Fix multiple vulnerabilities.

PR:		204413 (based on)
Notified by:	venture37@geeklan.co.uk
Security:	CVE-2015-7696, CVE-2015-7697
MFH:		2016Q1

3 files changed, 41 insertions, 7 deletions

diff --git a/archivers/unzip/Makefile b/archivers/unzip/Makefile
index 426efbc903b2..4cb7478b3fe5 100644
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME=	unzip
 PORTVERSION=	6.0
-PORTREVISION=	6
+PORTREVISION=	7
 CATEGORIES=	archivers
 MASTER_SITES=	SF/infozip/UnZip%206.x%20%28latest%29/UnZip%20${PORTVERSION}/:main \
 		SF/infozip/UnZip%205.x%20and%20earlier/5.51/:unreduce
diff --git a/archivers/unzip/files/patch-crypt.c b/archivers/unzip/files/patch-crypt.c
new file mode 100644
index 000000000000..96d1c071a7a2
--- /dev/null
+++ b/archivers/unzip/files/patch-crypt.c
@@ -0,0 +1,21 @@
+--- crypt.c.orig	2007-01-05 16:47:36.000000000 +0100
++++ crypt.c	2016-01-04 14:39:27.300502995 +0100
+@@ -465,7 +465,17 @@
+     GLOBAL(pInfo->encrypted) = FALSE;
+     defer_leftover_input(__G);
+     for (n = 0; n < RAND_HEAD_LEN; n++) {
+-        b = NEXTBYTE;
++        /* 2012-11-23 SMS.  (OUSPG report.)
++         * Quit early if compressed size < HEAD_LEN.  The resulting
++         * error message ("unable to get password") could be improved,
++         * but it's better than trying to read nonexistent data, and
++         * then continuing with a negative G.csize.  (See
++         * fileio.c:readbyte()).
++         */
++        if ((b = NEXTBYTE) == (ush)EOF)
++        {
++            return PK_ERR;
++        }
+         h[n] = (uch)b;
+         Trace((stdout, " (%02x)", h[n]));
+     }
diff --git a/archivers/unzip/files/patch-extract.c b/archivers/unzip/files/patch-extract.c
index dea0b3254379..63ad0548ad83 100644
--- a/archivers/unzip/files/patch-extract.c
+++ b/archivers/unzip/files/patch-extract.c
@@ -1,5 +1,5 @@
---- extract.c.orig	2009-03-14 01:32:52 UTC
-+++ extract.c
+--- extract.c.orig	2009-03-14 02:32:52.000000000 +0100
++++ extract.c	2016-01-04 14:43:11.813488458 +0100
 @@ -1,5 +1,5 @@
  /*
 -  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.
@@ -7,7 +7,7 @@
  
    See the accompanying file LICENSE, version 2009-Jan-02 or later
    (the contents of which are also included in unzip.h) for terms of use.
-@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
+@@ -298,6 +298,8 @@
  #ifndef SFX
     static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
       EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
@@ -16,7 +16,7 @@
     static ZCONST char Far InvalidComprDataEAs[] =
       " invalid compressed data for EAs\n";
  #  if (defined(WIN32) && defined(NTSD_EAS))
-@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -2023,7 +2025,8 @@
          ebID = makeword(ef);
          ebLen = (unsigned)makeword(ef+EB_LEN);
  
@@ -26,7 +26,7 @@
             /* Discovered some extra field inconsistency! */
              if (uO.qflag)
                  Info(slide, 1, ((char *)slide, "%-22s ",
-@@ -2032,6 +2035,16 @@ static int TestExtraField(__G__ ef, ef_l
+@@ -2032,6 +2035,16 @@
                ebLen, (ef_len - EB_HEADSIZE)));
              return PK_ERR;
          }
@@ -43,7 +43,7 @@
  
          switch (ebID) {
              case EF_OS2:
-@@ -2217,14 +2230,28 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2217,14 +2230,28 @@
      ulg eb_ucsize;
      uch *eb_ucptr;
      int r;
@@ -75,3 +75,16 @@
  
      if (
  #ifdef INT_16BIT
+@@ -2701,6 +2728,12 @@
+     int repeated_buf_err;
+     bz_stream bstrm;
+ 
++    if (G.incnt <= 0 && G.csize <= 0L) {
++        /* avoid an infinite loop */
++        Trace((stderr, "UZbunzip2() got empty input\n"));
++        return 2;
++    }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+     if (G.redirect_slide)
+         wsize = G.redirect_size, redirSlide = G.redirect_buffer;