-
unzip (6.0-20ubuntu1.1) xenial-security; urgency=medium
* SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
- debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
printing an oversized compression method number in list.c.
- CVE-2014-9913
* SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
- debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
oversized compression method number in zipinfo.c.
- CVE-2016-9844
* SECURITY UPDATE: buffer overflow in password protected ZIP archives
- debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
check before allocating memory in fileio.c.
- CVE-2018-1000035
* SECURITY UPDATE: denial of service (resource consumption)
- debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
in undefer_input() of fileio.c that misplaced the input state.
- debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
Detect and reject a zip bomb using overlapped entries.
- debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
Do not raise a zip bomb alert for a misplaced central directory.
- CVE-2019-13232
-- Avital Ostromich <email address hidden> Wed, 25 Nov 2020 20:01:25 -0500
-
unzip (6.0-20ubuntu1) xenial; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
unzip (6.0-20) unstable; urgency=high
* Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
regression on encrypted 0-byte files. Closes: #804595.
Thanks to Marc Deslauriers for the fix in Ubuntu.
-- Marc Deslauriers <email address hidden> Fri, 20 Nov 2015 09:16:18 -0500
-
unzip (6.0-19ubuntu2) xenial; urgency=medium
* debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
regression in handling 0-byte files (LP: #1513293)
-- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 08:51:17 -0600
-
unzip (6.0-19ubuntu1) xenial; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
unzip (6.0-19) unstable; urgency=medium
* Fix infinite loop when extracting password-protected archive.
This is CVE-2015-7697. Closes: #802160.
* Fix heap overflow when extracting password-protected archive.
This is CVE-2015-7696. Closes: #802162.
* Fix additional unsigned overflow on invalid input.
* Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
from which this upload is mainly derived.
unzip (6.0-18) unstable; urgency=medium
* Ship a debian/copyright file in source package instead of generating
it a build time. Closes: #795567.
-- Sebastien Bacher <email address hidden> Fri, 23 Oct 2015 15:58:43 +0200
-
unzip (6.0-17ubuntu1) wily; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
unzip (6.0-17) unstable; urgency=medium
* Switch to dh.
* Remove build date embedded in binary to make the build reproducible.
Thanks to Jérémy Bobbio <email address hidden>. Closes: #782851.
unzip (6.0-16) unstable; urgency=medium
* Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
the right way (patch by the author). Closes: #775640.
* Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
* Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
file from the author.
unzip (6.0-15) unstable; urgency=medium
* Fix heap overflow. Ensure that compressed and uncompressed
block sizes match when using STORED method in extract.c.
Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
For reference, this is CVE-2014-9636.
unzip (6.0-14) unstable; urgency=medium
* Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
Closes: #773785.
-- Marc Deslauriers <email address hidden> Fri, 22 May 2015 12:31:51 -0400