unzip (6.0-21+deb9u2) stretch; urgency=medium

  * Fix incorrect parsing of 64-bit values in fileio.c. Closes: #929502.
  * Apply three patches by Mark Adler to fix CVE-2019-13232.
    - Fix bug in undefer_input() that misplaced the input state.
    - Detect and reject a zip bomb using overlapped entries.
      Bug discovered by David Fifield. Closes: #931433.
    - Do not raise a zip bomb alert for a misplaced central directory.
      Reported by Peter Green. Closes: #932404.

 -- Santiago Vila <email address hidden>  Mon, 05 Aug 2019 18:10:06 +0200
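The overlapped-entry check behind the CVE-2019-13232 fix, shown here as an added Python example that is not unzip's own code or Debian's patch: it walks the central directory with the standard zipfile module, computes the byte range each entry claims (local header plus compressed data), and flags any two ranges that intersect, which a well-formed archive never has. The sample archive is constructed inline.

```python
import io
import zipfile

LOCAL_HEADER_FIXED = 30  # fixed part of a local file header (PKZIP APPNOTE 4.3.7)


def entry_spans(zip_bytes):
    """Return (name, start, end) per central-directory entry: the byte range of
    its local header, name, extra field and compressed data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = zip_bytes[off:off + LOCAL_HEADER_FIXED]
            if hdr[:4] != b"PK\x03\x04":
                raise ValueError(f"{info.filename}: bad local header signature")
            name_len = int.from_bytes(hdr[26:28], "little")
            extra_len = int.from_bytes(hdr[28:30], "little")
            end = off + LOCAL_HEADER_FIXED + name_len + extra_len + info.compress_size
            spans.append((info.filename, off, end))
    return spans


def find_overlaps(spans):
    """Return (earlier, later) name pairs whose byte ranges intersect.
    Two central-directory entries sharing local data is the signature of the
    overlapping-entry zip bomb; a clean archive yields an empty list."""
    overlaps = []
    prev_name, prev_end = None, -1
    for name, start, end in sorted(spans, key=lambda s: s[1]):
        if start < prev_end:  # starts before the furthest-reaching earlier entry ends
            overlaps.append((prev_name, name))
        if end > prev_end:
            prev_name, prev_end = name, end
    return overlaps


def build_sample_zip():
    """Constructed two-entry archive used as a clean baseline (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "A" * 1000)
        zf.writestr("b.txt", "B" * 1000)
    return buf.getvalue()


if __name__ == "__main__":
    spans = entry_spans(build_sample_zip())
    print(spans, find_overlaps(spans))
```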

unzip (6.0-21+deb9u1) stretch; urgency=medium

  * Fix buffer overflow in password protected ZIP archives. Closes: #889838.
    Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.

 -- Santiago Vila <email address hidden>  Wed, 17 Apr 2019 21:23:40 +0200

unzip (6.0-21) unstable; urgency=medium

  * Rename all debian/patches/* to have .patch ending.
  * Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
    patch "unzip-6.0_overflow3.diff" from mancha (patch author).
    Update also to follow upstream coding style.
  * Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
    in the hope that it's not present anymore in GCC-6.
  * Allow source to be cross-built. Closes: #836051.
  * Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
  * Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
    Patch by the author.
  * Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
    Patch by the author.

 -- Santiago Vila <email address hidden>  Sun, 11 Dec 2016 21:03:30 +0100

unzip (6.0-20) unstable; urgency=high

  * Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
    regression on encrypted 0-byte files. Closes: #804595.
    Thanks to Marc Deslauriers for the fix in Ubuntu.

 -- Santiago Vila <email address hidden>  Mon, 09 Nov 2015 22:15:32 +0100

unzip (6.0-19) unstable; urgency=medium

  * Fix infinite loop when extracting password-protected archive.
    This is CVE-2015-7697. Closes: #802160.
  * Fix heap overflow when extracting password-protected archive.
    This is CVE-2015-7696. Closes: #802162.
  * Fix additional unsigned overflow on invalid input.
  * Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
    from which this upload is mainly derived.

 -- Santiago Vila <email address hidden>  Thu, 22 Oct 2015 12:12:46 +0200

unzip (6.0-18) unstable; urgency=medium

  * Ship a debian/copyright file in source package instead of generating
    it at build time. Closes: #795567.

 -- Santiago Vila <email address hidden>  Sun, 16 Aug 2015 23:34:42 +0200

unzip (6.0-17) unstable; urgency=medium

  * Switch to dh.
  * Remove build date embedded in binary to make the build reproducible.
    Thanks to Jérémy Bobbio <email address hidden>. Closes: #782851.

 -- Santiago Vila <email address hidden>  Sun, 17 May 2015 12:41:52 +0200

unzip (6.0-16) unstable; urgency=medium

  * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
    the right way (patch by the author). Closes: #775640.
  * Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
  * Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
    file from the author.

 -- Santiago Vila <email address hidden>  Fri, 30 Jan 2015 22:16:08 +0100