!42 add make check in spec

From: @znzjugod 
Reviewed-by: @ziyangc 
Signed-off-by: @ziyangc

CVE-2019-13232-fur1.patch

@@ -24,7 +24,7 @@ index 0973a33..1b73cb0 100644
 @@ -493,8 +493,11 @@ int extract_or_test_files(__G)    /* return PK-type error code */
      }
  #endif /* !SFX || SFX_EXDIR */
-
+ 
 -    /* One more: initialize cover structure for bomb detection. Start with a
 -       span that covers the central directory though the end of the file. */
 +    /* One more: initialize cover structure for bomb detection. Start with
@@ -62,7 +62,7 @@ index 0973a33..1b73cb0 100644
 +          LoadFarString(OverlappedComponents)));
 +        return PK_BOMB;
 +    }
-
+ 
  /*---------------------------------------------------------------------------
      The basic idea of this function is as follows.  Since the central di-
 diff --git a/process.c b/process.c
@@ -70,14 +70,14 @@ index d2e4dc3..d75d405 100644
 --- a/process.c
 +++ b/process.c
 @@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen)         /* return PK-class error */
-
+ 
      /* Now, we are (almost) sure that we have a Zip64 archive. */
      G.ecrec.have_ecr64 = 1;
 +    G.ecrec.ec_start -= ECLOC64_SIZE+4;
 +    G.ecrec.ec64_start = ecrec64_start_offset;
 +    G.ecrec.ec64_end = ecrec64_start_offset +
 +                       12 + makeint64(&byterec[ECREC64_LENGTH]);
-
+ 
      /* Update the "end-of-central-dir offset" for later checks. */
      G.real_ecrec_offset = ecrec64_start_offset;
 @@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen)          /* return PK-class error */
@@ -86,7 +86,7 @@ index d2e4dc3..d75d405 100644
        makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
 +    G.ecrec.ec_start = G.real_ecrec_offset;
 +    G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
-
+ 
      /* Now, we have to read the archive comment, BEFORE the file pointer
         is moved away backwards to seek for a Zip64 ECLOC64 structure.
 diff --git a/unzpriv.h b/unzpriv.h
@@ -108,4 +108,5 @@ index dc9eff5..297b3c7 100644
 +                                           end of the Zip64 end of central
 +                                           directory record */
     } ecdir_rec;
-
+ 
+ 

CVE-2019-13232-fur2.patch

@@ -22,7 +22,7 @@ index 3a01d13..031efdb 100644
      size_t max;         /* allocated number of spans (num <= max) */
 +    unsigned long count;
  } cover_t;
-
+ 
  /*
   * Return the index of the first span in cover whose beg is greater than val.
   * If there is no such span, then cover->num is returned.
@@ -62,7 +62,7 @@ index 3a01d13..031efdb 100644
 +    size_t pos = cover_find(cover, val, 0);
      return pos > 0 && val < cover->span[pos - 1].end;
  }
-
+ 
 +static int is_exceed_max_overlaps(cover, val)
 +    cover_t *cover;
 +{
@@ -80,10 +80,10 @@ index 3a01d13..031efdb 100644
 +    size_t pos_beg;
 +    size_t pos_end;
      int prec, foll;
-
+ 
      if (beg >= end)
 @@ -396,31 +412,76 @@ static int cover_add(cover, beg, end)
-
+ 
      /* Find where the new span should go, and make sure that it does not
         overlap with any existing spans. */
 -    pos = cover_find(cover, beg);
@@ -92,7 +92,7 @@ index 3a01d13..031efdb 100644
 -        return 1;
 +    pos_beg = cover_find(cover, beg, 0);
 +    pos_end = cover_find(cover, end, 1);
-
+ 
      /* Check for adjacencies. */
 -    prec = pos > 0 && beg == cover->span[pos - 1].end;
 -    foll = pos < cover->num && end == cover->span[pos].beg;
@@ -198,7 +198,7 @@ index 3a01d13..031efdb 100644
                    G.extra_bytes + G.ecrec.offset_start_central_directory,
                    G.extra_bytes + G.ecrec.offset_start_central_directory +
 @@ -1218,7 +1280,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
-
+ 
          /* seek_zipf(__G__ pInfo->offset);  */
          request = G.pInfo->offset + G.extra_bytes;
 -        if (cover_within((cover_t *)G.cover, request)) {
@@ -252,12 +252,12 @@ index 5b7d288..8c4c37e 100644
 +  -g  limit the number of overlap files\n";
  #endif /* ?VM_CMS */
  #endif /* ?MACOS */
-
+ 
 @@ -1367,7 +1414,7 @@ int uz_opts(__G__ pargc, pargv)
      extern char OEM_CP[MAX_CP_NAME];
      extern char ISO_CP[MAX_CP_NAME];
  #endif
--
+-    
 +    uO.max_overlaps = (unsigned long)(-1);  /* if not set, uncheck overlaps */
      while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
          s = *argv + 1;
@@ -307,7 +307,7 @@ index ed24a5b..a7e8a64 100644
  #endif /* !FUNZIP */
 +    unsigned long max_overlaps;  /* Maximum number of overlaps allowed */
  } UzpOpts;
-
+ 
  /* intended to be a private struct: */
 diff --git a/unzip.txt b/unzip.txt
 index e8e9719..6594ee6 100644
@@ -315,23 +315,24 @@ index e8e9719..6594ee6 100644
 +++ b/unzip.txt
 @@ -4,7 +4,7 @@ NAME
         unzip - list, test and extract compressed files in a ZIP archive
-
+ 
  SYNOPSIS
 -       unzip  [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...]
 +       unzip  [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^][-g num]] file[.zip] [file(s) ...]
         [-x xfile(s) ...] [-d exdir]
-
+ 
  DESCRIPTION
 @@ -177,6 +177,10 @@ OPTIONS
                implemented but will be in future releases.
-
+ 
         -z     display only the archive comment.
 +       -g num
 +              limit the number of overlap files. When the number of overlap f-
 +              iles exceeds the num we set, it is a bomb. the num is a decimal
 +              number.
-
+ 
  MODIFIERS
         -a     convert  text files.  Ordinarily all files are extracted exactly
---
+-- 
 1.8.3.1
+

