE_NFS \
-  -DWILD_STOP_AT_DIR -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT \
-  -DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD -DDATE_FORMAT=DF_YMD \
-  -DUSE_BZIP2 -DNATIVE"
-
-  sed -i "/MANDIR =/s#)/#)/share/#" unix/Makefile
-
-  # make -- from Debian
-  make \
-    -f unix/Makefile generic_gcc CC=gcc LD=gcc AS=gcc \
-    CF_NOOPT="${CFLAGS} -DUNIX -I." \
+  # make -- from cygwin
+  make -f unix/Makefile generic_gcc CC=gcc LD=gcc AS=gcc \
+    CF_NOOPT="${CFLAGS} -DUNIX -DNOMEMCPY -DIZ_HAVE_UXUIDGID -I." \
+    LFLAGS2="-liconv" \
     E=".exe" CP="cp" LN="ln -s"
 }
 
@@ -73,5 +156,10 @@ package() {
 
   # install the license file
   install -Dm644 LICENSE ${pkgdir}/usr/share/licenses/unzip/LICENSE
+
+  pushd ${pkgdir}/usr/bin
+  rm -f zipinfo
+  ln -s unzip.exe zipinfo
+  popd
 }
 

unzip/unzip-6.0-COVSCAN-fix-unterminated-string.patch

@@ -0,0 +1,131 @@
+From 06d1b08aef94984256cad3c5a54cedb10295681f Mon Sep 17 00:00:00 2001
+From: Jakub Martisko <jamartis@redhat.com>
+Date: Thu, 8 Nov 2018 09:31:18 +0100
+Subject: [PATCH] Possible unterminated string fix
+
+---
+ unix/unix.c   |  4 +++-
+ unix/unxcfg.h |  2 +-
+ unzip.c       | 12 ++++++++----
+ zipinfo.c     | 12 ++++++++----
+ 4 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/unix/unix.c b/unix/unix.c
+index 59b622d..cd57f80 100644
+--- a/unix/unix.c
++++ b/unix/unix.c
+@@ -1945,7 +1945,9 @@ void init_conversion_charsets()
+     	for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
+     		if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
+     			strncpy(OEM_CP, dos_charset_map[i].archive_charset,
+-    					sizeof(OEM_CP));
++    					MAX_CP_NAME - 1);
++
++			OEM_CP[MAX_CP_NAME - 1] = '\0';
+     			break;
+     		}
+     }
+diff --git a/unix/unxcfg.h b/unix/unxcfg.h
+index 8729de2..9ee8cfe 100644
+--- a/unix/unxcfg.h
++++ b/unix/unxcfg.h
+@@ -228,7 +228,7 @@ typedef struct stat z_stat;
+ /*    and notfirstcall are used by do_wild().                          */
+
+
+-#define MAX_CP_NAME 25 
++#define MAX_CP_NAME 25 + 1 
+
+ #ifdef SETLOCALE
+ #  undef SETLOCALE
+diff --git a/unzip.c b/unzip.c
+index 2d94a38..a485f2b 100644
+--- a/unzip.c
++++ b/unzip.c
+@@ -1561,7 +1561,8 @@ int uz_opts(__G__ pargc, pargv)
+         		                  "error:  a valid character encoding should follow the -I argument"));
+     	                        return(PK_PARAM); 
+     						}
+-    						strncpy(ISO_CP, s, sizeof(ISO_CP));
++    						strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++                ISO_CP[MAX_CP_NAME - 1] = '\0';
+     					} else { /* -I charset */
+     						++argv;
+     						if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -1570,7 +1571,8 @@ int uz_opts(__G__ pargc, pargv)
+     	                        return(PK_PARAM); 
+     						}
+     						s = *argv;
+-    						strncpy(ISO_CP, s, sizeof(ISO_CP));
++    						strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++                ISO_CP[MAX_CP_NAME - 1] = '\0';
+     					}
+     					while(*(++s)); /* No params straight after charset name */
+     				}
+@@ -1665,7 +1667,8 @@ int uz_opts(__G__ pargc, pargv)
+         		                  "error:  a valid character encoding should follow the -I argument"));
+     	                        return(PK_PARAM); 
+     						}
+-    						strncpy(OEM_CP, s, sizeof(OEM_CP));
++    						strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++                OEM_CP[MAX_CP_NAME - 1] = '\0';
+     					} else { /* -O charset */
+     						++argv;
+     						if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -1674,7 +1677,8 @@ int uz_opts(__G__ pargc, pargv)
+     	                        return(PK_PARAM); 
+     						}
+     						s = *argv;
+-    						strncpy(OEM_CP, s, sizeof(OEM_CP));
++    						strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++                OEM_CP[MAX_CP_NAME - 1] = '\0';
+     					}
+     					while(*(++s)); /* No params straight after charset name */
+     				}
+diff --git a/zipinfo.c b/zipinfo.c
+index accca2a..cb7e08d 100644
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -519,7 +519,8 @@ int zi_opts(__G__ pargc, pargv)
+         		                  "error:  a valid character encoding should follow the -I argument"));
+     	                        return(PK_PARAM); 
+     						}
+-    						strncpy(ISO_CP, s, sizeof(ISO_CP));
++    						strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++                ISO_CP[MAX_CP_NAME - 1] = '\0';
+     					} else { /* -I charset */
+     						++argv;
+     						if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -528,7 +529,8 @@ int zi_opts(__G__ pargc, pargv)
+     	                        return(PK_PARAM); 
+     						}
+     						s = *argv;
+-    						strncpy(ISO_CP, s, sizeof(ISO_CP));
++    						strncpy(ISO_CP, s, MAX_CP_NAME - 1);
++                ISO_CP[MAX_CP_NAME - 1] = '\0';
+     					}
+     					while(*(++s)); /* No params straight after charset name */
+     				}
+@@ -568,7 +570,8 @@ int zi_opts(__G__ pargc, pargv)
+         		                  "error:  a valid character encoding should follow the -I argument"));
+     	                        return(PK_PARAM); 
+     						}
+-    						strncpy(OEM_CP, s, sizeof(OEM_CP));
++    						strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++                OEM_CP[MAX_CP_NAME - 1] = '\0';
+     					} else { /* -O charset */
+     						++argv;
+     						if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
+@@ -577,7 +580,8 @@ int zi_opts(__G__ pargc, pargv)
+     	                        return(PK_PARAM); 
+     						}
+     						s = *argv;
+-    						strncpy(OEM_CP, s, sizeof(OEM_CP));
++    						strncpy(OEM_CP, s, MAX_CP_NAME - 1);
++                OEM_CP[MAX_CP_NAME - 1] = '\0';
+     					}
+     					while(*(++s)); /* No params straight after charset name */
+     				}
+-- 
+2.14.5
+