package/zip: add patch for CVE-2018-13410

Fixes the following vulnerability:

- CVE-2018-13410

    Info-ZIP Zip 3.0, when the -T and -TT command-line options are used,
    allows attackers to cause a denial of service (invalid free and
    application crash) or possibly have unspecified other impact because
    of an off-by-one error. NOTE: it is unclear whether there are
    realistic scenarios in which an untrusted party controls the -TT
    value, given that the entire purpose of -TT is execution of
    arbitrary commands

For more information, see:
  - https://nvd.nist.gov//vuln/detail/CVE-2018-13410

This patch also includes the patch 0009 which address a buffer overflow
when passing unicode characters that doesn't have a CVE assigned.

Tested with `./support/testing/run-tests -d dl -o output_folder -k tests.package.test_zip`

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>

package/zip/0009-buffer-overflow-unicode-filename.patch

@@ -0,0 +1,23 @@
+From: Shengjing Zhu <shengjing.zhu@canonical.com>
+Subject: Fix buffer overflow when filename contains unicode characters
+Bug-Debian: https://bugs.debian.org/1077054
+Bug-Debian: https://bugs.debian.org/1093629
+Bug-Ubuntu: https://launchpad.net/bugs/2062535
+Forwarded: https://sourceforge.net/p/infozip/bugs/81/
+Origin: https://src.fedoraproject.org/rpms/zip/raw/f41/f/buffer_overflow.patch
+
+Upstream: https://sources.debian.org/src/zip/3.0-15/debian/patches/14-buffer-overflow-unicode-filename.patch
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+diff -Nura a/fileio.c b/fileio.c
+--- a/fileio.c
++++ b/fileio.c
+@@ -3502,7 +3502,7 @@
+   if ((wc_string = (wchar_t *)malloc((wsize + 1) * sizeof(wchar_t))) == NULL) {
+     ZIPERR(ZE_MEM, "local_to_wide_string");
+   }
+-  wsize = mbstowcs(wc_string, local_string, strlen(local_string) + 1);
++  wsize = mbstowcs(wc_string, local_string, wsize + 1);
+   wc_string[wsize] = (wchar_t) 0;
+ 
+   /* in case wchar_t is not zwchar */

package/zip/0010-buffer-overflow-cve-2018-13410.patch

@@ -0,0 +1,25 @@
+From: Florent 'Skia' Jacquet <florent.jacquet@canonical.com>
+Subject: Fix buffer overflow when using '-T -TT'
+Bug-Debian: https://bugs.debian.org/1093629
+Bug-Ubuntu: https://launchpad.net/bugs/2093024
+Forwarded: https://sourceforge.net/p/infozip/bugs/81/
+
+strlen(unzip_path) + strlen(zipname) + " " + "'" + "'" + '\0'
+The additional space required in the `cmd` buffer is 4, not 3.
+
+CVE: CVE-2018-13410
+Upstream: https://sources.debian.org/src/zip/3.0-15/debian/patches/15-buffer-overflow-cve-2018-13410.patch
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+diff -Nura a/zip.c b/zip.c
+--- a/zip.c
++++ b/zip.c
+@@ -1437,7 +1437,7 @@
+     /* Replace first {} with archive name.  If no {} append name to string. */
+     here = strstr(unzip_path, "{}");
+ 
+-    if ((cmd = malloc(strlen(unzip_path) + strlen(zipname) + 3)) == NULL) {
++    if ((cmd = malloc(strlen(unzip_path) + strlen(zipname) + 4)) == NULL) {
+       ziperr(ZE_MEM, "building command string for testing archive");
+     }
+ 

package/zip/zip.mk

@@ -12,6 +12,9 @@ ZIP_LICENSE = Info-ZIP
 ZIP_LICENSE_FILES = LICENSE
 ZIP_CPE_ID_VENDOR = info-zip_project
 
+# 0010-buffer-overflow-cve-2018-13410.patch
+ZIP_IGNORE_CVES += CVE-2018-13410
+
 ifeq ($(BR2_PACKAGE_BZIP2),y)
 ZIP_DEPENDENCIES += bzip2
 endif