debian/0000755000000000000000000000000011770310137007166 5ustar debian/dirs0000644000000000000000000000001011161535245010044 0ustar usr/bin debian/manpages0000644000000000000000000000001711161535245010705 0ustar debian/unace.1 debian/watch0000644000000000000000000000011611746366443010233 0ustar # The original source code was obtained from a mail from the upstream author. debian/patches/0000755000000000000000000000000011770310132010610 5ustar debian/patches/004_64_bit_clean.patch0000644000000000000000000000112311161535245014452 0ustar Index: b/declare.h =================================================================== --- a/declare.h +++ b/declare.h @@ -15,12 +15,14 @@ #else /* AMIGA */ -typedef unsigned short USHORT; -typedef short SHORT ; -typedef unsigned short UWORD ; -typedef short WORD ; -typedef unsigned long ULONG ; -typedef long LONG ; +#include + +typedef uint16_t USHORT; +typedef int16_t SHORT ; +typedef uint16_t UWORD ; +typedef int16_t WORD ; +typedef uint32_t ULONG ; +typedef int32_t LONG ; #endif /* !AMIGA */ debian/patches/series0000644000000000000000000000016011746373466012050 0ustar 001_cpp_define.patch 002_fix_warnings.patch 003_security.patch 004_64_bit_clean.patch 005_format-security.patch debian/patches/005_format-security.patch0000644000000000000000000000131611746374113015367 0ustar --- unace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/unace.c +++ b/unace.c @@ -265,7 +265,7 @@ INT open_archive(INT print_err) printf("Authenticity Verification:"); // print the AV sprintf(av_str, "\ncreated on %d.%d.%d by ", ts_day(adat.time_cr), ts_month(adat.time_cr), ts_year(adat.time_cr)); - printf(av_str); + printf("%s", av_str); copylen = mhead.AV_SIZE; if (copylen > 79) copylen = 79; 
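Review bot: Narrowing `ULONG` and `LONG` from `long` to `uint32_t`/`int32_t` in declare.h changes what every format string handling those types must use, and nothing in this patch shows that the call sites were audited. On LP64 targets any `printf`/`sprintf` that passes a `ULONG` with `%lu` or a `LONG` with `%ld` now has a mismatched argument; no such call is visible here, so this is something to confirm rather than a known defect. Where they exist, the `PRIu32`/`PRId32` macros from `<inttypes.h>` keep the format and the type in step. A comment above the typedefs such as `/* ACE header fields have fixed on-disk widths; do not use native long here */` would record why fixed-width types are required.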
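Review bot: In open_archive the string passed to `printf("%s", av_str)` is still produced by the `sprintf` into `av_str` on the context line above, so the temporary buffer is the only reason a non-literal format existed here. Printing directly with `printf("\ncreated on %d.%d.%d by ", ts_day(adat.time_cr), ts_month(adat.time_cr), ts_year(adat.time_cr));` removes the intermediate copy and lets `-Wformat` check the arguments against a literal. The second hunk's `printf("%s", version);` in main could likewise be `fputs(version, stdout);`, which makes it plain that no formatting is intended. open_archive's body continues outside the hunk.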
@@ -566,7 +566,7 @@ int main(INT argc, CHAR * argv[]) INT show_help, arg_cnt = 1; - printf(version); + printf("%s", version); show_help=0; if (argc < 3 || strlen(argv[1]) > 1 || argv[argc-1][0] == '-') debian/patches/001_cpp_define.patch0000644000000000000000000000277311770310132014316 0ustar --- unix/makefile | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) --- a/unix/makefile +++ b/unix/makefile @@ -10,26 +10,28 @@ OBJ = globals.o uac_comm.o uac_crc.o uac_crt.o uac_dcpr.o uac_sys.o unace.o SRC = globals.c uac_comm.c uac_crc.c uac_crt.c uac_dcpr.c uac_sys.c unace.c -#CFLAGS = -dNOSTRICMP #for UNIX compilers not supporting stricmp() -#CFLAGS = -dHI_LO_BYTE_ORDER #select correct byte order for your machine!! +#CFLAGS = -DNOSTRICMP #for UNIX compilers not supporting stricmp() +#CFLAGS = -DHI_LO_BYTE_ORDER #select correct byte order for your machine!! #CFLAGS = -Wall -O3 -s #-DNDEBUG #CFLAGS = -g -Wall -DMDEBUG #CFLAGS = -O3 -fno-strength-reduce -fomit-frame-pointer # These are for Linux -CFLAGS = -O -g -Wall -dLO_HI_BYTE_ORDER +CFLAGS = -O -g -Wall CHALLOC = challoc.o CHALLOC = CHNEW = chnew.o challoc.o CC = gcc +OSTYPE = $(shell uname -s) + ifeq ($(OSTYPE), Linux) -CFLAGS += -DUNIX -DCASEINSENSE +CPPFLAGS += -DUNIX -DCASEINSENSE else ifeq ($(OSTYPE), DOS) EXEEXT = .exe -CFLAGS += -DDOS +CPPFLAGS += -DDOS else -CFLAGS += -DUNIX -DCASEINSENSE +CPPFLAGS += -DUNIX -DCASEINSENSE endif endif @@ -37,15 +39,14 @@ endif #LIBS = -lm -unace$(EXEEXT): $(OBJ) $(CHALLOC) - gcc $(CFLAGS) -o $@ $^ $(LIBS) +unace$(EXEEXT): $(OBJ) $(CHALLOC) $(LIBS) clean: rm -f *.o a.out core unace unace.exe dep: chmod a+rx ./gccmaked - ./gccmaked -- $(CFLAGS) -- *.c* + ./gccmaked -- $(CPPFLAGS) -- *.c* rm -f ?akefile.bak # DO NOT DELETE debian/patches/003_security.patch0000644000000000000000000001107311161535245014074 0ustar Index: b/uac_crt.c =================================================================== --- a/uac_crt.c +++ b/uac_crt.c 
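Review bot: Dropping the explicit link recipe in the second unix/makefile hunk leaves `unace$(EXEEXT)` to GNU make's built-in `%: %.o` rule, which applies only when the target name equals the stem of one of its objects. That holds for `unace`, but the DOS branch in the first hunk sets `EXEEXT = .exe`, and as far as I can tell no built-in rule links `unace.exe` from `unace.o`, so that configuration would be left without a recipe. An explicit recipe that honours the standard variables avoids the dependence on implicit rules: `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS)`, with `$(LIBS)` moved back out of the prerequisite list. That also keeps the `LDFLAGS` which debian/rules obtains from dpkg-buildflags visibly on the link line.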
@@ -35,12 +35,15 @@ /* gets file name from header */ -CHAR *ace_fname(CHAR * s, thead * head, INT nopath) +CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size) { - INT i; + unsigned int i; char *cp; - strncpy(s, (*(tfhead *) head).FNAME, i = (*(tfhead *) head).FNAME_SIZE); + i = (*(tfhead *) head).FNAME_SIZE; + if (i > (size - 1)) + i = size - 1; + strncpy(s, (*(tfhead *) head).FNAME, i); s[i] = 0; if (nopath) @@ -58,22 +61,73 @@ CHAR *ace_fname(CHAR * s, thead * head, } #endif + cp = s; + while (*cp == '/') cp++; + if (cp != s) + memmove(s, cp, strlen(cp) + 1); + return s; } +int is_directory_traversal(char *str) +{ + unsigned int mode, countdots; + /* mode 0 = fresh, 1 = just dots, 2 = not just dots */ + + mode = countdots = 0; + + while (*str) + { + char ch = *str++; + + if ((ch == '/') && (mode == 1) && (countdots > 1)) + return 1; + + if (ch == '/') + { + mode = countdots = 0; + continue; + } + + if (ch == '.') + { + if (mode == 0) + mode = 1; + + countdots++; + } + else + mode = 2; + } + + if ((mode == 1) && (countdots > 1)) + return 1; + + return 0; +} + void check_ext_dir(CHAR * f) // checks/creates path of file { CHAR *cp, d[PATH_MAX]; - INT i; + unsigned int i; d[0] = 0; + if (is_directory_traversal(f)) + { + f_err = ERR_WRITE; + printf("\n Directory traversal attempt: %s\n", f); + return; + } + for (;;) { if ((cp = (CHAR *) strchr(&f[strlen(d) + 1], DIRSEP))!=NULL) { i = cp - f; + if (i > (PATH_MAX - 1)) + i = PATH_MAX - 1; strncpy(d, f, i); d[i] = 0; } Index: b/uac_crt.h =================================================================== --- a/uac_crt.h +++ b/uac_crt.h @@ -8,7 +8,7 @@ #include "acestruc.h" -CHAR *ace_fname(CHAR * s, thead * head, INT nopath); +CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size); INT create_dest_file(CHAR * file, INT a); #ifdef UNIX Index: b/unace.c =================================================================== --- a/unace.c +++ b/unace.c 
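Review bot: The new `size` parameter of ace_fname is undocumented, and the clamp `if (i > (size - 1))` does nothing when `size` is 0, because `size - 1` then wraps to `UINT_MAX`. Both callers visible in this patch pass `sizeof(file)`, so this is latent rather than reachable here, but the contract should be written down, e.g. `/* size: capacity of s in bytes including the terminating NUL; must be at least 1 */`, and a guard `if (size == 0) return s;` ahead of the clamp makes the function safe on its own. The clamp protects the destination only; whether `FNAME_SIZE` is also checked against the number of bytes actually read into the header is not visible in this hunk. ace_fname's body continues past the end of this hunk.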
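Review bot: is_directory_traversal and the leading-slash strip at the end of ace_fname compare against a literal `'/'`, while check_ext_dir, the only caller shown, splits the same path on `DIRSEP`. On any build where `DIRSEP` is not `'/'` (the makefile carries a DOS target) a `..` component delimited by that separator is treated as ordinary text, so both places should test `DIRSEP`, for instance `if ((ch == DIRSEP) && (mode == 1) && (countdots > 1))`, or accept both separators. The check is wired only into check_ext_dir; whether every file-creation path goes through it cannot be seen from this hunk and is worth confirming. In check_ext_dir, clamping `i` to `PATH_MAX - 1` silently shortens the directory name, and setting `f_err = ERR_WRITE` and returning, as the traversal branch does, would be safer than creating a truncated path; that loop continues outside the hunk. The new function should take `const char *` and carry a comment stating that it returns 1 when any path component consists solely of two or more dots.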
@@ -242,6 +242,7 @@ INT read_arc_head(void) // searc INT open_archive(INT print_err) // opens archive (or volume) { CHAR av_str[80]; + unsigned int copylen; archan = open(aname, O_RDONLY | O_BINARY); // open file @@ -265,8 +266,11 @@ INT open_archive(INT print_err) sprintf(av_str, "\ncreated on %d.%d.%d by ", ts_day(adat.time_cr), ts_month(adat.time_cr), ts_year(adat.time_cr)); printf(av_str); - strncpy(av_str, mhead.AV, mhead.AV_SIZE); - av_str[mhead.AV_SIZE] = 0; + copylen = mhead.AV_SIZE; + if (copylen > 79) + copylen = 79; + strncpy(av_str, mhead.AV, copylen); + av_str[copylen] = 0; printf("%s\n\n", av_str); } comment_out("Main comment:"); // print main comment @@ -302,7 +306,7 @@ void get_next_volname(void) INT proc_vol(void) // opens volume { INT i; - CHAR s[80]; + CHAR s[PATH_MAX + 80]; // if f_allvol_pr is 2 we have -y and should never ask if ((!fileexists_insense(aname) && f_allvol_pr != 2) || !f_allvol_pr) @@ -430,7 +434,7 @@ void extract_files(int nopath, int test) if (head.HEAD_TYPE == FILE_BLK) { comment_out("File comment:"); // show file comment - ace_fname(file, &head, nopath); // get file name + ace_fname(file, &head, nopath, sizeof(file)); // get file name printf("\n%s", file); flush; dcpr_init_file(); // initialize decompression of file @@ -498,7 +502,7 @@ void list_files(int verbose) if (head.HEAD_TYPE == FILE_BLK) { ULONG ti=fhead.FTIME; - ace_fname(file, &head, verbose ? 0 : 1); // get file name + ace_fname(file, &head, verbose ? 0 : 1, sizeof(file)); // get file name size += fhead.SIZE; psize += 
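Review bot: The clamp added to open_archive hard-codes `79`, which is correct only while the buffer stays declared as `CHAR av_str[80]`. Tying the bound to the array, `if (copylen > sizeof(av_str) - 1) copylen = sizeof(av_str) - 1;`, keeps the check right if the declaration is ever changed. A similar concern applies to `CHAR s[PATH_MAX + 80]` in the proc_vol hunk: the code that fills `s` is outside that hunk, so whether the new size is sufficient cannot be checked here, and bounding that write with `sizeof(s)` would make it independent of the declared size.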
@@ -590,7 +594,8 @@ int main(INT argc, CHAR * argv[]) init_unace(); // initialize unace - strcpy(aname, argv[arg_cnt]); // get archive name + strncpy(aname, argv[arg_cnt], sizeof(aname) - 4); // get archive name + aname[sizeof(aname) - 5] = '\0'; if (!(s = (CHAR *) strrchr(aname, DIRSEP))) s = aname; if (!strrchr(s, '.')) debian/patches/002_fix_warnings.patch0000644000000000000000000000155611161535245014727 0ustar Index: b/uac_dcpr.c =================================================================== --- a/uac_dcpr.c +++ b/uac_dcpr.c @@ -67,6 +67,7 @@ void sortrange(INT left, INT right) //sort partial ranges - when very small, sort directly if (left < zr) + { if (left < zr - 1) sortrange(left, zr); else if (sort_freq[left] < sort_freq[zr]) @@ -74,8 +75,10 @@ void sortrange(INT left, INT right) xchg_def(sort_freq[left], sort_freq[zr]); xchg_def(sort_org[left], sort_org[zr]); } + } if (right > zl) + { if (zl < right - 1) sortrange(zl, right); else if (sort_freq[zl] < sort_freq[right]) 
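Review bot: The bounded copy in main silently truncates an over-long archive name, so unace would go on to work with a different path from the one the user supplied. Rejecting the argument is safer than truncating it: test `strlen(argv[arg_cnt]) > sizeof(aname) - 5` before the copy and exit with an error in that case. The `- 4` and `- 5` offsets also need a comment, e.g. `/* leave room for a 4-character extension plus NUL */`, since the hunk does not say what is appended; the following context lines suggest a default extension is added when the name has none. main's body continues outside the hunk.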
@@ -83,6 +86,7 @@ void sortrange(INT left, INT right) xchg_def(sort_freq[zl], sort_freq[right]); xchg_def(sort_org[zl], sort_org[right]); } + } } void quicksort(INT n) debian/control0000644000000000000000000000100611746366022010575 0ustar Source: unace Section: utils Priority: optional Maintainer: Guillem Jover Build-Depends: debhelper (>= 7) Vcs-Browser: http://git.hadrons.org/?p=debian/pkgs/unace.git Vcs-Git: git://git.hadrons.org/git/debian/pkgs/unace.git Standards-Version: 3.9.3 Package: unace Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: extract, test and view .ace archives The unace utility is used for extracting, testing and viewing the contents of archives created with the ACE archiver. debian/README.Debian0000644000000000000000000000040511161535245011231 0ustar unace for Debian ---------------- This is an old version of unace that has been relicensed to GPL. New versions may get relicensed as well but upstream does not promise to do so for now. -- Guillem Jover , Tue, 3 Feb 2004 02:30:09 +0100 debian/source/0000755000000000000000000000000011277443433010476 5ustar debian/source/format0000644000000000000000000000001411277443433011704 0ustar 3.0 (quilt) debian/compat0000644000000000000000000000000211161535245010367 0ustar 7 debian/rules0000755000000000000000000000311211770310132010236 0ustar #!/usr/bin/make -f # GNU copyright 1997 to 1999 by Joey Hess. # Uncomment this to turn on verbose mode. 
#export DH_VERBOSE=1 DEB_HOST_ARCH_ENDIAN := $(shell dpkg-architecture -qDEB_HOST_ARCH_ENDIAN) CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) -DUNIX -DCASEINSENSE ifeq ($(DEB_HOST_ARCH_ENDIAN),little) CPPFLAGS += -DLO_HI_BYTE_ORDER else ifeq ($(DEB_HOST_ARCH_ENDIAN),big) CPPFLAGS += -DHI_LO_BYTE_ORDER else $(error "unknown endian") endif CFLAGS = $(shell dpkg-buildflags --get CFLAGS) -Wall LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS) Makefile: unix/makefile dh_testdir cp -f $^ $@ gccmaked: unix/gccmaked dh_testdir cp -f $^ $@ build-indep: build-arch: Makefile gccmaked dh_testdir $(MAKE) dep CPPFLAGS="$(CPPFLAGS)" $(MAKE) CPPFLAGS="$(CPPFLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" build: build-indep build-arch .PHONY: build-indep build-arch build clean: dh_testdir dh_testroot [ ! -f Makefile ] || $(MAKE) clean rm -f Makefile gccmaked dh_clean install-arch: build-arch dh_testdir dh_testroot dh_prep dh_installdirs #$(MAKE) install DESTDIR=$(CURDIR)/debian/unace dh_install .PHONY: install-arch clean # Build architecture-independent files here. binary-indep: # Nothing to do. # Build architecture-dependent files here. binary-arch: install-arch dh_testdir dh_testroot dh_installchangelogs changes.log dh_installdocs dh_installexamples dh_installman dh_link dh_strip dh_compress dh_fixperms dh_installdeb dh_shlibdeps dh_gencontrol dh_md5sums dh_builddeb binary: binary-indep binary-arch .PHONY: binary-indep binary-arch binary debian/unace.10000644000000000000000000000225711161535245010354 0ustar .TH unace 1 2006-08-07 "1.2b" "unace manual" .\" Please adjust this date whenever revising the manpage. 
.\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME unace \- extract, test and view ACE archives .SH SYNOPSIS .B unace .RI < command > .RI [ switches ] .RI < archive [ .ace ]> .SH DESCRIPTION The \fBunace\fP utility is used for extracting, testing and viewing the contents of archives created with the ACE archiver. .SH COMMANDS .TP .B e Extract files. .TP .B l List archive. .TP .B t Test archive integrity. .TP .B v List archive (verbose). .TP .B x Extract files with full path. .SH SWITCHES .TP .B \-y Assume 'yes' on all questions, never ask for input. .SH SEE ALSO .BR gzip (1), .BR bzip2 (1), .BR zip (1), .BR arj (1), .BR ppmd (1). .SH AUTHOR This manual page was written by Guillem Jover , for the Debian project (but may be used by others). debian/docs0000644000000000000000000000000711161535245010041 0ustar readme debian/install0000644000000000000000000000001611161535245010557 0ustar unace usr/bin debian/changelog0000644000000000000000000001163211770310137011043 0ustar unace (1.2b-10) unstable; urgency=low * Rework debian/rules targets: - Remove install dependency from binary-indep. - Rename build to build-arch. - Rename install to install-arch. - Add new build and build-indep targets. * Now using Standards-Version 3.9.3. * Add empty debian/watch documenting where the original source came from. * Fix format-security build failures. * Use «dpkg-architecture -qDEB_HOST_ARCH_ENDIAN» instead of building a test program to detect the host architecture endianness. * Use dpkg-buildflags to set CPPFLAGS, CFLAGS and LDFLAGS. -- Guillem Jover Wed, 20 Jun 2012 10:57:02 +0200 unace (1.2b-9) unstable; urgency=low * Now using Standards-Version 3.9.2 (no changes needed). 
-- Guillem Jover Fri, 27 May 2011 01:59:37 +0200 unace (1.2b-8) unstable; urgency=low * Switch to debhelper compatibility level 7. * Use dh_prep instead of “dh_clean -k”. * Use $(filter ...) instead of $(findstring ...) to extract space separated options from DEB_BUILD_OPTIONS in debian/rules. * Now using Standards-Version 3.8.3 (no changes needed). * Switch to source format “3.0 (quilt)”: - Remove quilt from Build-Depends. - Remove quilt.make include from debian/rules. - Remove patch and unpatch targets from debian/rules. - Remove now unneeded debian/README.source. -- Guillem Jover Wed, 02 Dec 2009 22:36:40 +0100 unace (1.2b-7) unstable; urgency=low * Update packaging Vcs fields to the new URL. * Add a debian/README.source file. * Now using Standards-Version 3.8.0. * Cleanup debian/copyright: - Change 'Upstream Author' to 'Copyright Holder'. - Add missing copyright years and use UTF-8 copyright symbol. - Refer to GPL-2 from common-licenses instead of just GPL. * Refresh patches with -pab. (Closes: #485261) -- Guillem Jover Sun, 22 Jun 2008 07:53:40 +0300 unace (1.2b-6) unstable; urgency=low * Add Vcs-Browser and Vcs-Svn fields. * Fix debian/rules dependencies to play nice with parallel builds. - Change binary-arch and binary-indep to stop depending on build. - Move patch dependency to unix/makefile. * Now using Standards-Version 3.7.3 (no changes needed). -- Guillem Jover Wed, 05 Dec 2007 06:41:13 +0200 unace (1.2b-5) unstable; urgency=low * Switched to quilt: - Add new debian/patches/series file. - Add Build-Depends on 'quilt (>= 0.40)'. - Include quilt.make from debian/rules. - Remove now unused debian/patch.mk. * Clean up patches: - debian/patches/001_cpp_define.patch: Rediff. - debian/patches/002_fix_warnings.patch: Likewise. - debian/patches/003_security.patch: Likewise. Remove .orig duplicate. * Make the program 64 bit clean, by using to typedef the data types independently of the target system. 
(Closes: #431380) - debian/patches/004_64_bit_clean.patch: New file. * Do not ignore errors from from 'make clean' on the clean target. -- Guillem Jover Tue, 17 Jul 2007 09:29:11 +0300 unace (1.2b-4) unstable; urgency=low * Now using Standards-Version 3.7.2 (no changes needed). * Switched to debhelper compatibility level 5. * Lower-case the manpage title. * Reindent debian/copyright to 4 spaces. * Update FSF address. * Use dh_install instead of using INSTALL_PROGRAM. * Clean up debian/rules: - Remove unused commented debhelper commands. - Do not use a build stamp. - Switch clean to single-colon target, make it depend on unpatch. - Replace the configure target to normal file targets to be copied. * Clean up debian/patch.mk: - Rename clean to unpatch. - Switch patch and unpatch to single-colon targets. - Add unpatch to the PHONY targets. -- Guillem Jover Mon, 7 Aug 2006 15:27:52 +0300 unace (1.2b-3) unstable; urgency=high * Fix several buffer overflows [CAN-2005-0160] and directory traversal bugs [CAN-2005-0161]. (Closes: #296839, #248374) Thanks to Ulf Härnhammar . * Use License: instead of missplaced Copyright: on debian/copyright. * Provide a patch target instead of pre-build. - debian/patch.mk: Likewise. - debian/rules: Fix accordingly. -- Guillem Jover Sun, 27 Feb 2005 03:03:16 +0100 unace (1.2b-2) unstable; urgency=low * debian/test-endian.c: - Added a lost sizeof in the big endian detection. (Closes: #239654) Thanks Falk Hueffner - Print error message to stderr. And fix and improve the message. * debian/copyrigth: Make clearer the origin of the original source. * Added more "SEE ALSO" entries to the man page. -- Guillem Jover Wed, 24 Mar 2004 09:01:32 +0100 unace (1.2b-1) unstable; urgency=low * Initial Release. (Closes: #220930) -- Guillem Jover Sun, 7 Mar 2004 10:58:50 +0100 debian/copyright0000644000000000000000000000213411567564232011134 0ustar This package was debianized by Guillem Jover on Tue, 3 Feb 2004 02:30:09 +0100. 
The original source code was obtained from a mail from the upstream author. Copyright Holder: Copyright © 1998, 2004 Marcel Lemke License: This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA On Debian systems, the complete text of the GNU General Public License can be found in '/usr/share/common-licenses/GPL-2'.