UbuntuUpdates.org

Package "unzip"

Name: unzip

Description:

De-archiver for .zip files

Latest version: 6.0-4ubuntu2.6
Release: precise (12.04)
Level: security
Repository: main
Homepage: http://www.info-zip.org/UnZip.html

Links


Download "unzip"


Other versions of "unzip" in Precise

Repository Area Version
base main 6.0-4ubuntu1
updates main 6.0-4ubuntu2.6

Changelog

Version: 6.0-4ubuntu2.6 2021-05-03 15:06:19 UTC

  unzip (6.0-4ubuntu2.6) precise-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
    - debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
      printing an oversized compression method number in list.c.
    - CVE-2014-9913
  * SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
    - debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
      oversized compression method number in zipinfo.c.
    - CVE-2016-9844
  * SECURITY UPDATE: buffer overflow
    - debian/patches/07-increase-size-of-cfactorstr: Increase size of
      cfactorstr array in list.c.
    - CVE-2018-18384
  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-1000035
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
      in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich <email address hidden> Fri, 04 Dec 2020 09:30:42 -0500

Source diff to previous version
387350 Buffer overflow in unzip with hand-crafted ZIP file
1643750 Buffer Overflow in ZipInfo
CVE-2014-9913 Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors r
CVE-2016-9844 Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large
CVE-2018-18384 Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive has a crafted relationship between the compressed-size value and the uncompres
CVE-2018-1000035 A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to per
CVE-2019-13232 Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip

Version: 6.0-4ubuntu2.5 2015-11-09 17:06:15 UTC

  unzip (6.0-4ubuntu2.5) precise-security; urgency=medium

  * debian/patches/16-fix-integer-underflow-csiz-decrypted: updated to fix
    regression in handling 0-byte files (LP: #1513293)

 -- Marc Deslauriers Mon, 09 Nov 2015 09:17:52 -0600

Source diff to previous version
1513293 unzip security update leads to extracting errors

Version: 6.0-4ubuntu2.4 2015-10-29 18:06:17 UTC

  unzip (6.0-4ubuntu2.4) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    heap overflow
    - debian/patches/14-cve-2015-7696: add check to crypt.c.
    - CVE-2015-7696
  * SECURITY UPDATE: infinite loop when extracting empty bzip2 data
    - debian/patches/15-cve-2015-7697: check for empty input in extract.c.
    - CVE-2015-7697
  * SECURITY UPDATE: unsigned overflow on invalid input
    - debian/patches/16-fix-integer-underflow-csiz-decrypted: make sure
      csiz_decrypted doesn't overflow in extract.c.
    - No CVE number

 -- Marc Deslauriers Thu, 29 Oct 2015 10:33:52 -0400

Source diff to previous version
CVE-2015-7696 Heap buffer overflow when extracting password-protected archive
CVE-2015-7697 Infinite loop when extracting password-protected archive

Version: 6.0-4ubuntu2.3 2015-02-17 21:06:39 UTC

  unzip (6.0-4ubuntu2.3) precise-security; urgency=medium

  * SECURITY UPDATE: heap overflow in charset_to_intern()
    - debian/patches/04-unzip60-alt-iconv-utf8: updated to fix buffer
      overflow in unix/unix.c.
    - CVE-2015-1315
  * SECURITY REGRESSION: regression with executable jar files
    - debian/patches/09-cve-2014-8139-crc-overflow: updated to fix
      regression.
  * SECURITY REGRESSION: regression with certain compressed data headers
    - debian/patches/12-cve-2014-9636-test-compr-eb: updated to fix
      regression.
 -- Marc Deslauriers <email address hidden> Tue, 17 Feb 2015 14:19:20 -0500

Source diff to previous version

Version: 6.0-4ubuntu2.2 2015-02-03 19:06:19 UTC

  unzip (6.0-4ubuntu2.2) precise-security; urgency=medium

  * SECURITY UPDATE: heap overflow via mismatched block sizes
    - debian/patches/12-cve-2014-9636-test-compr-eb: ensure compressed and
      uncompressed block sizes match when using STORED method in extract.c.
    - CVE-2014-9636
 -- Marc Deslauriers <email address hidden> Thu, 29 Jan 2015 11:38:13 -0500

CVE-2014-9636 OOB access (both read and write) issues in test_compr_eb



About   -   Send Feedback to @ubuntu_updates