unzip (5.52-9ubuntu3.1) feisty-security; urgency=low * SECURITY UPDATE: arbitrary code execution via heap corruption. * inflate.c: fix invalid free() calls, patch from Tavis Ormandy. * References CVE-2008-0888 -- Kees Cook Wed, 19 Mar 2008 12:08:30 -0700 unzip (5.52-9ubuntu3) feisty; urgency=low * Apply patch from https://bugzilla.altlinux.org/long_list.cgi?buglist=4871 to support UTF-8 file names. Ubuntu #10979. -- Matthias Klose Sat, 31 Mar 2007 13:10:40 +0200 unzip (5.52-9ubuntu2) feisty; urgency=low * Rebuild for changes in the amd64 toolchain. * Set Ubuntu maintainer address. -- Matthias Klose Mon, 5 Mar 2007 01:27:17 +0000 unzip (5.52-9ubuntu1) feisty; urgency=low * Merge from debian unstable. -- Michael Vogt Wed, 22 Nov 2006 12:10:13 +0100 unzip (5.52-9) unstable; urgency=low * Added appropriate compiler flags for Large File Support (Closes: #192253). This procedure is blessed by upstream in the FAQ, and as a result, some .zip archives may now be uncompressed using Debian unzip. For those which still may not, please test unzip 6.0 beta. -- Santiago Vila Wed, 30 Aug 2006 10:34:24 +0200 unzip (5.52-8ubuntu1) edgy; urgency=low * Merge from debian unstable; only Ubuntu changes left: - debian/rules: Configure with large file support. - unzip.c: Change banner to indicate Ubuntu modification. -- Martin Pitt Fri, 30 Jun 2006 11:28:40 +0200 unzip (5.52-8) unstable; urgency=low * Modified unix/unxcfg.h to always #include . This should now work on GNU/kFreeBSD (Closes: #340693). -- Santiago Vila Tue, 25 Apr 2006 19:50:24 +0200 unzip (5.52-7) unstable; urgency=medium * Fixed buffer overflow when insanely long filenames are given on the command line. Patch from Johnny Lee. Changed some format strings so that they use 512 characters at most. The "right" fix will be in 5.53, but this should work well enough for now. Closes: #349794. * This is CVE-2005-4667. -- Santiago Vila Thu, 16 Mar 2006 10:31:20 +0100 unzip (5.52-6ubuntu4) dapper; urgency=low * const.h, process.c: Limit the maximum length of displayed file names to 512 bytes, to avoid spewage with excessively long file names (which caused buffer overflows until the recent security fix for CVE-2005-4667). * Thanks to Santiago Vila for pointing this out. -- Martin Pitt Thu, 23 Mar 2006 13:00:08 +0100 unzip (5.52-6ubuntu3) dapper; urgency=low * Previous security update scrambled the output fields in the contents listing, fix that regression. -- Martin Pitt Wed, 15 Feb 2006 12:11:47 +0100 unzip (5.52-6ubuntu2) dapper; urgency=low * SECURITY UPDATE: Arbitrary code execution on specially crafted long file names (which should not happen in many scenarios, though). * unzpriv.h, Info macro: - Use snprintf() instead of sprintf() as inner formatting function. - Use fputs() instead of fprintf() as outer function to ignore leftover format strings which might not have been substituted in the inner snprintf(). - Throw away the three different implementations of that macro and use just one safe one. - CVE-2005-4667 -- Martin Pitt Fri, 10 Feb 2006 20:14:01 +0100 unzip (5.52-6ubuntu1) dapper; urgency=low * Resynchronise with Debian. -- Michael Vogt Wed, 28 Dec 2005 11:02:39 +0100 unzip (5.52-6) unstable; urgency=medium * Symlinks should work again (Closes: #343680). Fix provided by Christian Spieler. Thanks to Carl W. Hoffman for the report. -- Santiago Vila Tue, 20 Dec 2005 19:18:32 +0100 unzip (5.52-5ubuntu1) dapper; urgency=low * Resynchronise with Debian. * Repaired totally scrambled changelog. * unzip.c: Change Debian banner to 'Ubuntu', as advised by the Debian maintainer. -- Martin Pitt Mon, 21 Nov 2005 20:38:41 +0100 unzip (5.52-5) unstable; urgency=low * Fixed CAN-2005-2475 the same way it will be fixed in unzip 5.53. Patch extracted from a prerelease provided by upstream. * Changed unzip banner line to reflect the fact that this is a "modified" release. Debian-derived distributions should probably do the same if they deviate from the Debian version. -- Santiago Vila Thu, 17 Nov 2005 16:34:24 +0100 unzip (5.52-4ubuntu1) dapper; urgency=low * Resynchronise with Debian. -- Michael Vogt Fri, 11 Nov 2005 13:16:29 +0100 unzip (5.52-4) unstable; urgency=medium * Fixed toctou vulnerability (Closes: #321927). Modified unix/unix.c to use fchmod() and fchown() instead of chmod() and chown() to change permissions and ownerships on the files actually created by unzip. Patch from Dan Yefimov. CAN-2005-2475. -- Santiago Vila Wed, 9 Nov 2005 18:05:02 +0100 unzip (5.52-3ubuntu2) breezy; urgency=low * SECURITY UPDATE: Fix file permission modification race. * unix/unix.c: Use fchmod() instead of chmod() to change permissions on the files unzip actually created, not the files another attacker might have hardlinked to in the meantime. * CAN-2005-2475 -- Martin Pitt Thu, 29 Sep 2005 17:02:50 +0200 unzip (5.52-3ubuntu1) breezy; urgency=low * Resynchronise with Debian. -- Michael Vogt Tue, 28 Jun 2005 15:46:02 +0200 unzip (5.52-3) unstable; urgency=low * Put manpages in section 1, not 1L. * Fixed more typos (Closes: #309885). -- Santiago Vila Wed, 25 May 2005 16:09:02 +0200 unzip (5.52-2) unstable; urgency=low * Fixed typos in manpage (Closes: #301915). -- Santiago Vila Sun, 24 Apr 2005 19:27:02 +0200 unzip (5.52-1) unstable; urgency=low * New upstream release. * Enabled new -W option via WILD_STOP_AT_DIR macro. * Macro USE_UNSHRINK is no longer defined, as it's now the default. -- Santiago Vila Tue, 1 Mar 2005 15:33:54 +0100 unzip (5.51-2ubuntu1) hoary; urgency=low * Fixed unzip of >2GB files, thanks to patch from ard at kwaak.net -- Thom May Mon, 28 Feb 2005 15:25:52 +0000 unzip (5.51-2) unstable; urgency=low * Added unshrinking support (Closes: #252563). -- Santiago Vila Sun, 6 Jun 2004 17:57:46 +0200 unzip (5.51-1) unstable; urgency=low * New upstream release, improves error message when a zipfile is not readable (Closes: #139331). * Added a newline character to the CannotOpenZipfile string for the previous fix to be really complete. -- Santiago Vila Tue, 25 May 2004 14:38:26 +0200 unzip (5.50-4) unstable; urgency=low * Changed __GNU__ to __GLIBC__ in unix/unxcfg.h to support glibc-based systems not being GNU itself, like GNU/KFreeBSD and GNU/KNetBSD. -- Santiago Vila Sun, 16 Nov 2003 14:45:28 +0100 unzip (5.50-3) unstable; urgency=high * Fixed "unzip directory traversal revisited" again (Bug #206439). There was still a missing case that the previous patch didn't catch. Patch borrowed from unzip-5.50-33.src.rpm. * For reference, this is (still) CAN-2003-0282. -- Santiago Vila Wed, 20 Aug 2003 23:00:42 +0200 unzip (5.50-2) unstable; urgency=high * Fixed "unzip directory traversal revisited" problem (Bug #199648). A filename containing ".somenonprintablechar." will not unpack into .. anymore. Patch borrowed from unzip-5.50-11.src.rpm. * For reference, this is CAN-2003-0282. * No more doc symlinks. -- Santiago Vila Mon, 7 Jul 2003 20:25:20 +0200 unzip (5.50-1) unstable; urgency=low * New upstream release. * Moved from non-US/main to main. Section: utils. -- Santiago Vila Sun, 24 Mar 2002 15:54:12 +0100 unzip (5.42-3) unstable; urgency=low * Added support for DEB_BUILD_OPTIONS. -- Santiago Vila Sun, 11 Nov 2001 16:25:00 +0100 unzip (5.42-2) unstable; urgency=low * Applied a patch from Marcus Brinkmann: - Closes: #99699: unzip does not build on the Hurd. - Modified debian/rules to support cross-compilation. -- Santiago Vila Wed, 6 Jun 2001 16:40:14 +0200 unzip (5.42-1) unstable; urgency=low * New upstream release. * Changed to Section: non-US. * Removed "packaged for Debian" from extended description. -- Santiago Vila Thu, 10 May 2001 16:47:41 +0200 unzip (5.41-1) unstable; urgency=low * New upstream release, featuring a new BSD-like license and built-in encryption support. Moved to non-US/main. * Copyright file now generated from LICENSE file. * Versioned Conflicts and Replaces. * Standards-Version: 3.1.1 -- Santiago Vila Fri, 18 Aug 2000 19:03:59 +0200 unzip (5.40-1) unstable; urgency=low * New upstream release. * Removed `email-from-greg'. * Fixed URL location in copyright file. * Enabled -F option, as suggested by James Aylett. -- Santiago Vila Fri, 22 Oct 1999 10:30:49 +0200 unzip (5.32-1) unstable; urgency=low * New upstream release, using pristine source. -- Santiago Vila Tue, 4 Nov 1997 14:19:20 +0100 unzip (5.31-2) unstable; urgency=low * Removed debstd dependency. -- Santiago Vila Fri, 17 Oct 1997 17:22:22 +0200 unzip (5.31-1) unstable; urgency=low * `copyright' file is generated from COPYING automatically. * Distribution unstable, Section non-free. * Conflicts and Replaces "unzip-crypt". * New upstream release. * First libc6 release. * Added md5sums. -- Santiago Vila Fri, 12 Sep 1997 19:16:59 +0200 unzip (5.20-3) unstable; urgency=low * Changed priority from `extra' to `optional'. * Changed section from `misc' to `utils'. * Simplified debian/rules a little bit. No debstd yet. * Copied `History.520' as is. Added the symlink changelog -> History.520. * Added ToDo and BUGS to /usr/doc/unzip. * New maintainer. -- Santiago Vila Sun, 16 Feb 1997 19:29:13 +0100 unzip (5.20-2) unstable; urgency=low * zipgrep manpage is now installed through the unix/Makefile * permissions guaranteed to be set properly for the zipgrep script (did not work for those who compiled from the straight sources.) * removed several superfluous commands from debian/rules. * All changes this revision are courtesy of Santiago Vila. -- Stuart Lamble Wed, 8 Jan 1997 18:48:00 +1100 unzip (5.20-1) unstable; urgency=low * new upstream version * modified the copyright to include 5.2's COPYING, just in case it's changed. * minor modifications to debian/rules * added zipgrep (from the zip package). -- Stuart Lamble Wed, 13 Nov 1996 19:35:24 +1100 unzip (5.12-15) unstable; urgency=low * received email from the upstream maintainers: unzip can now go into the distribution proper. Yippee! :-) * added the email in question to the copyright file. -- Stuart Lamble Sat, 19 Oct 1996 18:34:21 +1000 unzip (5.12-14) non-free; urgency=low * moved to the 2.1.1.0 source format * fixed a typo in the Maintainer field (missing the ">". Oops.) -- Stuart Lamble Sun, 1 Sep 1996 07:36:16 +1000 unzip (5.12-13) non-free; urgency=low * new maintainer * mods to make the "binary" rule portable to different platforms * uses dpkg-name rather than manual moving -- Stuart Lamble Tue, 30 Jul 1996 00:00:00 +0000 unzip (5.12-12) non-free; urgency=low * initial release (used 2 to avoid confusion with old unzip) -- Carl Streeter Tue, 5 Sep 1995 00:00:00 +0000