-
unzip (6.0-4ubuntu2.6) precise-security; urgency=medium
* SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
- debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
printing an oversized compression method number in list.c.
- CVE-2014-9913
* SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
- debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
oversized compression method number in zipinfo.c.
- CVE-2016-9844
* SECURITY UPDATE: buffer overflow
- debian/patches/07-increase-size-of-cfactorstr: Increase size of
cfactorstr array in list.c.
- CVE-2018-18384
* SECURITY UPDATE: buffer overflow in password protected ZIP archives
- debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
check before allocating memory in fileio.c.
- CVE-2018-1000035
* SECURITY UPDATE: denial of service (resource consumption)
- debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
in undefer_input() of fileio.c that misplaced the input state.
- debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
Detect and reject a zip bomb using overlapped entries.
- debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
Do not raise a zip bomb alert for a misplaced central directory.
- CVE-2019-13232
-- Avital Ostromich <email address hidden> Fri, 04 Dec 2020 09:30:42 -0500
-
unzip (6.0-4ubuntu2.5) precise-security; urgency=medium
* debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
regression in handling 0-byte files (LP: #1513293)
-- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:17:52 -0600
-
unzip (6.0-4ubuntu2.4) precise-security; urgency=medium
* SECURITY UPDATE: denial of service and possible code execution via
heap overflow
- debian/patches/14-cve-2015-7696: add check to crypt.c.
- CVE-2015-7696
* SECURITY UPDATE: infinite loop when extracting empty bzip2 data
- debian/patches/15-cve-2015-7697: check for empty input in extract.c.
- CVE-2015-7697
* SECURITY UPDATE: unsigned overflow on invalid input
- debian/patches/16-fix-integer-underflow-csiz-decrypted: make sure
csiz_decrypted doesn't overflow in extract.c.
- No CVE number
-- Marc Deslauriers <email address hidden> Thu, 29 Oct 2015 10:33:52 -0400
-
unzip (6.0-4ubuntu2.3) precise-security; urgency=medium
* SECURITY UPDATE: heap overflow in charset_to_intern()
- debian/patches/04-unzip60-alt-iconv-utf8: updated to fix buffer
overflow in unix/unix.c.
- CVE-2015-1315
* SECURITY REGRESSION: regression with executable jar files
- debian/patches/09-cve-2014-8139-crc-overflow: updated to fix
regression.
* SECURITY REGRESSION: regression with certain compressed data headers
- debian/patches/12-cve-2014-9636-test-compr-eb: updated to fix
regression.
-- Marc Deslauriers <email address hidden> Tue, 17 Feb 2015 14:19:20 -0500
-
unzip (6.0-4ubuntu2.2) precise-security; urgency=medium
* SECURITY UPDATE: heap overflow via mismatched block sizes
- debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
uncompressed block sizes match when using STORED method in extract.c.
- CVE-2014-9636
-- Marc Deslauriers <email address hidden> Thu, 29 Jan 2015 11:38:13 -0500
-
unzip (6.0-4ubuntu2.1) precise-security; urgency=medium
* SECURITY UPDATE: CRC32 verification heap-based overflow
- debian/patches/09-cve-2014-8139-crc-overflow: check extra block
length in extract.c.
- CVE-2014-8139
* SECURITY UPDATE: out-of-bounds write issue in test_compr_eb()
- debian/patches/10-cve-2014-8140-test-compr-eb: properly validate
sizes in extract.c.
- CVE-2014-8140
* SECURITY UPDATE: out-of-bounds read issues in getZip64Data()
- debian/patches/11-cve-2014-8141-getzip64data: validate extra fields
in fileio.c, check sizes in process.c.
- CVE-2014-8141
-- Marc Deslauriers <email address hidden> Wed, 07 Jan 2015 16:14:50 -0500
-
unzip (6.0-4ubuntu2) precise-proposed; urgency=low
* Fix incorrectly displayed file names with UTF-8 characters.
Add -DNO_WORKING_ISPRINT to build flags. (LP: #1199239, LP: #580961)
-- Brian Murray <email address hidden> Wed, 06 Nov 2013 10:21:26 -0800
-
unzip (6.0-4ubuntu1) natty; urgency=low
* Added patch from archlinux which adds the -O option allowing a charset
to be specified for the proper unzipping of non-latin and non-unicode
filenames. (LP: #580961)
-- Brian Thomason <email address hidden> Wed, 12 Jan 2011 20:08:14 -0500
