1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494
|
unzip (6.0-23+deb10u2) buster; urgency=medium
* Two more patches from Mark Adler for CVE-2019-13232. Closes: #963996.
- Fix bug in UZbunzip2() that incorrectly updated G.incnt.
- Fix bug in UZinflate() that incorrectly updated G.incnt.
-- Santiago Vila <sanvila@debian.org> Sun, 10 Jan 2021 16:12:00 +0100
unzip (6.0-23+deb10u1) buster; urgency=medium
* Apply three patches by Mark Adler to fix CVE-2019-13232.
- Fix bug in undefer_input() that misplaced the input state.
- Detect and reject a zip bomb using overlapped entries.
Bug discovered by David Fifield. Closes: #931433.
- Do not raise a zip bomb alert for a misplaced central directory.
Reported by Peter Green. Closes: #932404.
-- Santiago Vila <sanvila@debian.org> Tue, 30 Jul 2019 22:26:10 +0200
unzip (6.0-23) unstable; urgency=medium
* Fix lame code in fileio.c which parsed 64-bit values incorrectly.
Thanks to David Fifield for the report. Closes: #929502.
-- Santiago Vila <sanvila@debian.org> Wed, 29 May 2019 00:24:08 +0200
unzip (6.0-22) unstable; urgency=medium
* Fix buffer overflow in password protected ZIP archives. Closes: #889838.
Patch borrowed from SUSE. For reference, this is CVE-2018-1000035.
* Rules-Requires-Root: no.
-- Santiago Vila <sanvila@debian.org> Sat, 09 Feb 2019 18:12:00 +0100
unzip (6.0-21) unstable; urgency=medium
* Rename all debian/patches/* to have .patch ending.
* Update 12-cve-2014-9636-test-compr-eb.patch to follow revised
patch "unzip-6.0_overflow3.diff" from mancha (patch author).
Update also to follow upstream coding style.
* Drop workaround for gcc optimization bug on ARM (GCC Bug #764732)
in the hope that it's not present anymore in GCC-6.
* Allow source to be cross-built. Closes: #836051.
* Do not ignore Unix Timestamps. Closes: #842993. Patch by the author.
* Fix CVE-2014-9913, buffer overflow in unzip. Closes: #847485.
Patch by the author.
* Fix CVE-2016-9844, buffer overflow in zipinfo. Closes: #847486.
Patch by the author.
-- Santiago Vila <sanvila@debian.org> Sun, 11 Dec 2016 21:03:30 +0100
unzip (6.0-20) unstable; urgency=high
* Update debian/patches/16-fix-integer-underflow-csiz-decrypted to fix
regression on encrypted 0-byte files. Closes: #804595.
Thanks to Marc Deslauriers for the fix in Ubuntu.
-- Santiago Vila <sanvila@debian.org> Mon, 09 Nov 2015 22:15:32 +0100
unzip (6.0-19) unstable; urgency=medium
* Fix infinite loop when extracting password-protected archive.
This is CVE-2015-7697. Closes: #802160.
* Fix heap overflow when extracting password-protected archive.
This is CVE-2015-7696. Closes: #802162.
* Fix additional unsigned overflow on invalid input.
* Thanks a lot to Raphaël Hertzog for the squeeze-lts release,
from which this upload is mainly derived.
-- Santiago Vila <sanvila@debian.org> Thu, 22 Oct 2015 12:12:46 +0200
unzip (6.0-18) unstable; urgency=medium
* Ship a debian/copyright file in source package instead of generating
it a build time. Closes: #795567.
-- Santiago Vila <sanvila@debian.org> Sun, 16 Aug 2015 23:34:42 +0200
unzip (6.0-17) unstable; urgency=medium
* Switch to dh.
* Remove build date embedded in binary to make the build reproducible.
Thanks to Jérémy Bobbio <lunar@debian.org>. Closes: #782851.
-- Santiago Vila <sanvila@debian.org> Sun, 17 May 2015 12:41:52 +0200
unzip (6.0-16) unstable; urgency=medium
* Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
the right way (patch by the author). Closes: #775640.
