unzip TOCTOU file-permissions vulnerability

(submitted patch slightly modified) PR: 85920 Submitted by: Marcus Alves Grando <marcus@corp.grupos.com.br>
svn path=/head/; revision=142310
2025-02-02 11:09:29 +00:00 · 2005-09-09 18:33:17 +00:00 · 2005-09-09 18:33:17 +00:00 · c0f88731fd · 2021-03-31 03:12:20 +00:00
commit c0f88731fd
parent 975f5a1beb
2 changed files with 37 additions and 1 deletions
--- a/archivers/unzip/Makefile
+++ b/archivers/unzip/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	unzip
 PORTVERSION=	5.52
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES?=	archivers
 MASTER_SITES=	ftp://ftp.info-zip.org/pub/infozip/src/ \
 		${MASTER_SITE_TEX_CTAN:S,%SUBDIR%,tools/zip/info-zip/src/,}
--- a/archivers/unzip/files/patch-unix_unix.c
+++ b/archivers/unzip/files/patch-unix_unix.c
@ -0,0 +1,36 @@
+--- unix/unix.c.orig	Sat Feb 26 16:43:42 2005
+++ unix/unix.c	Fri Sep  9 14:36:35 2005
+@@ -1042,6 +1042,16 @@
+     ush z_uidgid[2];
+     int have_uidgid_flg;
+ 
+/*---------------------------------------------------------------------------
+    Change the file permissions from default ones to those stored in the
+    zipfile.
+  ---------------------------------------------------------------------------*/
+	  
+#ifndef NO_CHMOD
+    if (fchmod(fileno(G.outfile), filtattr(__G__ G.pInfo->file_attr)))
+        perror("fchmod (file attributes) error");
+#endif
+
+     fclose(G.outfile);
+ 
+ /*---------------------------------------------------------------------------
+@@ -1150,16 +1160,6 @@
+               " (warning) cannot set times"));
+ #endif /* ?AOS_VS */
+     }
+-
+-/*---------------------------------------------------------------------------
+-    Change the file permissions from default ones to those stored in the
+-    zipfile.
+-  ---------------------------------------------------------------------------*/
+-
+-#ifndef NO_CHMOD
+-    if (chmod(G.filename, filtattr(__G__ G.pInfo->file_attr)))
+-        perror("chmod (file attributes) error");
+-#endif
+ 
+ } /* end function close_outfile() */
+