Package unzip: Specfile

Name: unzip
Version: 6.0
Release: alt4

Packager: Victor Forsyuk <>

Summary: An utility for unpacking zip archives
License: Info-ZIP
Group: Archiving/Compression

%define src_ver	%(echo %version|sed "s/\\.//"g)
Patch0: unzip-6.0-alt-natspec.patch

# Not sent to upstream.
Patch1: unzip-6.0-bzip2-configure.patch
# Upstream plans to do this in zip (hopefully also in unzip).
Patch2: unzip-6.0-exec-shield.patch
# Upstream plans to do similar thing.
Patch3: unzip-6.0-close.patch
# Details in rhbz#532380.
# Reported to upstream:
Patch4: unzip-6.0-attribs-overflow.patch
# Not sent to upstream, as it's Fedora/RHEL specific.
# Modify the configure script to accept var LFLAGS2 so linking can be configurable
# from the spec file. In addition '-s' is still removed as before
Patch5: unzip-6.0-configure.patch
Patch6: unzip-6.0-manpage-fix.patch
# Update match.c with recmatch() from zip 3.0's util.c
# This also resolves the license issue in that old function.
# Original came from here:
Patch7: unzip-6.0-fix-recmatch.patch
# Update process.c
Patch8: unzip-6.0-symlink.patch
# change using of macro "case_map" by "to_up"
Patch9: unzip-6.0-caseinsensitive.patch
# downstream fix for "-Werror=format-security"
# upstream doesn't want hear about this option again
Patch10: unzip-6.0-format-secure.patch

Patch11: unzip-6.0-valgrind.patch
Patch12: unzip-6.0-x-option.patch
Patch13: unzip-6.0-overflow.patch
Patch14: unzip-6.0-cve-2014-8139.patch
Patch15: unzip-6.0-cve-2014-8140.patch
Patch16: unzip-6.0-cve-2014-8141.patch
Patch17: unzip-6.0-overflow-long-fsize.patch

# Fix heap overflow and infinite loop when invalid input is given (#1260947)
Patch18: unzip-6.0-heap-overflow-infloop.patch

# support non-{latin,unicode} encoding
#Patch19: unzip-6.0-alt-iconv-utf8.patch
#Patch20: unzip-6.0-alt-iconv-utf8-print.patch
Patch21: 0001-Fix-CVE-2016-9844-rhbz-1404283.patch

# restore unix timestamp accurately
Patch22: unzip-6.0-timestamp.patch

# fix possible heap based stack overflow in passwd protected files
Patch23: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch

Patch24: unzip-6.0-cve-2018-18384.patch

# covscan issues
Patch25: unzip-6.0-COVSCAN-fix-unterminated-string.patch

Patch26: unzip-zipbomb-part1.patch
Patch27: unzip-zipbomb-part2.patch
Patch28: unzip-zipbomb-part3.patch
Patch29: unzip-zipbomb-manpage.patch

Patch30: CVE-2015-7697-part_from_opensuse.patch

# Automatically added by buildreq on Mon Aug 10 2009
BuildRequires: libnatspec-devel
BuildRequires: bzip2-devel

The unzip utility is used to list, test, or extract files from a zip archive.
Zip archives are commonly found on MS-DOS systems. The zip utility, included in
the zip package, creates zip archives. Zip and unzip are both compatible with
archives created by PKWARE(R)'s PKZIP for MS-DOS, but the programs' options and
default behaviors do differ in some respects.

%setup -n unzip%src_ver
%patch0 -p1

%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
#conflicts with natspec
#patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
#conflicts with natspec
#patch19 -p1
#patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
#conflicts with natspec
#patch25 -p1

#CVE-2019-13232 possible zipbomb in unzip
#not works on 32-bit platforms
#patch26 -p1
#patch27 -p1
#patch28 -p1
#patch29 -p1

%patch30 -p1

ln -s unix/Makefile .

%__subst 's/1L/1/g' man/*.1

# Let configure emit link flag required for our build instead of useless strip option:
%__subst 's/"-s"/"-lnatspec"/' unix/configure
# Tweak to build with our optimizations and defines:
# IZ_HAVE_UXUIDGID is needed for right functionality of unzip -X
# NOMEMCPY solve problem with memory overlapping - decomression is slowly,
# but successfull.
%define _optlevel 3
# -DNO_WORKING_ISPRINT fixes ALT bug #21137.

# We will use `generic' make target instead of ready made `linux' or `linux_noasm`
# This target allows us to use flags and defines produced by unzip's configure
# script at build time instead of hardcoded for linux target.
%make flags
%make_build -e generic
%make test

mkdir -p %buildroot{%_bindir,%_man1dir}
install -p -m755 %name f%name %{name}sfx unix/zipgrep %buildroot%_bindir
install -p -m644 man/*.1 %buildroot%_man1dir/
ln -s unzip %buildroot%_bindir/zipinfo


* Fri Nov 13 2020 Evgeny Sinelnikov <> 6.0-alt4
- Build with bzip2 compression method support
- Massive apply security patches from Fedora and openSUSE
- Fixes:
  + CVE-2014-8139 CRC32 verification heap-based buffer overread
  + CVE-2014-8140 out-of-bounds write issue in test_compr_eb()
  + CVE-2014-8141 getZip64Data() out-of-bounds read issues
  + CVE-2014-9913 buffer overflow in zipinfo
  + CVE-2014-9636 out-of-bounds read or write and crash
  + CVE-2015-7696 fix for heap overflow
  + CVE-2015-7697 fix infinite loop when extracting empty bzip2 data
  + CVE-2016-9844 buffer overflow in zipinfo in similar way like fix for CVE-2014-9913
  + CVE-2018-1000035 heap based buffer overflow when opening password protected files
  + CVE-2018-18384 buffer overflow, when a ZIP archive specially crafted

* Wed Jan 15 2020 Nikita Ermakov <> 6.0-alt3
- Update license to meet the SPDX.

* Mon Apr 15 2013 Dmitry V. Levin (QA) <> 6.0-alt2.qa1
- NMU: rebuilt for debuginfo.

* Mon Sep 21 2009 Victor Forsyuk <> 6.0-alt2
- Fix ALT #21137.

* Mon Aug 10 2009 Victor Forsyuk <> 6.0-alt1
- 6.0
- Man pages in section 1, not 1L. Fixed.
- Correct branding: "by ALT Linux Team.  Original by Info-ZIP.".
- Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format.

* Tue Mar 18 2008 Eugene Ostapets <> 5.52-alt5
- fix CVE-2008-0888

* Wed Aug 01 2007 Eugene Ostapets <> 5.52-alt4
- workaround for stupid incoming, nothing else.

* Mon Jul 30 2007 Eugene Ostapets <> 5.52-alt3
- use libnatspec instead iconv + some guesses (fix bug #12313) tnx lav@
- small cleanup spec: use SMP build, use man1dir only

* Tue Apr 10 2007 Eugene Ostapets <> 5.52-alt2
- fix CAN-2005-2475
- fix CVE-2005-4667

* Tue May 17 2005 Alexey Voinov <> 5.52-alt1
- new version (5.52)
- iconv patch updated
- ddottrav patch disabled

* Tue Dec 14 2004 Alexey Voinov <> 5.50-alt4
- added iconv patch (by Dmitry Vukolov <>)
  [fixes #4871]

* Wed Jul 02 2003 Alexey Voinov <> 5.50-alt3
- Fixed '../' directory traversal for filenames which include
  quote and/or control characters.
- Spec cleanup.

* Mon Sep 30 2002 Dmitry V. Levin <> 5.50-alt2
- Fixed summaries, description and url.
- Fixed build to:
  + honor $RPM_OPT_FLAGS properly, define _GNU_SOURCE;
  + avoid implicit strip during buiuld.
- Enabled "unshrinking" algorithm (i.e. LZW decompression).
- Build without assembly, it doesn't seem to increase performance.

* Fri Mar 22 2002 Rider <> 5.50-alt1
- 5.50

* Tue Oct 09 2001 Rider <> 5.42-alt1
- 5.42

* Thu Dec 14 2000 Dmitry V. Levin <> 5.41-ipl3mdk
- RE adaptions.
- FHSification.

* Thu Apr 20 2000 Dmitry V. Levin <>
- Fandra adaptions.

* Sun Nov 28 1999 Pixel <>
- non-intel adaptation (thanks to Stefan van der Eijk)
- cleanup (was it really mandrake adapted?!)

* Wed Nov 10 1999 Chmouel Boudjnah <>
- build release.

* Mon Aug 23 1999 Thierry Vignaud <>
- 5.40
- ix86 optimizations and various spec cleanings

* Wed May 05 1999 Bernhard Rosenkraenzer <>
- Mandrake adaptions
- handle RPM_OPT_FLAGS

* Sun Mar 21 1999 Cristian Gafton <>
- auto rebuild in the new build environment (release 5)

* Thu Dec 17 1998 Michael Maher <>
- built for 6.0

* Tue Aug 11 1998 Jeff Johnson <>
- build root

* Mon Apr 27 1998 Prospector System <>
- translations modified for de, fr, tr

* Tue Oct 21 1997 Erik Troan <>
- builds on non i386 platforms

* Mon Oct 20 1997 Otto Hammersmith <>
- updated the version

* Thu Jul 10 1997 Erik Troan <>
- built against glibc