unzip (6.0-26ubuntu3.2) jammy; urgency=medium
* Properly handle Microsoft ZIP64 file (LP: #2051952)
- debian/patches/handle_windows_zip64.patch: ignore invalid "Total
number of disks" field in process.c.
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 01 Feb 2024 10:52:55 -0500
unzip (6.0-26ubuntu3.1) jammy-security; urgency=medium
* SECURITY UPDATE: Null pointer dereference in unzip (LP: #1957077)
- debian/patches/CVE-2021-4217.patch: Fix null pointer dereference and use
of uninitialized data
- CVE-2021-4217
* SECURITY UPDATE: Out-of-bound write vulnerability in unzip
- debian/patches/CVE-2022-0529.patch: Fix wide string conversion in
process.c
- debian/patches/CVE-2022-0530.patch: Add missing error handling in
fileio.c and process.c
- CVE-2022-0529
- CVE-2022-0530
-- Nishit Majithia <nishit.majithia@canonical.com> Fri, 07 Oct 2022 22:51:05 +0530
unzip (6.0-26ubuntu3) jammy; urgency=high
* No change rebuild for ppc64el baseline bump.
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 25 Mar 2022 10:59:33 +0100
unzip (6.0-26ubuntu2) impish; urgency=medium
* No-change rebuild to build packages with zstd compression.
-- Matthias Klose <doko@ubuntu.com> Thu, 07 Oct 2021 12:25:55 +0200
unzip (6.0-26ubuntu1) hirsute; urgency=low
* Merge from Debian unstable. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 29 Jan 2021 12:10:20 -0800
unzip (6.0-26) unstable; urgency=medium
* Two more patches from Mark Adler for CVE-2019-13232. Closes: #963996.
- Fix bug in UZbunzip2() that incorrectly updated G.incnt.
- Fix bug in UZinflate() that incorrectly updated G.incnt.
* Avoid weird zipgrep errors when no members are present.
Thanks to Kevin Locke. Closes: #972233.
* Update dependency on debhelper.
-- Santiago Vila <sanvila@debian.org> Sun, 10 Jan 2021 15:34:00 +0100
unzip (6.0-25ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Aug 2019 23:39:12 -0700
unzip (6.0-25) unstable; urgency=medium
* Apply one more patch by Mark Adler:
- Do not raise a zip bomb alert for a misplaced central directory.
This should allow Firefox to build again. Closes: #932404.
Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.
-- Santiago Vila <sanvila@debian.org> Sat, 27 Jul 2019 18:01:36 +0200
unzip (6.0-24ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- Add patch from archlinux which adds the -O option, allowing a charset
to be specified for the proper unzipping of non-Latin and non-Unicode
filenames.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 15 Jul 2019 22:02:02 -0700
unzip (6.0-24) unstable; urgency=medium
* Apply two patches by Mark Adler:
- Fix bug in undefer_input() that misplaced the input state.
- Detect and reject a zip bomb using overlapped entries. Closes: #931433.
Bug discovered by David Fifield. For reference, this is CVE-2019-13232.
-- Santiago Vila <sanvila@debian.org> Thu, 11 Jul 2019 18:03:34 +0200
# For older changelog entries, run 'apt-get changelog unzip'
Generated by dwww version 1.14 on Tue Aug 26 07:19:18 CEST 2025.