@@ -4,7 +4,7 @@

 Summary:        Unzip-6.0

 Name:           unzip

 Version:        6.0

-Release:        9%{?dist}

+Release:        10%{?dist}

 License:        BSD

 URL:            http://www.gnu.org/software/%{name}

 Source0:        http://downloads.sourceforge.net/infozip/unzip60.tar.gz

@@ -19,10 +19,11 @@ Patch2:         CVE-2015-7696-CVE-2015-7697.patch

 Patch3:         unzip-CVE-2014-9844.patch

 Patch4:         unzip-CVE-2014-9913.patch

 Patch5:         unzip-CVE-2018-1000035.patch

+Patch6:         unzip_cfactor_overflow.patch

 %description

-The UnZip package contains ZIP extraction utilities. These are useful 

-for extracting files from ZIP archives. ZIP archives are created 

+The UnZip package contains ZIP extraction utilities. These are useful

+for extracting files from ZIP archives. ZIP archives are created

 with PKZIP or Info-ZIP utilities, primarily in a DOS environment.

 %prep

@@ -33,6 +34,7 @@ with PKZIP or Info-ZIP utilities, primarily in a DOS environment.

 %patch3 -p1

 %patch4 -p1

 %patch5 -p1

+%patch6 -p1

 %build

 case `uname -m` in

@@ -63,6 +65,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 %{_bindir}/*

 %changelog

+*   Thu Jan 24 2019 Ankit Jain <ankitja@vmware.com> 6.0-10

+-   Fix for CVE-2018-18384

 *   Tue May 29 2018 Xiaolin Li <xiaolinl@vmware.com> 6.0-9

 -   Fix CVE-2018-1000035

 *   Fri Oct 20 2017 Xiaolin Li <xiaolinl@vmware.com> 6.0-8

new file mode 100644

@@ -0,0 +1,45 @@

+There was a buffer overflow detected in list.c file where cfactorstr[] had an insufficient size (10). It was fixed in unzip beta versions and expanded to size 12 but I think it's still insufficient. The right size should be 13 (sgn (1), int (10), % (1), nul (1)).

+

+Also, replacing sprintf() by snprintf() might make the code more robust.

+Kudos to Josef Möllers (josef.moellers@suse.com).

+

+Refs: https://sourceforge.net/p/infozip/bugs/53/

+      CVE-2018-18384

+

+diff --git a/list.c b/list.c

+index 15e0011..a770ae7 100644

+--- a/list.c

+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type error code */

+ {

+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;

+ #ifndef WINDLL

+-    char sgn, cfactorstr[10];

++    char sgn, cfactorstr[1+10+1+1];	/* <sgn><int>%NUL */

+     int longhdr=(uO.vflag>1);

+ #endif

+     int date_format;

+@@ -378,9 +378,9 @@ int list_files(__G)    /* return PK-type error code */

+             }

+ #else /* !WINDLL */

+             if (cfactor == 100)

+-                sprintf(cfactorstr, LoadFarString(CompFactor100));

++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));

+             else

+-                sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);

++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);

+             if (longhdr)

+                 Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),

+                   FmZofft(G.crec.ucsize, "8", "u"), methbuf,

+@@ -460,9 +460,9 @@ int list_files(__G)    /* return PK-type error code */

+ 

+ #else /* !WINDLL */

+         if (cfactor == 100)

+-            sprintf(cfactorstr, LoadFarString(CompFactor100));

++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));

+         else

+-            sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);

++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);

+         if (longhdr) {

+             Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),

+               FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),