On Sun, Dec 01, 2019 at 05:56:36PM -0600, Bruce Dubbs via blfs-dev wrote:
> On 12/1/19 5:12 PM, Ken Moffat via blfs-dev wrote:
> >
> > So, it seems that there are three sets of deficiencies in our build:
> >
> > 1. Files with non-ASCII filenames: we recommend using WinZip under
> > Wine, or unpacking with bsdtar and then using convmv. I guess that
> > fedora's many patches perhaps cover this, but does anyone have an
> > example zip file they can share for testing?
> >
> > 2. A plethora of CVE and related security fixes.
> >
> > 3. Not supporting members of a zip archive which have been
> > compressed with bzip2.
> >
> > I'm inclined to look at taking all of fedora's patches. The
> > configure patch is just one line to change, but in all there are 25
> > of them totalling 94KB. I'll list the details from fedora's
> > specfile -
> >
> > # Not sent to upstream.
> > Patch1: unzip-6.0-bzip2-configure.patch
> > # Upstream plans to do this in zip (hopefully also in unzip).
> > Patch2: unzip-6.0-exec-shield.patch
> > # Upstream plans to do similar thing.
> > Patch3: unzip-6.0-close.patch
> > # Details in rhbz#532380.
> > # Reported to upstream: http://www.info-zip.org/board/board.pl?m-1259575993/
> > Patch4: unzip-6.0-attribs-overflow.patch
> > # Not sent to upstream, as it's Fedora/RHEL specific.
> > # Modify the configure script to accept var LFLAGS2 so linking can be
> > configurable
> > # from the spec file. In addition '-s' is still removed as before
> > Patch5: unzip-6.0-configure.patch
> > Patch6: unzip-6.0-manpage-fix.patch
> > # Update match.c with recmatch() from zip 3.0's util.c
> > # This also resolves the license issue in that old function.
> > # Original came from here:
> > https://projects.parabolagnulinux.org/abslibre.git/plain/libre/unzip-libre/match.patch
> > Patch7: unzip-6.0-fix-recmatch.patch
> > # Update process.c
> > Patch8: unzip-6.0-symlink.patch
> > # change using of macro "case_map" by "to_up"
> > Patch9: unzip-6.0-caseinsensitive.patch
> > # downstream fix for "-Werror=format-security"
> > # upstream doesn't want hear about this option again
> > Patch10: unzip-6.0-format-secure.patch
> >
> > Patch11: unzip-6.0-valgrind.patch
> > Patch12: unzip-6.0-x-option.patch
> > Patch13: unzip-6.0-overflow.patch
> > Patch14: unzip-6.0-cve-2014-8139.patch
> > Patch15: unzip-6.0-cve-2014-8140.patch
> > Patch16: unzip-6.0-cve-2014-8141.patch
> > Patch17: unzip-6.0-overflow-long-fsize.patch
> >
> > # Fix heap overflow and infinite loop when invalid input is given (#1260947)
> > Patch18: unzip-6.0-heap-overflow-infloop.patch
> >
> > # support non-{latin,unicode} encoding
> > Patch19: unzip-6.0-alt-iconv-utf8.patch
> > Patch20: unzip-6.0-alt-iconv-utf8-print.patch
> > Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch
> >
> > # restore unix timestamp accurately
> > Patch22: unzip-6.0-timestamp.patch
> >
> > # fix possible heap based stack overflow in passwd protected files
> > Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
> >
> > Patch24: unzip-6.0-cve-2018-18384.patch
> >
> > # covscan issues
> > Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch
> >
>
> Wow. That's a lot of things for a package we rarely use. I'd say that if
> you can use Fedora's patches and then the archive-zip test passes, then
> that's good enough for us.
>
> -- Bruce
>
I'm currently looking through the patches one by one; so far a couple
seem to be unnecessary (typo in manpage, fix to allow symlinks in
process.c). Some of these are definitely from upstream.

Assuming that it all works, I'm not sure what to do about the locale
issues - we Note that none of the editors can test this. I'm thinking
perhaps in UnZip Locale Issues, immediately after the Note, add "These
issues are thought to be fixed in the patch. Since none of the BLFS
editors have data to test this, the following workarounds are mentioned
in case they might still be needed."

So much for a quick system build before looking at what you and Pierre
have been doing over the weekend.

ĸen
--
Whilst all mushrooms are edible, the trick is to eat only those which
will prove to be edible more than once. The Celebrated Discworld
Almanak recommends you play safe and eat beans on toast.
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
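Ken's first deficiency asks for an example zip with non-ASCII member names, and the third concerns members compressed with bzip2 (compression method 12). The script below is an added example for this archive page, not code from the thread, from BLFS or from Info-ZIP: it builds such a test archive with Python's standard zipfile module (which stores a name as UTF-8 and sets general-purpose flag bit 11 only when the name is not pure ASCII), then walks the central directory field by field so the expected properties can be confirmed without trusting the tool under test. The member names and contents are constructed sample data, the output filename unzip-test.zip is an arbitrary choice, and the optional `unzip -t` step simply runs whichever unzip is on PATH; an unzip built without bzip2 support should refuse method 12 there, and one without the UTF-8 handling will mangle the second name.

```python
"""Generate a zip archive that exercises two of the unzip deficiencies
discussed in the thread (non-ASCII member names and bzip2-compressed
members) and read back its central directory by hand.  All member names
and payloads below are constructed for this example."""
import io
import shutil
import struct
import subprocess
import sys
import zipfile

UTF8_NAME_FLAG = 0x0800   # general-purpose bit 11: member name is UTF-8
CEN_SIG = 0x02014B50      # central directory file header signature
EOCD_SIG = 0x06054B50     # end of central directory record signature
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2"}

# (member name, payload, compression method) -- constructed test data
SAMPLE_MEMBERS = [
    ("ascii-deflate.txt", b"plain ASCII name, deflate compressed\n" * 20, zipfile.ZIP_DEFLATED),
    ("Übersicht-größe.txt", b"non-ASCII name, stored uncompressed\n" * 20, zipfile.ZIP_STORED),
    ("bzip2-member.txt", b"member compressed with bzip2\n" * 20, zipfile.ZIP_BZIP2),
]


def build_test_zip() -> bytes:
    """Return a zip archive containing SAMPLE_MEMBERS.

    zipfile encodes a name as UTF-8 and sets bit 11 only when the name is
    not pure ASCII, so the three members cover ASCII/deflate, UTF-8/stored
    and ASCII/bzip2 (method 12, which needs a bzip2-enabled unzip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, method in SAMPLE_MEMBERS:
            zf.writestr(name, payload, compress_type=method)
    return buf.getvalue()


def parse_central_directory(data: bytes) -> list:
    """Walk the central directory and return one dict per member.

    Names are decoded the way an unzip that honours bit 11 would: UTF-8
    when the flag is set, otherwise the legacy IBM codepage 437."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_this_disk, n_total,
     _cd_size, cd_offset, _comment_len) = struct.unpack_from("<IHHHHIIH", data, eocd)
    members, off = [], cd_offset
    for _ in range(n_total):
        (sig, _made_by, _needed, flags, method, _mtime, _mdate, _crc,
         csize, usize, name_len, extra_len, comment_len,
         _disk_start, _int_attr, _ext_attr, _local_off) = struct.unpack_from(
            "<IHHHHHHIIIHHHHHII", data, off)
        if sig != CEN_SIG:
            raise ValueError("bad central directory signature at offset %d" % off)
        raw_name = data[off + 46: off + 46 + name_len]   # 46 = fixed header size
        utf8 = bool(flags & UTF8_NAME_FLAG)
        members.append({
            "name": raw_name.decode("utf-8" if utf8 else "cp437"),
            "utf8_name": utf8,
            "method": method,
            "method_name": METHOD_NAMES.get(method, "unknown(%d)" % method),
            "compressed": csize,
            "uncompressed": usize,
        })
        off += 46 + name_len + extra_len + comment_len
    return members


def main(path="unzip-test.zip"):
    data = build_test_zip()
    with open(path, "wb") as fh:
        fh.write(data)
    for m in parse_central_directory(data):
        print("%-25s method=%-8s utf8-name=%s" % (m["name"], m["method_name"], m["utf8_name"]))
    # Optional: test-extract with the system unzip, if one is installed.
    # A build without bzip2 support rejects method 12; a build without the
    # UTF-8 handling prints a mangled second name.  Only the exit status
    # is reported here.
    if shutil.which("unzip"):
        rc = subprocess.call(["unzip", "-t", path])
        print("unzip -t exit status:", rc)


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it as `python3 make-unzip-test.py` and then point the freshly built unzip at unzip-test.zip: `unzip -l` shows the names and methods, `unzip -t` exercises the decompressors, and the listing of the second member tells you whether the UTF-8 name survived or whether the convmv workaround is still needed.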
