#
# spec file for package unzip
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

%define _name unzip
%define fileversion 60
%bcond_with rcc

%if %{with rcc}
%define update_weight 20
%define _suffix rcc
BuildRequires:  librcc-devel
Suggests:       librcc0
Provides:       %{_name} = %{version}
%else
%define update_weight 10
%define _suffix plain
%endif
# NOTE: unzip.spec is the major file, if you want to update unzip-rcc.spec
# call pre_checkin.sh after editing unzip.spec

Name:           unzip
Version:        6.00
Release:        37.1
Summary:        A program to unpack compressed files
License:        BSD-3-Clause
Group:          Productivity/Archiving/Compression
Url:            http://www.info-zip.org/
Source:         http://sourceforge.net/projects/infozip/files/UnZip%%206.x%%20%%28latest%%29/UnZip%%206.0/%{_name}%{fileversion}.tar.gz
Source1:        pre_checkin.sh
Patch0:         unzip.dif
Patch1:         unzip-iso8859_2.patch
Patch3:         unzip-optflags.patch
Patch4:         unzip-5.52-filename_too_long.patch
Patch5:         unzip-no_file_name_translation.patch
Patch8:         unzip-open_missing_mode.patch
Patch10:        unzip-5.52-use_librcc.patch
Patch11:        unzip-no-build-date.patch
Patch12:        unzip-dont_call_isprint.patch
Patch13:        Fix-CVE-2014-8139-unzip.patch
# http://pkgs.fedoraproject.org/cgit/rpms/unzip.git/plain/unzip-6.0-cve-2014-8139.patch
Patch14:        Fix-CVE-2014-8140-and-CVE-2014-8141.patch
Patch15:        CVE-2015-7696.patch
Patch16:        CVE-2015-7697.patch
Patch17:        CVE-2016-9844.patch
Patch18:        CVE-2014-9913.patch
Patch19:        CVE-2018-1000035.patch
Patch20:        Fix-CVE-2014-9636-unzip-buffer-overflow.patch
Patch21:        unzip60-total_disks_zero.patch
Patch22:        unzip60-cfactorstr_overflow.patch
Requires(post): update-alternatives
Requires(postun): update-alternatives
Recommends:     %{_name}-doc
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
UnZip is an extraction utility for archives compressed in .zip format
(known as "zip files"). Although highly compatible both with PKWARE's
PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip
program, our primary objectives have been portability and non-MS-DOS
functionality. This version can also extract encrypted archives.

%package doc
Summary:        Documentation files for unzip
Group:          Productivity/Archiving/Compression

%description doc
UnZip is an extraction utility for archives compressed in .zip format
(known as "zip files"). Although highly compatible both with PKWARE's
PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip
program, our primary objectives have been portability and non-MS-DOS
functionality. This version can also extract encrypted archives.

%prep
%setup -q -n %{_name}%{fileversion}
%patch0
%patch1
%patch3
%patch4
%patch5
%patch8
%if %{with rcc}
%patch10
%endif
%patch11
%patch12
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p0
%patch20 -p1
%patch21 -p1
%patch22 -p1

%build
export RPM_OPT_FLAGS="%{optflags} \
-D_GNU_SOURCE -DRCC_LAZY -DWILD_STOP_AT_DIR \
-DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT \
-DUNICODE_WCHAR -DUTF8_MAYBE_NATIVE -DNO_LCHMOD \
-DDATE_FORMAT=DF_YMD -I. -fstack-protector -fno-strict-aliasing -fPIE"
make %{?_smp_mflags} -f unix/Makefile LF2="-ldl -pie" linux_noasm

%check
make %{?_smp_mflags} -f unix/Makefile check

%install
mkdir -p %{buildroot}%{_sysconfdir}/alternatives
mkdir -p %{buildroot}{%{_bindir},%{_mandir}/man1}
for i in unzip funzip unzipsfx; do
    install $i "%{buildroot}%{_bindir}/$i-"%{_suffix}
done
ln -s unzip %{buildroot}%{_bindir}/zipinfo
install unix/zipgrep "%{buildroot}%{_bindir}/zipgrep-"%{_suffix}
for i in unzip funzip unzipsfx zipgrep; do
    touch %{buildroot}%{_sysconfdir}/alternatives/$i
    ln -s %{_sysconfdir}/alternatives/$i %{buildroot}%{_bindir}/$i
done

