From 20ebb5124fe2b73104a192428b16261504a06051 Mon Sep 17 00:00:00 2001 From: tigro Date: Fri, 1 Mar 2024 16:43:04 +0300 Subject: [PATCH] import arj-3.10.22-35.el9 --- .arj.metadata | 1 + .gitignore | 1 + SOURCES/arj-3.10.22-64_bit_clean.patch | 200 ++++++++++++ SOURCES/arj-3.10.22-arches_align.patch | 38 +++ SOURCES/arj-3.10.22-custom-printf.patch | 15 + .../arj-3.10.22-doc_refer_robert_k_jung.patch | 18 ++ SOURCES/arj-3.10.22-missing-protos.patch | 34 ++ .../arj-3.10.22-no_remove_static_const.patch | 20 ++ SOURCES/arj-3.10.22-parallel_build.patch | 180 +++++++++++ SOURCES/arj-3.10.22-quotes.patch | 22 ++ SOURCES/arj-3.10.22-security-afl.patch | 35 ++ .../arj-3.10.22-security-traversal-dir.patch | 33 ++ ...j-3.10.22-security-traversal-symlink.patch | 85 +++++ SOURCES/arj-3.10.22-security_format.patch | 305 ++++++++++++++++++ SOURCES/arj-3.10.22-use_safe_strcpy.patch | 97 ++++++ SOURCES/unarj.1 | 36 +++ SOURCES/unarj.sh | 10 + SPECS/arj.spec | 198 ++++++++++++ 18 files changed, 1328 insertions(+) create mode 100644 .arj.metadata create mode 100644 .gitignore create mode 100644 SOURCES/arj-3.10.22-64_bit_clean.patch create mode 100644 SOURCES/arj-3.10.22-arches_align.patch create mode 100644 SOURCES/arj-3.10.22-custom-printf.patch create mode 100644 SOURCES/arj-3.10.22-doc_refer_robert_k_jung.patch create mode 100644 SOURCES/arj-3.10.22-missing-protos.patch create mode 100644 SOURCES/arj-3.10.22-no_remove_static_const.patch create mode 100644 SOURCES/arj-3.10.22-parallel_build.patch create mode 100644 SOURCES/arj-3.10.22-quotes.patch create mode 100644 SOURCES/arj-3.10.22-security-afl.patch create mode 100644 SOURCES/arj-3.10.22-security-traversal-dir.patch create mode 100644 SOURCES/arj-3.10.22-security-traversal-symlink.patch create mode 100644 SOURCES/arj-3.10.22-security_format.patch create mode 100644 SOURCES/arj-3.10.22-use_safe_strcpy.patch create mode 100644 SOURCES/unarj.1 create mode 100644 SOURCES/unarj.sh create mode 100644 SPECS/arj.spec diff --git a/.arj.metadata b/.arj.metadata new file mode 100644 index 0000000..415810e --- /dev/null +++ b/.arj.metadata @@ -0,0 +1 @@ +e8470f480e9eee14906e5485a8898e5c24738c8b SOURCES/arj-3.10.22.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4b026f7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/arj-3.10.22.tar.gz diff --git a/SOURCES/arj-3.10.22-64_bit_clean.patch b/SOURCES/arj-3.10.22-64_bit_clean.patch new file mode 100644 index 0000000..868fc13 --- /dev/null +++ b/SOURCES/arj-3.10.22-64_bit_clean.patch @@ -0,0 +1,200 @@ +Patch by Guillem Jover for arj <= 3.10.22 which +makes the code 64 bit clean. For further information, please see also +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339815 + +Index: b/arj_arcv.c +=================================================================== +--- a/arj_arcv.c 2005-06-21 22:53:12.000000000 +0300 ++++ b/arj_arcv.c 2008-06-16 08:25:43.000000000 +0300 +@@ -59,27 +59,27 @@ static char idxid_fault[]="?"; + #define setup_hput(ptr) (tmp_hptr=(ptr)) + + #define hget_byte() (*(tmp_hptr++)&0xFF) +-#define hput_byte(c) (*(tmp_hptr++)=(char) (c)) ++#define hput_byte(c) (*(tmp_hptr++)=(uint8_t) (c)) + + /* Reads two bytes from the header, incrementing the pointer */ + +-static unsigned int hget_word() ++static uint16_t hget_word() + { +- unsigned int result; ++ uint16_t result; + + result=mget_word(tmp_hptr); +- tmp_hptr+=sizeof(short); ++ tmp_hptr+=sizeof(uint16_t); + return result; + } + + /* Reads four bytes from the header, incrementing the pointer */ + +-static unsigned long hget_longword() ++static uint32_t hget_longword() + { +- unsigned long result; ++ uint32_t result; + + result=mget_dword(tmp_hptr); +- tmp_hptr+=sizeof(unsigned long); ++ tmp_hptr+=sizeof(uint32_t); + return result; + } + +@@ -87,18 +87,18 @@ static unsigned long hget_longword() + + /* Writes two bytes to the header, incrementing the pointer */ + +-static void hput_word(unsigned int w) ++static void hput_word(uint16_t w) + { + mput_word(w,tmp_hptr); +- tmp_hptr+=sizeof(unsigned short); ++ tmp_hptr+=sizeof(uint16_t); + } + + /* Writes four bytes to the header, incrementing the pointer */ + +-static void hput_longword(unsigned long l) ++static void hput_longword(uint32_t l) + { + mput_dword(l,tmp_hptr); +- tmp_hptr+=sizeof(unsigned long); ++ tmp_hptr+=sizeof(uint32_t); + } + + /* Calculates and stores the basic header size */ +Index: b/arj_proc.c +=================================================================== +--- a/arj_proc.c 2008-06-16 08:25:28.000000000 +0300 ++++ b/arj_proc.c 2008-06-16 08:25:43.000000000 +0300 +@@ -585,7 +585,7 @@ int search_for_extension(char *name, cha + /* Returns the exact amount of data that could be safely written to the + destination volume */ + +-unsigned long get_volfree(unsigned int increment) ++unsigned long get_volfree(unsigned long increment) + { + unsigned long pvol; + unsigned int arjsec_overhead; +@@ -605,7 +605,7 @@ unsigned long get_volfree(unsigned int i + remain=volume_limit-ftell(aostream)-pvol-(long)arjsec_overhead- + (long)out_bytes-(long)cpos-(long)ext_voldata- + MULTIVOLUME_RESERVE-t_volume_offset; +- return((unsigned long)min(remain, (unsigned long)increment)); ++ return((unsigned long)min(remain, increment)); + } + + /* Performs various checks when multivolume data is packed to predict an +@@ -2466,14 +2466,14 @@ static int get_str_from_jq() + *tsptr='\0'; + endptr=tsptr; + tsptr=sptr; +- while((unsigned int)tsptr<(unsigned int)endptr&&patterns>8 , p+1); +@@ -2931,7 +2931,7 @@ void mput_word(unsigned int w, char FAR + + /* Model-independent routine to store 4 bytes in far RAM */ + +-void mput_dword(unsigned long d, char FAR *p) ++void mput_dword(uint32_t d, char FAR *p) + { + mput_word(d&0xFFFF, p); + mput_word(d>>16 , p+2); +Index: b/arj_proc.h +=================================================================== +--- a/arj_proc.h 2008-06-16 08:25:28.000000000 +0300 ++++ b/arj_proc.h 2008-06-16 08:25:43.000000000 +0300 +@@ -8,15 +8,17 @@ + #ifndef ARJ_PROC_INCLUDED + #define ARJ_PROC_INCLUDED + ++#include ++ + /* Helper macros */ + +-#define mget_byte(p) (*(unsigned char FAR *)(p)&0xFF) +-#define mput_byte(c, p) *(unsigned char FAR *)(p)=(unsigned char)(c) ++#define mget_byte(p) (*(uint8_t FAR *)(p)&0xFF) ++#define mput_byte(c, p) *(uint8_t FAR *)(p)=(uint8_t)(c) + #if !defined(ALIGN_POINTERS) && !defined(WORDS_BIGENDIAN) +-#define mget_word(p) (*(unsigned short *)(p)&0xFFFF) +-#define mput_word(w,p) (*(unsigned short *)(p)=(unsigned short)(w)) +-#define mget_dword(p) (*(unsigned long *)(p)) +-#define mput_dword(w,p) (*(unsigned long *)(p)=(unsigned long)(w)) ++#define mget_word(p) (*(uint16_t *)(p)&0xFFFF) ++#define mput_word(w,p) (*(uint16_t *)(p)=(uint16_t)(w)) ++#define mget_dword(p) (*(uint32_t *)(p)) ++#define mput_dword(w,p) (*(uint32_t *)(p)=(uint32_t)(w)) + #endif + + /* Prototypes */ +@@ -31,7 +33,7 @@ void copy_bytes(unsigned long nbytes); + int translate_path(char *name); + void restart_proc(char *dest); + int search_for_extension(char *name, char *ext_list); +-unsigned long get_volfree(unsigned int increment); ++unsigned long get_volfree(unsigned long increment); + unsigned int check_multivolume(unsigned int increment); + void store(); + void hollow_encode(); +@@ -61,10 +63,10 @@ void unpack_mem(struct mempack *mempack) + void strip_lf(char *str); + char *ltrim(char *str); + #if defined(ALIGN_POINTERS) || defined(WORDS_BIGENDIAN) +-unsigned int mget_word(char FAR *p); +-unsigned long mget_dword(char FAR *p); +-void mput_word(unsigned int w, char FAR *p); +-void mput_dword(unsigned long d, char FAR *p); ++uint16_t mget_word(char FAR *p); ++uint32_t mget_dword(char FAR *p); ++void mput_word(uint16_t w, char FAR *p); ++void mput_dword(uint32_t d, char FAR *p); + #endif + + #endif diff --git a/SOURCES/arj-3.10.22-arches_align.patch b/SOURCES/arj-3.10.22-arches_align.patch new file mode 100644 index 0000000..8411a84 --- /dev/null +++ b/SOURCES/arj-3.10.22-arches_align.patch @@ -0,0 +1,38 @@ +Patch by Guillem Jover for arj <= 3.10.22, which +fixes unaligned memory accesses. + +Index: b/arj_proc.c +=================================================================== +--- a/arj_proc.c 2005-06-21 22:53:12.000000000 +0300 ++++ b/arj_proc.c 2008-06-16 08:25:28.000000000 +0300 +@@ -2898,7 +2898,7 @@ char *ltrim(char *str) + } + #endif + +-#if defined(WORDS_BIGENDIAN)&&!defined(ARJDISP)&&!defined(REGISTER) ++#if (defined(WORDS_BIGENDIAN) || defined(ALIGN_POINTERS)) && !defined(ARJDISP) && !defined(REGISTER) + /* Model-independent routine to get 2 bytes from far RAM */ + + unsigned int mget_word(char FAR *p) +Index: b/arj_proc.h +=================================================================== +--- a/arj_proc.h 2004-01-25 12:39:30.000000000 +0200 ++++ b/arj_proc.h 2008-06-16 08:25:28.000000000 +0300 +@@ -12,7 +12,7 @@ + + #define mget_byte(p) (*(unsigned char FAR *)(p)&0xFF) + #define mput_byte(c, p) *(unsigned char FAR *)(p)=(unsigned char)(c) +-#ifndef WORDS_BIGENDIAN ++#if !defined(ALIGN_POINTERS) && !defined(WORDS_BIGENDIAN) + #define mget_word(p) (*(unsigned short *)(p)&0xFFFF) + #define mput_word(w,p) (*(unsigned short *)(p)=(unsigned short)(w)) + #define mget_dword(p) (*(unsigned long *)(p)) +@@ -60,7 +60,7 @@ void pack_mem(struct mempack *mempack); + void unpack_mem(struct mempack *mempack); + void strip_lf(char *str); + char *ltrim(char *str); +-#ifdef WORDS_BIGENDIAN ++#if defined(ALIGN_POINTERS) || defined(WORDS_BIGENDIAN) + unsigned int mget_word(char FAR *p); + unsigned long mget_dword(char FAR *p); + void mput_word(unsigned int w, char FAR *p); diff --git a/SOURCES/arj-3.10.22-custom-printf.patch b/SOURCES/arj-3.10.22-custom-printf.patch new file mode 100644 index 0000000..b789dd5 --- /dev/null +++ b/SOURCES/arj-3.10.22-custom-printf.patch @@ -0,0 +1,15 @@ +Patch by Lubomir Rintel for arj >= 3.10.22, which disables +the custom printf to avoid conflicting strnlen definition with the glibc +headers. By using custom printf (as in the past), we're completely loosing +all the _FORTIFY_SOURCE printf protections. + +--- arj-3.10.22/fardata.c 2004-04-17 13:39:42.000000000 +0200 ++++ arj-3.10.22/fardata.c.printf 2009-04-18 16:23:52.000000000 +0200 +@@ -13,7 +13,6 @@ + /* ASR fix 02/05/2003: need that regardless of COLOR_OUTPUT to support -jp + correctly */ + #if SFX_LEVEL>=ARJ +- #define CUSTOM_PRINTF + #define CHUNK_SIZE 512 /* Size of the output block */ + #define CHUNK_THRESHOLD (CHUNK_SIZE-256) /* Safety bound */ + #endif diff --git a/SOURCES/arj-3.10.22-doc_refer_robert_k_jung.patch b/SOURCES/arj-3.10.22-doc_refer_robert_k_jung.patch new file mode 100644 index 0000000..612aecb --- /dev/null +++ b/SOURCES/arj-3.10.22-doc_refer_robert_k_jung.patch @@ -0,0 +1,18 @@ +Patch by Guillem Jover for arj <= 3.10.22, which +adds a note to original author Robert K. Jung in the manual page. See +also http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=456275 + +Index: b/resource/en/arj.1 +=================================================================== +--- a/resource/en/arj.1 2005-06-21 21:27:20.000000000 +0300 ++++ b/resource/en/arj.1 2008-06-16 08:25:47.000000000 +0300 +@@ -21,6 +21,9 @@ arj \- Archiver for .arj files + .IR archive [ .arj ] + .RI [ "base directory" ] + .RI [ "!list name" | "path name" | "wildcard name" ] ++.SH DESCRIPTION ++\fIarj\fP is a compression and file archiving utility. It was invented by ++Robert K. Jung. \fIARJ\fP stands for \fIA\fPrchived by \fIR\fPobert \fIJ\fPung. + .SH COMMANDS + .TP + .B ac diff --git a/SOURCES/arj-3.10.22-missing-protos.patch b/SOURCES/arj-3.10.22-missing-protos.patch new file mode 100644 index 0000000..90061e5 --- /dev/null +++ b/SOURCES/arj-3.10.22-missing-protos.patch @@ -0,0 +1,34 @@ +diff -up arj-3.10.22/environ.c~ arj-3.10.22/environ.c +--- arj-3.10.22/environ.c~ 2008-03-31 15:19:36.000000000 +0200 ++++ arj-3.10.22/environ.c 2008-03-31 15:19:36.000000000 +0200 +@@ -12,6 +12,8 @@ + #include + #include + #include ++#else ++#include + #endif + + #include +diff -up arj-3.10.22/arjsfx.c~ arj-3.10.22/arjsfx.c +--- arj-3.10.22/arjsfx.c~ 2008-03-31 15:17:45.000000000 +0200 ++++ arj-3.10.22/arjsfx.c 2008-03-31 15:17:45.000000000 +0200 +@@ -5,6 +5,7 @@ + * + */ + ++#define _GNU_SOURCE + #include + #include + +diff -up arj-3.10.22/arj.c~ arj-3.10.22/arj.c +--- arj-3.10.22/arj.c~ 2008-03-31 15:17:14.000000000 +0200 ++++ arj-3.10.22/arj.c 2008-03-31 15:17:14.000000000 +0200 +@@ -5,6 +5,7 @@ + * + */ + ++#define _GNU_SOURCE + #include + #include + diff --git a/SOURCES/arj-3.10.22-no_remove_static_const.patch b/SOURCES/arj-3.10.22-no_remove_static_const.patch new file mode 100644 index 0000000..a6763c0 --- /dev/null +++ b/SOURCES/arj-3.10.22-no_remove_static_const.patch @@ -0,0 +1,20 @@ +Patch by Guillem Jover for arj <= 3.10.22, to not +build integr.o with optimizations, otherwise GCC 4.0 removes the static +const variable. For further information, please see also Debian tracker +at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=318366 + +--- + integr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/integr.c ++++ b/integr.c +@@ -5,7 +5,7 @@ + * + */ + +-static const char intergrity_identifier[] = { ++static volatile const char intergrity_identifier[] = { + 0xB0, 0x03, 0xB0, 0x02, 0xB0, 0x03, + 0xB0, 0x04, 0xB0, 0x05, + 0x90, 0x90, 0x90, 0x90, diff --git a/SOURCES/arj-3.10.22-parallel_build.patch b/SOURCES/arj-3.10.22-parallel_build.patch new file mode 100644 index 0000000..d621694 --- /dev/null +++ b/SOURCES/arj-3.10.22-parallel_build.patch @@ -0,0 +1,180 @@ +Patch by Guillem Jover for arj <= 3.10.22, which +fixes upstream Makefile to support parallel builds. + +--- + gnu/makefile.in | 74 +++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 44 insertions(+), 30 deletions(-) + +--- a/gnu/makefile.in ++++ b/gnu/makefile.in +@@ -159,13 +159,15 @@ $(SFXSTUB_DIR)/%.o: $(SRC_DIR)/%.c + # Main dependency tree + # + +-.PHONY: timestamp prepare cleanup package help ++.PHONY: timestamp msg-headers depends prepare clean package help + + ifdef COMMERCIAL + MAKE_KEY=$(TOOLS_DIR)/make_key$x + endif + + all: prepare timestamp ++ $(MAKE) msg-headers ++ $(MAKE) depends + $(MAKE) do-all + + do-all: \ +@@ -175,8 +177,28 @@ do-all: \ + $(REGISTER_DIR)/$(REGISTER)$x \ + $(ARJDISP_DIR)/arjdisp$x \ + $(TOOLS_DIR)/packager$x \ +- $(MAKE_KEY) \ +- dispose ++ $(MAKE_KEY) ++ ++MSG_ID := \ ++ msg_crp msg_stb msg_sfv msg_sfx msg_sfj msg_arj msg_rej msg_reg msg_adi ++MSG_HEADERS := $(patsubst %,$(BASEDIR)/%.h,$(MSG_ID)) ++ ++msg-headers: $(MSG_HEADERS) ++ ++.deps: ++ mkdir -p $@ ++ ++.deps/%.d: %.c .deps ++ $(CC) $(CPPFLAGS) $(COPT) $< -MM > $@ ++ ++SOURCES = $(wildcard *.c) ++DEPS = $(addprefix .deps/,$(SOURCES:.c=.d)) ++ ++ifeq ($(sort $(DEPS)),$(sort $(wildcard .deps/*.d))) ++include $(DEPS) ++endif ++ ++depends: $(DEPS) + + # + # Update timestamp file +@@ -186,12 +208,6 @@ timestamp: $(TOOLS_DIR)/today$x + $(TOOLS_DIR)/today$x $(LOCALE) $(BASEDIR) + + # +-# Final cleanup +-# +- +-dispose: +- +-# + # The tools + # + +@@ -255,7 +271,7 @@ $(ARJCRYPT_DIR)/arjcrypt$d: $(ARJCRYPT_O + $(CC) $(ALL_CFLAGS) $(DLL_FLAGS) -o $@ $(ARJCRYPT_OBJS) $(ARJCRYPT_DEF) $(LIBS) + $(TOOLS_DIR)/postproc $@ + +-$(BASEDIR)/nmsg_crp.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/nmsg_crp.c $(BASEDIR)/msg_crp.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_crp $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -269,7 +285,7 @@ $(SFXSTUB_DIR)/sfxstub$x: $(SFXSTUB_OBJS + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(SFXSTUB_OBJS) $(LIBS) + $(TOOLS_DIR)/postproc$x $@ -sfx + +-$(BASEDIR)/nmsg_stb.