* Update 10-cve-2014-8140-test-compr-eb to apply cleanly.
* Update 12-cve-2014-9636-test-compr-eb to follow the extract.c
file from the author.
-- Santiago Vila <sanvila@debian.org> Fri, 30 Jan 2015 22:16:08 +0100
unzip (6.0-15) unstable; urgency=medium
* Fix heap overflow. Ensure that compressed and uncompressed
block sizes match when using STORED method in extract.c.
Patch taken from Ubuntu. Thanks a lot. Closes: #776589.
For reference, this is CVE-2014-9636.
-- Santiago Vila <sanvila@debian.org> Thu, 29 Jan 2015 18:39:52 +0100
unzip (6.0-14) unstable; urgency=medium
* Drop -O2 optimization on armhf as a workaround for gcc Bug #764732.
Closes: #773785.
-- Santiago Vila <sanvila@debian.org> Tue, 30 Dec 2014 22:17:12 +0100
unzip (6.0-13) unstable; urgency=medium
* Apply upstream fix for three security bugs. Closes: #773722.
CVE-2014-8139: CRC32 verification heap-based overflow
CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
CVE-2014-8141: out-of-bounds read issues in getZip64Data()
-- Santiago Vila <sanvila@debian.org> Mon, 22 Dec 2014 19:16:10 +0100
unzip (6.0-12) unstable; urgency=medium
* Fix zipinfo crash where a value <= 25.5 was printed in a buffer
having room only for values < 10.0. The integral part is now printed
at attribs[11] using %2u instead of attribs[12] using %u.
This way the output is the same as before for values < 10.
Authors tell me that the next unzip release will have a fix
like this, at least for the Unix case. Closes: #744212.
-- Santiago Vila <sanvila@debian.org> Thu, 24 Apr 2014 23:39:38 +0200
unzip (6.0-11) unstable; urgency=medium
* Lowered mime priority to 3, somewhat below 5 which is file-roller
default value. Closes: #727306.
* Increase size of cfactorstr array in list.c to avoid a buffer
overflow problem. Closes: #741384.
-- Santiago Vila <sanvila@debian.org> Mon, 17 Mar 2014 17:38:50 +0100
unzip (6.0-10) unstable; urgency=low
* Fixed bug "unzip thinks some files are symlinks". Closes: #717029.
Reported by Jeff King. Patch by Andreas Schwab.
* Added recommended targets build-arch and build-indep.
* Dropped obsolete Conflicts and Replaces on unzip-crypt, for which
the last version was a dummy transitional package.
* The copyright file is generated from copyright.in at build time.
Added lintian override for no-debian-copyright.
-- Santiago Vila <sanvila@debian.org> Mon, 14 Oct 2013 18:48:40 +0200
unzip (6.0-9) unstable; urgency=low
* Added NO_WORKING_ISPRINT to DEFINES so that UTF8 filenames are
displayed correctly. Reported by Slavek Banko. Closes: #682682.
* Use the right strip command when cross-building. Closes: #695141.
-- Santiago Vila <sanvila@debian.org> Sun, 24 Feb 2013 17:12:00 +0100
unzip (6.0-8) unstable; urgency=low
* Made unzip -X to actually restore uid/gid information.
Closes: #689212. Thanks to Axel Scheepers for the report.
* Disabled memcpy, as it is being used on overlapping buffers,
leading to data corruption. Closes: #694601.
Thanks to M Joonas Pihlaja for the report.
-- Santiago Vila <sanvila@debian.org> Wed, 28 Nov 2012 12:41:34 +0100
unzip (6.0-7) unstable; urgency=low
* Added Multi-Arch: foreign. Closes: #678812.
-- Santiago Vila <sanvila@debian.org> Sat, 30 Jun 2012 14:17:42 +0200
unzip (6.0-6) unstable; urgency=low
* Added hardening flags. Closes: #656268.
