-
unzip (6.0-13ubuntu3.2) vivid-security; urgency=medium
* debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
regression in handling 0-byte files (LP: #1513293)
-- Marc Deslauriers <email address hidden> Mon, 09 Nov 2015 09:14:34 -0600
-
unzip (6.0-13ubuntu3.1) vivid-security; urgency=medium
* SECURITY UPDATE: denial of service and possible code execution via
heap overflow
- debian/patches/14-cve-2015-7696: add check to crypt.c.
- CVE-2015-7696
* SECURITY UPDATE: infinite loop when extracting empty bzip2 data
- debian/patches/15-cve-2015-7697: check for empty input in extract.c.
- CVE-2015-7697
* SECURITY UPDATE: unsigned overflow on invalid input
- debian/patches/16-fix-integer-underflow-csiz-decrypted: make sure
csiz_decrypted doesn't overflow in extract.c.
- No CVE number
-- Marc Deslauriers <email address hidden> Thu, 29 Oct 2015 10:29:02 -0400
-
unzip (6.0-13ubuntu3) vivid; urgency=medium
* SECURITY UPDATE: heap overflow in charset_to_intern()
- debian/patches/20-unzip60-alt-iconv-utf8: updated to fix buffer
overflow in unix/unix.c.
- CVE-2015-1315
* SECURITY REGRESSION: regression with executable jar files
- debian/patches/09-cve-2014-8139-crc-overflow: updated to fix
regression.
* SECURITY REGRESSION: regression with certain compressed data headers
- debian/patches/12-cve-2014-9636-test-compr-eb: updated to fix
regression.
-- Marc Deslauriers <email address hidden> Tue, 17 Feb 2015 14:22:58 -0500
-
unzip (6.0-13ubuntu2) vivid; urgency=medium
* SECURITY UPDATE: heap overflow via mismatched block sizes
- debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
uncompressed block sizes match when using STORED method in extract.c.
- CVE-2014-9636
-- Marc Deslauriers <email address hidden> Thu, 29 Jan 2015 11:16:07 -0500
-
unzip (6.0-13ubuntu1) vivid; urgency=medium
* Merge with Debian; remaining changes:
unzip (6.0-13) unstable; urgency=medium
* Apply upstream fix for three security bugs. Closes: #773722.
CVE-2014-8139: CRC32 verification heap-based overflow
CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
CVE-2014-8141: out-of-bounds read issues in getZip64Data()
-- Matthias Klose <email address hidden> Thu, 25 Dec 2014 13:34:55 +0100
-
unzip (6.0-12ubuntu1) utopic; urgency=medium
* Resynchronise with Debian. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
unzip (6.0-12) unstable; urgency=medium
* Fix zipinfo crash where a value <= 25.5 was printed in a buffer
having room only for values < 10.0. The integral part is now printed
at attribs[11] using %2u instead of attribs[12] using %u.
This way the output is the same as before for values < 10.
Authors tell me that the next unzip release will have a fix
like this, at least for the Unix case. Closes: #744212.
unzip (6.0-11) unstable; urgency=medium
* Lowered mime priority to 3, somewhat below 5 which is file-roller
default value. Closes: #727306.
* Increase size of cfactorstr array in list.c to avoid a buffer
overflow problem. Closes: #741384.
unzip (6.0-10) unstable; urgency=low
* Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
Reported by Jeff King. Patch by Andreas Schwab.
* Added recommended targets build-arch and build-indep.
* Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
the last version was a dummy transitional package.
* The copyright file is generated from copyright.in at build time.
Added lintian override for no-debian-copyright.
-- Colin Watson <email address hidden> Thu, 05 Jun 2014 10:03:44 +0100
