UbuntuUpdates.org

Package "unzip"

Name: unzip

Description:

De-archiver for .zip files

Latest version: 6.0-21ubuntu1.2
Release: bionic (18.04)
Level: security
Repository: main
Homepage: http://www.info-zip.org/UnZip.html


Other versions of "unzip" in Bionic

Repository  Area  Version
base        main  6.0-21ubuntu1
updates     main  6.0-21ubuntu1.2

Changelog

Version: 6.0-21ubuntu1.2 2022-10-13 12:06:31 UTC

  unzip (6.0-21ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference in unzip (LP: #1957077)
    - debian/patches/CVE-2021-4217.patch: Fix null pointer dereference and use
      of uninitialized data
    - CVE-2021-4217
  * SECURITY UPDATE: Out-of-bound write vulnerability in unzip
    - debian/patches/CVE-2022-0529.patch: Fix wide string conversion in
      process.c
    - debian/patches/CVE-2022-0530.patch: Add missing error handling in
      fileio.c and process.c
    - CVE-2022-0529
    - CVE-2022-0530

 -- Nishit Majithia <email address hidden> Fri, 07 Oct 2022 22:38:33 +0530

LP: #1957077 SIGSEGV during processing of unicode string
CVE-2021-4217 A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This f
CVE-2022-0529 A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound wri
CVE-2022-0530 A flaw was found in Unzip. The vulnerability occurs during the conversion of a wide string to a local string that leads to a heap of out-of-bound wri

Version: 6.0-21ubuntu1.1 2020-12-16 16:08:27 UTC

  unzip (6.0-21ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-1000035
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
      in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich <email address hidden> Thu, 26 Nov 2020 16:01:36 -0500

CVE-2018-1000035 A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to per
CVE-2019-13232 Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip


