unzip (5.52-6ubuntu4.1) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via heap corruption.
  * inflate.c: fix invalid free() calls, patch from Tavis Ormandy.
  * References
    CVE-2008-0888

 -- Kees Cook <kees@ubuntu.com>  Wed, 19 Mar 2008 12:08:30 -0700

unzip (5.52-6ubuntu4) dapper; urgency=low

  * const.h, process.c: Limit the maximum length of displayed file names to
    512 bytes, to avoid spewage with excessively long file names (which caused
    buffer overflows until the recent security fix for CVE-2005-4667).
  * Thanks to Santiago Vila for pointing this out.

 -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 23 Mar 2006 13:00:08 +0100

unzip (5.52-6ubuntu3) dapper; urgency=low

  * Previous security update scrambled the output fields in the contents
    listing, fix that regression.

 -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 15 Feb 2006 12:11:47 +0100

unzip (5.52-6ubuntu2) dapper; urgency=low

  * SECURITY UPDATE: Arbitrary code execution on specially crafted long file
    names (which should not happen in many scenarios, though).
  * unzpriv.h, Info macro: 
    - Use snprintf() instead of sprintf() as inner formatting function.
    - Use fputs() instead of fprintf() as outer function to ignore leftover
      format strings which might not have been substituted in the inner
      snprintf().
    - Throw away the three different implementations of that macro and use
      just one safe one.
    - CVE-2005-4667

 -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 10 Feb 2006 20:14:01 +0100

unzip (5.52-6ubuntu1) dapper; urgency=low

  * Resynchronise with Debian.

 -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 28 Dec 2005 11:02:39 +0100

unzip (5.52-6) unstable; urgency=medium

  * Symlinks should work again (Closes: #343680). Fix provided by
    Christian Spieler. Thanks to Carl W. Hoffman for the report.

 -- Santiago Vila <sanvila@debian.org>  Tue, 20 Dec 2005 19:18:32 +0100

unzip (5.52-5ubuntu1) dapper; urgency=low

  * Resynchronise with Debian.
  * Repaired totally scrambled changelog.
  * unzip.c: Change Debian banner to 'Ubuntu', as advised by the Debian
    maintainer.

 -- Martin Pitt <martin.pitt@ubuntu.com>  Mon, 21 Nov 2005 20:38:41 +0100

unzip (5.52-5) unstable; urgency=low

  * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53.
    Patch extracted from a prerelease provided by upstream.
  * Changed unzip banner line to reflect the fact that this is
    a "modified" release. Debian-derived distributions should probably
    do the same if they deviate from the Debian version.

 -- Santiago Vila <sanvila@debian.org>  Thu, 17 Nov 2005 16:34:24 +0100

unzip (5.52-4ubuntu1) dapper; urgency=low

  * Resynchronise with Debian.

 -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 11 Nov 2005 13:16:29 +0100

unzip (5.52-4) unstable; urgency=medium

  * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c
    to use fchmod() and fchown() instead of chmod() and chown() to change
    permissions and ownerships on the files actually created by unzip.
    Patch from Dan Yefimov. CAN-2005-2475.

 -- Santiago Vila <sanvila@debian.org>  Wed,  9 Nov 2005 18:05:02 +0100

unzip (5.52-3ubuntu2) breezy; urgency=low

  * SECURITY UPDATE: Fix file permission modification race.
  * unix/unix.c: Use fchmod() instead of chmod() to change permissions on the
    files unzip actually created, not the files another attacker might have
    hardlinked to in the meantime.
  * CAN-2005-2475

 -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 29 Sep 2005 17:02:50 +0200

unzip (5.52-3ubuntu1) breezy; urgency=low

  * Resynchronise with Debian.

 -- Michael Vogt <michael.vogt@ubuntu.com>  Tue, 28 Jun 2005 15:46:02 +0200

unzip (5.52-3) unstable; urgency=low

  * Put manpages in section 1, not 1L.
  * Fixed more typos (Closes: #309885).

 -- Santiago Vila <sanvila@debian.org>  Wed, 25 May 2005 16:09:02 +0200

unzip (5.52-2) unstable; urgency=low

  * Fixed typos in manpage (Closes: #301915).

 -- Santiago Vila <sanvila@debian.org>  Sun, 24 Apr 2005 19:27:02 +0200

unzip (5.52-1) unstable; urgency=low

  * New upstream release.
  * Enabled new -W option via WILD_STOP_AT_DIR macro.
  * Macro USE_UNSHRINK is no longer defined, as it's now the default.

 -- Santiago Vila <sanvila@debian.org>  Tue,  1 Mar 2005 15:33:54 +0100

unzip (5.51-2ubuntu1) hoary; urgency=low

  * Fixed unzip of >2GB files, thanks to patch from ard at kwaak.net 

 -- Thom May <thom@ubuntu.com>  Mon, 28 Feb 2005 15:25:52 +0000

unzip (5.51-2) unstable; urgency=low

  * Added unshrinking support (Closes: #252563).

 -- Santiago Vila <sanvila@debian.org>  Sun,  6 Jun 2004 17:57:46 +0200

unzip (5.51-1) unstable; urgency=low

  * New upstream release, improves error message when a zipfile is not
    readable (Closes: #139331).
  * Added a newline character to the CannotOpenZipfile string for the
    previous fix to be really complete.

 -- Santiago Vila <sanvila@debian.org>  Tue, 25 May 2004 14:38:26 +0200

unzip (5.50-4) unstable; urgency=low

  * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based
    systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD.