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/nmsg_stb.c $(BASEDIR)/msg_stb.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_stb $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -287,7 +303,8 @@ $(ARJSFXV_DIR)/arjsfxv$x: $(ARJSFXV_OBJS + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(ARJSFXV_OBJS) $(LIBS) $(DYN_LIBS) + $(TOOLS_DIR)/postproc$x $@ -sfx + +-$(BASEDIR)/fmsg_sfv.c $(BASEDIR)/imsg_sfv.c $(BASEDIR)/nmsg_sfv.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_sfv.c $(BASEDIR)/imsg_sfv.c $(BASEDIR)/nmsg_sfv.c \ ++$(BASEDIR)/msg_sfv.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_sfv $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -304,7 +321,8 @@ $(ARJSFX_DIR)/arjsfx$x: $(ARJSFX_OBJS) $ + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(ARJSFX_OBJS) $(LIBS) + $(TOOLS_DIR)/postproc$x $@ -sfx + +-$(BASEDIR)/fmsg_sfx.c $(BASEDIR)/imsg_sfx.c $(BASEDIR)/nmsg_sfx.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_sfx.c $(BASEDIR)/imsg_sfx.c $(BASEDIR)/nmsg_sfx.c \ ++$(BASEDIR)/msg_sfx.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_sfx $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -319,7 +337,8 @@ $(ARJSFXJR_DIR)/arjsfxjr$x: $(ARJSFXJR_O + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(ARJSFXJR_OBJS) $(LIBS) + $(TOOLS_DIR)/postproc$x $@ -sfx + +-$(BASEDIR)/fmsg_sfj.c $(BASEDIR)/imsg_sfj.c $(BASEDIR)/nmsg_sfj.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_sfj.c $(BASEDIR)/imsg_sfj.c $(BASEDIR)/nmsg_sfj.c \ ++$(BASEDIR)/msg_sfj.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_sfj $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -354,7 +373,8 @@ $(ARJ_DIR)/arj$x: $(ARJ_OBJS) \ + $(TOOLS_DIR)/join $(ARJ_DIR)/arj$x $(BASEDIR)/help.arj + $(TOOLS_DIR)/postproc $@ + +-$(BASEDIR)/fmsg_arj.c $(BASEDIR)/imsg_arj.c $(BASEDIR)/nmsg_arj.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_arj.c $(BASEDIR)/imsg_arj.c $(BASEDIR)/nmsg_arj.c \ ++$(BASEDIR)/msg_arj.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_arj $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -372,7 +392,8 @@ $(REARJ_DIR)/rearj$x: $(REARJ_OBJS) \ + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(REARJ_OBJS) $(LIBS) + $(TOOLS_DIR)/postproc $@ + +-$(BASEDIR)/fmsg_rej.c $(BASEDIR)/imsg_rej.c $(BASEDIR)/nmsg_rej.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_rej.c $(BASEDIR)/imsg_rej.c $(BASEDIR)/nmsg_rej.c \ ++$(BASEDIR)/msg_rej.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_rej $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -388,7 +409,8 @@ $(REGISTER_DIR)/$(REGISTER)$x: $(REGISTE + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(REGISTER_OBJS) $(LIBS) + $(TOOLS_DIR)/postproc $@ -sfx + +-$(BASEDIR)/fmsg_reg.c $(BASEDIR)/imsg_reg.c $(BASEDIR)/nmsg_reg.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_reg.c $(BASEDIR)/imsg_reg.c $(BASEDIR)/nmsg_reg.c \ ++$(BASEDIR)/msg_reg.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_reg $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -402,7 +424,8 @@ ARJDISP_OBJS = $(patsubst %,$(ARJDISP_DI + $(ARJDISP_DIR)/arjdisp$x: $(ARJDISP_OBJS) + $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o $@ $(ARJDISP_OBJS) $(LIBS) + +-$(BASEDIR)/fmsg_adi.c $(BASEDIR)/imsg_adi.c $(BASEDIR)/nmsg_adi.c: $(TOOLS_DIR)/msgbind$x $(RESFILE) ++$(BASEDIR)/fmsg_adi.c $(BASEDIR)/imsg_adi.c $(BASEDIR)/nmsg_adi.c \ ++$(BASEDIR)/msg_adi.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_adi $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) + + # +@@ -427,18 +450,9 @@ prepare: + # + + clean: +- -rm -f $(BASEDIR)/* +- -rm -f $(TOOLS_DIR)/* +- -rm -f $(ARJCRYPT_DIR)/* +- -rm -f $(SFXSTUB_DIR)/* +- -rm -f $(ARJSFXV_DIR)/* +- -rm -f $(ARJSFX_DIR)/* +- -rm -f $(ARJSFXJR_DIR)/* +- -rm -f $(ARJ_DIR)/* +- -rm -f $(REARJ_DIR)/* +- -rm -f $(REGISTER_DIR)/* +- -rm -f $(ARJDISP_DIR)/* +- -rm -f arj.core ++ rm -rf .deps ++ rm -rf $(BASEDIR) ++ rm -f arj.core + + # + # Local installation diff --git a/SOURCES/arj-3.10.22-quotes.patch b/SOURCES/arj-3.10.22-quotes.patch new file mode 100644 index 0000000..699890c --- /dev/null +++ b/SOURCES/arj-3.10.22-quotes.patch @@ -0,0 +1,22 @@ +Patch by Milos Jakubicek for arj <= 3.10.22 to fix FTBFS + +--- arj-3.10.22/makefile 2004-06-18 18:19:36.000000000 +0200 ++++ arj-3.10.22/makefile.quotes 2013-10-20 00:49:07.000000000 +0200 +@@ -1633,6 +1633,7 @@ + $(CC) $(ARJ_COPT) + $(BASEDIR)\fmsg_arj.c $(BASEDIR)\imsg_arj.c $(BASEDIR)\nmsg_arj.c: $(BASEDIR)\tools\$(MSGBIND) $(RESFILE) + $(BASEDIR)\tools\msgbind $(RESFILE) msg_arj $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) ++ sed -e 's|_""|\\""|' -i $(BASEDIR)/fmsg_arj.c + + # + # REARJ utility +--- arj-3.10.22/gnu/makefile.in 2013-10-20 00:47:38.000000000 +0200 ++++ arj-3.10.22/gnu/makefile.in.quotes 2013-10-20 00:50:20.000000000 +0200 +@@ -376,6 +376,7 @@ + $(BASEDIR)/fmsg_arj.c $(BASEDIR)/imsg_arj.c $(BASEDIR)/nmsg_arj.c \ + $(BASEDIR)/msg_arj.h: $(TOOLS_DIR)/msgbind$x $(RESFILE) + $(TOOLS_DIR)/msgbind $(RESFILE) msg_arj $(OS_ID) $(PACKAGE) $(LOCALE) $(BASEDIR) ++ sed -e 's|_""|\\""|' -i $(BASEDIR)/fmsg_arj.c + + # + # REARJ utility diff --git a/SOURCES/arj-3.10.22-security-afl.patch b/SOURCES/arj-3.10.22-security-afl.patch new file mode 100644 index 0000000..ed2bf57 --- /dev/null +++ b/SOURCES/arj-3.10.22-security-afl.patch @@ -0,0 +1,35 @@ +Description: Fix buffer overflow causing an invalid pointer free(). +Author: Guillem Jover +Origin: vendor +Bug-Debian: https://bugs.debian.org/774015 +Forwarded: no +Last-Update: 2015-02-26 + +--- + decode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/decode.c ++++ b/decode.c +@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i + if(i==i_special) + { + c=getbits(2); +- while(--c>=0) ++ while(--c>=0&&i=0) ++ while(--c>=0&&i +Origin: vendor +Bug-Debian: https://bugs.debian.org/774435 +Forwarded: no +Last-Update: 2015-02-26 + +--- + environ.