CVE-2019-13232-pre.patch

@@ -1,5 +1,7 @@
 From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
 From: Mark Adler <madler@alumni.caltech.edu>
+From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
 Date: Mon, 27 May 2019 08:20:32 -0700
 Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.
 
@@ -22,4 +24,4 @@ index c042987..bc00d74 100644
 +            G.csize = 0L;
          G.incnt = G.incnt_leftover + (int)G.csize;
          G.inptr = G.inptr_leftover - (int)G.csize;
-         G.incnt_leftover = 0;
+         G.incnt_leftover = 0;

CVE-2019-13232.patch

@@ -158,9 +158,9 @@ index 1acd769..0973a33 100644
 +    }
 +    return 0;
 +}
-
-
-
+ 
+ 
+ 
 @@ -374,6 +493,29 @@ int extract_or_test_files(__G)    /* return PK-type error code */
      }
  #endif /* !SFX || SFX_EXDIR */
@@ -202,7 +202,7 @@ index 1acd769..0973a33 100644
                  reached_end = FALSE;
                  /* ... and cancel scanning the central directory */
 @@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
-
+ 
          /* seek_zipf(__G__ pInfo->offset);  */
          request = G.pInfo->offset + G.extra_bytes;
 +        if (cover_within((cover_t *)G.cover, request)) {
@@ -212,7 +212,7 @@ index 1acd769..0973a33 100644
 +        }
          inbuf_offset = request % INBUFSIZ;
          bufstart = request - inbuf_offset;
-
+ 
 @@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk,
              return IZ_CTRLC;        /* cancel operation by user request */
          }
@@ -234,7 +234,7 @@ index 1acd769..0973a33 100644
  #endif
 @@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G)    /* return PK-type error code */
      }
-
+ 
      undefer_input(__G);
 +
 +    if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
@@ -265,7 +265,7 @@ index 1acd769..0973a33 100644
 +    }
 +
      return error;
-
+ 
  } /* end function extract_or_test_member() */
 diff --git a/globals.c b/globals.c
 index fa8cca5..1e0f608 100644
@@ -277,7 +277,7 @@ index fa8cca5..1e0f608 100644
  # endif
 +    G.cover = NULL;     /* not allocated yet */
  #endif
-
+ 
      uO.lflag=(-1);
 diff --git a/globals.h b/globals.h
 index 11b7215..2bdcdeb 100644
@@ -286,7 +286,7 @@ index 11b7215..2bdcdeb 100644
 @@ -260,12 +260,15 @@ typedef struct Globals {
      ecdir_rec       ecrec;         /* used in unzip.c, extract.c */
      z_stat   statbuf;              /* used by main, mapname, check_for_newer */
-
+ 
 +    int zip64;                     /* true if Zip64 info in extra field */
 +
      int      mem_mode;
@@ -296,7 +296,7 @@ index 11b7215..2bdcdeb 100644
      int      disk_full;
      int      newfile;
 +    void     **cover;              /* used in extract.c for bomb detection */
-
+ 
      int      didCRlast;            /* fileio static */
      ulg      numlines;             /* fileio static: number of lines printed */
 diff --git a/process.c b/process.c
@@ -306,7 +306,7 @@ index 1e9a1e1..d2e4dc3 100644
 @@ -637,6 +637,13 @@ void free_G_buffers(__G)     /* releases all memory allocated in global vars */
      }
  #endif
-
+ 
 +    /* Free the cover span list and the cover structure. */
 +    if (G.cover != NULL) {
 +        free(*(G.cover));
@@ -315,17 +315,17 @@ index 1e9a1e1..d2e4dc3 100644
 +    }
 +
  } /* end function free_G_buffers() */
-
-
+ 
+ 
 @@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
  #define Z64FLGS 0xffff
  #define Z64FLGL 0xffffffff
-
+ 
 +    G.zip64 = FALSE;
 +
      if (ef_len == 0 || ef_buf == NULL)
          return PK_COOL;
-
+ 
 @@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
              G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
              offset += 4;
@@ -346,4 +346,4 @@ index 5b2a326..ed24a5b 100644
 +#define PK_BOMB           12   /* likely zip bomb */
  #define PK_DISK           50   /* disk full */
  #define PK_EOF            51   /* unexpected EOF */
- 
+ 

