UbuntuUpdates.org

Package "unzip"

Name: unzip

Description:

De-archiver for .zip files
Latest version: 6.0-20ubuntu1.1
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://www.info-zip.org/UnZip.html

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "unzip"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "unzip" in Xenial

Repository Area Version
base main 6.0-20ubuntu1
updates main 6.0-20ubuntu1.1

Changelog

Version: 6.0-20ubuntu1.1 2020-12-16 16:08:25 UTC

  unzip (6.0-20ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in unzip (LP: #387350)
    - debian/patches/17-cve-2014-9913-unzip-buffer-overflow: Accommodate
      printing an oversized compression method number in list.c.
    - CVE-2014-9913
  * SECURITY UPDATE: buffer overflow in zipinfo (LP: #1643750)
    - debian/patches/18-cve-2016-9844-zipinfo-buffer-overflow: Accommodate an
      oversized compression method number in zipinfo.c.
    - CVE-2016-9844
  * SECURITY UPDATE: buffer overflow in password protected ZIP archives
    - debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch: Perform
      check before allocating memory in fileio.c.
    - CVE-2018-1000035
  * SECURITY UPDATE: denial of service (resource consumption)
    - debian/patches/22-cve-2019-13232-fix-bug-in-undefer-input.patch: Fix bug
      in undefer_input() of fileio.c that misplaced the input state.
    - debian/patches/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch:
      Detect and reject a zip bomb using overlapped entries.
    - debian/patches/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch:
      Do not raise a zip bomb alert for a misplaced central directory.
    - CVE-2019-13232

 -- Avital Ostromich <email address hidden> Wed, 25 Nov 2020 20:01:25 -0500
387350 Buffer overflow in unzip with hand-crafted ZIP file
1643750 Buffer Overflow in ZipInfo
CVE-2014-9913 Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors r
CVE-2016-9844 Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large
CVE-2018-1000035 A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to per
CVE-2019-13232 Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP container, leading to denial of service (resource consumption), aka a "better zip


About   -   Send Feedback to @ubuntu_updates