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/environ.c ++++ b/environ.c +@@ -1087,6 +1087,8 @@ static char *validate_path(char *name) + if(action!=VALIDATE_DRIVESPEC) + { + #endif ++ while (name[0]!='\0'&& ++ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) { + if(name[0]=='.') + { + if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX)) +@@ -1096,6 +1098,7 @@ static char *validate_path(char *name) + } + if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX) + name++; /* "\\" - revert to root */ ++ } + #if SFX_LEVEL>=ARJSFXV + } + } diff --git a/SOURCES/arj-3.10.22-security-traversal-symlink.patch b/SOURCES/arj-3.10.22-security-traversal-symlink.patch new file mode 100644 index 0000000..3248169 --- /dev/null +++ b/SOURCES/arj-3.10.22-security-traversal-symlink.patch @@ -0,0 +1,85 @@ +Description: Fix symlink directory traversal. + Do not allow symlinks that traverse the current directoru, nor absolute + symlinks. + . + Fixes CVE-2015-0556. +Author: Guillem Jover +Origin: vendor +Bug-Debian: https://bugs.debian.org/774434 +Forwarded: no +Last-Update: 2015-03-28 + +--- + uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +--- a/uxspec.c ++++ b/uxspec.c +@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha + } + #endif + ++#if TARGET==UNIX ++static int is_link_traversal(const char *name) ++{ ++ enum { ++ STATE_NONE, ++ STATE_DOTS, ++ STATE_NAME, ++ } state = STATE_NONE; ++ int ndir = 0; ++ int dots = 0; ++ ++ while(*name) { ++ int c = *name++; ++ ++ if (c == '/') ++ { ++ if ((state == STATE_DOTS) && (dots == 2)) ++ ndir--; ++ if (ndir < 0) ++ return 1; ++ if ((state == STATE_DOTS && dots == 1) && ndir == 0) ++ return 1; ++ if (state == STATE_NONE && ndir == 0) ++ return 1; ++ if ((state == STATE_DOTS) && (dots > 2)) ++ ndir++; ++ state = STATE_NONE; ++ dots = 0; ++ } ++ else if (c == '.') ++ { ++ if (state == STATE_NONE) ++ state = STATE_DOTS; ++ dots++; ++ } ++ else ++ { ++ if (state == STATE_NONE) ++ ndir++; ++ state = STATE_NAME; ++ } ++ } ++ ++ if ((state == STATE_DOTS) && (dots == 2)) ++ ndir--; ++ if ((state == STATE_DOTS) && (dots > 2)) ++ ndir++; ++ ++ return ndir < 0; ++} ++#endif ++ + /* Restores the UNIX special file data */ + + int set_uxspecial(char FAR *storage, char *name) +@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha + l=sizeof(tmp_name)-1; + far_memmove((char FAR *)tmp_name, dptr, l); + tmp_name[l]='\0'; ++ if (is_link_traversal(tmp_name)) ++ return(UXSPEC_RC_ERROR); + rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name); + if(!rc) + return(0); diff --git a/SOURCES/arj-3.10.22-security_format.patch b/SOURCES/arj-3.10.22-security_format.patch new file mode 100644 index 0000000..98c1814 --- /dev/null +++ b/SOURCES/arj-3.10.22-security_format.patch @@ -0,0 +1,305 @@ +Patch by Guillem Jover for arj <= 3.10.22, which +fixes format security errors. + +--- + arj_arcv.c | 12 ++++++------ + arj_user.c | 8 ++++---- + arjdisp.c | 58 ++++++++++++++++++++++++++++------------------------------ + arjsfx.c | 2 +- + fardata.c | 10 +++++----- + rearj.c | 2 +- + register.c | 2 +- + 7 files changed, 46 insertions(+), 48 deletions(-) + +--- a/fardata.c ++++ b/fardata.c +@@ -52,7 +52,7 @@ int error_proc(FMSG *errmsg, ...) + /* Check if the message could have a standard error code */ + if(errno!=0&&is_std_error(errmsg)) + { +- msg_cprintf(0, lf); ++ msg_cprintf(0, "\n"); + error_report(); + } + #endif +@@ -379,10 +379,10 @@ static void flush_cbuf(int ccode, char * + { + #if SFX_LEVEL>=ARJSFXV + fprintf(new_stdout, strform, n_text); +- fprintf(new_stdout, lf); ++ fprintf(new_stdout, "\n"); + #else + printf(strform, n_text); +- printf(lf); ++ printf("\n"); + #endif + } + else +@@ -393,13 +393,13 @@ static void flush_cbuf(int ccode, char * + #ifdef NEED_CRLF + scr_out("\r"); + #endif +- scr_out(lf); ++ scr_out("\n"); + } + if(!no_colors) + textcolor(color_table[ccode&H_COLORMASK].color); + #else + printf(strform, n_text); +- printf(lf); ++ printf("\n"); + #endif + n_text=t_text+1; + #if SFX_LEVEL>=ARJ +--- a/arj_user.c ++++ b/arj_user.c +@@ -1059,7 +1059,7 @@ static void finish_processing(int cmd) + if(recover_file(tmp_archive_name, nullstr, tmp_tmp_filename, protected, eof_pos)) + { + msg_cprintf(H_HL, M_CANT_FIND_DAMAGE, archive_name); +- printf(lf); ++ printf("\n"); + } + else + { +@@ -1294,7 +1294,7 @@ static void finish_processing(int cmd) + if(recover_file(archive_name, nullstr, nullstr, protected, eof_pos)) + { + msg_cprintf(H_HL, M_CANT_FIND_DAMAGE, archive_name); +- printf(lf); ++ printf("\n"); + } + else + { +@@ -1327,7 +1327,7 @@ static void finish_processing(int cmd) + msg_cprintf(0, M_CHAPTERS_ON); + else if(chapter_mode==CHAP_REMOVE) + msg_cprintf(0, M_CHAPTERS_OFF); +- msg_cprintf(0, strform, lf); ++ msg_cprintf(0, strform, "\n"); + } + if(cmd==ARJ_CMD_COPY&&protfile_option&&!arjprot_tail) + msg_cprintf(0, M_ARJPROT_DISABLED); +@@ -2303,7 +2303,7 @@ void process_archive() + timestamp_to_str(timetext, &ftime_stamp); + msg_cprintf(H_HL|H_NFMT, M_ARCHIVE_CREATED, timetext); + if(show_ansi_comments) +- printf(cmt_ptr); ++ fputs(cmt_ptr, stdout); + else + display_comment(cmt_ptr); + /* The sfx_setup() occurs here */ +--- a/arj_arcv.c ++++ b/arj_arcv.c +@@ -913,13 +913,13 @@ int supply_comment(char *cmtname, char * + else + { + strcat(tmp_comment, tmp_cmtline); +- strcat(tmp_comment, lf); ++ strcat(tmp_comment, "\n"); + } + } + else + { + strcat(tmp_comment, tmp_cmtline); +- strcat(tmp_comment, lf); ++ strcat(tmp_comment, "\n"); + } + } + } +@@ -1846,7 +1846,7 @@ int pack_file(int is_update, int is_repl + raw_eh=eh_lookup(eh, UXSPECIAL_ID)->raw; + uxspecial_stats(raw_eh, UXSTATS_SHORT); + } +- msg_cprintf(0, lf); ++ msg_cprintf(0, "\n"); + } + if(err_id==0&&user_wants_fail) + { +@@ -2523,9 +2523,9 @@ int unpack_validation() + { + msg_cprintf(0, (FMSG *)strform, misc_buf); + if(search_mode==SEARCH_DEFAULT) +- msg_cprintf(0, (FMSG *)lf); ++ msg_cprintf(0, "\n"); + if(search_mode==SEARCH_BRIEF) +- msg_cprintf(0, (FMSG *)cr); ++ msg_cprintf(0, "\r"); + } + for(pattern=0; pattern=ARJSFXV + if(ferror(stdout)) +- msg_fprintf(stderr, M_DISK_FULL); ++ msg_fprintf(stderr, "Can't write file. Disk full?"); + if(debug_enabled&&strchr(debug_opt, 't')!=NULL) + { + ticks=get_ticks()-ticks; +--- a/rearj.c ++++ b/rearj.c +@@ -935,7 +935,7 @@ static int convert_archive(char *name) + msg_cprintf(H_HL|H_NFMT, M_OLD_SIZE, old_fsize); + msg_cprintf(H_HL|H_NFMT, M_NEW_SIZE, new_fsize); + msg_cprintf(H_HL|H_NFMT, M_SAVINGS_SIZE, gain); +- printf(lf); ++ printf("\n"); + total_old_fsize+=old_fsize; + total_new_fsize+=new_fsize; + total_files++; +--- a/register.c ++++ b/register.c +@@ -205,7 +205,7 @@ int main(int argc, char **argv) + char reg_source[200]; + int i; + +- printf(M_REGISTER_BANNER); ++ fputs(M_REGISTER_BANNER, stdout); + integrity_pattern[0]--; + build_crc32_table(); + if(argc!=2) +--- a/arjdisp.c ++++ b/arjdisp.c +@@ -20,8 +20,6 @@ static long bytes; + static long compsize; + static char cmd_verb; + static char msg_lf[]="\n"; +-char strform[]="%s"; /* Export it for scrnio.c, too +- (a byte saved is a byte gained) */ + + /* Pseudographical controls */ + +@@ -54,19 +52,19 @@ static void show_init_scrn() + textcolor(7); + clrscr(); + gotoxy(2, 2); +- scrprintf(win_top); ++ fputs(win_top, stdout); + for(i=3; i<24; i++) + { +- gotoxy(2, i); scrprintf(win_border); +- gotoxy(79, i); scrprintf(win_border); ++ gotoxy(2, i); fputs(win_border, stdout); ++ gotoxy(79, i); fputs(win_border, stdout); + } +- gotoxy(2, 24); scrprintf(win_bottom); ++ gotoxy(2, 24); fputs(win_bottom, stdout); + gotoxy(10, 5); +- scrprintf(M_ARJDISP_COPYRIGHT); ++ fputs(M_ARJDISP_COPYRIGHT, stdout); + gotoxy(10, 6); +- scrprintf(M_ARJDISP_DISTRIBUTION); ++ fputs(M_ARJDISP_DISTRIBUTION, stdout); + gotoxy(10, 7); +- scrprintf(M_ARJDISP_LICENSE); ++ fputs(M_ARJDISP_LICENSE, stdout); + gotoxy(16, 10); + scrprintf(M_PROCESSING_ARCHIVE, archive_name); + t=strtok(M_ARJDISP_INFO, msg_lf); +@@ -74,11 +72,11 @@ static void show_init_scrn() + while(t!=NULL&&i<=23) + { + gotoxy(10, i++); +- scrprintf(strform, t); ++ scrprintf("%s", t); + t=strtok(NULL, msg_lf); + } + gotoxy(16, 20); +- scrprintf(M_PRESS_ANY_KEY); ++ fputs(M_PRESS_ANY_KEY, stdout); + uni_getch(); + gotoxy(1, 24); + } +@@ -96,19 +94,19 @@ static void show_proc_scrn() + { + clrscr(); + gotoxy(2, 2); +- scrprintf(win_top); ++ fputs(win_top, stdout); + for(i=3; i<24; i++) + { +- gotoxy(2, i); scrprintf(win_border); +- gotoxy(79, i); scrprintf(win_border); ++ gotoxy(2, i); fputs(win_border, stdout); ++ gotoxy(79, i); fputs(win_border, stdout); + } +- gotoxy(2, 24); scrprintf(win_bottom); ++ gotoxy(2, 24); fputs(win_bottom, stdout); + gotoxy(10, 5); +- scrprintf(M_ARJDISP_COPYRIGHT); ++ fputs(M_ARJDISP_COPYRIGHT, stdout); + gotoxy(10, 6); +- scrprintf(M_ARJDISP_DISTRIBUTION); ++ fputs(M_ARJDISP_DISTRIBUTION, stdout); + gotoxy(10, 7); +- scrprintf(M_ARJDISP_LICENSE); ++ fputs(M_ARJDISP_LICENSE, stdout); + gotoxy(16, 10); + scrprintf(M_PROCESSING_ARCHIVE, archive_name); + gotoxy(16, 12); +@@ -132,13 +130,13 @@ static void show_proc_scrn() + break; + } + gotoxy(15, 14); +- scrprintf(ind_top); ++ fputs(ind_top, stdout); + gotoxy(15, 15); +- scrprintf(ind_middle); ++ fputs(ind_middle, stdout); + gotoxy(15, 16); +- scrprintf(ind_bottom); ++ fputs(ind_bottom, stdout); + gotoxy(16, 18); +- scrprintf(M_ARJDISP_CTR_START); ++ fputs(M_ARJDISP_CTR_START, stdout); + } + else + { +@@ -146,7 +144,7 @@ static void show_proc_scrn() + gotoxy(16, 15); + memset(progress, indo, i); + progress[i]='\0'; +- scrprintf(progress); ++ fputs(progress, stdout); + gotoxy(16, 18); + scrprintf(M_ARJDISP_CTR, calc_percentage(bytes, uncompsize)/10); + } +@@ -165,19 +163,19 @@ static void show_ending_scrn() + textcolor(7); + clrscr(); + gotoxy(2, 2); +- scrprintf(win_top); ++ fputs(win_top, stdout); + for(i=3; i<24; i++) + { +- gotoxy(2, i); scrprintf(win_border); +- gotoxy(79, i); scrprintf(win_border); ++ gotoxy(2, i); fputs(win_border, stdout); ++ gotoxy(79, i); fputs(win_border, stdout); + } +- gotoxy(2, 24); scrprintf(win_bottom); ++ gotoxy(2, 24); fputs(win_bottom, stdout); + gotoxy(10, 5); +- scrprintf(M_ARJDISP_COPYRIGHT); ++ fputs(M_ARJDISP_COPYRIGHT, stdout); + gotoxy(10, 6); +- scrprintf(M_ARJDISP_DISTRIBUTION); ++ fputs(M_ARJDISP_DISTRIBUTION, stdout); + gotoxy(10, 7); +- scrprintf(M_ARJDISP_LICENSE); ++ fputs(M_ARJDISP_LICENSE, stdout); + gotoxy(16, 10); + scrprintf(M_FINISHED_PROCESSING, archive_name); + gotoxy(1, 24); diff --git a/SOURCES/arj-3.10.22-use_safe_strcpy.patch b/SOURCES/arj-3.10.22-use_safe_strcpy.patch new file mode 100644 index 0000000..3d72f26 --- /dev/null +++ b/SOURCES/arj-3.10.22-use_safe_strcpy.patch @@ -0,0 +1,97 @@ +Patch by Guillem Jover for arj <= 3.10.22, to +use a safe strcpy for overlapping strings, among others fixes a build +problem with a mangled generated .c file by msgbind (thus FTBFS), and +CRC errors at run-time. For further information, please have a look +to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590354 + +--- + arj.c | 2 +- + arjdata.c | 9 +-------- + ea_mgr.c | 2 +- + misc.h | 4 ++++ + msgbind.c | 2 +- + packager.c | 2 +- + 6 files changed, 9 insertions(+), 12 deletions(-) + +--- a/arjdata.c ++++ b/arjdata.c +@@ -204,13 +204,6 @@ void date_fmt(char *dest) + #endif + } + +-/* A safe strcpy() */ +- +-static void safe_strcpy(char *dest, char *src) +-{ +- memmove(dest, src, strlen(src)+1); +-} +- + /* Context substitution routine */ + + char *expand_tags(char *str, int limit) +@@ -232,7 +225,7 @@ char *expand_tags(char *str, int limit) + { + if(*(p+1)==TAG_CHAR) + { +- strcpy(p, p+1); ++ safe_strcpy(p, p+1); + p++; + } + else if(*(p+1)==TAG_SPECIAL_BEGIN&&(et=strchr(p+3, TAG_SPECIAL_END))!=NULL) +--- a/arj.c ++++ b/arj.c +@@ -1169,7 +1169,7 @@ int main(int argc, char *argv[]) + if(strlen(tmp_ptr)<=121) + tmp_ptr[0]='\0'; + else if(tmp_ptr[120]==' ') +- strcpy(tmp_ptr, tmp_ptr+121); ++ safe_strcpy(tmp_ptr, tmp_ptr+121); + } + if(cmd==ARJ_CMD_ORDER&&strpbrk(tmp_ptr, wildcard_pattern)!=NULL) + error(M_ORDER_WILDCARD); +--- a/ea_mgr.c ++++ b/ea_mgr.c +@@ -696,7 +696,7 @@ int resolve_longname(char *dest, char *n + tmp_name[st_len]='\0'; + if(tmp_name[0]==0xFD&&tmp_name[1]==0xFF) + { +- strcpy(tmp_name, (char *)tmp_name+4); ++ safe_strcpy(tmp_name, (char *)tmp_name+4); + st_len-=4; + } + if(st_len==0||st_len+entry>=FILENAME_MAX) +--- a/msgbind.c ++++ b/msgbind.c +@@ -578,7 +578,7 @@ int main(int argc, char **argv) + } + strcat(pool[tpool].data, msgname); + strcat(pool[tpool].data, ", "); +- strcpy(msg_buffer, msg_buffer+1); ++ safe_strcpy(msg_buffer, msg_buffer+1); + buf_len=strlen(msg_buffer); + msg_buffer[--buf_len]='\0'; + patch_string(msg_buffer); +--- a/packager.c ++++ b/packager.c +@@ -347,7 +347,7 @@ int main(int argc, char **argv) + expand_tags(buf, sizeof(buf)-1); + if((p=strchr(buf, '.'))!=NULL) + { +- strcpy(p, p+1); ++ safe_strcpy(p, p+1); + if((p=strchr(buf, '.'))!=NULL) + *p='\0'; + } +--- a/misc.h ++++ b/misc.h +@@ -11,6 +11,10 @@ + #include "arjtypes.h" + #include "filelist.h" + ++/* A safe strcpy() */ ++ ++#define safe_strcpy(dest, src) memmove(dest, src, strlen(src)+1); ++ + /* ASCIIZ string copy macro */ + + #define strcpyn(dest, src, n) \ diff --git a/SOURCES/unarj.1 b/SOURCES/unarj.1 new file mode 100644 index 0000000..6673796 --- /dev/null +++ b/SOURCES/unarj.1 @@ -0,0 +1,36 @@ +.\" Hey, EMACS: -*- nroff -*- +.TH UNARJ 1 2004-03-12 "3.10" "Arj Software" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +unarj \- Unarchive ARJ files +.SH SYNOPSIS +.B unarj +.RI [ options ] " files" ... +.SH DESCRIPTION +The +.B unarj +command is a simple wrapper to ease transition from the non-free unarj. +.SH OPTIONS +This program has the same command line options as +.BR arj (1). +It also supports to be called without any options as a synonim for +.BR l . +For the full command line list please see +.BR arj (1) +man page. +.SH SEE ALSO +.BR arj (1), +.BR rearj (1). +.SH AUTHOR +This manual page was written by Guillem Jover . diff --git a/SOURCES/unarj.sh b/SOURCES/unarj.sh new file mode 100644 index 0000000..6d8cecf --- /dev/null +++ b/SOURCES/unarj.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +if [ $# -eq 1 ]; then + arj l "$@" +else + arj "$@" +fi + diff --git a/SPECS/arj.spec b/SPECS/arj.spec new file mode 100644 index 0000000..b756800 --- /dev/null +++ b/SPECS/arj.spec @@ -0,0 +1,198 @@ +Summary: Archiver for .arj files +Name: arj +Version: 3.10.22 +Release: 35%{?dist} +License: GPL+ +URL: http://arj.sourceforge.net/ +Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz +# unarj.