-- Santiago Vila <sanvila@debian.org> Sun, 01 Apr 2012 00:01:40 +0200
unzip (6.0-5) unstable; urgency=low
* Handle the PKWare verification bit of internal attributes.
Patch taken from 6.10 beta. Thanks to sms. Closes: #630078.
-- Santiago Vila <sanvila@debian.org> Fri, 01 Jul 2011 19:06:08 +0200
unzip (6.0-4) unstable; urgency=low
* Added homepage field to control file.
* Switch to 3.0 (quilt) source format.
* Support cross-build.
-- Santiago Vila <sanvila@debian.org> Sun, 21 Feb 2010 17:01:00 +0100
unzip (6.0-3) unstable; urgency=low
* Added "set -e" to postinst and postrm.
-- Santiago Vila <sanvila@debian.org> Tue, 09 Feb 2010 23:53:42 +0100
unzip (6.0-2) unstable; urgency=low
* Do not ignore errors from make clean (lintian warning)
* Remove .comment section from executables (lintian warning).
* Added mime stuff so that mutt is able to see the contents of a zipfile
using "unzip -l". Closes: #474538.
-- Santiago Vila <sanvila@debian.org> Mon, 08 Feb 2010 18:44:00 +0100
unzip (6.0-1) unstable; urgency=low
* New upstream release. Closes: #496989.
* Enabled new Unicode support. Closes: #197427. This may or may not work
for your already created zipfiles, but it's not a bug unless they were
created using the Unicode feature present in zip 3.0.
* Built using DATE_FORMAT=DF_YMD so that unzip -l show dates in ISO format,
as that's the only available one which makes sense. Closes: #312886.
* Enabled new bzip2 support. Closes: #426798.
* Exit code for zipgrep should now be the right one. Closes: #441997.
* The reason why a file may not be created is now shown. Closes: #478791.
* Summary of changes in this version not being the debian/* files:
- Manpages in section 1, not 1L.
- Branding patch. UnZip by Debian. Original by Info-ZIP.
- Always #include <unistd.h>. Debian GNU/kFreeBSD needs it.
-- Santiago Vila <sanvila@debian.org> Fri, 08 May 2009 20:02:40 +0200
unzip (5.52-12) unstable; urgency=medium
* Fixed stack underflow in unshrink.c. Closes: #454037.
Thanks to Christian Spieler for the patch.
-- Santiago Vila <sanvila@debian.org> Sat, 26 Jul 2008 16:51:38 +0200
unzip (5.52-11) unstable; urgency=high
* Apply patch from Tavis Ormandy to address invalid free() calls in
the inflate_dynamic() function (CVE-2008-0888).
-- Santiago Vila <sanvila@debian.org> Thu, 20 Mar 2008 17:53:00 +0100
unzip (5.52-10) unstable; urgency=low
* Fixed typo in unzipsfx(1). Thanks to Kevin Ryde. Closes: #419479.
-- Santiago Vila <sanvila@debian.org> Mon, 2 Jul 2007 18:08:44 +0200
unzip (5.52-9) unstable; urgency=low
* Added appropriate compiler flags for Large File Support (Closes: #192253).
This procedure is blessed by upstream in the FAQ, and as a result,
some .zip archives may now be uncompressed using Debian unzip.
For those which still may not, please test unzip 6.0 beta.
-- Santiago Vila <sanvila@debian.org> Wed, 30 Aug 2006 10:34:24 +0200
unzip (5.52-8) unstable; urgency=low
* Modified unix/unxcfg.h to always #include <unistd.h>.
This should now work on GNU/kFreeBSD (Closes: #340693).
-- Santiago Vila <sanvila@debian.org> Tue, 25 Apr 2006 19:50:24 +0200
unzip (5.52-7) unstable; urgency=medium
* Fixed buffer overflow when insanely long filenames are given on the
command line. Patch from Johnny Lee. Changed some format strings so
that they use 512 characters at most. The "right" fix will be in 5.53,
but this should work well enough for now. Closes: #349794.
* This is CVE-2005-4667.