CVE-2022-0529.patch

@@ -0,0 +1,104 @@
+From 8b40e8021a98728b5889516af308dd52378c964c Mon Sep 17 00:00:00 2001
+From: Lv Ying <lvying6@huawei.com>
+Date: Wed, 23 Feb 2022 09:32:21 +0800
+Subject: [PATCH 2/2] fix CVE-2022-0529 Heap out-of-bound writes and reads
+ during conversion of wide string to local string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2022-0529 discussed in https://bugzilla.redhat.com/show_bug.cgi?id=2051402
+CVE can be reproduced:
+$ unset LANG
+$ valgrind ./unzip ./unzip_03/testcase
+valgrind will detect Heap out-of-bound writes and reads just as bugzilla discussed
+
+This is because wide_to_escape_string returns a string that represents a wide char
+not in local char set, is longer than MAX_ESCAPE_BYTES(8). Actually, MAX_ESCAPE_BYTES
+max is 10, for example, 4-byte wide character '#L02020276' is 10 bytes long, not
+including the terminating null character. So strcat(buffer, escape_string) will cause
+Heap out-of-bound writes.
+
+By default, the OS vendor sets the LANG environment variable. valgrind tests this POC
+will get another memory error.
+$ export | grep LANG
+declare -x LANG="en_US.UTF-8"
+$ valgrind ./unzip ./unzip_03/testcase
+
+Archive:  unzip_03/testcase
+warning [unzip_03/testcase]:  303 extra bytes at beginning or within zipfile
+  (attempting to process anyway)
+error [unzip_03/testcase]:  reported length of central directory is
+  -303 bytes too long (Atari STZip zipfile?  J.H.Holm ZIPSPLIT 1.1
+  zipfile?).  Compensating...
+==15725== Conditional jump or move depends on uninitialised value(s)
+==15725==    at 0x4903169: __wcsnlen_sse4_1 (strlen.S:186)
+==15725==    by 0x48F3D61: wcsrtombs (wcsrtombs.c:104)
+==15725==    by 0x488B9A0: wcstombs (wcstombs.c:34)
+==15725==    by 0x407279: wcstombs (stdlib.h:154)
+==15725==    by 0x407279: fnfilter.constprop.2 (extract.c:2946)
+==15725==    by 0x4076A5: store_info (extract.c:1155)
+==15725==    by 0x40AFF4: extract_or_test_files (extract.c:782)
+==15725==    by 0x41586C: do_seekable (process.c:994)
+==15725==    by 0x4167EE: process_zipfiles (process.c:401)
+==15725==    by 0x40449B: unzip (unzip.c:1280)
+==15725==    by 0x4874B26: (below main) (libc-start.c:308)
+==15725==
+   skipping: ??????????????????????????????????????????????????????????????????????????ı  need PK compat. v4.6 (can do v4.5)
+==15725==
+==15725== HEAP SUMMARY:
+==15725==     in use at exit: 0 bytes in 0 blocks
+==15725==   total heap usage: 37 allocs, 37 frees, 90,739 bytes allocated
+==15725==
+==15725== All heap blocks were freed -- no leaks are possible
+==15725==
+==15725== For counts of detected and suppressed errors, rerun with: -v
+==15725== Use --track-origins=yes to see where uninitialised values come from
+==15725== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+
+This is because wcstombs( newraw, wostring, (woslen * MB_CUR_MAX) + 1) in fnfilter
+use wrong n parameter which stands for At most n bytes are written to dest.
+When LANG environment variable is set, MB_CUR_MAX = 6, so wcstombs will writes more
+bytes over dest(newraw).
+
+Signed-off-by: Lv Ying <lvying6@huawei.com>
+---
+ extract.c | 4 ++--
+ process.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index f0e8217..3f6e14d 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2856,12 +2856,12 @@ char *fnfilter(raw, space, size)   /* convert name to safely printable form */