* from Debian +Source1: unarj.sh +Source2: unarj.1 +Patch0: arj-3.10.22-arches_align.patch +Patch1: arj-3.10.22-no_remove_static_const.patch +Patch2: arj-3.10.22-64_bit_clean.patch +Patch3: arj-3.10.22-parallel_build.patch +Patch4: arj-3.10.22-use_safe_strcpy.patch +Patch5: arj-3.10.22-doc_refer_robert_k_jung.patch +Patch6: arj-3.10.22-security_format.patch +Patch7: arj-3.10.22-missing-protos.patch +Patch8: arj-3.10.22-custom-printf.patch +# Filed into upstream bugtracker as https://sourceforge.net/tracker/?func=detail&aid=2853421&group_id=49820&atid=457566 +Patch9: arj-3.10.22-quotes.patch +Patch10: arj-3.10.22-security-afl.patch +Patch11: arj-3.10.22-security-traversal-dir.patch +Patch12: arj-3.10.22-security-traversal-symlink.patch +BuildRequires: gcc +BuildRequires: autoconf +BuildRequires: make +Provides: unarj = %{version}-%{release} +Obsoletes: unarj < 3 + +%description +This package is an open source version of the arj archiver. It has +been created with the intent to preserve maximum compatibility and +retain the feature set of original ARJ archiver as provided by ARJ +Software, Inc. + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 + +pushd gnu + autoconf +popd + +%build +pushd gnu + %configure +popd + +# Disable binary strippings +%make_build ADD_LDFLAGS="" + +%install +%make_install + +install -D -p -m 644 resource/rearj.cfg.example $RPM_BUILD_ROOT%{_sysconfdir}/rearj.cfg +install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/unarj +install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/man1/unarj.1 + +# remove the register remainders of arj's sharewares time +rm -f $RPM_BUILD_ROOT%{_bindir}/arj-register +rm -f $RPM_BUILD_ROOT%{_mandir}/man1/arj-register.1* + +%files +%license doc/COPYING +%doc ChangeLog* doc/rev_hist.txt +%config(noreplace) %{_sysconfdir}/rearj.cfg +%{_bindir}/*arj* +%{_libdir}/arj/ +%{_mandir}/man1/*arj*1.* + +%changelog +* Fri Mar 01 2024 Arkady L. Shane - 3.10.22-35 +- Rebuilt for MSVSphere 9.3 + +* Wed Jul 21 2021 Fedora Release Engineering - 3.10.22-35 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 3.10.22-34 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 3.10.22-33 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 3.10.22-32 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 3.10.22-31 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 3.10.22-30 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 3.10.22-29 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Feb 07 2018 Fedora Release Engineering - 3.10.22-28 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 3.10.22-27 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3.10.22-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 3.10.22-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Feb 03 2016 Fedora Release Engineering - 3.10.22-24 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 3.10.22-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Apr 03 2015 Robert Scheck 3.10.22-22 +- Added patch from Debian to avoid free on invalid pointer due to a + buffer overflow (#1196751, #1207180) +- Added patch from Debian for symlink directory traversal (#1178824) +- Added patch from Debian to fix the directory traversal via + //multiple/leading/slash (#1178824) + +* Sat Feb 21 2015 Till Maas - 3.10.22-21 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Fri Aug 15 2014 Fedora Release Engineering - 3.10.22-20 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 3.10.22-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Oct 20 2013 Robert Scheck 3.10.22-18 +- Replaced compressed Debian patch file by regular patches + +* Sat Aug 03 2013 Fedora Release Engineering - 3.10.22-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 3.10.22-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jul 18 2012 Fedora Release Engineering - 3.10.22-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jan 12 2012 Fedora Release Engineering - 3.10.22-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Feb 07 2011 Fedora Release Engineering - 3.10.22-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Sun Mar 28 2010 Robert Scheck 3.10.22-12 +- Re-enable parallel builds again now that quoting is fixed + +* Sun Sep 6 2009 Milos Jakubicek 3.10.22-11 +- Fix FTBFS: added arj-3.10.22-quotes.patch + +* Wed Aug 19 2009 Robert Scheck 3.10.22-10 +- Disabled the even with patches broken parallel builds again + +* Fri Jul 24 2009 Fedora Release Engineering - 3.10.22-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Apr 18 2009 Robert Scheck 3.10.22-8 +- Added patch to disable the custom printf to avoid conflicting + strnlen definition with glibc headers (thanks to Lubomir Rintel) + +* Mon Feb 23 2009 Robert Scheck 3.10.22-7 +- Rebuild against gcc 4.4 and rpm 4.6 + +* Mon Sep 08 2008 Robert Scheck 3.10.22-6 +- Added patch to refer to original author in the manual page +- Added patch to support parallel builds in upstream Makefile + +* Sat Aug 30 2008 Robert Scheck 3.10.22-5 +- Corrected from %%patch to %%patch0 to make rpm > 4.4 happy + +* Mon Mar 31 2008 Hans de Goede 3.10.22-4 +- Fix missing prototype compiler warnings + +* Tue Feb 19 2008 Fedora Release Engineering - 3.10.22-3 +- Autorebuild for GCC 4.3 + +* Fri Aug 3 2007 Hans de Goede 3.10.22-2 +- Update License tag for new Licensing Guidelines compliance + +* Sat Sep 9 2006 Hans de Goede 3.10.22-1 +- initial FE submission based on a src.rpm by Ville Skyttä