# do not have the docu in both packages
%if %{without rcc}
for i in man/*.1; do
    install -m 644 $i %{buildroot}%{_mandir}/man1/
done
%endif

%post
for bin in unzip funzip unzipsfx zipgrep; do
    %{_sbindir}/update-alternatives --install \
        %{_bindir}/$bin $bin "%{_bindir}/$bin-"%{_suffix} %{update_weight}
done

%postun
if [ "$1" = 0 ] ; then
    for bin in unzip funzip unzipsfx zipgrep; do
        %{_sbindir}/update-alternatives --remove $bin "%{_bindir}/$bin"-%{_suffix}
    done
fi

%files
%defattr(-,root,root)
%ghost %{_sysconfdir}/alternatives/unzip
%{_bindir}/unzip
%{_bindir}/unzip-%{_suffix}
%ghost %{_sysconfdir}/alternatives/funzip
%{_bindir}/funzip
%{_bindir}/funzip-%{_suffix}
%ghost %{_sysconfdir}/alternatives/unzipsfx
%{_bindir}/unzipsfx
%{_bindir}/unzipsfx-%{_suffix}
%{_bindir}/zipinfo
%ghost %{_sysconfdir}/alternatives/zipgrep
%{_bindir}/zipgrep
%{_bindir}/zipgrep-%{_suffix}

%if %{without rcc}
%files doc
%defattr(-,root,root)
%{_mandir}/man1/*
%doc BUGS Contents History.* LICENSE README ToDo WHERE
%doc *.txt proginfo
%endif

%changelog
* Thu Oct 11 2018 kstreitova@suse.com
- Add unzip60-cfactorstr_overflow.patch to fix buffer overflow in
  list.c [bsc#1110194] [CVE-2018-18384]
* Wed Jun 27 2018 kstreitova@suse.com
- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is
  unable to process Windows zip64 archives because Windows
  archivers set total_disks field to 0 but per standard, valid
  values are 1 and higher [bnc#910683]
- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap
  overflow for STORED field data [bnc#914442] [CVE-2014-9636]
* Wed May 16 2018 antoine.belvire@opensuse.org
- Fix "remove failed: No such file or directory" warnings upon
  package removal:
  * Call 'update-alternative --remove' in %%postun, not in %%preun.
* Thu Feb 8 2018 kbabioch@suse.com
- Add CVE-2018-1000035.patch: Fix a heap-based buffer overflow in
  password protected ZIP archives (CVE-2018-1000035 bsc#1080074)
* Thu Jul 6 2017 nico.kruber@gmail.com
- Updated Fix-CVE-2014-8139-unzip.patch: the original patch was
  causing errors testing valid jar files:
  $ unzip -t foo.jar
  Archive: foo.jar
  testing: META-INF/ bad extra-field entry:
  EF block length (0 bytes) invalid (< 4)
  testing: META-INF/MANIFEST.MF OK
  testing: foo OK
  (see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8139
  where the updated patch was taken from)
* Wed Feb 15 2017 josef.moellers@suse.com
- Fixed two potential buffer overflows.
  The patches were extracted from
  http://antinode.info/ftp/info-zip/unzip60/zipinfo.c and
  http://antinode.info/ftp/info-zip/unzip60/list.c
  (bsc#1013992, bsc#1013993, CVE-2016-9844, CVE-2014-9913,
  CVE-2016-9844.patch, CVE-2014-9913.patch)
* Wed Oct 12 2016 josef.moellers@suse.com
- When decrypting an encrypted file, quit early
  if compressed size < HEAD_LEN.
  When extracting avoid an infinite loop if a file never finishes unzipping.
  (bsc#950110, bsc#950111, CVE-2015-7696, CVE-2015-7697,
  CVE-2015-7696.patch, CVE-2015-7697.patch)
* Thu Jun 16 2016 tchvatal@suse.com
- Require properly the update-alternatives to not throw out errors
  when installing in OBS chroot
* Mon Jan 26 2015 tbehrens@suse.com
- Add Fix-CVE-2014-8139-unzip.patch: fix heap overflow condition in
  the CRC32 verification (fixes bnc#909214)
- Add Fix-CVE-2014-8140-and-CVE-2014-8141.patch: fix write error
  (*_8349_*) shows a problem in extract.c:test_compr_eb(), and:
  read errors (*_6430_*, *_3422_*) show problems in
  process.c:getZip64Data() (fixes bnc#909214)
* Sun Dec 21 2014 meissner@suse.com
- build with PIE
* Fri Aug 2 2013 coolo@suse.com
- fix defaultattr for old distros
* Fri Aug 2 2013 coolo@suse.com
- split the rcc dependency into a spec file of its own, we don't
  need that complexity during build causing cycles like this:
  unzip -> librcc -> libproxy -> libXau -> xorg-x11-proto-devel ->
  docbook-xsl-stylesheets
* Fri Apr 5 2013 idonmez@suse.com
- Cleanup spec file
- Add Source URL, see https://en.opensuse.org/SourceUrls
* Fri Aug 5 2011 pth@suse.de
- Don't call isprint (bnc#620483).
* Mon May 23 2011 lnussel@suse.de
- remove use of __DATE__ from correct file
* Sat May 7 2011 idoenmez@novell.com
- Sync our compile time flags with Debian except Acorn stuff,
  this enables UTF-8, saves an unrelated warning about lchmod
  being not implemented.
- Enable make check
* Fri Jan 28 2011 lnussel@suse.de
- use dlopen for librcc0. A direct requires causes lots of other
  packages to get installed such as aspell which bloats a minimal
  install.
* Mon Aug 30 2010 cristian.rodriguez@opensuse.org
- Do not include build host specific info like build dates
  in binaries.
* Fri Jun 25 2010 pth@suse.de
- Doing open(O_WRONLY) and then fdopen("w+") will now fail with
  "Invalid Argument" whereas former glibcs would succeed. So
  now do open(O_RDWR).
- Print error message when open(2) fails.
- Add debugging traces in open_outfile.
* Fri May 21 2010 pth@suse.de
- Update to 6.0:
  * Support PKWARE ZIP64 extensions, allowing Zip archives and Zip
    archive entries larger than 4 GiBytes and more than 65536
    entries within a single Zip archive. This support is currently
    only available for Unix, OpenVMS and Win32/Win64.
  * Support for bzip2 compression method.
  * Support for UTF-8 encoded entry names, both through PKWARE's
    "General Purpose Flags Bit 11" indicator and Info-ZIP's new
    "up" unicode path extra field. (Currently, on Windows the
    UTF-8 handling is limited to the character subset contained in
    the configured non-unicode "system code page".)
  * Fixed "Time of Creation/Time of Use" vulnerability when setting
    attributes of extracted files, for Unix and Unix-like ports.
  * Fixed memory leak when processing invalid deflated data.
