-
unzip (6.0-17ubuntu1.2) wily-security; urgency=medium
* debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
regression in handling 0-byte files (LP: #1513293)
-- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:08:12 -0600
-
unzip (6.0-17ubuntu1.1) wily-security; urgency=medium
* SECURITY UPDATE: denial of service and possible code execution via
heap overflow
- debian/patches/14-cve-2015-7696: add check to crypt.c.
- CVE-2015-7696
* SECURITY UPDATE: infinite loop when extracting empty bzip2 data
- debian/patches/15-cve-2015-7697: check for empty input in extract.c.
- CVE-2015-7697
* SECURITY UPDATE: unsigned overflow on invalid input
- debian/patches/16-fix-integer-underflow-csiz-decrypted: make sure
csiz_decrypted doesn't overflow in extract.c.
- No CVE number
-- Marc Deslauriers <email address hidden> Thu, 29 Oct 2015 10:15:00 -0400
-
unzip (6.0-17ubuntu1) wily; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
unzip (6.0-17) unstable; urgency=medium
* Switch to dh.
* Remove build date embedded in binary to make the build reproducible.
Thanks to Jérémy Bobbio <email address hidden>. Closes: #782851.
unzip (6.0-16) unstable; urgency=medium
* Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
the right way (patch by the author). Closes: #775640.
* Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
* Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
file from the author.
unzip (6.0-15) unstable; urgency=medium
* Fix heap overflow. Ensure that compressed and uncompressed
block sizes match when using STORED method in extract.c.
Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
For reference, this is CVE-2014-9636.
unzip (6.0-14) unstable; urgency=medium
* Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
Closes: #773785.
-- Marc Deslauriers <email address hidden> Fri, 22 May 2015 12:31:51 -0400
-
unzip (6.0-13ubuntu3) vivid; urgency=medium
* SECURITY UPDATE: heap overflow in charset_to_intern()
- debian/patches/20-unzip60-alt-iconv-utf8: updated to fix buffer
overflow in unix/unix.c.
- CVE-2015-1315
* SECURITY REGRESSION: regression with executable jar files
- debian/patches/09-cve-2014-8139-crc-overflow: updated to fix
regression.
* SECURITY REGRESSION: regression with certain compressed data headers
- debian/patches/12-cve-2014-9636-test-compr-eb: updated to fix
regression.
-- Marc Deslauriers <email address hidden> Tue, 17 Feb 2015 14:22:58 -0500