A program to unpack compressed files

Edit Package unzip
http://www.info-zip.org/

UnZip is an extraction utility for archives compressed in .zip format
(known as "zip files"). Although highly compatible both with PKWARE's
PKZIP(tm) and PKUNZIP utilities for MS-DOS and with Info-ZIP's own Zip
program, our primary objectives have been portability and non-MS-DOS
functionality. This version can also extract encrypted archives.

Refresh
Refresh
Source Files
Filename Size Changed
CVE-2014-9913.patch 0000001013 1013 Bytes
CVE-2015-7696.patch 0000001234 1.21 KB
CVE-2015-7697.patch 0000001600 1.56 KB
CVE-2016-9844.patch 0000000950 950 Bytes
CVE-2018-1000035.patch 0000001290 1.26 KB
CVE-2022-0529.patch 0000001151 1.12 KB
CVE-2022-0530.patch 0000000898 898 Bytes
Fix-CVE-2014-8139-unzip.patch 0000003322 3.24 KB
Fix-CVE-2014-8140-and-CVE-2014-8141.patch 0000006872 6.71 KB
Fix-CVE-2014-9636-unzip-buffer-overflow.patch 0000001621 1.58 KB
_multibuild 0000000057 57 Bytes
pre_checkin.sh 0000000232 232 Bytes
unzip-5.52-filename_too_long.patch 0000001210 1.18 KB
unzip-5.52-use_librcc.patch 0000004686 4.58 KB
unzip-dont_call_isprint.patch 0000000604 604 Bytes
unzip-iso8859_2.patch 0000007716 7.54 KB
unzip-no-build-date.patch 0000002286 2.23 KB
unzip-no_file_name_translation.patch 0000003873 3.78 KB
unzip-open_missing_mode.patch 0000002755 2.69 KB
unzip-optflags.patch 0000001111 1.08 KB
unzip-rcc.changes 0000015500 15.1 KB
unzip-rcc.spec 0000006000 5.86 KB
unzip.changes 0000015500 15.1 KB
unzip.dif 0000000749 749 Bytes
unzip.spec 0000005989 5.85 KB
unzip60-cfactorstr_overflow.patch 0000001623 1.58 KB
unzip60-total_disks_zero.patch 0000001265 1.24 KB
unzip60.tar.gz 0001376845 1.31 MB
Revision 56 (latest revision is 64)
buildservice-autocommit accepted request 808172 from Martin Pluskal's avatar Martin Pluskal (pluskalm) (revision 56)
baserev update by copy to link target
Comments 2

Kira Marie Backes's avatar

There is a huge and probably very old bug in openSUSE unzip (Tumbleweed as well as 15.3). This bug is fixed in Ubuntu's unzip version, I looked at their patches and there's several CVEs missing here, and I assume it's one of these patches that fixed the issue.

The bug is when extracting an archive where file permissions are not explicitly set, occasionally (but reproducibly) one or more files get converted to be symlinks and the original content of the file is suddenly the link target.

This can easily be reproduced by downloading the zip archives from the Shopware/Platform project, e.g. https://github.com/shopware/platform/archive/dd2bf30d0519dcd9416dc269c88edcfd66f92add.zip

When downloading this zip archive and extracting it in the console with unzip the file platform-dd2bf30d0519dcd9416dc269c88edcfd66f92add/src/Storefront/Resources/app/storefront/dist/assets/icon/default/editor-redo.svg gets erroneously converted into a symlink. The fun thing about this bug is that you can reproduce it with nearly every single zip of a commit and it's always different files, but when extracting the same archive it's always the same file(s) that get converted into a symlink. This bug has caused us a lot of issues for the past year.

I guess it's one of the not applied patches you can see here: https://sources.debian.org/patches/unzip/6.0-26/

kind regards, Kira Backes


openSUSE Build Service is sponsored by