  * Fixed long-standing bug in unshrink (partial_clear), added
    boundary checks against invalid compressed data.
  * On Unix, keep inherited SGID attribute bit for extracted
    directories unless restoration of owner/group id or
    SUID/SGID/Tacky attributes was requested.
  * On Unix, allow extracted filenames to contain embedded control
    characters when explicitly requested by specifying the new
    command line option "-^".
  * On Unix, support restoration of symbolic link attributes.
  * On Unix, support restoration of 32-bit UID/GID data using the
    new "ux" IZUNIX3 extra field introduced with Zip 3.0.
  * Support symbolic links zipped up on VMS.
  * New -D option to suppress restoration of timestamps for
    extracted directory entries (on those ports that support
    setting of directory timestamps). By specifying "-DD", this
    new option also allows to suppress timestamp restoration for
    ALL extracted files on all UnZip ports which support
    restoration of timestamps. On VMS, the default behaviour is
    now to skip restoration of directory timestamps; here, "--D"
    restores ALL timestamps, "-D" restores none.
  * On OS/2, Win32, and Unix, the (previously optional) feature
    UNIXBACKUP to allow saving backup copies of overwritten files
    on extraction is now enabled by default.
* Mon May 10 2010 pth@suse.de
- Use librcc to convert Russian/Slavic file names (bnc#540598).
* Sun Dec 6 2009 jengelh@.medozas.de
- enable parallel building
* Tue Dec 9 2008 schwab@suse.de
- Fix last change.
* Mon Sep 15 2008 ro@suse.de
- use hardlink instead of softlink
* Mon Feb 4 2008 pth@suse.de
- Add patch to fix erroneous freeing of buffers (bnc#358425)
* Fri Dec 7 2007 pth@suse.de
- Pass file mode when calling open with O_CREAT.
* Mon Dec 3 2007 pth@suse.de
- Add patch to extend the maximum file/archive size to 2^32-8193
  (4294959103) bytes.
- Add patch to fix CVE-2005-2475 (bnc#274156)
* Thu Jun 21 2007 adrian@suse.de
- fix changelog entry order
* Thu May 3 2007 pth@suse.de
- Add patch from Takashi Iwai that adds a new option (-S) to unzip
  and infozip that disables file name translation (bnc#267901).
- Recompress tarball with bzip2
* Fri Jan 27 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Thu Jan 26 2006 pth@suse.de
- Reject file names that are too long (bnc#140304)
- Use stack protector.
* Fri Jan 20 2006 schwab@suse.de
- Don't strip binaries.
* Thu Dec 15 2005 pth@suse.de
- Compile with (limited) large file support. This will support
  single files exceeding 2 GB as long as the archive stays
  below that threshold.
* Mon Jun 13 2005 rommel@suse.de
- update to version 5.52 (bnc#67279)
* Sat Aug 7 2004 rommel@suse.de
- update to version 5.51 (fixes old security bugs,
  adds PKWARE's compression code Deflate64)
* Wed May 19 2004 ro@suse.de
- added -fno-strict-aliasing
- really use RPM_OPT_FLAGS
* Sun Jan 11 2004 adrian@suse.de
- build as user
* Tue Sep 23 2003 rommel@suse.de
- replaced fix for ../ exploit with a fix both for
  the ../ exploit and '/' exploit (Bugzilla #29311)
* Thu Jul 3 2003 rommel@suse.de
- added fix for ../ exploit (Bugzilla #27667)
* Fri Jan 17 2003 rommel@suse.de
- fixed Summary: to be more verbose about what this package does
* Tue Sep 17 2002 ro@suse.de
- removed bogus self-provides
* Fri Jul 5 2002 kukuk@suse.de
- Use %%ix86 macro
* Mon Mar 11 2002 rommel@suse.de
- Update to 5.50
- took over parts of pmladek's patch (see below)
* Thu Jan 24 2002 grimmer@suse.de
- added unzip-5.42-iso8859_2.patch to fix coding conversion between
  Microsoft and Linux file names (originally from
  http://www.axis.cz/linux/zip_unzip.php3, enhanced to support both
  ISO8859-1 and ISO8859-2 by Petr Mladek )
* Mon Apr 9 2001 grimmer@suse.de
- Update to 5.42
- file list fixes (new license file, documentation renames)
* Wed Dec 13 2000 grimmer@suse.de
- Update to 5.41 (now includes decryption support)
- now Provides and Obsoletes crunzip
- bzipped sources
- use BuildRoot
* Tue Feb 29 2000 schwab@suse.de
- Add support for ia64.
- /usr/man -> /usr/share/man
* Wed Dec 22 1999 grimmer@suse.de
- Added "Conflicts: crzip" to spec file
- cleaned up Provides: tag
* Fri Dec 17 1999 grimmer@suse.de
- Spec file cleanups
* Sat Nov 27 1999 kukuk@suse.de
- Use linux_noasm Makefile target on SPARC
* Mon Sep 13 1999 bs@suse.de
- ran old prepare_spec on spec file to switch to new prepare_spec.
* Wed Sep 8 1999 uli@suse.de
- uses target linux_noasm for PPC
* Wed Feb 24 1999 grimmer@suse.de
- new version (5.40)
- specfile modifications
- added french description
* Mon Jan 11 1999 ro@suse.de
- use target linux_noasm for alpha
* Fri Jan 23 1998 rj@suse.de
- version 5.32
* Thu Feb 6 1997 rj@suse.de
- version 5.12
- new test/changes/plist files