+     if (wslen != (size_t)-1)
+     {
+         /* Apparently valid Unicode.  Allocate wide-char storage. */
+-        wstring = (wchar_t *)malloc((wslen + 1) * sizeof(wchar_t));
++        wstring = (wchar_t *)calloc((wslen + 1), sizeof(wchar_t));
+         if (wstring == NULL) {
+             strcpy( (char *)space, raw);
+             return (char *)space;
+         }
+-        wostring = (wchar_t *)malloc(2 * (wslen + 1) * sizeof(wchar_t));
++        wostring = (wchar_t *)calloc(2 * (wslen + 1), sizeof(wchar_t));
+         if (wostring == NULL) {
+             free(wstring);
+             strcpy( (char *)space, raw);
+diff --git a/process.c b/process.c
+index 5cba073..3e7fcb3 100644
+--- a/process.c
++++ b/process.c
+@@ -2395,7 +2395,7 @@ char *local_to_utf8_string(local_string)
+   */
+ 
+  /* set this to the max bytes an escape can be */
+-#define MAX_ESCAPE_BYTES 8
++#define MAX_ESCAPE_BYTES 10
+ 
+ char *wide_to_escape_string(wide_char)
+   zwchar wide_char;
+-- 
+2.27.0
+

CVE-2022-0530.patch

@@ -0,0 +1,61 @@
+From 4d9e8cd35d59f05f75cb2d8f05c6e4c9277dcf9c Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 22 Feb 2022 21:04:25 +0000
+Subject: [PATCH 1/2] Fix CVE-2022-0530
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ fileio.c  | 20 +++++++++++++-------
+ process.c |  2 ++
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/fileio.c b/fileio.c
+index cf995a9..e237272 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -2360,16 +2360,22 @@ int do_string(__G__ length, option)   /* return PK-type error code */
+                   /* convert UTF-8 to local character set */
+                   fn = utf8_to_local_string(G.unipath_filename,
+                                             G.unicode_escape_all);
+-                  /* make sure filename is short enough */
+-                  if (strlen(fn) >= FILNAMSIZ) {
+-                    fn[FILNAMSIZ - 1] = '\0';
++                  if (!fn) {
+                     Info(slide, 0x401, ((char *)slide,
+-                      LoadFarString(UFilenameTooLongTrunc)));
++                      LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
+                     error = PK_WARN;
++                  } else {
++                    /* make sure filename is short enough */
++                    if (strlen(fn) >= FILNAMSIZ) {
++                      fn[FILNAMSIZ - 1] = '\0';
++                      Info(slide, 0x401, ((char *)slide,
++                        LoadFarString(UFilenameTooLongTrunc)));
++                      error = PK_WARN;
++                    }
++                    /* replace filename with converted UTF-8 */
++                    strcpy(G.filename, fn);
++                    free(fn);
+                   }
+-                  /* replace filename with converted UTF-8 */
+-                  strcpy(G.filename, fn);
+-                  free(fn);
+                 }
+ # endif /* UNICODE_WCHAR */
+                 if (G.unipath_filename != G.filename_full)
+diff --git a/process.c b/process.c
+index 46abce2..5cba073 100644
+--- a/process.c
++++ b/process.c
+@@ -2597,6 +2597,8 @@ char *utf8_to_local_string(utf8_string, escape_all)
+   int escape_all;
+ {
+   zwchar *wide = utf8_to_wide_string(utf8_string);
++  if (!wide)
++    return NULL;
+   char *loc = wide_to_local_string(wide, escape_all);
+   free(wide);
+   return loc;
+-- 
+2.27.0
+