 -- Santiago Vila <sanvila@debian.org>  Sun, 16 Nov 2003 14:45:28 +0100

unzip (5.50-3) unstable; urgency=high

  * Fixed "unzip directory traversal revisited" again (Bug #206439).
    There was still a missing case that the previous patch didn't catch.
    Patch borrowed from unzip-5.50-33.src.rpm.
  * For reference, this is (still) CAN-2003-0282.

 -- Santiago Vila <sanvila@debian.org>  Wed, 20 Aug 2003 23:00:42 +0200

unzip (5.50-2) unstable; urgency=high

  * Fixed "unzip directory traversal revisited" problem (Bug #199648).
    A filename containing ".somenonprintablechar." will not unpack
    into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm.
  * For reference, this is CAN-2003-0282.
  * No more doc symlinks.

 -- Santiago Vila <sanvila@debian.org>  Mon,  7 Jul 2003 20:25:20 +0200

unzip (5.50-1) unstable; urgency=low

  * New upstream release.
  * Moved from non-US/main to main. Section: utils.

 -- Santiago Vila <sanvila@debian.org>  Sun, 24 Mar 2002 15:54:12 +0100

unzip (5.42-3) unstable; urgency=low

  * Added support for DEB_BUILD_OPTIONS.

 -- Santiago Vila <sanvila@debian.org>  Sun, 11 Nov 2001 16:25:00 +0100

unzip (5.42-2) unstable; urgency=low

  * Applied a patch from Marcus Brinkmann:
  - Closes: #99699: unzip does not build on the Hurd.
  - Modified debian/rules to support cross-compilation.

 -- Santiago Vila <sanvila@debian.org>  Wed,  6 Jun 2001 16:40:14 +0200

unzip (5.42-1) unstable; urgency=low

  * New upstream release.
  * Changed to Section: non-US.
  * Removed "packaged for Debian" from extended description.

 -- Santiago Vila <sanvila@debian.org>  Thu, 10 May 2001 16:47:41 +0200

unzip (5.41-1) unstable; urgency=low

  * New upstream release, featuring a new BSD-like license and built-in
    encryption support. Moved to non-US/main.
  * Copyright file now generated from LICENSE file.
  * Versioned Conflicts and Replaces.
  * Standards-Version: 3.1.1

 -- Santiago Vila <sanvila@debian.org>  Fri, 18 Aug 2000 19:03:59 +0200

unzip (5.40-1) unstable; urgency=low

  * New upstream release.
  * Removed `email-from-greg'.
  * Fixed URL location in copyright file.
  * Enabled -F option, as suggested by James Aylett.

 -- Santiago Vila <sanvila@ctv.es>  Fri, 22 Oct 1999 10:30:49 +0200

unzip (5.32-1) unstable; urgency=low

  * New upstream release, using pristine source.

 -- Santiago Vila <sanvila@ctv.es>  Tue,  4 Nov 1997 14:19:20 +0100

unzip (5.31-2) unstable; urgency=low

  * Removed debstd dependency.

 -- Santiago Vila <sanvila@ctv.es>  Fri, 17 Oct 1997 17:22:22 +0200

unzip (5.31-1) unstable; urgency=low

  * `copyright' file is generated from COPYING automatically.
  * Distribution unstable, Section non-free.
  * Conflicts and Replaces "unzip-crypt".
  * New upstream release.
  * First libc6 release.
  * Added md5sums.

 -- Santiago Vila <sanvila@ctv.es>  Fri, 12 Sep 1997 19:16:59 +0200

unzip (5.20-3) unstable; urgency=low

  * Changed priority from `extra' to `optional'.
  * Changed section from `misc' to `utils'.
  * Simplified debian/rules a little bit. No debstd yet.
  * Copied `History.520' as is. Added the symlink changelog -> History.520.
  * Added ToDo and BUGS to /usr/doc/unzip.
  * New maintainer.

 -- Santiago Vila <sanvila@ctv.es>  Sun, 16 Feb 1997 19:29:13 +0100

unzip (5.20-2) unstable; urgency=low

  * zipgrep manpage is now installed through the unix/Makefile
  * permissions guaranteed to be set properly for the zipgrep script
    (did not work for those who compiled from the straight sources.)
  * removed several superfluous commands from debian/rules.
  * All changes this revision are courtesy of Santiago Vila.

 -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Wed, 8 Jan 1997 18:48:00 +1100

unzip (5.20-1) unstable; urgency=low

  * new upstream version
  * modified the copyright to include 5.2's COPYING, just in case it's changed.
  * minor modifications to debian/rules
  * added zipgrep (from the zip package).

 -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Wed, 13 Nov 1996 19:35:24 +1100

unzip (5.12-15) unstable; urgency=low

  * received email from the upstream maintainers: unzip can now go into
    the distribution proper. Yippee! :-)
  * added the email in question to the copyright file.

 -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Sat, 19 Oct 1996 18:34:21 +1000

unzip (5.12-14) non-free; urgency=low

  * moved to the 2.1.1.0 source format
  * fixed a typo in the Maintainer field (missing the ">". Oops.)

 -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Sun, 1 Sep 1996 07:36:16 +1000

unzip (5.12-13) non-free; urgency=low

  * new maintainer
  * mods to make the "binary" rule portable to different platforms
  * uses dpkg-name rather than manual moving

 -- Stuart Lamble <lamble@yoyo.cc.monash.edu.au>  Tue, 30 Jul 1996 00:00:00 +0000

unzip (5.12-12) non-free; urgency=low

  * initial release (used 2 to avoid confusion with old unzip)

 -- Carl Streeter <streeter@cae.wisc.edu>  Tue, 5 Sep 1995 00:00:00 +0000