-- Santiago Vila <sanvila@debian.org> Thu, 16 Mar 2006 10:31:20 +0100
unzip (5.52-6) unstable; urgency=medium
* Symlinks should work again (Closes: #343680). Fix provided by
Christian Spieler. Thanks to Carl W. Hoffman for the report.
-- Santiago Vila <sanvila@debian.org> Tue, 20 Dec 2005 19:18:32 +0100
unzip (5.52-5) unstable; urgency=low
* Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
Patch extracted from a prerelease provided by upstream.
* Changed unzip banner line to reflect the fact that this is
a "modified" release. Debian-derived distributions should probably
do the same if they deviate from the Debian version.
-- Santiago Vila <sanvila@debian.org> Thu, 17 Nov 2005 16:34:24 +0100
unzip (5.52-4) unstable; urgency=medium
* Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
to use fchmod() and fchown() instead of chmod() and chown() to change
permissions and ownerships on the files actually created by unzip.
Patch from Dan Yefimov. CAN-2005-2475.
-- Santiago Vila <sanvila@debian.org> Wed, 9 Nov 2005 18:05:02 +0100
unzip (5.52-3) unstable; urgency=low
* Put manpages in section 1, not 1L.
* Fixed more typos (Closes: #309885).
-- Santiago Vila <sanvila@debian.org> Wed, 25 May 2005 16:09:02 +0200
unzip (5.52-2) unstable; urgency=low
* Fixed typos in manpage (Closes: #301915).
-- Santiago Vila <sanvila@debian.org> Sun, 24 Apr 2005 19:27:02 +0200
unzip (5.52-1) unstable; urgency=low
* New upstream release.
* Enabled new -W option via WILD_STOP_AT_DIR macro.
* Macro USE_UNSHRINK is no longer defined, as it's now the default.
-- Santiago Vila <sanvila@debian.org> Tue, 1 Mar 2005 15:33:54 +0100
unzip (5.51-2) unstable; urgency=low
* Added unshrinking support (Closes: #252563).
-- Santiago Vila <sanvila@debian.org> Sun, 6 Jun 2004 17:57:46 +0200
unzip (5.51-1) unstable; urgency=low
* New upstream release, improves error message when a zipfile is not
readable (Closes: #139331).
* Added a newline character to the CannotOpenZipfile string for the
previous fix to be really complete.
-- Santiago Vila <sanvila@debian.org> Tue, 25 May 2004 14:38:26 +0200
unzip (5.50-4) unstable; urgency=low
* Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.
-- Santiago Vila <sanvila@debian.org> Sun, 16 Nov 2003 14:45:28 +0100
unzip (5.50-3) unstable; urgency=high
* Fixed "unzip directory traversal revisited" again (Bug #206439).
There was still a missing case that the previous patch didn't catch.
Patch borrowed from unzip-5.50-33.src.rpm.
* For reference, this is (still) CAN-2003-0282.
-- Santiago Vila <sanvila@debian.org> Wed, 20 Aug 2003 23:00:42 +0200
unzip (5.50-2) unstable; urgency=high
* Fixed "unzip directory traversal revisited" problem (Bug #199648).
A filename containing ".somenonprintablechar." will not unpack
into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm.
* For reference, this is CAN-2003-0282.
* No more doc symlinks.
-- Santiago Vila <sanvila@debian.org> Mon, 7 Jul 2003 20:25:20 +0200
unzip (5.50-1) unstable; urgency=low
* New upstream release.
* Moved from non-US/main to main. Section: utils.
-- Santiago Vila <sanvila@debian.org> Sun, 24 Mar 2002 15:54:12 +0100
unzip (5.42-3) unstable; urgency=low
* Added support for DEB_BUILD_OPTIONS.
-- Santiago Vila <sanvila@debian.org> Sun, 11 Nov 2001 16:25:00 +0100
unzip (5.42-2) unstable; urgency=low
* Applied a patch from Marcus Brinkmann:
- Closes: #99699: unzip does not build on the Hurd.
