A program to unpack compressed files
http://www.info-zip.org/
UnZip is an extraction utility for archives compressed in .zip format
(known as "zip files"). Although highly compatible both with PKWARE's
PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip
program, our primary objectives have been portability and non-MS-DOS
functionality. This version can also extract encrypted archives.
- Devel package for openSUSE:Factory
-
3
derived packages
- Links to openSUSE:Factory / unzip
- Download package
-
Checkout Package
osc -A https://api.opensuse.org checkout Archiving/unzip && cd $_ - Create Badge
Refresh
Refresh
Source Files
| Filename | Size | Changed |
|---|---|---|
| CVE-2014-9913.patch | 0000001013 1013 Bytes | |
| CVE-2015-7696.patch | 0000001234 1.21 KB | |
| CVE-2015-7697.patch | 0000001600 1.56 KB | |
| CVE-2016-9844.patch | 0000000950 950 Bytes | |
| CVE-2018-1000035.patch | 0000001290 1.26 KB | |
| Fix-CVE-2014-8139-unzip.patch | 0000003322 3.24 KB | |
| Fix-CVE-2014-8140-and-CVE-2014-8141.patch | 0000006872 6.71 KB | |
| _link | 0000000124 124 Bytes | |
| pre_checkin.sh | 0000000237 237 Bytes | |
| unzip-5.52-filename_too_long.patch | 0000001210 1.18 KB | |
| unzip-5.52-use_librcc.patch | 0000004686 4.58 KB | |
| unzip-dont_call_isprint.patch | 0000000604 604 Bytes | |
| unzip-iso8859_2.patch | 0000007716 7.54 KB | |
| unzip-no-build-date.patch | 0000002286 2.23 KB | |
| unzip-no_file_name_translation.patch | 0000003873 3.78 KB | |
| unzip-open_missing_mode.patch | 0000002755 2.69 KB | |
| unzip-optflags.patch | 0000001111 1.08 KB | |
| unzip-rcc.changes | 0000013495 13.2 KB | |
| unzip-rcc.spec | 0000005407 5.28 KB | |
| unzip.changes | 0000013495 13.2 KB | |
| unzip.dif | 0000000749 749 Bytes | |
| unzip.spec | 0000005396 5.27 KB | |
| unzip60.tar.gz | 0001376845 1.31 MB |
Revision 47 (latest revision is 64)
Martin Pluskal (pluskalm)
accepted
request 609924
from
Antoine Belvire (1Antoine1)
(revision 47)
- Fix "remove failed: No such file or directory" warnings upon package removal: * Call 'update-alternative --remove' in %postun, not in %preun. - Add CVE-2018-1000035.patch: Fix a heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035 bsc#1080074) - Fix "remove failed: No such file or directory" warnings upon package removal: * Call 'update-alternative --remove' in %postun, not in %preun.
Comments 2
There is a huge and probably very old bug in openSUSE unzip (Tumbleweed as well as 15.3). This bug is fixed in Ubuntu's unzip version, I looked at their patches and there's several CVEs missing here, and I assume it's one of these patches that fixed the issue.
The bug is when extracting an archive where file permissions are not explicitly set, occasionally (but reproducibly) one or more files get converted to be symlinks and the original content of the file is suddenly the link target.
This can easily be reproduced by downloading the zip archives from the Shopware/Platform project, e.g. https://github.com/shopware/platform/archive/dd2bf30d0519dcd9416dc269c88edcfd66f92add.zip
When downloading this zip archive and extracting it in the console with unzip the file
platform-dd2bf30d0519dcd9416dc269c88edcfd66f92add/src/Storefront/Resources/app/storefront/dist/assets/icon/default/editor-redo.svggets erroneously converted into a symlink. The fun thing about this bug is that you can reproduce it with nearly every single zip of a commit and it's always different files, but when extracting the same archive it's always the same file(s) that get converted into a symlink. This bug has caused us a lot of issues for the past year.I guess it's one of the not applied patches you can see here: https://sources.debian.org/patches/unzip/6.0-26/
kind regards, Kira Backes
https://bugzilla.suse.com/show_bug.cgi?id=1190273