authorBen Lutgens <lamer@gentoo.org>2001-07-12 19:43:49 +0000
committerBen Lutgens <lamer@gentoo.org>2001-07-12 19:43:49 +0000
commitecdb58b09896ef22fd4ffe45b6a2a51a9b60c837 (patch)
tree903bbed15c508f003253726c818d51f22cfa5bed /app-arch/unzip/files
parentfixed doc installs. (diff)
Some security fixes and some touch ups. tar and unzip are both prone to
undesirable directory traversal (nothing like leaving .. unlinked *shudder*) I package.masked unzip-5.42 since their server is busted and I can't test it yet. http://www.security.nnov.ru/advisories <-- is the advisories. rar is also susceptible. Remember you should run archivers under a privileged UID.
Diffstat (limited to 'app-arch/unzip/files')
-rw-r--r--app-arch/unzip/files/unzip-5.42.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/app-arch/unzip/files/unzip-5.42.patch b/app-arch/unzip/files/unzip-5.42.patch
new file mode 100644
index 000000000000..a39d3c7d137e
--- /dev/null
+++ b/app-arch/unzip/files/unzip-5.42.patch
@@ -0,0 +1,31 @@
+*** extract.orig Sun Jan 14 00:40:20 2001
+--- extract.c Mon Jul 9 14:45:42 2001
+***************
+*** 154,159 ****
+--- 154,161 ----
+ #ifndef WINDLL
+ static ZCONST char Far ReplaceQuery[] =
+ "replace %s? [y]es, [n]o, [A]ll, [N]one, [r]ename: ";
++ static ZCONST char Far TraversalWarning[] =
++ "%s skipped because of directory traversal\n";
+ static ZCONST char Far AssumeNone[] = " NULL\n(assuming [N]one)\n";
+ static ZCONST char Far NewNameQuery[] = "new name: ";
+ static ZCONST char Far InvalidResponse[] = "error: invalid response [%c]\n";
+***************
+*** 877,882 ****
+--- 879,893 ----
+ } /* end switch (*answerbuf) */
+ #endif /* ?WINDLL */
+ } /* end if (query) */
++ if(*__G__ G.filename=='/' || !strncmp(__G__ G.filename, "../", 3)
++ || strstr(__G__ G.filename,"/../")){
++ skip_entry = SKIP_Y_EXISTING;
++ #ifndef WINDLL
++ Info(slide, 0x81, ((char *)slide,
++ LoadFarString(TraversalWarning),
++ FnFilter1(G.filename)));
++ #endif
++ }
+ if (skip_entry != SKIP_NO) {
+ #ifdef WINDLL
+ if (skip_entry == SKIP_Y_EXISTING) {
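Review bot: The traversal test added to extract.c matches only a leading `/`, a leading `../` and an embedded `/../`, so a name that is exactly `..` or that ends in `/..` is not rejected; comparing each `/`-separated component against `..` covers those cases as well. The condition also writes `__G__ G.filename` while the `FnFilter1(G.filename)` call a few lines below uses plain `G.filename`; if `__G__` is the argument-list macro that expands to `pG,` in reentrant builds, the condition will not compile or compare as intended there, so plain `G.filename` looks like what was meant. Reusing `SKIP_Y_EXISTING` appears to make a rejected entry indistinguishable from an already-existing file on the WINDLL path, where the warning is compiled out. The enclosing function begins and ends outside the embedded context hunks, so the sketch below covers only the added check.

```c
/* … unchanged: query handling and "end if (query)" … */
            {
                ZCONST char *p = G.filename;
                int traversal = (*p == '/');    /* absolute path */

                while (!traversal && *p) {
                    /* a component is ".." when followed by '/' or the end of the name */
                    if (p[0] == '.' && p[1] == '.' &&
                        (p[2] == '/' || p[2] == '\0'))
                        traversal = 1;
                    while (*p && *p != '/')     /* skip the rest of this component */
                        p++;
                    while (*p == '/')           /* skip the separator(s) */
                        p++;
                }
                if (traversal) {
                    skip_entry = SKIP_Y_EXISTING;
                    /* … unchanged: TraversalWarning Info() call under #ifndef WINDLL … */
                }
            }
```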