- Modified debian/rules to support cross-compilation.
-- Santiago Vila <sanvila@debian.org> Wed, 6 Jun 2001 16:40:14 +0200
unzip (5.42-1) unstable; urgency=low
* New upstream release.
* Changed to Section: non-US.
* Removed "packaged for Debian" from extended description.
-- Santiago Vila <sanvila@debian.org> Thu, 10 May 2001 16:47:41 +0200
unzip (5.41-1) unstable; urgency=low
* New upstream release, featuring a new BSD-like license and built-in
encryption support. Moved to non-US/main.
* Copyright file now generated from LICENSE file.
* Versioned Conflicts and Replaces.
* Standards-Version: 3.1.1
-- Santiago Vila <sanvila@debian.org> Fri, 18 Aug 2000 19:03:59 +0200
unzip (5.40-1) unstable; urgency=low
* New upstream release.
* Removed `email-from-greg'.
* Fixed URL location in copyright file.
* Enabled -F option, as suggested by James Aylett.
-- Santiago Vila <sanvila@ctv.es> Fri, 22 Oct 1999 10:30:49 +0200
unzip (5.32-1) unstable; urgency=low
* New upstream release, using pristine source.
-- Santiago Vila <sanvila@ctv.es> Tue, 4 Nov 1997 14:19:20 +0100
unzip (5.31-2) unstable; urgency=low
* Removed debstd dependency.
-- Santiago Vila <sanvila@ctv.es> Fri, 17 Oct 1997 17:22:22 +0200
unzip (5.31-1) unstable; urgency=low
* `copyright' file is generated from COPYING automatically.
* Distribution unstable, Section non-free.
* Conflicts and Replaces "unzip-crypt".
* New upstream release.
* First libc6 release.
* Added md5sums.
-- Santiago Vila <sanvila@ctv.es> Fri, 12 Sep 1997 19:16:59 +0200
unzip (5.20-3) unstable; urgency=low
* Changed priority from `extra' to `optional'.
* Changed section from `misc' to `utils'.
* Simplified debian/rules a little bit. No debstd yet.
* Copied `History.520' as is. Added the symlink changelog -> History.520.
* Added ToDo and BUGS to /usr/doc/unzip.
* New maintainer.
-- Santiago Vila <sanvila@ctv.es> Sun, 16 Feb 1997 19:29:13 +0100
unzip (5.20-2) unstable; urgency=low
* zipgrep manpage is now installed through the unix/Makefile
* permissions guaranteed to be set properly for the zipgrep script
(did not work for those who compiled from the straight sources.)
* removed several superfluous commands from debian/rules.
* All changes this revision are courtesy of Santiago Vila.
-- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 8 Jan 1997 18:48:00 +1100
unzip (5.20-1) unstable; urgency=low
* new upstream version
* modified the copyright to include 5.2's COPYING, just in case it's changed.
* minor modifications to debian/rules
* added zipgrep (from the zip package).
-- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Wed, 13 Nov 1996 19:35:24 +1100
unzip (5.12-15) unstable; urgency=low
* received email from the upstream maintainers: unzip can now go into
the distribution proper. Yippee! :-)
* added the email in question to the copyright file.
-- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sat, 19 Oct 1996 18:34:21 +1000
unzip (5.12-14) non-free; urgency=low
* moved to the 2.1.1.0 source format
* fixed a typo in the Maintainer field (missing the ">". Oops.)
-- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Sun, 1 Sep 1996 07:36:16 +1000
unzip (5.12-13) non-free; urgency=low
* new maintainer
* mods to make the "binary" rule portable to different platforms
* uses dpkg-name rather than manual moving
-- Stuart Lamble <lamble@yoyo.cc.monash.edu.au> Tue, 30 Jul 1996 00:00:00 +0000
unzip (5.12-12) non-free; urgency=low
* initial release (used 2 to avoid confusion with old unzip)
-- Carl Streeter <streeter@cae.wisc.edu> Tue, 5 Sep 1995 00:00:00 +0000
|