new file mode 100644

@@ -0,0 +1,32 @@

+Fix from http://antinode.info/ftp/info-zip/unzip60/zipinfo.c

+diff --git a/zipinfo.c b/zipinfo.c

+index a92bca9..8f8e729 100644

+--- a/zipinfo.c

+@@ -1,5 +1,5 @@

+ /*

+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.

++  Copyright (c) 1990-2016 Info-ZIP.  All rights reserved.

+ 

+   See the accompanying file LICENSE, version 2009-Jan-02 or later

+   (the contents of which are also included in unzip.h) for terms of use.

+@@ -1921,7 +1921,18 @@ static int zi_short(__G)   /* return PK-type error code */

+         ush  dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);

+         methbuf[3] = dtype[dnum];

+     } else if (methnum >= NUM_METHODS) {   /* unknown */

+-        sprintf(&methbuf[1], "%03u", G.crec.compression_method);

++        /* 2016-12-05 SMS.

++         * https://launchpad.net/bugs/1643750  CVE-2016-9844.

++         * Unexpectedly large compression methods overflow

++         * &methbuf[].  Use the old, three-digit decimal format

++         * for values which fit.  Otherwise, sacrifice the "u",

++         * and use four-digit hexadecimal.

++         */

++        if (G.crec.compression_method <= 999) {

++            sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);

++        } else {

++            sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);

++        }

+     }

+ 

+     for (k = 0;  k < 15;  ++k)

new file mode 100644

@@ -0,0 +1,32 @@

+Fix from http://antinode.info/ftp/info-zip/unzip60/list.c

+diff --git a/list.c b/list.c

+index 15e0011..2328788 100644

+--- a/list.c

+@@ -1,5 +1,5 @@

+ /*

+-  Copyright (c) 1990-2009 Info-ZIP.  All rights reserved.

++  Copyright (c) 1990-2016 Info-ZIP.  All rights reserved.

+ 

+   See the accompanying file LICENSE, version 2009-Jan-02 or later

+   (the contents of which are also included in unzip.h) for terms of use.

+@@ -339,7 +339,18 @@ int list_files(__G)    /* return PK-type error code */

+                 G.crec.compression_method == ENHDEFLATED) {

+                 methbuf[5] = dtype[(G.crec.general_purpose_bit_flag>>1) & 3];

+             } else if (methnum >= NUM_METHODS) {

+-                sprintf(&methbuf[4], "%03u", G.crec.compression_method);

++                /* 2013-02-26 SMS.

++                 * http://sourceforge.net/p/infozip/bugs/27/  CVE-2014-9913.

++                 * Unexpectedly large compression methods overflow

++                 * &methbuf[].  Use the old, three-digit decimal format

++                 * for values which fit.  Otherwise, sacrifice the

++                 * colon, and use four-digit hexadecimal.

++                 */

++                if (G.crec.compression_method <= 999) {

++                    sprintf( &methbuf[ 4], "%03u", G.crec.compression_method);

++                } else {

++                    sprintf( &methbuf[ 3], "%04X", G.crec.compression_method);

++                }

+             }

+ 

+ #if 0       /* GRR/Euro:  add this? */

@@ -1,21 +1,23 @@

 # FIXME: noarch or generate debuginfo

 %define debug_package %{nil}

-Summary:	Unzip-6.0

-Name:		unzip

-Version:	6.0

-Release:	7%{?dist}

-License:	BSD

-URL:		http://www.gnu.org/software/%{name}

-Source0:	http://downloads.sourceforge.net/infozip/unzip60.tar.gz

-%define sha1 unzip=abf7de8a4018a983590ed6f5cbd990d4740f8a22

-Group:		System Environment/Utilities

-Vendor:		VMware, Inc.

+Summary:        Unzip-6.0

+Name:           unzip

+Version:        6.0

+Release:        8%{?dist}

+License:        BSD

+URL:            http://www.gnu.org/software/%{name}

+Source0:        http://downloads.sourceforge.net/infozip/unzip60.tar.gz

+%define sha1    unzip=abf7de8a4018a983590ed6f5cbd990d4740f8a22

+Group:          System Environment/Utilities

+Vendor:         VMware, Inc.

 Distribution:   Photon

 Patch0:         cve-2014-9636.patch

 Patch1:         cve-2015-1315.patch

 Patch2:         CVE-2015-7696-CVE-2015-7697.patch

+Patch3:         unzip-CVE-2014-9844.patch

+Patch4:         unzip-CVE-2014-9913.patch

 %description

 The UnZip package contains ZIP extraction utilities. These are useful 

@@ -27,6 +29,8 @@ with PKZIP or Info-ZIP utilities, primarily in a DOS environment.

 %patch0 -p1

 %patch1 -p1

 %patch2 -p1

+%patch3 -p1

+%patch4 -p1

 %build

 case `uname -m` in

@@ -57,17 +61,19 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 %{_bindir}/*

 %changelog

-*       Wed Nov 30 2016 Dheeraj Shetty <dheerajs@vmware.com> 6.0-7

--       Added patch for CVE-2015-7696 and CVE-2015-7697

-*       Tue Sep 20 2016 Kumar Kaushik <kaushikk@vmware.com> 6.0-6

--       Added patch for CVE-2015-1315

-*	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 6.0-5

--	GA - Bump release of all rpms

-*	Tue May 10 2016 Nick Shi <nshi@vmware.com> 6.0-4

--	Added unzipsfx, zipgrep and zipinfo to unzip rpm

-*	Sat Aug 15 2015 Sharath George <sharathg@vmware.com> 6.0-3

--	Added patch for CVE-2014-9636

-*	Wed May 20 2015 Touseef Liaqat <tliaqat@vmware.com> 6.0-2

--	Updated group.

-*	Mon Nov 24 2014 Divya Thaluru <dthaluru@vmware.com> 6.0-1

--	Initial build. First version

+*   Fri Oct 20 2017 Xiaolin Li <xiaolinl@vmware.com> 6.0-8

+-   Fix CVE-2014-9844, CVE-2014-9913

+*   Wed Nov 30 2016 Dheeraj Shetty <dheerajs@vmware.com> 6.0-7

+-   Added patch for CVE-2015-7696 and CVE-2015-7697

+*   Tue Sep 20 2016 Kumar Kaushik <kaushikk@vmware.com> 6.0-6

+-   Added patch for CVE-2015-1315

+*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 6.0-5

+-   GA - Bump release of all rpms

+*   Tue May 10 2016 Nick Shi <nshi@vmware.com> 6.0-4

+-   Added unzipsfx, zipgrep and zipinfo to unzip rpm

+*   Sat Aug 15 2015 Sharath George <sharathg@vmware.com> 6.0-3

+-   Added patch for CVE-2014-9636

+*   Wed May 20 2015 Touseef Liaqat <tliaqat@vmware.com> 6.0-2

+-   Updated group.

+*   Mon Nov 24 2014 Divya Thaluru <dthaluru@vmware.com> 6.0-1

+-   Initial build. First version