backport-CVE-2021-4217.patch

@@ -0,0 +1,39 @@
+From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
+From: Nils Bars <nils.bars@t-online.de>
+Date: Mon, 17 Jan 2022 16:53:16 +0000
+Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
+
+This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
+to read as many bytes as indicated by the extra field length attribute.
+Furthermore, this fixes a null pointer dereference if an archive contains an
+`EF_UNIPATH` extra field but does not have a filename set.
+
+Reference:https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
+Conflict: fileio.c file not change.
+---
+ process.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/process.c b/process.c
+index abe938b..f573ee4 100644
+--- a/process.c
++++ b/process.c
+@@ -2060,10 +2060,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
+           G.unipath_checksum = makelong(offset + ef_buf);
+           offset += 4;
+ 
++          if (!G.filename_full) {
++            /* Check if we have a unicode extra section but no filename set */
++            return PK_ERR;
++          }
++
+           /*
+            * Compute 32-bit crc
+            */
+-
+           chksum = crc32(chksum, (uch *)(G.filename_full),
+                          strlen(G.filename_full));
+ 
+-- 
+2.33.0
+

unzip-6.0-alt-iconv-utf8.patch

@@ -174,7 +174,7 @@ Index: unzip-6.0/unzip.c
 +#else /* UNIX */
 +static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
 +  -h  print header line       -t  print totals for listed files or for all\n\
-+  -z  print zipfile comment  %c-T%c print file times in sortable decimal format\
++  -z  print zipfile comment   -T  print file times in sortable decimal format\
 +\n %c-C%c be case-insensitive   %s\
 +  -x  exclude filenames that follow from listing\n\
 +  -O CHARSET  specify a character encoding for DOS, Windows and OS/2 archives\n\

unzip.spec

@@ -1,6 +1,6 @@
 Name:           unzip
 Version:        6.0
-Release:        44
+Release:        48
 Summary:        A utility for unpacking zip files
 License:        BSD
 URL:            http://www.info-zip.org/UnZip.html
@@ -34,8 +34,10 @@ Patch6000:      CVE-2018-18384.patch
 Patch6001:      CVE-2019-13232-pre.patch
 Patch6002:      CVE-2019-13232.patch
 Patch6003:      CVE-2019-13232-fur1.patch
+Patch6004:      backport-CVE-2021-4217.patch
 Patch9000:      CVE-2019-13232-fur2.patch
-
+Patch9001:      CVE-2022-0530.patch
+Patch9002:      CVE-2022-0529.patch
 
 BuildRequires:  bzip2-devel
 
@@ -61,6 +63,9 @@ Package help includes man pages for unzip.
 %install
 %make_install -f unix/Makefile prefix=$RPM_BUILD_ROOT%{_prefix} MANDIR=$RPM_BUILD_ROOT%{_mandir}/man1 INSTALL="cp -p"
 
+%check
+make check -f unix/Makefile
+
 %files
 %license LICENSE COPYING.OLD
 %doc README BUGS
@@ -70,6 +75,18 @@ Package help includes man pages for unzip.
 %{_mandir}/man1/*
 
 %changelog
+* Thu Feb 16 2023 zhangnan <zhangnan134@huawei.com> - 6.0-48
+- add make check in spec
+
+* Tue Sep 6 2022 dongyuzhen <dongyuzhen@h-partners.com> - 6.0-47
+- fix CVE-2021-4217
+
+* Wed Feb 23 2022  tianwei <tianwei@h-partners.com> - 6.0-46
+- fix CVE-2022-0529 CVE-2022-0530
+
+* Mon Mar 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.0-45
+- delete garbled characters
+
 * Mon Mar 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.0-44
 - fix CVE-2019-13232