Change logs for unzip source package in Buster

  • unzip (6.0-23+deb10u2) buster; urgency=medium
    
      * Two more patches from Mark Adler for CVE-2019-13232. Closes: #963996.
      - Fix bug in UZbunzip2() that incorrectly updated G.incnt.
      - Fix bug in UZinflate() that incorrectly updated G.incnt.
    
     -- Santiago Vila <email address hidden>  Sun, 10 Jan 2021 16:12:00 +0100
  • unzip (6.0-23+deb10u1) buster; urgency=medium
    
      * Apply three patches by Mark Adler to fix CVE-2019-13232.
      - Fix bug in undefer_input() that misplaced the input state.
      - Detect and reject a zip bomb using overlapped entries.
        Bug discovered by David Fifield. Closes: #931433.
      - Do not raise a zip bomb alert for a misplaced central directory.
        Reported by Peter Green. Closes: #932404.
    
     -- Santiago Vila <email address hidden>  Tue, 30 Jul 2019 22:26:10 +0200
  • unzip (6.0-23) unstable; urgency=medium
    
      * Fix lame code in fileio.c which parsed 64-bit values incorrectly.
        Thanks to David Fifield for the report. Closes: #929502.
    
     -- Santiago Vila <email address hidden>  Wed, 29 May 2019 00:24:08 +0200
  • unzip (6.0-22) unstable; urgency=medium
    
      * Fix buffer overflow in password-protected ZIP archives. Closes: #889838.
        Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
      * Rules-Requires-Root: no.
    
     -- Santiago Vila <email address hidden>  Sat, 09 Feb 2019 18:12:00 +0100
  • unzip (6.0-21) unstable; urgency=medium
    
      * Rename all debian/patches/* to have .patch ending.
      * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
        patch "unzip-6.0_overflow3.diff" from mancha (patch author).
        Update also to follow upstream coding style.
      * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
        in the hope that it's not present anymore in GCC-6.
      * Allow source to be cross-built. Closes: #836051.
      * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
      * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
        Patch by the author.
      * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
        Patch by the author.
    
     -- Santiago Vila <email address hidden>  Sun, 11 Dec 2016 21:03:30 +0100