A program to unpack compressed files
http://www.info-zip.org/
UnZip is an extraction utility for archives compressed in .zip format
(known as "zip files"). Although highly compatible both with PKWARE's
PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip
program, our primary objectives have been portability and non-MS-DOS
functionality. This version can also extract encrypted archives.
- Devel package for openSUSE:Factory
- 3 derived packages
- Links to openSUSE:Factory / unzip
- Checkout package:
  osc -A https://api.opensuse.org checkout Archiving/unzip && cd $_
Source Files
Filename | Size |
---|---|
CVE-2014-9913.patch | 1013 Bytes |
CVE-2015-7696.patch | 1.21 KB |
CVE-2015-7697.patch | 1.56 KB |
CVE-2016-9844.patch | 950 Bytes |
CVE-2018-1000035.patch | 1.26 KB |
Fix-CVE-2014-8139-unzip.patch | 3.24 KB |
Fix-CVE-2014-8140-and-CVE-2014-8141.patch | 6.71 KB |
Fix-CVE-2014-9636-unzip-buffer-overflow.patch | 1.58 KB |
_link | 124 Bytes |
pre_checkin.sh | 237 Bytes |
unzip-5.52-filename_too_long.patch | 1.18 KB |
unzip-5.52-use_librcc.patch | 4.58 KB |
unzip-dont_call_isprint.patch | 604 Bytes |
unzip-iso8859_2.patch | 7.54 KB |
unzip-no-build-date.patch | 2.23 KB |
unzip-no_file_name_translation.patch | 3.78 KB |
unzip-open_missing_mode.patch | 2.69 KB |
unzip-optflags.patch | 1.08 KB |
unzip-rcc.changes | 13.6 KB |
unzip-rcc.spec | 5.41 KB |
unzip.changes | 13.6 KB |
unzip.dif | 749 Bytes |
unzip.spec | 5.4 KB |
unzip60-total_disks_zero.patch | 1.24 KB |
unzip60.tar.gz | 1.31 MB |
Revision 49 (latest revision is 64)
Martin Pluskal (pluskalm) accepted request 619404 from Kristyna Streitova (kstreitova) (revision 49)
- Add unzip60-total_disks_zero.patch that fixes a bug when unzip is unable to process Windows zip64 archives because Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher [bnc#910683]
- Add Fix-CVE-2014-9636-unzip-buffer-overflow.patch to fix heap overflow for STORED field data [bnc#914442] [CVE-2014-9636]
Comments 2
There is a huge and probably very old bug in openSUSE unzip (Tumbleweed as well as 15.3). This bug is fixed in Ubuntu's unzip version; I looked at their patches and there are several CVEs missing here, and I assume it's one of these patches that fixed the issue.
The bug is when extracting an archive where file permissions are not explicitly set, occasionally (but reproducibly) one or more files get converted to be symlinks and the original content of the file is suddenly the link target.
This can easily be reproduced by downloading the zip archives from the Shopware/Platform project, e.g. https://github.com/shopware/platform/archive/dd2bf30d0519dcd9416dc269c88edcfd66f92add.zip
When downloading this zip archive and extracting it in the console with unzip the file
platform-dd2bf30d0519dcd9416dc269c88edcfd66f92add/src/Storefront/Resources/app/storefront/dist/assets/icon/default/editor-redo.svg
gets erroneously converted into a symlink. The fun thing about this bug is that you can reproduce it with nearly every single zip of a commit and it's always different files, but when extracting the same archive it's always the same file(s) that get converted into a symlink. This bug has caused us a lot of issues for the past year. I guess it's one of the not applied patches you can see here: https://sources.debian.org/patches/unzip/6.0-26/
kind regards, Kira Backes
https://bugzilla.suse.com/show_bug.cgi?id=1190273