gnu: unzip: Fix CVE-2014-9636 and some other bugs.

* gnu/packages/patches/unzip-CVE-2014-9636.patch,
  gnu/packages/patches/unzip-allow-greater-hostver-values.patch,
  gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch,
  gnu/packages/patches/unzip-initialize-symlink-flag.patch,
  gnu/packages/patches/unzip-remove-build-date.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/zip.scm (unzip)[source]: Add patches.
  [arguments]: Use 'modify-phases'.  Remove custom 'configure' phase; pass
  additional make-flags instead.  Add custom 'build' phase that builds
  "generic_gcc" target; remove "generic_gcc" from make-flags.

gnu-system.am

@@ -621,6 +621,11 @@ dist_patch_DATA =						\
   gnu/packages/patches/unzip-CVE-2014-8139.patch		\
   gnu/packages/patches/unzip-CVE-2014-8140.patch		\
   gnu/packages/patches/unzip-CVE-2014-8141.patch		\
+  gnu/packages/patches/unzip-CVE-2014-9636.patch		\
+  gnu/packages/patches/unzip-allow-greater-hostver-values.patch	\
+  gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch	\
+  gnu/packages/patches/unzip-initialize-symlink-flag.patch	\
+  gnu/packages/patches/unzip-remove-build-date.patch		\
   gnu/packages/patches/util-linux-tests.patch			\
   gnu/packages/patches/upower-builddir.patch			\
   gnu/packages/patches/valgrind-glibc-2.21.patch		\

gnu/packages/patches/unzip-CVE-2014-9636.patch

@@ -0,0 +1,41 @@
+Copied from Debian.
+
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+--- a/extract.c
++++ b/extract.c
+@@ -2228,6 +2228,7 @@
+     ulg eb_ucsize;
+     uch *eb_ucptr;
+     int r;
++    ush eb_compr_method;
+ 
+     if (compr_offset < 4)                /* field is not compressed: */
+         return PK_OK;                    /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+         return IZ_EF_TRUNC;             /* no/bad compressed data! */
+ 
++    /* 2014-11-03 Michal Zalewski, SMS.
++     * For STORE method, compressed and uncompressed sizes must agree.
++     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++     */
++    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++    if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++        return PK_ERR;
++
+     if (
+ #ifdef INT_16BIT
+         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||

gnu/packages/patches/unzip-allow-greater-hostver-values.patch

@@ -0,0 +1,16 @@
+Copied from Debian.
+
+From: Santiago Vila <sanvila@debian.org>
+Subject: zipinfo.c: Do not crash when hostver byte is >= 100
+
+--- a/zipinfo.c
++++ b/zipinfo.c
+@@ -2114,7 +2114,7 @@
+             else
+                 attribs[9] = (xattr & UNX_ISVTX)? 'T' : '-';  /* T==undefined */
+ 
+-            sprintf(&attribs[12], "%u.%u", hostver/10, hostver%10);
++            sprintf(&attribs[11], "%2u.%u", hostver/10, hostver%10);
+             break;
+ 
+     } /* end switch (hostnum: external attributes format) */

gnu/packages/patches/unzip-increase-size-of-cfactorstr.patch

@@ -0,0 +1,18 @@
+Copied from Debian.
+
+From: sms
+Subject: Increase size of cfactorstr array to avoid buffer overflow
+Bug-Debian: http://bugs.debian.org/741384
+X-Debian-version: 6.0-11
+
+--- a/list.c
++++ b/list.c
+@@ -97,7 +97,7 @@
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[12];
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;

gnu/packages/patches/unzip-initialize-symlink-flag.patch

@@ -0,0 +1,22 @@
+Copied from Debian.
+
+From: Andreas Schwab <schwab@linux-m68k.org>
+Subject: Initialize the symlink flag
+Bug-Debian: http://bugs.debian.org/717029
+X-Debian-version: 6.0-10
+
+--- a/process.c
++++ b/process.c
+@@ -1758,6 +1758,12 @@
+         = (G.crec.general_purpose_bit_flag & (1 << 11)) == (1 << 11);
+ #endif
+ 
++#ifdef SYMLINKS
++    /* Initialize the symlink flag, may be set by the platform-specific
++       mapattr function.  */
++    G.pInfo->symlink = 0;
++#endif
++
+     return PK_COOL;
+ 
+ } /* end function process_cdir_file_hdr() */

gnu/packages/patches/unzip-remove-build-date.patch

@@ -0,0 +1,19 @@
+Copied from Debian.
+
+From: Jérémy Bobbio <lunar@debian.org>
+Subject: Remove build date
+Bug-Debian: http://bugs.debian.org/782851
+ In order to make unzip build reproducibly, we remove the
+ (already optional) build date from the binary.
+
+--- a/unix/unix.c
++++ b/unix/unix.c
+@@ -1705,7 +1705,7 @@
+ #endif /* Sun */
+ #endif /* SGI */
+ 
+-#ifdef __DATE__
++#if 0
+       " on ", __DATE__
+ #else
+       "", ""

gnu/packages/zip.scm

@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -81,23 +81,29 @@ Compression ratios of 2:1 to 3:1 are common for text files.")
       (sha256
        (base32
         "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"))
-      (patches (list (search-patch "unzip-CVE-2014-8139.patch")
-                     (search-patch "unzip-CVE-2014-8140.patch")
-                     (search-patch "unzip-CVE-2014-8141.patch")))))
+      (patches (map search-patch '("unzip-CVE-2014-8139.patch"
+                                   "unzip-CVE-2014-8140.patch"
+                                   "unzip-CVE-2014-8141.patch"
+                                   "unzip-CVE-2014-9636.patch"
+                                   "unzip-allow-greater-hostver-values.patch"
+                                   "unzip-increase-size-of-cfactorstr.patch"
+                                   "unzip-initialize-symlink-flag.patch"
+                                   "unzip-remove-build-date.patch")))))
     (build-system gnu-build-system)
     ;; no inputs; bzip2 is not supported, since not compiled with BZ_NO_STDIO
     (arguments
-     `(#:make-flags '("generic_gcc")
-       #:phases
-        (alist-replace
-         'configure
-         (lambda* (#:key inputs outputs #:allow-other-keys)
-           (let* ((out (assoc-ref outputs "out")))
-             (copy-file "unix/Makefile" "Makefile")
-             (substitute* "Makefile"
-               (("/usr/local") out)
-               (("/man/") "/share/man/"))))
-        %standard-phases)))
+     `(#:phases (modify-phases %standard-phases
+                  (delete 'configure)
+                  (replace 'build
+                           (lambda* (#:key make-flags #:allow-other-keys)
+                             (zero? (apply system* "make"
+                                           `("-j" ,(number->string
+                                                    (parallel-job-count))
+                                             ,@make-flags
+                                             "generic_gcc"))))))
+       #:make-flags (list "-f" "unix/Makefile"
+                          (string-append "prefix=" %output)
+                          (string-append "MANDIR=" %output "/share/man/man1"))))
     (home-page "http://www.info-zip.org/UnZip.html")
     (synopsis "Decompression and file extraction utility")
     (description